How to ignore certain Detectors
We are frequently getting FP for Float detector. How can we ignore it in our scan? We are using Trufflehog GitHub action to scan our repository. Pointers to documentation will also help.
Same here, just got a bunch of alerts on strings like these:
../../../.cache/yarn/v6/npm-axe-core-4.1.2-7cf783331320098bfbef620df3b3c770147bc224-integrity/node_modules/axe-core/lib/commons/dom/reduce-to-elements-below-floating.js
../../../.cache/yarn/v6/npm-axe-core-4.1.2-7cf783331320098bfbef620df3b3c770147bc224-integrity/node_modules/axe-core/lib/commons/dom/is-skip-link.js
(notice the match is across two lines).
I think Float regex incorrectly matches these because of the use of PrefixRegex, which could match a sequence of any characters 0-40 in length, before the match group.
Here's a simple reproduction, based on Float detector code: https://go.dev/play/p/svSte7jTTnJ
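To make the bridging behaviour concrete, here is an added Go example (not TruffleHog's code and not the playground repro above) that builds two keyword-prefix patterns in the style described in this thread and runs them over constructed input. The prefix shape, the 32-hex-character "token" pattern, and the sample paths are all assumptions chosen to illustrate the point, not the Float detector's actual regex; the first sample imitates the two yarn cache paths reported above, where the keyword sits in one path and a hex-looking id in the next.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// loosePrefix builds a keyword prefix in the style the thread describes
// (assumed shape, not TruffleHog's own code): the keyword, then up to 40
// characters of anything, newlines included, before the secret pattern.
func loosePrefix(keywords []string) string {
	return `(?i)(?:` + strings.Join(keywords, "|") + `)(?:.|[\n\r]){0,40}`
}

// strictPrefix keeps the gap on a single line and refuses path separators,
// so a keyword inside one file path cannot bridge to a token on the next.
func strictPrefix(keywords []string) string {
	return `(?i)(?:` + strings.Join(keywords, "|") + `)[^\n\r/\\]{0,40}`
}

// tokenPat is a stand-in secret shape: 32 lowercase hex characters on word
// boundaries. Illustrative only; it is not the Float detector's pattern.
const tokenPat = `\b([0-9a-f]{32})\b`

// FindTokens returns every token captured by prefix+tokenPat in data.
func FindTokens(prefix string, data string) []string {
	re := regexp.MustCompile(prefix + tokenPat)
	var out []string
	for _, m := range re.FindAllStringSubmatch(data, -1) {
		out = append(out, m[1])
	}
	return out
}

// Constructed sample: "float" appears inside one path and a hex-looking id
// appears in the path on the following line, as in the reported FP.
const twoPaths = "lib/dom/reduce-to-elements-below-floating.js\n" +
	"cache/0123456789abcdef0123456789abcdef-integrity/is-skip-link.js\n"

// Constructed sample of a plausible true positive: keyword and token on one line.
const realHit = "FLOAT_API_KEY = 0123456789abcdef0123456789abcdef\n"

func main() {
	kw := []string{"float"}
	// The loose prefix bridges the newline and reports the path id as a hit;
	// the strict prefix stops at the line break and reports nothing.
	fmt.Println("loose,  two paths:", FindTokens(loosePrefix(kw), twoPaths))
	fmt.Println("strict, two paths:", FindTokens(strictPrefix(kw), twoPaths))
	// Both prefixes still find the same-line assignment.
	fmt.Println("loose,  real hit :", FindTokens(loosePrefix(kw), realHit))
	fmt.Println("strict, real hit :", FindTokens(strictPrefix(kw), realHit))
}
```

The useful check for a detector author is the pair of samples together: a tightened prefix must drop the cross-line path case without losing the same-line assignment, and both cases belong in the detector's test data so a later regex change cannot silently reintroduce the bridge.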
Fixing the regex is one thing, but I would like to ignore some of the detectors. Not all of them are applicable and flexibility is required.
In our case at least, we're able to ignore certain detectors by using TH as a Go library, not as a CLI tool. Though I understand there's no promise of internal API compatibility, so this may be more fragile than most folks would want.
I'm finding I want to filter out SlackWebhook, for example. I can filter the JSON results with JQ, but having a --skip option would rock.
@anjuls I'm going to close this issue as you can now include/exclude detectors using the --include-detectors and --exclude-detectors flags.
https://github.com/trufflesecurity/trufflehog/releases/tag/v3.28.3