microsoft / security-devops-azdevops

Microsoft Security DevOps extension for Azure DevOps.
MIT License

Global Exclusion/Suppression File Support/Format #40

Closed joelmusheno closed 1 year ago

joelmusheno commented 1 year ago

I'm using:

    - task: MicrosoftSecurityDevOps@1
      displayName: 'Secrets scanning with Microsoft Security DevOps'
      inputs:
        categories: 'secrets'
        break: true

I'd like to establish a baseline without halting my build.

I know I could simply turn break: false but I'm trying to stop any contributors from including. I'd like to follow the pattern that static analysis does with a suppression file (like GlobalSuppressions.cs for static code analysis).

I can't find any documentation on suppression lists/files, the only docs I can find point me to comments in line: #[SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine")] or #[SuppressMessage("Microsoft.Security", "CS002:SecretInLine")]

I have a few issues

  1. It's bad form to include // or /**/ in JSON files (of which we have many)
  2. I have false positives on a binary file, in which I can't write a comment

Does anyone have a way to specify files/lines to ignore outside of in-line comments?
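
One way to get the baseline the question asks for, as an added example that is not part of the original thread and not the extension's own suppressions mechanism (the one the maintainer links to below is separate and undocumented here): run the task with break: false, let it publish its SARIF log, then gate the build with a small script that compares the SARIF results against a JSON suppressions file kept in the repository. The suppressions file format, the gate script, the sample SARIF log and the rule id "CS002" used in it are all constructed for this illustration; the SARIF field names (runs, results, ruleId, physicalLocation, artifactLocation.uri, region.startLine) are standard SARIF 2.1.0. Because the file is matched by path and optional line, it covers the two cases inline comments cannot: JSON files and binary files.

```python
"""Hypothetical build gate: fail only on findings that are not listed in a
suppressions file. Added example, not code from microsoft/security-devops-azdevops.

Assumed inputs:
  * a SARIF 2.1.0 log written by the scanner (task run with break: false)
  * a JSON suppressions file: {"suppressions": [{"ruleId": ..., "file": <glob>,
    "line": <optional int>, "justification": <required str>}, ...]}
"""
import fnmatch
import json
import sys
from typing import Iterator, List, NamedTuple, Optional


class Finding(NamedTuple):
    rule_id: str
    path: str
    line: Optional[int]
    message: str


# Constructed sample SARIF log with three invented secrets findings
# (the rule id CS002 mirrors the category mentioned in the issue, nothing more).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "sample-secrets-scanner"}},
        "results": [
            {"ruleId": "CS002", "message": {"text": "Secret in line"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "./config/appsettings.json"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "CS002", "message": {"text": "Secret in binary"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "assets/logo.bin"}}}]},   # no region
            {"ruleId": "CS002", "message": {"text": "Secret in line"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/deploy.py"},
                 "region": {"startLine": 12}}}]},
        ],
    }],
}

# Constructed sample suppressions file: a JSON false positive pinned to a line,
# and a binary asset matched by glob because a comment cannot be placed in it.
SAMPLE_SUPPRESSIONS = {
    "suppressions": [
        {"ruleId": "CS002", "file": "config/appsettings.json", "line": 7,
         "justification": "placeholder value in sample config"},
        {"ruleId": "CS002", "file": "assets/*.bin",
         "justification": "binary asset, scanner false positive"},
    ]
}


def validate_suppressions(suppressions: dict) -> None:
    """Refuse a suppressions file whose entries lack a file glob or a justification."""
    for entry in suppressions.get("suppressions", []):
        if not entry.get("file") or not entry.get("justification"):
            raise ValueError("every suppression needs 'file' and 'justification': %r" % (entry,))


def iter_findings(sarif: dict) -> Iterator[Finding]:
    """Flatten a SARIF log into (ruleId, normalised path, line, message) tuples."""
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            phys = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = phys.get("artifactLocation", {}).get("uri", "")
            if uri.startswith("./"):
                uri = uri[2:]
            line = phys.get("region", {}).get("startLine")
            yield Finding(result.get("ruleId", ""), uri, line,
                          result.get("message", {}).get("text", ""))


def is_suppressed(finding: Finding, suppressions: dict) -> bool:
    """An entry matches on rule id (if given), file glob, and line (if given).
    fnmatch's '*' also crosses '/', so 'assets/*.bin' matches nested paths too."""
    for entry in suppressions.get("suppressions", []):
        if entry.get("ruleId") not in (None, finding.rule_id):
            continue
        if not fnmatch.fnmatch(finding.path, entry["file"]):
            continue
        if "line" in entry and entry["line"] != finding.line:
            continue
        return True
    return False


def unsuppressed_findings(sarif: dict, suppressions: dict) -> List[Finding]:
    validate_suppressions(suppressions)
    return [f for f in iter_findings(sarif) if not is_suppressed(f, suppressions)]


def gate(sarif_path: str, suppressions_path: str) -> int:
    """Exit code for the pipeline step: 1 if any finding survives the baseline."""
    with open(sarif_path) as fh:
        sarif = json.load(fh)
    with open(suppressions_path) as fh:
        suppressions = json.load(fh)
    remaining = unsuppressed_findings(sarif, suppressions)
    for f in remaining:
        print("%s %s:%s %s" % (f.rule_id, f.path, f.line if f.line is not None else "-", f.message))
    return 1 if remaining else 0


if __name__ == "__main__":
    sys.exit(gate(sys.argv[1], sys.argv[2]))
```

In the pipeline this runs as a script step after the MicrosoftSecurityDevOps task, with break: false on the task and the script's exit code doing the breaking instead; the suppressions file is reviewed like any other code change, and the mandatory justification field is what keeps the baseline from quietly growing.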

chrisnielsen-MS commented 1 year ago

Thank you for your feedback! We have plans to release a suppressions file feature in an upcoming release, but do not yet have an exact ETA on when it will be ready.

chrisnielsen-MS commented 1 year ago

Adding to this, although the official feature is not yet released/supported the mechanism for this is already in the codebase. Please see the instructions here for an example of how you can configure it early: https://github.com/microsoft/security-devops-azdevops/issues/38#issuecomment-1509461347