Include/Exclude
It is occasionally useful to ignore specific files in an image, for example if many temporary files are created which do not impact the static SBOM.
You can configure an include/exclude list on a per-container basis by setting the com.forallsecure.mdsbom.exclude and/or com.forallsecure.mdsbom.include annotations on the container.
Both annotations accept either a single glob or an array of glob strings formatted as a JSON array.
For example, both /tmp/**/*.tmp and ["**/*.jpg", "/tmp/**/*.tmp"] are valid values.
Please consult this reference for more details about the supported syntax.
By default, all files are included. If an exclude set is present, file accesses matching patterns in the exclude globset are ignored. If an exclude and include set are both present, the include set overrides the exclude set.
Put another way: files that match neither set are included by default, files that match only the exclude set are excluded, and files that match both the exclude and include sets are included.
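The precedence rules above, written out as an added example (not the tool's own code). The function names, the simplified glob matcher and the sample annotation values and paths are assumptions made for illustration.

```python
import json
import re

# Order matters: the longest token must be tried first.
TOKENS = [("**/", "(?:.*/)?"), ("**", ".*"), ("*", "[^/]*"), ("?", "[^/]")]

def parse_annotation(value):
    """Return the globs in an annotation: one glob, or a JSON array of globs."""
    try:
        parsed = json.loads(value)
    except json.JSONDecodeError:
        return [value]  # not JSON, so treat the whole string as a single glob
    if isinstance(parsed, list) and all(isinstance(g, str) for g in parsed):
        return parsed
    return [value]

def glob_to_regex(glob):
    """Simplified glob translation (assumption, not the tool's matcher):
    '**/' spans zero or more directories, '**' spans anything, and
    '*' / '?' stay inside one path component. Classes/braces are not handled."""
    out, i = [], 0
    while i < len(glob):
        for tok, rx in TOKENS:
            if glob.startswith(tok, i):
                break
        else:
            tok, rx = glob[i], re.escape(glob[i])  # literal character
        out.append(rx)
        i += len(tok)
    return re.compile("".join(out))

def matches(path, annotation):
    """True if the annotation is set and any of its globs matches the path."""
    if annotation is None:
        return False
    return any(glob_to_regex(g).fullmatch(path) for g in parse_annotation(annotation))

def is_tracked(path, exclude=None, include=None):
    """Included by default; exclude drops a match; include overrides exclude."""
    if matches(path, include):
        return True
    return not matches(path, exclude)

# Constructed sample values, not taken from a real container.
EXCLUDE = '["**/*.jpg", "/tmp/**/*.tmp"]'
INCLUDE = "/tmp/keep/**"
for p in ["/usr/lib/libssl.so.3", "/tmp/build/cache.tmp", "/tmp/keep/state.tmp"]:
    print(p, "tracked" if is_tracked(p, EXCLUDE, INCLUDE) else "ignored")
```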
Setting the annotations
These annotations can be set with e.g. the --annotation flag to Docker/Podman.