semgrep-action
False positives management
Is your feature request related to a problem? Please describe. Maybe it's something that is already built, but I have not seen it documented anywhere. I would like to have the ability to ignore a specific false positive. I don't want to ignore a rule completely, as there might be a scenario where it is a valid finding in one file but not in another in the same project. Also, I don't think it is a good idea to have that control in the source code, as it opens a big door to abuse of this feature: any developer might flag anything they want as a false positive. https://semgrep.dev/docs/ignoring-findings/
Describe the solution you'd like Have the ability to exclude a specific false positive in a file and at a line of code.
Describe alternatives you've considered Findsecuritybugs does exclusion at class level, and Sonar does it at line-of-code + file level.
In this connection, I'm seeing a false positive with this line:
if Redis.current.eval(LUA_ACQUIRE, [key, ttl.to_i]) == 1
Semgrep thinks that this is a Ruby #eval, but really it's just a normal Redis EVAL with no user input. It would be nice to disable this warning in a comment in the same way that this is done with Rubocop.
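The two requests above (the issue's per-file, per-line suppression kept out of the source tree, and the comment's Redis EVAL false positive) can both be served by a small triage filter run over Semgrep's JSON output. What follows is an added example written for this page; it is not code from the semgrep-action project, and the rule id, file paths and allowlist layout are hypothetical. The in-source alternative, a `nosemgrep` comment on the flagged line, is the mechanism documented at the link in the issue; the filter below is the out-of-source variant the issue asks for. A finding is identified by rule id, path, line number and a hash of the flagged source text, so an allowlist entry stops applying as soon as the line it covers is edited, which is the check a reviewer would want before trusting a suppression that someone else wrote.

```ruby
require "json"
require "digest"
require "set"

# Constructed sample of `semgrep --json` output, trimmed to the fields this
# script reads. The rule id and paths are hypothetical. Finding 1 is the
# Redis EVAL call from the thread (constant Lua script, no user input);
# finding 2 is a genuine Kernel#eval on request data and must stay reported.
SAMPLE_SEMGREP_JSON = <<~JSON
  {
    "results": [
      {
        "check_id": "ruby.lang.security.dangerous-eval",
        "path": "lib/lock.rb",
        "start": {"line": 12},
        "extra": {"lines": "    if Redis.current.eval(LUA_ACQUIRE, [key, ttl.to_i]) == 1"}
      },
      {
        "check_id": "ruby.lang.security.dangerous-eval",
        "path": "app/templates.rb",
        "start": {"line": 40},
        "extra": {"lines": "    eval(params[:expr])"}
      }
    ]
  }
JSON

# Hash of the flagged source text, with surrounding whitespace dropped so a
# re-indent does not invalidate a triage decision but any other edit does.
def source_hash(source_text)
  Digest::SHA256.hexdigest(source_text.strip)
end

# Identity of one finding: rule + file + line + hash of the flagged text.
def fingerprint(check_id, path, line, source_text)
  "#{check_id}|#{path}|#{line}|#{source_hash(source_text)}"
end

# Build an allowlist entry for a finding a reviewer has judged a false
# positive. The entries are meant to live in a file owned by the security
# team (hypothetical: .semgrep-allowlist.json, protected by CODEOWNERS),
# not as comments next to the flagged code.
def allowlist_entry(result, reason:)
  {
    "check_id" => result["check_id"],
    "path" => result["path"],
    "line" => result.dig("start", "line"),
    "sha256" => source_hash(result.dig("extra", "lines")),
    "reason" => reason
  }
end

# Split Semgrep results into [still_reported, suppressed]. A result is
# suppressed only when rule, path, line and content hash all match an entry.
def filter_findings(semgrep_json, allowlist)
  allowed = allowlist.map do |e|
    "#{e["check_id"]}|#{e["path"]}|#{e["line"]}|#{e["sha256"]}"
  end.to_set
  results = JSON.parse(semgrep_json).fetch("results")
  results.partition do |r|
    !allowed.include?(fingerprint(r["check_id"], r["path"],
                                  r.dig("start", "line"), r.dig("extra", "lines")))
  end
end

if __FILE__ == $PROGRAM_NAME
  results = JSON.parse(SAMPLE_SEMGREP_JSON)["results"]
  # The reviewer accepts the Redis finding once; the Kernel#eval stays open.
  allowlist = [allowlist_entry(results[0],
                               reason: "Redis#eval runs a constant Lua script, not Kernel#eval")]
  kept, suppressed = filter_findings(SAMPLE_SEMGREP_JSON, allowlist)
  loc = ->(r) { "#{r["path"]}:#{r.dig("start", "line")}" }
  puts "suppressed: #{suppressed.map(&loc).join(", ")}"
  puts "reported:   #{kept.map(&loc).join(", ")}"
end
```

The content hash is the part that answers the issue's abuse concern: a suppression written against one version of a line cannot silently carry over to a later edit that introduces user input into the same call, because the edited line produces a new fingerprint and the finding reappears for triage.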