Allow-listing Detected Secrets
Allow-listing false positives in your code
Allow-listing pragmas allow ignoring false positives when new code is committed to the repository. This workflow is suitable for developers who introduce a line which is flagged by the security pre-receive hook, but they have verified that this finding is indeed a false positive. Allow-listed lines are ignored by the security pre-receive hook as well as subsequent scans.
To mark findings as benign after they’ve been committed, without adding inline pragmas, see Hiding false positives, revoked credentials, etc..
Python allow-listing Example
API_KEY = "my-secret-that-is-not-a-secret" # pragma: allowlist secret
Java allow-listing Example
All language comments are supported, so for example, allow-listing in Java would look like the following:
String myApprovedSecret = "ThisIsAnExampleSecret" // pragma: allowlist-secret not actually a secret";
Just make sure that the allow-listing is inline! Multi-line allow-listing is not supported.
Full list of supported comment containers for the pragma
#
comment//
comment/*
comment*/
'
comment<!--
comment-->
The allowlist pragma must be introduced in the same commit as the false positive
One thing to keep in mind is that if you’re pushing multiple commits, they will all be scanned individually, and one of the older commits you’re adding may be missing the allowlist pragma. For example,
git add proxy-password-file
git commit proxy-password-file -m “Update proxy settings”
git push
=> rejected due to embedded passwordUpdate proxy-password-file to add
# pragma: allowlist secret
git commit proxy-password-file -m “Allowlist proxy settings”
git push
When step 6 executes, both the commits from step 2 and step 5 will be scanned. In the #2 commit there is a failure detected, but no allowlist pragma is present, so the commit is considered in violation. The #5 commit passes all checks, but since there is one failing commit in the push, the whole push is rejected.
The per-commit scanning ensures that if a secret was added in one commit and subsequently removed in another commit, it will still be found. It’s important to catch this situation, because the secret has not been properly cleaned from history.
Allow-listing specific files / paths (since version 1.10.0)
You can also specify list of files / folders for which all found vulnerabilities should be marked as allow-listed for a specific repository.
Per-repository allowlist configuration
Allow-listed files can be also configured on a repository level in soteri-security.yml
file. Just add allow_list
section and add list of paths you want to allow, like in example below:
custom_rules:
# comment
rules:
# comment
allowlist_paths:
- file1
- file2.*
To make per-repository configuration files work, you need to enable it in global plugin settings. See additional details on Defining Repository-Level Detection Rules .