Whitelisting vulnerabilities in your code
If you have a particular secret that you would like to whitelist, you can do so using the following inline comment:
Python Whitelisting Example
API_KEY = "my-secret-that-is-not-a-secret" # pragma: allowlist secret
Java Whitelisting Example
All language comments are supported, so for example, whitelisting in Java would look like the following:
String myApprovedSecret = "ThisIsAnExampleSecret"; // pragma: allowlist secret not actually a secret
Just make sure that the whitelisting is inline: the pragma has to sit on the same line as the flagged value. Multi-line whitelisting is not supported, so a pragma on the line before (or after) the value does not suppress the finding.
Full list of supported comment containers for the pragma
Whitelist pragma must be introduced in the same commit as the false positive
One thing to keep in mind is that if you're pushing multiple commits, they will all be scanned individually, and one of the older commits you're adding may be missing the whitelist pragma. For example:
1. git add proxy-password-file
2. git commit proxy-password-file -m "Update proxy settings"
3. git push => rejected due to embedded password
4. Update proxy-password-file to add # pragma: allowlist secret on the offending line
5. git commit proxy-password-file -m "Whitelist proxy settings"
6. git push
When step 6 executes, both the commit from step 2 and the commit from step 5 are scanned. In the step 2 commit a secret is detected and no whitelist pragma is present, so that commit is considered in violation. The step 5 commit passes all checks, but since one commit in the push fails, the whole push is rejected. To get the push accepted, the pragma has to land in the commit that introduced the value, for example by amending that commit (git commit --amend) or squashing the fix into it with an interactive rebase, rather than adding a follow-up commit.
The per-commit scanning ensures that if a secret was added in one commit and subsequently removed in another commit, it will still be found. It’s important to catch this situation, because the secret has not been properly cleaned from history.
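The following is an added illustration of the two rules above (inline-only pragma, per-commit scanning), not Soteri's own scanner or its real detection logic. The secret detector is a constructed, deliberately simple regex, the allowlist pragma is matched by its `pragma: allowlist secret` text regardless of comment syntax, and the "commits" are hand-built lists of added lines modelling the proxy-password-file scenario, an amended version of it, and an add-then-remove push.

```python
import re
from dataclasses import dataclass

# Constructed, deliberately simple detector: an identifier containing key/password/
# secret/token assigned a quoted string of at least 8 characters. A real scanner
# uses many more heuristics; this regex exists only to drive the example.
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)\b\w*(api[_-]?key|password|secret|token)\w*\s*[:=]\s*["'][^"']{8,}["']"""
)

# The pragma only counts when it appears on the same line as the flagged value.
ALLOWLIST_PRAGMA = re.compile(r"pragma:\s*allowlist\s+secret", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    commit: str
    path: str
    lineno: int
    line: str


def line_is_allowlisted(line: str) -> bool:
    """True if the line itself carries the inline allowlist pragma (any comment syntax)."""
    return ALLOWLIST_PRAGMA.search(line) is not None


def scan_lines(lines, commit="", path=""):
    """Scan the added lines of one file. A pragma on a neighbouring line does not help."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        if SECRET_ASSIGNMENT.search(line) and not line_is_allowlisted(line):
            findings.append(Finding(commit, path, lineno, line.rstrip()))
    return findings


def scan_push(commits):
    """commits: ordered list of (sha, {path: [added lines]}), one entry per commit.

    Every commit is scanned on its own, so a value that a later commit removes
    or allowlists is still reported against the commit that introduced it.
    """
    findings = []
    for sha, files in commits:
        for path, added in files.items():
            findings.extend(scan_lines(added, commit=sha, path=path))
    return findings


def push_is_accepted(commits) -> bool:
    """A push is rejected if any single commit in it has an unallowlisted finding."""
    return not scan_push(commits)


# --- constructed sample input -------------------------------------------------

# The page's own inline examples: both are flagged by the regex, both are allowlisted.
INLINE_SAMPLES = [
    'API_KEY = "my-secret-that-is-not-a-secret" # pragma: allowlist secret',
    'String myApprovedSecret = "ThisIsAnExampleSecret"; // pragma: allowlist secret not actually a secret',
]

BAD_LINE = 'proxy_password = "hunter2-super-long-value"'        # constructed value
FIXED_LINE = BAD_LINE + "  # pragma: allowlist secret"

# Pragma on the previous line: not inline, so the value is still reported.
MULTILINE_ATTEMPT = ["# pragma: allowlist secret", BAD_LINE]

# Steps 2 and 5 from the scenario above, pushed together: commit c2 lacks the pragma.
TWO_COMMIT_PUSH = [
    ("c2", {"proxy-password-file": [BAD_LINE]}),      # "Update proxy settings"
    ("c5", {"proxy-password-file": [FIXED_LINE]}),    # "Whitelist proxy settings"
]

# Same change after amending/squashing so the pragma is in the introducing commit.
AMENDED_PUSH = [("c2-amended", {"proxy-password-file": [FIXED_LINE]})]

# Secret added in one commit and deleted in the next: still in history, still found.
ADD_THEN_REMOVE_PUSH = [
    ("d1", {"config.py": [BAD_LINE]}),
    ("d2", {"config.py": []}),
]

if __name__ == "__main__":
    for name, push in [("two-commit", TWO_COMMIT_PUSH), ("amended", AMENDED_PUSH),
                       ("add-then-remove", ADD_THEN_REMOVE_PUSH)]:
        verdict = "accepted" if push_is_accepted(push) else "rejected"
        print(f"{name}: {verdict}", [(f.commit, f.path, f.lineno) for f in scan_push(push)])
```

The point the sample pushes make: the two-commit push fails on c2 even though c5 contains the pragma, the amended push passes because the pragma and the value arrive in the same commit, and the add-then-remove push fails because the scanner looks at each commit's additions rather than at the final tree.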
Whitelisting specific files / paths (since version 1.10.0)
You can also specify a list of files or folders for a specific repository; every vulnerability found under those paths is then treated as whitelisted.
Per-repository Allowlist configuration
Whitelisted files can also be configured at the repository level in the soteri-security.yml file. Add an allowlist_paths section listing the paths you want to whitelist, as in the example below:
custom_rules:    # comment
  rules:         # comment
allowlist_paths:
  - file1
  - file2.*
Per-repository configuration files only take effect once they are enabled in the global plugin settings.