docker
Annotation to turn off false positive SecretsUsedInArgOrEnv
Description
I am getting a SecretsUsedInArgOrEnv warning on non-sensitive data.
The variables are named instance_types_file_key and static_variables_file_key. Since this is a refactor I can't rename them just like that and will have to live with the warning.
It would be great if there was a way to annotate the line to acknowledge the false positive. For instance, some linters let you use # noqa at the minimum to disable these warnings, while some others are more specific e.g. # noqa: ignore[index-error]
It would be great if there was a way to annotate the line to acknowledge the false positive. For instance, some linters let you use
# noqaat the minimum to disable these warnings, while some others are more specific e.g.# noqa: ignore[index-error]
@colinhemmings Recall we discussed about it internally with smth like a nolint directive similar to https://golangci-lint.run/usage/false-positives/#nolint-directive
Or like shellcheck behavior.
A comment on top of a file disable the rule globally, whereas above a line of code it only ignores the LoC.
- https://github.com/koalaman/shellcheck/wiki/Ignore
Right now it's just noise because we don't enforce clean checks, but eventually, CI should fail when these come up. Being able to ignore a specific check at the line level is important to retain the ability of flagging new contributions (vs ignoring the whole file, which would silence the warning on the new contribution).
Is there a way to suppress the warning for a specific ENV or ARG variable if it's a false positive? If not, is there any existing solution or a feature planned to address this?
Of all the checks, I think this is the only one I completely disagree with. I understand its good intentions, but 99% of cases will be false-positives. All of our variables that start with SECRET_ actually point to a file path that is expected to be mounted at runtime.
