Filter rules can be used not only to scan resources, but also to ignore them.
Both inclusion and exclusion logic are supported.
Filter rules let you build complex expressions that include or exclude a set of resources in your workflow. They are powered by the JMESPath expression language.
Filter rules could be passed to
scan cmd with
You could also use the environment variable
The filter rule syntax is JMESPath.
Filters are applied to a normalized struct that contains the following fields:
- Type: Type of the resource, e.g.
- Id: Id of the resource, e.g.
- Attr: Contains all of the resource's attributes (check pkg/resource/aws/aws_s3_bucket.go for a full list of supported attributes of a bucket)