Sometimes, Soteri Scanning can flag things which are not actually of concern. Though Soteri is always working to reduce false positives, in the meantime, you can disposition these false positives in your content by using an in-line allow-list pragma. These pragmas will not hide the finding in your scanning service results, but will set the allowlisted boolean in the finding to true.

List of supported pragmas

  • # pragma: allowlist-secret

  • // pragma: allowlist-secret

  • /* pragma: allowlist-secret */

  • ' pragma: allowlist-secret

  • <!-- pragma: allowlist-secret -->

To construct an allowlist pragma, insert one of the above lines exactly as shown as part of a comment that resides on the same line as the false positive.

There must also be a space between the code and either side of the pragma.

For ease of use, the pragma delimiters are chosen to be comment delimiters for a wide variety of environments.

Python allow-listing example

API_KEY = "my-secret-that-is-not-a-secret" # pragma: allowlist-secret
CODE

Java allow-listing example

String myApprovedSecret = "ThisIsAnExampleSecret"; // pragma: allowlist-secret not actually a secret
CODE

C++ allow-listing example

int key = theSecretCredential; /* pragma: allowlist-secret */
CODE

HTML allow-listing example

<input type='hidden' name='key' value='theSecretCredential' /> <!-- pragma: allowlist-secret -->
CODE

MySQL allow-listing example

select * from users where cred='theSecretCredential'; -- # pragma: allowlist-secret
CODE

In this example, we’re using the # approved pragma delimiter but embedding it in a single-line SQL comment delimited by --, so that this line is still functional. (Note the space between the -- and the #.)

XML example with embedded character data representing an executable MySQL command

<sometext>
    <![CDATA[
        select * from salaries where salary < theSecretCredential; -- # pragma: allowlist-secret
    ]]>
</sometext>
CODE

 

Make sure that the allow-listing is inline! Multi-line allow-listing is not supported.