Provide granular exemptions from SAST vulnerability findings
Problem to solve
As a user, I want to exclude parts of my application from SAST detection on a per-line or per-block basis.
Intended users
- Cameron (Compliance Manager)
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Sam (Security Analyst)
- Alex (Security Operations Engineer)
User experience goal
When using Category:SAST, we have the ability to filter out paths or files by using the SAST_EXCLUDED_PATHS
environment variable. This works for a lot of cases, but it is too coarse a control: for SAST to ignore findings, we have to filter out whole files or directories of files. Any attempt to exempt only part of a file forces us to expose details of the underlying scanners, i.e. how each one turns off individual rules for a given line or series of lines.