CodeGuru Security handle false positives

0

Hi! We are trying out CodeGuru Security. However, as expected with any tools like these, there are some false positives. How can I flag/ignore those false critical finds so we can use the github action integration without failing the checks?

asked 7 months ago · 471 views
4 Answers
2

From what I see, you can create suppression rules to ignore certain files.

You can find more info here

EXPERT
answered 7 months ago
EXPERT
reviewed 7 months ago
EXPERT
reviewed 7 months ago
  • The content in this response is for CodeGuru Reviewer. For CodeGuru Security, the proposed method does not work: you cannot flag a false positive using the exclusion YAML.

2

Here are a few ways to handle false positives from CodeGuru Security:

  • Create a custom workflow file (typically named aws-codeguru-reviewer.yml) and place it in the root of your GitHub repository. In this file you can suppress specific recommendations, categories of findings, or entire files/directories from analysis.
  • When you integrate CodeGuru Security with your GitHub repository, you can customize the workflow to only fail the build if a certain number or severity of findings is detected. For example, only fail on critical findings but still report others.
  • For individual false positive findings, you can provide feedback on those within the CodeGuru Security console. This helps improve the accuracy of analysis over time.
  • Consider adjusting the configuration or severity levels of the specific rules/detectors that are triggering false positives. Some have configurable parameters. As with any security tool, it's best practice to manually verify findings rather than relying solely on the results. Over time you'll train the tool to better match your codebase as you provide feedback on real vs false issues.
EXPERT
answered 7 months ago
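The second and third bullets above (fail only at a chosen severity, and report the rest) can be implemented as a step that runs after the scan action and post-processes the SARIF report it produces, instead of relying on a per-tool exclusion file. The script below is an added example written for this thread; it is not AWS code and not part of the CodeGuru Security action. It assumes the action writes a SARIF 2.1.0 file (the filename `codeguru-security-results.sarif.json` is an assumption), that severity is available either as a GitHub-style `security-severity` score on the result or its rule or as the SARIF `level`, and the rule IDs, paths and suppression entries in the embedded sample are constructed for illustration.

```python
"""Gate a CI job on a CodeGuru Security SARIF report: fail only on
unsuppressed findings at or above a severity threshold, print the rest.

Added example for the re:Post thread; not AWS code. Assumptions are marked.
"""
import fnmatch
import json
import sys

# Assumed output filename of the GitHub Action; adjust to what your run writes.
DEFAULT_SARIF_PATH = "codeguru-security-results.sarif.json"

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# SARIF "level" only knows error/warning/note; map it onto the rank scale
# when no numeric security-severity score is present (assumed mapping).
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "info"}

# Reviewed suppressions, committed next to the code: (rule-id glob, path glob,
# reason). Constructed entry mirroring the "config template" case in the thread.
SUPPRESSIONS = [
    ("*hardcoded*", "config/templates/*.tmpl", "macro placeholders, not real secrets"),
]


def finding_severity(result, rules_by_id):
    """Severity name for one SARIF result: prefer a 0-10 'security-severity'
    score on the result, then on its rule, then fall back to SARIF 'level'."""
    score = (result.get("properties") or {}).get("security-severity")
    if score is None:
        rule = rules_by_id.get(result.get("ruleId"), {})
        score = (rule.get("properties") or {}).get("security-severity")
    if score is not None:
        s = float(score)
        if s >= 9.0:
            return "critical"
        if s >= 7.0:
            return "high"
        if s >= 4.0:
            return "medium"
        return "low" if s > 0 else "info"
    return LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "medium")


def finding_path(result):
    """Repository-relative path of the first location, or '' if none."""
    locs = result.get("locations") or []
    if not locs:
        return ""
    return locs[0].get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "")


def is_suppressed(rule_id, path, suppressions):
    return any(fnmatch.fnmatch(rule_id, r) and fnmatch.fnmatch(path, p)
               for r, p, _reason in suppressions)


def evaluate(sarif, threshold="critical", suppressions=SUPPRESSIONS):
    """Split findings into (blocking, reported, suppressed) lists of
    (rule_id, path, severity). Only 'blocking' should fail the job."""
    blocking, reported, suppressed = [], [], []
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        rules_by_id = {r["id"]: r for r in rules if "id" in r}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "")
            path = finding_path(res)
            item = (rule_id, path, finding_severity(res, rules_by_id))
            if is_suppressed(rule_id, path, suppressions):
                suppressed.append(item)
            elif SEVERITY_RANK[item[2]] >= SEVERITY_RANK[threshold]:
                blocking.append(item)
            else:
                reported.append(item)
    return blocking, reported, suppressed


def _loc(uri):
    return [{"physicalLocation": {"artifactLocation": {"uri": uri}}}]


# Constructed SARIF fragment standing in for the action's real output.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "sample", "rules": [
        {"id": "hardcoded-credentials", "properties": {"security-severity": "9.5"}},
        {"id": "insecure-random", "properties": {"security-severity": "5.0"}},
    ]}},
    "results": [
        {"ruleId": "hardcoded-credentials", "level": "error",
         "properties": {"security-severity": "9.5"}, "locations": _loc("config/templates/db.tmpl")},
        {"ruleId": "hardcoded-credentials", "level": "error",
         "properties": {"security-severity": "9.5"}, "locations": _loc("src/app.py")},
        {"ruleId": "sql-injection", "level": "error", "locations": _loc("src/db.py")},
        {"ruleId": "insecure-random", "level": "warning", "locations": _loc("src/token.py")},
    ]}]}


def main(path=None, threshold="critical"):
    """Return the process exit code: 1 if any blocking finding remains."""
    if path is None:
        sarif = SAMPLE_SARIF
    else:
        with open(path, encoding="utf-8") as fh:
            sarif = json.load(fh)
    blocking, reported, suppressed = evaluate(sarif, threshold)
    for label, items in (("BLOCKING", blocking), ("reported", reported), ("suppressed", suppressed)):
        for rule_id, p, sev in items:
            print(f"{label:10} {sev:8} {rule_id} {p}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None, "critical"))
```

Run it as a workflow step after the scan (`python check_codeguru.py codeguru-security-results.sarif.json`); the job fails only when a non-suppressed finding at the threshold or above is present, while lower-severity and suppressed findings are still printed in the log. Because suppressions are matched on rule ID plus path and carry a reason, they are code-reviewed like any other change, which is the property the per-tool exclusion file would otherwise give you.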
0

Thanks for your quick replies! Unfortunately, I have tried the YAML file, excluding most of my source code, and it doesn't work; same result as before.

Since that file is mentioned in the documentation for CodeGuru Reviewer, not for CodeGuru Security, which I am working with here, I expect that Security does not take that file into consideration?

Let me know if you know for sure that it should be used by Security too and I'll see if I'm doing something wrong with the file, but I don't think so right now. Do you have any other ideas?

answered 7 months ago
0

I'm having this issue too. My projects have config file "templates" that have password fields with replacement macro placeholders. These are NOT hardcoded passwords; the files are not even real config files holding any config info. I would like to exclude such files from the CodeGuru Security scanning, but there is no way to do so.

answered 9 days ago
