Conversation

@sheikhshaheerimran
Contributor

Add --out-of-scope and --out-of-scope-file flags to exclude domains
from scanning. Supports wildcard patterns (e.g., *.staging.example.com)

Closes #867

  Add --out-of-scope and --out-of-scope-file flags to exclude domains
  from scanning. Supports wildcard patterns (e.g., *.stg.example.com)
@gemini-code-assist
Contributor

Summary of Changes

Hello @sheikhshaheerimran, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the scanning tool by providing a robust mechanism to define and enforce out-of-scope domains. This feature allows users to precisely control which targets are scanned, preventing unintended operations on excluded environments and improving the focus and efficiency of security assessments. It offers flexibility through both direct input and file-based exclusion lists, accommodating various use cases.

Highlights

  • New Out-of-Scope Filtering Options: Introduced --out-of-scope and --out-of-scope-file command-line flags to allow users to specify domains that should be excluded from scanning. These options support wildcard patterns (e.g., *.example.com).
  • Integrated Filtering Logic: The new out-of-scope filtering is integrated across various scanning modes, including single URL, raw data, HAR file processing, and piped input, ensuring that excluded targets are consistently skipped.
  • Dedicated Optimization Package: A new internal optimization package has been added, containing IsOutOfScope and FilterOutOfScopeTargets functions to handle the domain exclusion logic efficiently, including parsing URLs and matching patterns.
  • Comprehensive Unit Tests: New unit tests have been added for the domain optimization logic, covering various scenarios for exact and wildcard domain matching, ensuring the reliability of the out-of-scope filtering.


@sheikhshaheerimran
Contributor Author

@hahwul requesting your review

Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces a new feature to exclude domains from scanning using --out-of-scope and --out-of-scope-file flags. The implementation is solid and includes comprehensive tests for the new logic. My feedback focuses on minor code improvements to reduce redundancy and improve maintainability. I've pointed out a couple of places where a redundant check can be removed, and also suggested refactoring duplicated code into a helper function for better code reuse.

Comment on lines +182 to +184
if len(options.OutOfScope) > 0 {
targets = optimization.FilterOutOfScopeTargets(options, targets)
}
Contributor


medium

The optimization.FilterOutOfScopeTargets function already checks if options.OutOfScope is empty and returns early. This outer if condition is therefore redundant and can be removed to simplify the code.

targets = optimization.FilterOutOfScopeTargets(options, targets)

Comment on lines +62 to +64
if len(options.OutOfScope) > 0 {
targets = optimization.FilterOutOfScopeTargets(options, targets)
}
Contributor


medium

The optimization.FilterOutOfScopeTargets function already checks if options.OutOfScope is empty and returns early. This outer if condition is therefore redundant and can be removed to simplify the code.

targets = optimization.FilterOutOfScopeTargets(options, targets)

Comment on lines +27 to +30
if optimization.IsOutOfScope(options, args[0]) {
printing.DalLog("INFO", "Target is out of scope, skipping", options)
return
}
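Review bot: the INFO message on the second line of this block does not name the target that is being skipped, so a run that drops args[0] leaves no record of which host was excluded; consider including the target in the log, e.g. printing.DalLog("INFO", "Target is out of scope, skipping: "+args[0], options), so that scope exclusions are auditable in the scan output.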
Contributor


medium

This out-of-scope check logic is duplicated across multiple command files (url.go, sxss.go, pipe.go, file.go). To improve maintainability and reduce code duplication, consider extracting this into a shared helper function within the cmd package. For example:

func isTargetOutOfScope(options model.Options, target string) bool {
	if optimization.IsOutOfScope(options, target) {
		printing.DalLog("INFO", "Target is out of scope, skipping", options)
		return true
	}
	return false
}

Then you could simplify this block to:

if isTargetOutOfScope(options, args[0]) {
    return
}

@codecov

codecov bot commented Jan 1, 2026

Codecov Report

❌ Patch coverage is 93.33333% with 2 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
internal/optimization/inspectionDomain.go 93.33% 1 Missing and 1 partial ⚠️


Owner

@hahwul hahwul left a comment


Looks good! Approved.

@hahwul
Owner

hahwul commented Jan 1, 2026

Test

./dalfox file ./samples/sample_target.txt --out-of-scope "*.hahwul.com"

# www.hahwul.com was skipped
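The wildcard scope matching described in the Highlights and exercised by the test run above, as an added example that is not dalfox's own code: an assumed Go reimplementation of IsOutOfScope that parses the host out of each target (URL or bare domain, port and trailing dot stripped) and matches patterns on label boundaries, so "*.hahwul.com" skips www.hahwul.com without also excluding the apex or a look-alike such as nothahwul.com. The function name mirrors the PR; the wildcard semantics are an assumption, not the project's.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// hostOf returns the lowercase host of a URL or bare domain, minus port and trailing dot.
func hostOf(target string) string {
	t := strings.TrimSpace(target)
	if !strings.Contains(t, "://") {
		t = "http://" + t // a bare domain would otherwise parse as a path, not a host
	}
	u, err := url.Parse(t)
	if err != nil {
		return ""
	}
	return strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
}

// matchesPattern: exact host, or "*.suffix" covering subdomains of suffix only
// (assumed semantics). Keeping the leading dot matches on a label boundary, so
// "*.hahwul.com" excludes www.hahwul.com but not nothahwul.com or hahwul.com itself.
func matchesPattern(host, pattern string) bool {
	p := strings.ToLower(strings.TrimSpace(pattern))
	if strings.HasPrefix(p, "*.") {
		suffix := p[1:] // ".hahwul.com"
		return len(host) > len(suffix) && strings.HasSuffix(host, suffix)
	}
	return host == p
}

// IsOutOfScope reports whether target's host matches any pattern; unparsable targets are never excluded.
func IsOutOfScope(patterns []string, target string) bool {
	host := hostOf(target)
	for _, p := range patterns {
		if host != "" && matchesPattern(host, p) {
			return true
		}
	}
	return false
}

func main() { // constructed sample targets; "*.hahwul.com" mirrors the run above
	for _, t := range []string{"https://www.hahwul.com/?q=1", "http://api.hahwul.com:8080/x",
		"https://hahwul.com/", "https://nothahwul.com/", "EXAMPLE.com."} {
		fmt.Println(IsOutOfScope([]string{"*.hahwul.com"}, t), t)
	}
}
```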

@hahwul hahwul merged commit 28b341f into hahwul:main Jan 1, 2026
8 checks passed
Development

Successfully merging this pull request may close these issues.

Add --out-of-scope Domain Filtering Option