Allow-listing false positives in your code

Allow-listing pragmas allow ignoring false positives when new code is committed to the repository. This workflow is suitable for developers who introduce a line which is flagged by the security pre-receive hook, but they have verified that this finding is indeed a false positive. Allow-listed lines are ignored by the security pre-receive hook as well as subsequent scans.

To mark findings as benign after they’ve been committed, without adding inline pragmas, see Reviewing Findings as False Positives or Revoked Credentials.

Python allow-listing Example

 API_KEY = "my-secret-that-is-not-a-secret"  # pragma: allowlist secret
PY

Java allow-listing Example

All language comments are supported, so for example, allow-listing in Java would look like the following:

String myApprovedSecret = "ThisIsAnExampleSecret" // pragma: allowlist-secret not actually a secret";
JAVA


Just make sure that the allow-listing is inline! Multi-line allow-listing is not supported.

Full list of supported comment containers for the pragma

  • # comment

  • //comment

  • /* comment */

  • ' comment

  • <!-- comment -->

The allowlist pragma must be introduced in the same commit as the false positive

One thing to keep in mind is that if you’re pushing multiple commits, they will all be scanned individually, and one of the older commits you’re adding may be missing the allowlist pragma. For example,

  1. git add proxy-password-file

  2. git commit proxy-password-file -m “Update proxy settings”

  3. git push => rejected due to embedded password

  4. Update proxy-password-file to add # pragma: allowlist secret

  5. git commit proxy-password-file -m “Allowlist proxy settings

  6. git push

When step 6 executes, both the commits from step 2 and step 5 will be scanned. In the #2 commit there is a failure detected, but no allowlist pragma is present, so the commit is considered in violation. The #5 commit passes all checks, but since there is one failing commit in the push, the whole push is rejected.

The per-commit scanning ensures that if a secret was added in one commit and subsequently removed in another commit, it will still be found. It’s important to catch this situation, because the secret has not been properly cleaned from history.

Allow-listing specific files / paths (since version 1.10.0)

You can also specify list of files / folders for which all found vulnerabilities should be marked as allow-listed for a specific repository.

Per-repository allowlist configuration

Allow-listed files can be also configured on a repository level in soteri-security.yml file. Just add allow_list section and add list of paths you want to allow, like in example below:

custom_rules:
  # comment
rules:
  # comment
allowlist_paths:
  - file1
  - file2.*
YAML

To make per-repository configuration files work, you need to enable it in global plugin settings. See additional details on Defining Repository-Level Detection Rules .