
Include Suppressed Results in SARIF Output

Open · quasarea opened this issue 6 months ago · 1 comment

Is your feature request related to a problem? Please describe.

In SARIF output generated by DevSkim, only active findings are included. Suppressed results (for example, findings ignored via .devskimignore) are entirely omitted. This limits traceability and makes it difficult to maintain a clear audit trail of which issues were reviewed and intentionally suppressed.

Several established static analysis tools, including Roslyn Analyzers and ESLint (with SARIF plugins), support inclusion of suppressed results in their SARIF output. This provides full visibility into both active and suppressed findings, which is important for security reviews and compliance requirements.

Describe the solution you'd like

Add an optional flag (e.g., --include-suppressed) or equivalent configuration that enables inclusion of suppressed results in the SARIF output. Suppressed results should be clearly marked according to the SARIF specification, using fields such as "baselineState": "suppressed" or "suppressions". The default behaviour should remain unchanged to avoid impacting existing users.

Describe alternatives you've considered

  • Manually parsing .devskimignore and the source code to reconstruct suppressed results, but this is fragile, time-consuming, and prone to errors.
  • Maintaining separate manual suppression records, but that fragments reporting and reduces the usefulness of SARIF as a single, authoritative output format.

Additional context

In DevSecOps pipelines, SARIF is often used as a unified reporting format, aggregating results from multiple tools into centralized dashboards. Including suppressed results improves transparency, simplifies auditing, and aligns DevSkim's output with industry practices for SARIF-producing tools.

quasarea avatar Jul 04 '25 16:07 quasarea

Thanks for the suggestion. There is no .devskimignore file that the DevSkim CLI looks for, but perhaps you meant you're using the .gitignore feature? As a workaround to get suppressed issues in your results, you can disable suppressions entirely, but that won't record that the issue is suppressed in the file in the same manner as requested.

To accomplish this would require

  1. updating AnalyzeCommand to not skip when an issue is suppressed (https://github.com/microsoft/DevSkim/blob/7cd3d845f3d4bf3fb12f2449eec8ebb2e02d12d0/DevSkim-DotNet/Microsoft.DevSkim.CLI/Commands/AnalyzeCommand.cs#L443). The issue itself is contained in the issue record so this can be grabbed in the write method.
  2. However, then the Writer classes need to handle when an issue is suppressed by populating the suppressions field of the result for sarif (around here https://github.com/microsoft/DevSkim/blob/7cd3d845f3d4bf3fb12f2449eec8ebb2e02d12d0/DevSkim-DotNet/Microsoft.DevSkim.CLI/Writers/SarifWriter.cs#L166).

For the text and json writers, perhaps it would need a new check to skip suppressed issues inside the write command.

gfs avatar Jul 08 '25 20:07 gfs
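The SARIF shape both comments are talking about, as an added example that is not DevSkim's code and not part of either post: a small emitter that either drops suppressed findings (today's behaviour) or keeps them and marks them with the `suppressions` property (SARIF 2.1.0 §3.27.23), plus the consumer-side check a dashboard or audit job would run over the log. The finding records, rule IDs `EX0001`–`EX0003`, and the function names are constructed for this example. Suppression state is carried by `suppressions`, not `baselineState` (whose 2.1.0 values are new, unchanged, updated and absent); per the spec a result counts as suppressed only when at least one entry has `status` "accepted" (the default when `status` is omitted), so an entry marked "rejected" or "underReview" leaves the result active.

```python
import json

# Constructed sample findings shaped like a scanner's internal records.
# The field names are assumptions for this example, not DevSkim's types.
FINDINGS = [
    {"rule_id": "EX0001", "message": "Hard-coded secret", "path": "src/config.py",
     "line": 12, "suppressed": False, "justification": None},
    {"rule_id": "EX0002", "message": "Insecure hash", "path": "src/legacy.py",
     "line": 40, "suppressed": True,
     "justification": "checksum only, reviewed 2025-07-01"},
    {"rule_id": "EX0003", "message": "Insecure random", "path": "tests/fake.py",
     "line": 7, "suppressed": True, "justification": None},
]

SARIF_SCHEMA = ("https://docs.oasis-open.org/sarif/sarif/v2.1.0/cos02/"
                "schemas/sarif-schema-2.1.0.json")


def make_result(finding):
    """Build one SARIF result; a suppressed finding gets a suppressions array."""
    result = {
        "ruleId": finding["rule_id"],
        "level": "warning",
        "message": {"text": finding["message"]},
        "locations": [{
            "physicalLocation": {
                "artifactLocation": {"uri": finding["path"]},
                "region": {"startLine": finding["line"]},
            }
        }],
    }
    if finding["suppressed"]:
        # "inSource" = suppressed by a comment in the file; "external" would
        # be a suppression kept outside the code (e.g. a baseline file).
        suppression = {"kind": "inSource", "status": "accepted"}
        if finding["justification"]:
            suppression["justification"] = finding["justification"]
        result["suppressions"] = [suppression]
    return result


def build_sarif(findings, include_suppressed=False):
    """Produce a SARIF 2.1.0 log.

    include_suppressed=False mirrors the current behaviour (suppressed
    findings are omitted); True keeps them, marked via "suppressions".
    """
    if not include_suppressed:
        findings = [f for f in findings if not f["suppressed"]]
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "example-scanner"}},
            "results": [make_result(f) for f in findings],
        }],
    }


def is_suppressed(result):
    """SARIF 2.1.0: suppressed iff some suppression has status "accepted";
    an absent status defaults to "accepted". Empty/absent array = active."""
    return any(s.get("status", "accepted") == "accepted"
               for s in result.get("suppressions", []))


def partition_results(sarif_log):
    """Split every run's results into (active, suppressed) lists."""
    active, suppressed = [], []
    for run in sarif_log["runs"]:
        for result in run.get("results", []):
            (suppressed if is_suppressed(result) else active).append(result)
    return active, suppressed


def unjustified_suppressions(sarif_log):
    """Audit check: suppressed results with no justification on any entry."""
    _, suppressed = partition_results(sarif_log)
    return [r for r in suppressed
            if not any(s.get("justification") for s in r["suppressions"])]


if __name__ == "__main__":
    log = build_sarif(FINDINGS, include_suppressed=True)
    active, suppressed = partition_results(log)
    print(f"{len(active)} active, {len(suppressed)} suppressed")
    for r in unjustified_suppressions(log):
        uri = r["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
        print(f"  {r['ruleId']} at {uri}: suppressed without justification")
    print(json.dumps(log, indent=2))
```

Run as-is it prints the counts, flags `EX0003` as suppressed without a justification, and dumps the log; consumers that only filter on `level` or `ruleId` will count the suppressed rows as live findings, which is why the partition step belongs in whatever aggregates the SARIF, not only in the producer.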