CodeGuru Security handle false positives

0

Hi! We are trying out CodeGuru Security. However, as expected with any tools like these, there are some false positives. How can I flag/ignore those false critical finds so we can use the github action integration without failing the checks?

fongie
asked 2 months ago161 views
3 Answers
2

From what I see, you can create suppression rules to ignore certain files.

You can find more info here

profile picture
EXPERT
Artem
answered 2 months ago
profile picture
EXPERT
reviewed 2 months ago
profile picture
EXPERT
reviewed 2 months ago
2

Here are a few ways to handle false positives from CodeGuru Security:

  • Create a custom workflow file (typically named aws-codeguru-reviewer.yml) and place it in the root of your GitHub repository. In this file you can suppress specific recommendations, categories of findings, or entire files/directories from analysis.
  • When you integrate CodeGuru Security with your GitHub repository, you can customize the workflow to only fail the build if a certain number or severity of findings are detected. For example, only fail on critical findings but still report others.
  • For individual false positive findings, you can provide feedback on those within the CodeGuru Security console. This helps improve the accuracy of analysis over time.
  • Consider adjusting the configuration or severity levels of the specific rules/detectors that are triggering false positives. Some have configurable parameters. As with any security tool, it's best practice to manually verify findings rather than relying solely on the results. Over time you'll train the tool to better match your codebase as you provide feedback on real vs false issues.
profile picture
EXPERT
answered 2 months ago
0

Thanks for your quick replies! Unfortunately, I have tried the yml file, excluding most of my source code, and it doesn't work - same result as before.

Since that file is mentioned in the documentation for CodeGuru Reviewer not in CodeGuru Security which I am working with here, I expect that Security does not take that file into consideration?

Let me know if you know for sure that it should be used by Security too and I'll see if I'm doing something wrong with the file, but I don't think so right now. Do you have any other ideas?

fongie
answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions