feat(scanner): support disablerepo option for yum/dnf

MaineK00n · claude · MaineK00n · commit 92a67d19f800 · 2026-05-19T18:14:26.000+09:00
Add Disablerepo config field so users can pass --disablerepo=&lt;repo&gt;
to repoquery on RHEL-family hosts, mirroring the existing Enablerepo
option. Useful for excluding third-party repos (e.g. EPEL) from
updatable package scans.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/config/config.go b/config/config.go
@@ -243,9 +243,10 @@ type ServerInfo struct {
 	IgnorePkgsRegexp   []string                    `toml:"ignorePkgsRegexp,omitempty" json:"ignorePkgsRegexp,omitempty"`
 	UUIDs              map[string]string           `toml:"uuids,omitempty" json:"uuids,omitempty"`
 	Memo               string                      `toml:"memo,omitempty" json:"memo,omitempty"`
-	Enablerepo         []string                    `toml:"enablerepo,omitempty" json:"enablerepo,omitempty"` // For CentOS, Alma, Rocky, RHEL, Amazon
-	Optional           map[string]any              `toml:"optional,omitempty" json:"optional,omitempty"`     // Optional key-value set that will be outputted to JSON
-	Lockfiles          []string                    `toml:"lockfiles,omitempty" json:"lockfiles,omitempty"`   // ie) path/to/package-lock.json
+	Enablerepo         []string                    `toml:"enablerepo,omitempty" json:"enablerepo,omitempty"`   // For CentOS, Alma, Rocky, RHEL, Amazon, Fedora
+	Disablerepo        []string                    `toml:"disablerepo,omitempty" json:"disablerepo,omitempty"` // For CentOS, Alma, Rocky, RHEL, Amazon, Fedora
+	Optional           map[string]any              `toml:"optional,omitempty" json:"optional,omitempty"`       // Optional key-value set that will be outputted to JSON
+	Lockfiles          []string                    `toml:"lockfiles,omitempty" json:"lockfiles,omitempty"`     // ie) path/to/package-lock.json
 	FindLock           bool                        `toml:"findLock,omitempty" json:"findLock,omitempty"`
 	FindLockDirs       []string                    `toml:"findLockDirs,omitempty" json:"findLockDirs,omitempty"`
 	Type               string                      `toml:"type,omitempty" json:"type,omitempty"` // "pseudo" or ""
diff --git a/config/tomlloader.go b/config/tomlloader.go
@@ -124,6 +124,10 @@ func (c TOMLLoader) Load(pathToToml string) error {
 			}
 		}
 
+		if len(server.Disablerepo) == 0 {
+			server.Disablerepo = Conf.Default.Disablerepo
+		}
+
 		if server.PortScan.ScannerBinPath != "" {
 			server.PortScan.IsUseExternalScanner = true
 		}
diff --git a/saas/uuid.go b/saas/uuid.go
@@ -191,6 +191,10 @@ func cleanForTOMLEncoding(server config.ServerInfo, def config.ServerInfo) confi
 		server.Enablerepo = nil
 	}
 
+	if reflect.DeepEqual(server.Disablerepo, def.Disablerepo) {
+		server.Disablerepo = nil
+	}
+
 	for k, v := range def.Optional {
 		if vv, ok := server.Optional[k]; ok && v == vv {
 			delete(server.Optional, k)
diff --git a/scanner/redhatbase.go b/scanner/redhatbase.go
@@ -788,6 +788,9 @@ func (o *redhatBase) scanUpdatablePackages() (models.Packages, error) {
 	for _, repo := range o.getServerInfo().Enablerepo {
 		cmd += " --enablerepo=" + repo
 	}
+	for _, repo := range o.getServerInfo().Disablerepo {
+		cmd += " --disablerepo=" + repo
+	}
 
 	r := o.exec(util.PrependProxyEnv(cmd), o.sudo.repoquery())
 	if !r.isSuccess() {
diff --git a/subcmds/discover.go b/subcmds/discover.go
@@ -205,6 +205,8 @@ func printConfigToml(ips []string) (err error) {
 #containerType      = "docker" #or "lxd" or "lxc" default: docker
 #containersIncluded = ["${running}"]
 #containersExcluded = ["container_name_a"]
+#enablerepo         = ["base", "updates"] # For RHEL-family. Currently only "base" and "updates" are allowed
+#disablerepo        = ["epel"] # For RHEL-family
 
 # https://vuls.io/docs/en/config.toml.html#servers-section
 [servers]
@@ -231,6 +233,8 @@ host                = "{{$ip}}"
 #containerType      = "docker" #or "lxd" or "lxc" default: docker
 #containersIncluded = ["${running}"]
 #containersExcluded = ["container_name_a"]
+#enablerepo         = ["base", "updates"] # For RHEL-family. Currently only "base" and "updates" are allowed
+#disablerepo        = ["epel"] # For RHEL-family
 #confidenceScoreOver = 80
 
 #[servers.{{index $names $i}}.containers.container_name_a]

Original file line number	Diff line number	Diff line change
`@@ -124,6 +124,10 @@ func (c TOMLLoader) Load(pathToToml string) error {`
`124`	`124`	`}`
`125`	`125`	`}`
`126`	`126`
	`127`	`+ if len(server.Disablerepo) == 0 {`
	`128`	`+ server.Disablerepo = Conf.Default.Disablerepo`
	`129`	`+ }`
	`130`	`+`
`127`	`131`	`if server.PortScan.ScannerBinPath != "" {`
`128`	`132`	`server.PortScan.IsUseExternalScanner = true`
`129`	`133`	`}`
Original file line number	Diff line number	Diff line change
`@@ -788,6 +788,9 @@ func (o *redhatBase) scanUpdatablePackages() (models.Packages, error) {`
`788`	`788`	`for _, repo := range o.getServerInfo().Enablerepo {`
`789`	`789`	`cmd += " --enablerepo=" + repo`
`790`	`790`	`}`
	`791`	`+ for _, repo := range o.getServerInfo().Disablerepo {`
	`792`	`+ cmd += " --disablerepo=" + repo`
	`793`	`+ }`
`791`	`794`
`792`	`795`	`r := o.exec(util.PrependProxyEnv(cmd), o.sudo.repoquery())`
`793`	`796`	`if !r.isSuccess() {`