CM-65436: add SAST fallback ignore-extensions list (#473)

mateusz-sterczewski · claude · web-flow · commit 1c6435ed5ec3 · 2026-06-16T10:44:48.000+02:00
Co-authored-by: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/cycode/cli/consts.py b/cycode/cli/consts.py
@@ -53,6 +53,30 @@
     '.iso',
 )
 
+# Fallback block-list used for SAST only when the server does not return scannable extensions
+# (e.g. when the customer has custom rules, any text file is scannable). These are non-source
+# data formats that can slip past binary detection (the EICAR test file and ClamAV signature
+# databases are plain ASCII) and may be quarantined by object-storage antivirus after upload.
+SAST_SCAN_FILE_EXTENSIONS_TO_IGNORE = (
+    '.bin',
+    '.cvd',
+    '.cld',
+    '.cud',
+    '.hdb',
+    '.hsb',
+    '.mdb',
+    '.msb',
+    '.ndb',
+    '.ndu',
+    '.ldb',
+    '.ldu',
+    '.idb',
+    '.fp',
+    '.sfp',
+    '.ign',
+    '.ign2',
+)
+
 SCA_CONFIGURATION_SCAN_SUPPORTED_FILES = (  # keep in lowercase
     'cargo.lock',
     'cargo.toml',
diff --git a/cycode/cli/files_collector/file_excluder.py b/cycode/cli/files_collector/file_excluder.py
@@ -63,7 +63,10 @@ def __init__(self) -> None:
         }
         self._non_scannable_extensions: dict[str, tuple[str, ...]] = {
             consts.SECRET_SCAN_TYPE: consts.SECRET_SCAN_FILE_EXTENSIONS_TO_IGNORE,
+            consts.SAST_SCAN_TYPE: consts.SAST_SCAN_FILE_EXTENSIONS_TO_IGNORE,
         }
+        # Tracks scan types for which the SAST fallback log has already been emitted (log once, not per file)
+        self._logged_sast_fallback = False
 
     def apply_scan_config(self, scan_type: str, scan_config: 'models.ScanConfiguration') -> None:
         if scan_config.scannable_extensions:
@@ -86,6 +89,11 @@ def _is_file_extension_supported(self, scan_type: str, filename: str) -> bool:
 
         non_scannable_extensions = self._non_scannable_extensions.get(scan_type)
         if non_scannable_extensions:
+            # For SAST, reaching the block-list means the server returned no scannable extensions
+            # (e.g. custom rules, or no remote config). Log once so this is diagnosable.
+            if scan_type == consts.SAST_SCAN_TYPE and not self._logged_sast_fallback:
+                self._logged_sast_fallback = True
+                logger.debug('No scannable extensions provided for SAST; falling back to the built-in ignore list')
             return not filename.endswith(non_scannable_extensions)
 
         return True
