CodeGuru Security handle false positives

From what I see, you can create suppression rules to ignore certain files.

You can find more info here

Here are a few ways to handle false positives from CodeGuru Security:

• Create a custom workflow file (typically named aws-codeguru-reviewer.yml) and place it in the root of your GitHub repository. In this file you can suppress specific recommendations, categories of findings, or entire files/directories from analysis.
• When you integrate CodeGuru Security with your GitHub repository, you can customize the workflow to only fail the build if a certain number or severity of findings are detected. For example, only fail on critical findings but still report others.
• For individual false positive findings, you can provide feedback on those within the CodeGuru Security console. This helps improve the accuracy of analysis over time.
• Consider adjusting the configuration or severity levels of the specific rules/detectors that are triggering false positives. Some have configurable parameters. As with any security tool, it's best practice to manually verify findings rather than relying solely on the results. Over time you'll train the tool to better match your codebase as you provide feedback on real vs false issues.

Thanks for your quick replies! Unfortunately, I have tried the yml file, excluding most of my source code, and it doesn't work - same result as before.

Since that file is mentioned in the documentation for CodeGuru Reviewer not in CodeGuru Security which I am working with here, I expect that Security does not take that file into consideration?

Let me know if you know for sure that it should be used by Security too and I'll see if I'm doing something wrong with the file, but I don't think so right now. Do you have any other ideas?