- Newest
- Most votes
- Most comments
From what I see, you can create suppression rules to ignore certain files.
You can find more info here
Here are a few ways to handle false positives from CodeGuru Security:
- Create a custom workflow file (typically named aws-codeguru-reviewer.yml) and place it in the root of your GitHub repository. In this file you can suppress specific recommendations, categories of findings, or entire files/directories from analysis.
- When you integrate CodeGuru Security with your GitHub repository, you can customize the workflow to only fail the build if a certain number or severity of findings are detected. For example, only fail on critical findings but still report others.
- For individual false positive findings, you can provide feedback on those within the CodeGuru Security console. This helps improve the accuracy of analysis over time.
- Consider adjusting the configuration or severity levels of the specific rules/detectors that are triggering false positives. Some have configurable parameters. As with any security tool, it's best practice to manually verify findings rather than relying solely on the results. Over time you'll train the tool to better match your codebase as you provide feedback on real vs false issues.
Thanks for your quick replies! Unfortunately, I have tried the yml file, excluding most of my source code, and it doesn't work - same result as before.
Since that file is mentioned in the documentation for CodeGuru Reviewer not in CodeGuru Security which I am working with here, I expect that Security does not take that file into consideration?
Let me know if you know for sure that it should be used by Security too and I'll see if I'm doing something wrong with the file, but I don't think so right now. Do you have any other ideas?
I'm having this issue too. My projects have config file "templates" that have password fields with replacement macro placeholders. These are NOT hardcoded passwords, the files are not even real config files holding any config info. I would like to exclude such files from the CodeGuru Security scanning but there is no way to do so.
Relevant content
- asked 3 years ago
- asked 3 years ago
- asked a year ago
- asked 3 years ago
- AWS OFFICIALUpdated 9 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 3 months ago
- AWS OFFICIALUpdated 5 months ago
The content in this response is for CodeGuru Reviewer. For CodeGuru security the proposed method does not work, you cannot flag a false positive using the exclusion YAML.