From 92a67d19f80034f896cf4bfe93fd6dd64427c295 Mon Sep 17 00:00:00 2001
From: MaineK00n
Date: Tue, 19 May 2026 17:37:55 +0900
Subject: [PATCH] feat(scanner): support disablerepo option for yum/dnf
Add Disablerepo config field so users can pass --disablerepo= to repoquery on RHEL-family hosts, mirroring the existing Enablerepo option. Useful for excluding third-party repos (e.g. EPEL) from updatable package scans.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 config/config.go | 7 ++++---
 config/tomlloader.go | 4 ++++
 saas/uuid.go | 4 ++++
 scanner/redhatbase.go | 3 +++
 subcmds/discover.go | 4 ++++
 5 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/config/config.go b/config/config.go
index c6f0a94684..9d179320bf 100644
--- a/config/config.go
+++ b/config/config.go
@@ -243,9 +243,10 @@ type ServerInfo struct { IgnorePkgsRegexp []string `toml:"ignorePkgsRegexp,omitempty" json:"ignorePkgsRegexp,omitempty"` UUIDs map[string]string `toml:"uuids,omitempty" json:"uuids,omitempty"` Memo string `toml:"memo,omitempty" json:"memo,omitempty"` - Enablerepo []string `toml:"enablerepo,omitempty" json:"enablerepo,omitempty"` // For CentOS, Alma, Rocky, RHEL, Amazon - Optional map[string]any `toml:"optional,omitempty" json:"optional,omitempty"` // Optional key-value set that will be outputted to JSON - Lockfiles []string `toml:"lockfiles,omitempty" json:"lockfiles,omitempty"` // ie) path/to/package-lock.json + Enablerepo []string `toml:"enablerepo,omitempty" json:"enablerepo,omitempty"` // For CentOS, Alma, Rocky, RHEL, Amazon, Fedora + Disablerepo []string `toml:"disablerepo,omitempty" json:"disablerepo,omitempty"` // For CentOS, Alma, Rocky, RHEL, Amazon, Fedora + Optional map[string]any `toml:"optional,omitempty" json:"optional,omitempty"` // Optional key-value set that will be outputted to JSON + Lockfiles []string `toml:"lockfiles,omitempty" json:"lockfiles,omitempty"` // ie) path/to/package-lock.json FindLock bool `toml:"findLock,omitempty" json:"findLock,omitempty"` FindLockDirs []string `toml:"findLockDirs,omitempty" json:"findLockDirs,omitempty"` Type string `toml:"type,omitempty" json:"type,omitempty"` // "pseudo" or "" diff --git a/config/tomlloader.go b/config/tomlloader.go index 642d98a8db..e8ef261f22 100644 --- a/config/tomlloader.go +++ b/config/tomlloader.go @@ -124,6 +124,10 @@ func (c TOMLLoader) Load(pathToToml string) error { } } + if len(server.Disablerepo) == 0 { + server.Disablerepo = Conf.Default.Disablerepo + } + if server.PortScan.ScannerBinPath != "" { server.PortScan.IsUseExternalScanner = true } diff --git a/saas/uuid.go b/saas/uuid.go index ec26291057..a953743aba 100644 --- a/saas/uuid.go +++ b/saas/uuid.go 
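Review bot: The `Disablerepo` values loaded in the config/tomlloader.go hunk get only a default fallback and no validation, and the scanner/redhatbase.go hunk then appends each one to the repoquery command with `cmd += " --disablerepo=" + repo` before `o.exec(util.PrependProxyEnv(cmd), o.sudo.repoquery())` runs it. If exec hands that string to a shell, as the string-built command suggests, a value containing whitespace or shell metacharacters changes what is executed on the scanned host, possibly under sudo, so config.toml content becomes command content. The template text added in subcmds/discover.go says enablerepo is limited to "base" and "updates", which suggests an allow-list exists for that field outside these hunks; Disablerepo cannot reuse a fixed list because arbitrary repo ids are the point of the option. I would reject anything that is not a plain repository id at load time, as sketched below, and shell-quote the value in scanUpdatablePackages instead if globs such as `epel*` must be supported. Load's body starts and ends outside the hunk.

```go
// package level in config/tomlloader.go
var repoIDPattern = regexp.MustCompile(`^[A-Za-z0-9._:-]+$`)

// … unchanged: Disablerepo default fallback added by this commit …
for _, repo := range server.Disablerepo {
	if !repoIDPattern.MatchString(repo) {
		return fmt.Errorf("disablerepo: invalid repository id %q", repo)
	}
}
```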
@@ -191,6 +191,10 @@ func cleanForTOMLEncoding(server config.ServerInfo, def config.ServerInfo) confi server.Enablerepo = nil } + if reflect.DeepEqual(server.Disablerepo, def.Disablerepo) { + server.Disablerepo = nil + } + for k, v := range def.Optional { if vv, ok := server.Optional[k]; ok && v == vv { delete(server.Optional, k) diff --git a/scanner/redhatbase.go b/scanner/redhatbase.go index 93a44ae560..2d1fdd4494 100644 --- a/scanner/redhatbase.go +++ b/scanner/redhatbase.go @@ -788,6 +788,9 @@ func (o *redhatBase) scanUpdatablePackages() (models.Packages, error) { for _, repo := range o.getServerInfo().Enablerepo { cmd += " --enablerepo=" + repo } + for _, repo := range o.getServerInfo().Disablerepo { + cmd += " --disablerepo=" + repo + } r := o.exec(util.PrependProxyEnv(cmd), o.sudo.repoquery()) if !r.isSuccess() { diff --git a/subcmds/discover.go b/subcmds/discover.go index 68231a21b2..b2409d43e3 100644 --- a/subcmds/discover.go +++ b/subcmds/discover.go @@ -205,6 +205,8 @@ func printConfigToml(ips []string) (err error) { #containerType = "docker" #or "lxd" or "lxc" default: docker #containersIncluded = ["${running}"] #containersExcluded = ["container_name_a"] +#enablerepo = ["base", "updates"] # For RHEL-family. Currently only "base" and "updates" are allowed +#disablerepo = ["epel"] # For RHEL-family # https://vuls.io/docs/en/config.toml.html#servers-section [servers] @@ -231,6 +233,8 @@ host = "{{$ip}}" #containerType = "docker" #or "lxd" or "lxc" default: docker #containersIncluded = ["${running}"] #containersExcluded = ["container_name_a"] +#enablerepo = ["base", "updates"] # For RHEL-family. Currently only "base" and "updates" are allowed +#disablerepo = ["epel"] # For RHEL-family #confidenceScoreOver = 80 #[servers.{{index $names $i}}.containers.container_name_a]
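Review bot: The sample line `#disablerepo = ["epel"] # For RHEL-family` in both template hunks of subcmds/discover.go does not say what disabling a repo costs the scan. The scanner/redhatbase.go hunk passes the flag to the repoquery call in scanUpdatablePackages, so packages installed from a disabled repo will presumably stop showing available updates, which an operator reading the report could mistake for being up to date. I would extend the comment in both places to `# For RHEL-family. Updates from these repos are not reported`. printConfigToml's template continues outside the hunks.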