diff --git a/attestation/file/file.go b/attestation/file/file.go
index 4f30cfc6..6dfef363 100644
--- a/attestation/file/file.go
+++ b/attestation/file/file.go
@@ -100,12 +100,19 @@ func shouldRecord(path string, artifact cryptoutil.DigestSet, baseArtifacts map[
 superInclude = true
 }
+ excludeGlobNothing := false
+ if _, ok := excludeGlob.(match.Nothing); ok {
+ excludeGlobNothing = true
+ }
+
 includePath := true
- if excludeGlob != nil && excludeGlob.Match(path) {
+ if (excludeGlob != nil && excludeGlob.Match(path)) {
 includePath = false
 }
 if !(superInclude && !includePath) && includeGlob != nil && includeGlob.Match(path) {
 includePath = true
+ } else if excludeGlobNothing {
+ includePath = false
 }
 if !includePath {
diff --git a/attestation/file/file_test.go b/attestation/file/file_test.go
index 73344bff..96662e3a 100644
--- a/attestation/file/file_test.go
+++ b/attestation/file/file_test.go
@@ -38,13 +38,13 @@ func TestBrokenSymlink(t *testing.T) {
 symTestDir := filepath.Join(dir, "symTestDir")
 require.NoError(t, os.Symlink(testDir, symTestDir))
- _, err := RecordArtifacts(dir, map[string]cryptoutil.DigestSet{}, []cryptoutil.DigestValue{{Hash: crypto.SHA256}}, map[string]struct{}{})
+ _, err := RecordArtifacts(dir, map[string]cryptoutil.DigestSet{}, []cryptoutil.DigestValue{{Hash: crypto.SHA256}}, map[string]struct{}{}, nil, nil)
 require.NoError(t, err)
 // remove the symlinks and make sure we don't get an error back
 require.NoError(t, os.RemoveAll(testDir))
 require.NoError(t, os.RemoveAll(testFile))
- _, err = RecordArtifacts(dir, map[string]cryptoutil.DigestSet{}, []cryptoutil.DigestValue{{Hash: crypto.SHA256}}, map[string]struct{}{})
+ _, err = RecordArtifacts(dir, map[string]cryptoutil.DigestSet{}, []cryptoutil.DigestValue{{Hash: crypto.SHA256}}, map[string]struct{}{}, nil, nil)
 require.NoError(t, err)
 }
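Review bot: In shouldRecord (attestation/file/file.go), the new `else if excludeGlobNothing` branch sets `includePath = false` for every path the include glob did not match whenever the exclude glob is a `match.Nothing`, and that includes the case where `includeGlob` is nil, so such a configuration appears to record no files at all. The recorded set is what an attestation consumer later relies on, so a silent narrowing like this should be stated in a comment above the branch if it is intended, for example `// an exclude glob of match.Nothing means: record only paths matched by includeGlob`. It should also be covered by a test that passes non-nil globs, since the updated calls in file_test.go all pass `nil, nil` and never reach this branch. The parentheses added around `excludeGlob != nil && excludeGlob.Match(path)` change nothing and gofmt would strip them again. The function body starts and ends outside the hunk, so how the two globs are compiled and what follows `if !includePath {` is not visible here.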
@@ -58,6 +58,6 @@ func TestSymlinkCycle(t *testing.T) {
 require.NoError(t, os.Symlink(dir, symTestDir))
 // if a symlink cycle weren't properly handled this would be an infinite loop
- _, err := RecordArtifacts(dir, map[string]cryptoutil.DigestSet{}, []cryptoutil.DigestValue{{Hash: crypto.SHA256}}, map[string]struct{}{})
+ _, err := RecordArtifacts(dir, map[string]cryptoutil.DigestSet{}, []cryptoutil.DigestValue{{Hash: crypto.SHA256}}, map[string]struct{}{}, nil, nil)
 require.NoError(t, err)
 }