Allow-listing False Positives
Sometimes, Soteri Scanning flags content that is not actually of concern. Although Soteri is always working to reduce false positives, in the meantime you can disposition these false positives in your content with an in-line allow-list pragma. The pragma does not hide the finding from your scanning service results; it sets the finding's allowlisted boolean to true.
List of supported pragmas
# pragma: allowlist-secret
// pragma: allowlist-secret
/* pragma: allowlist-secret */
' pragma: allowlist-secret
<!-- pragma: allowlist-secret -->
To construct an allowlist pragma, insert one of the above lines exactly as shown as part of a comment that resides on the same line as the false positive.
There must also be a space between the code and either side of the pragma.
For ease of use, the pragma delimiters are chosen to be comment delimiters for a wide variety of environments.
Python allow-listing example
API_KEY = "a0b1c2d3e4f5g6h7i8j9k0lMnOpQrStUvW" # pragma: allowlist-secret
Java allow-listing example
String myApprovedSecret = "ThisIsAnExampleSecret"; // pragma: allowlist-secret not actually a secret
C++ allow-listing example
int key = theSecretCredential; /* pragma: allowlist-secret */
HTML allow-listing example
<input type='hidden' name='key' value='theSecretCredential' /> <!-- pragma: allowlist-secret -->
MySQL allow-listing example
select * from users where cred='theSecretCredential'; -- # pragma: allowlist-secret
In this example, we’re using the # approved pragma delimiter but embedding it in a single-line SQL comment delimited by --, so that this line is still functional. (Note the space between the -- and the #.)
XML example with embedded character data representing an executable MySQL command
<sometext>
<![CDATA[
select * from salaries where salary < theSecretCredential; -- # pragma: allowlist-secret
]]>
</sometext>
Make sure that the allow-listing is inline! Multi-line allow-listing is not supported.
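The placement rules described above (one of the listed delimiters, on the same line as the finding, a space on either side, inline only), written out as a checker. This is an added example, not Soteri's own code; the finding shape (a dict with a 1-based `line` key) is an assumed stand-in for the scanner's real result format.

```python
import re

# The five pragma spellings listed on the page, one per comment dialect.
PRAGMAS = (
    "# pragma: allowlist-secret",
    "// pragma: allowlist-secret",
    "/* pragma: allowlist-secret */",
    "' pragma: allowlist-secret",
    "<!-- pragma: allowlist-secret -->",
)

# Page rule: a space must separate the code from either side of the pragma.
# Start or end of the line is also accepted as a boundary (assumption).
_PRAGMA_RE = re.compile(
    r"(?:^|\s)(?:" + "|".join(re.escape(p) for p in PRAGMAS) + r")(?:\s|$)"
)


def is_allowlisted(line: str) -> bool:
    """True if this single source line carries a well-formed pragma."""
    return _PRAGMA_RE.search(line) is not None


def apply_allowlist(findings, source_lines):
    """Set each finding's 'allowlisted' flag from the line it points at.

    Findings are never dropped, matching the page: the pragma does not hide
    a finding. Finding shape ({'line': 1-based int, ...}) is an assumed
    stand-in for the scanner's result format.
    """
    result = []
    for finding in findings:
        text = source_lines[finding["line"] - 1]
        result.append({**finding, "allowlisted": is_allowlisted(text)})
    return result


if __name__ == "__main__":
    # Constructed two-line file: a pragma on its own line does not cover the
    # secret above it, because multi-line allow-listing is not supported.
    constructed = [
        'PASSWORD = "placeholder-not-a-real-secret"',
        "# pragma: allowlist-secret",
    ]
    for f in apply_allowlist([{"line": 1, "rule": "generic-secret"}], constructed):
        print(f)  # allowlisted stays False
```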