ShiftLeftSecurity / sast-scan

Scan is a free & Open Source DevSecOps tool for performing static analysis based security testing of your applications and its dependencies. CI and Git friendly.
https://discord.gg/DCNxzaeUpd
Apache License 2.0

False Positive Handling #348

Open DanArlowski opened 3 years ago

DanArlowski commented 3 years ago

I couldn't find any info on this in the docs. credscan fails on false positives (on SVG images, to be precise). Is there any way I can flag files as false positives, maybe a .scanignore or something like that?

prabhu commented 3 years ago

@DanArlowski For credscan there is a bundled config that is used. You can send a PR adding svg to the extensions shown here:

https://github.com/ShiftLeftSecurity/sast-scan/blob/master/tools_config/credscan-config.toml#L587

Or you can set the environment variable CREDSCAN_CONFIG pointing to the directory (relative to the docker image) containing your custom credscan config file.