Open rahul-subash opened 1 year ago
Hello,
We are planning on adding options to specify baseline / suppression files to this task soon. For the time being, you can take advantage of the fact that the
As for credscan, can you please provide an example / file of something you'd expect to trigger a failure? Thanks!
Hi @boAndron ,
You can find the example Python file with the password hardcoded in the below screenshot
Looking forward to your suggestions.
Hello @rahul-subash! I will send this to the CredScan team, but if I remember correctly this is by design. Some strings like "test_password" (and variants) are intentionally ignored to avoid false positives on test data. Try a random string and see if you get a hit. I'll circle back when I have a response from CredScan.
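To make the "by design" behaviour concrete, here is an added illustration (not CredScan's own code or rules) of how a credential scanner can skip obvious test placeholders while still flagging a real-looking literal. The placeholder list and the assignment pattern are assumptions modelled on the `test_password` example above; the sample Python lines are constructed for the demo.

```python
import re

# Assumed rule: an assignment whose variable name suggests a credential and
# whose right-hand side is a quoted string literal. Non-literal values
# (os.environ lookups, function calls) are deliberately not matched.
PASSWORD_ASSIGNMENT = re.compile(
    r"(?P<name>\w*(?:password|passwd|pwd|secret)\w*)\s*=\s*(?P<q>['\"])(?P<value>.*?)(?P=q)",
    re.IGNORECASE,
)

# Assumed allow-list of placeholder values that a scanner ignores to avoid
# false positives on test data (modelled on the thread's "test_password").
IGNORED_VALUES = {"test_password", "password", "changeme", "placeholder", ""}
IGNORED_PREFIXES = ("test_", "dummy_", "fake_")


def is_placeholder(value: str) -> bool:
    """True when the literal looks like intentional test/dummy data."""
    v = value.lower()
    return v in IGNORED_VALUES or v.startswith(IGNORED_PREFIXES)


def scan_lines(lines):
    """Return (line_no, variable, value) for every credential-looking literal
    that is not an allow-listed placeholder."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = PASSWORD_ASSIGNMENT.search(line)
        if not m:
            continue
        value = m.group("value")
        if is_placeholder(value):
            continue  # ignored by design, as described in the thread
        findings.append((n, m.group("name"), value))
    return findings


# Constructed sample file contents; only line 3 should be reported.
SAMPLE_PY = [
    'import os',
    'test_password = "test_password"',         # placeholder: ignored
    'admin_password = "Hunter2!xK9"',           # constructed real-looking value: flagged
    'db_password = os.environ["DB_PASSWORD"]',  # not a literal: not matched
    'api_secret = "dummy_value"',               # prefix allow-list: ignored
    'if password == "":',                       # comparison, not an assignment
]

if __name__ == "__main__":
    for line_no, name, value in scan_lines(SAMPLE_PY):
        print(f"line {line_no}: hardcoded credential in {name!r}: {value!r}")
```

Running the block reports only the `admin_password` line, which is why swapping the placeholder for a random string produces a hit while `test_password` does not.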
Hi @boAndron,
It worked fine now after changing the password.
Regarding the suppression file, I have followed your instruction by renaming our suppression file from `credscan-suppressions.json` to `.gdnsuppress`, created a folder `(Build.SourcesDirectory)/../.gdn`, and moved the suppression file `.gdnsuppress` to `(Build.SourcesDirectory)/../.gdn`. It didn't work.
When I checked the pipeline console I noticed this, where the yellow highlighted path is the `Build.SourcesDirectory`; then I came to know that the `.gdn` folder is in the root path. So I moved the `.gdnsuppress` file to `(Build.SourcesDirectory)/.gdn`, but that didn't work either.
All I doubt is the format of the suppression file. We have the suppression file in JSON format. May I know whether the JSON format is fine for the `.gdnsuppress` file?
Looking forward to your suggestions.
@rahul-subash @boAndron - Hey, are you able to suppress cred scan false positives? I'm using the ADO task `MicrosoftSecurityDevOps@1`. Are you also using the same task, and did you also try suppressing the cred scan results? Can you please share how you are suppressing it? Thanks
Hi @aakanshaverma1310,
I'm able to suppress the credscan results. You have to create a folder named `.gdn` at the root of your repository and create a file named `.gdnsuppress`. Please follow the instructions in this comment to configure the `.gdnsuppress` file content. The tool will by default check for the file `/.gdn/.gdnsuppress`; if present, it will consider this the suppression file.
Welcome
Previously, when using the Microsoft Security Code Analysis (MSCA) extension for Cred Scan, it failed to detect the passwords in Python (*.py) files, so we planned to migrate to the `MicrosoftSecurityDevOps` extension, but it still fails to detect the password in Python files. Also, is there any option to specify the suppressions file path, which was available in Microsoft Security Code Analysis (MSCA)?
Looking forward to your suggestions.