Contact Details
abligh@mwiah.co.uk
What happened?
Description
The --iac-security-filter flag no longer excludes directories from IaC scans after upgrading to plugin version 3.0.22. The filter was working correctly on plugin 3.0.21 (CLI 2.3.41) and stopped working when 3.0.22 (CLI 2.3.48) was released on April 16, 2026.
Steps to Reproduce
Configure a Checkmarx AST@3 pipeline task with the following in additionalParams:
--iac-security-filter "!helm/"
Run the scan against a repository that contains a helm/ directory with Kubernetes/Helm values YAML files.
Observe that IaC findings are still reported for files inside the helm/ directory.
Expected Behaviour
Files matching the !helm/ exclusion pattern should be excluded from IaC security scanning, as was the case with plugin 3.0.21 (CLI 2.3.41).
Actual Behaviour
The filter is accepted and parsed correctly (visible in pipeline logs), but has no effect. IaC findings from helm/*.yml files are still reported.
Pipeline log showing the parameter is being passed:
Additional parameters refined: --threshold,"sast-high=1; sast-medium=30; sca-high=1; iac-security-high=1",--iac-security-filter,"!helm/",--sca-hide-dev-test-dependencies
Additional parameter: --iac-security-filter
Additional parameter: "!helm/"
This output is identical between the last working scan (plugin 3.0.21) and the failing scan (plugin 3.0.22).
Environment
Plugin version (working): 3.0.21 (CLI 2.3.41)
Plugin version (broken): 3.0.22 (CLI 2.3.48)
Agent: Azure DevOps
Last successful scan: Thursday April 17, 2026
First failing scan: Friday April 18, 2026
Additional Context
No changes were made to the pipeline configuration, templates, or repository between the working and broken scans.
Multiple repositories using the same shared pipeline template are affected.
We have also tested alternative filter syntaxes (!helm, !helm/**, unquoted !helm/*) -- none have any effect.
The issue appears to be a regression in how the CLI (2.3.48) processes the --iac-security-filter flag for directory exclusion patterns.
Version
3.0.22 (CLI 2.3.48)
Operating System & Version
Windows 7
Specify Other OS Version
No response
Relevant log output
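An added example, not part of the original report and not Checkmarx code: a post-scan guard a pipeline could run to detect this regression by flagging IaC findings whose files sit under a directory that `--iac-security-filter` was meant to exclude. The function names, the sample paths and the matching semantics (a `!` entry excludes a directory relative to the repository root) are assumptions made for illustration. How finding paths are extracted from the scan results is left to the pipeline.

```python
from pathlib import PurePosixPath


def excluded_dirs(filter_arg):
    """Directories named by '!'-prefixed entries of the filter value (assumed semantics)."""
    dirs = []
    for entry in filter_arg.split(","):
        entry = entry.strip().strip('"')
        if not entry.startswith("!"):
            continue  # include patterns are out of scope for this guard
        # Reduce '!helm', '!helm/', '!helm/*' and '!helm/**' to the bare directory.
        name = entry[1:].replace("\\", "/").rstrip("*").strip("/")
        if not name or "*" in name:
            continue  # file globs such as '!*.tf' are not directory exclusions
        dirs.append(PurePosixPath(name).parts)
    return dirs


def leaked_findings(finding_paths, filter_arg):
    """Return finding paths that lie under an excluded directory."""
    dirs = excluded_dirs(filter_arg)
    leaks = []
    for raw in finding_paths:
        # Normalise Windows separators and a leading '/' or './' before comparing.
        parts = PurePosixPath(raw.replace("\\", "/").lstrip("/")).parts
        # Compare whole path components so 'helmfile/' is not mistaken for 'helm/'.
        if any(parts[: len(d)] == d for d in dirs):
            leaks.append(raw)
    return leaks


# Constructed sample: file paths as they might appear in IaC findings.
SAMPLE_FINDINGS = [
    "helm/values-prod.yml",
    "/helm/templates/deploy.yml",
    "terraform/main.tf",
    "helmfile/values.yml",
    "helm\\values-dev.yml",
]

if __name__ == "__main__":
    leaks = leaked_findings(SAMPLE_FINDINGS, '"!helm/"')
    for path in leaks:
        print(f"finding reported under excluded directory: {path}")
    raise SystemExit(1 if leaks else 0)
```

A non-zero exit marks the pipeline step as failed, so the regression is visible in every repository that shares the template rather than only where someone reads the findings.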