How to have different skip files/dirs configurations per scanner?

[melkamar]

Question

I want to scan my built Docker image for vulnerabilities as well as misconfigurations. However, I do not want to scan misconfigurations in the vendor directory with 3rdparty code. I still want to scan vulnerabilities though.

This is a minimal config:

scan:
  scanners:
    - vuln
    - misconfig

  skip-dirs:
    - /app/vendor

When I use this, then neither misconfig nor vuln scanners touch the /app/vendor directory. That is a problem, because the vuln would report:

app/vendor/composer/installed.json (composer-vendor)

Total: 2 (HIGH: 1, CRITICAL: 1)
...

If I do not skip that dir, then I get these false misconfig reports:

app/vendor/emag-tech-labs/messenger-mongo-bundle/docker/Dockerfile (dockerfile)

Tests: 21 (SUCCESSES: 20, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

which is also not correct - I do not care about the Dockerfile of a 3rdparty package.

So, how can I define the skip-dirs directive only for the misconfig scanner? Or is my only option to run the scan twice, with completely different config files?

Target

Container Image

Scanner

Misconfiguration

Output Format

Table

Mode

Standalone

Operating System

macos

Version

Version: 0.58.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-09-24 06:25:26.717251712 +0000 UTC
  NextUpdate: 2025-09-25 06:25:26.717251552 +0000 UTC
  DownloadedAt: 2025-09-24 12:21:06.920331 +0000 UTC
Check Bundle:
  Digest: sha256:a471e90b7c7335e914ec9075b74cf8f65e4c91e6cecfa7e39c587382808d2684
  DownloadedAt: 2025-09-24 12:59:43.29607 +0000 UTC

[simar7]

Or is my only option to run the scan twice, with completely different config files?

At the moment we don't differentiate options between different scanners so this is true.

[melkamar]

Alright, thanks!