EarlyBird has a rules engine for excluding false positives from the results. Each rule in false-positives.json is tied to one or more scan rules through the Codes field. The Pattern field is a regular expression that is evaluated against any hit produced by one of those Codes, as long as the file containing that hit has an extension listed in FileExtensions (if that list is empty, files with any extension are considered).
```yaml
---
rules:
  - Codes:
      - 3013
    Pattern: "(000-000-0000)"
    FileExtensions: []
    Description: Ignore a false positive phone number
  - Codes:
      - 4005
      - 3022
    Pattern: ".*"
    FileExtensions:
      - ".md"
      - ".txt"
      - ".doc"
      - ".pdf"
      - ".docx"
      - ".csv"
      - ".html"
      - ".htm"
    Description: Ignore deprecated crypto in documents
```
- Any hit found by rule 3013 (which looks for 10-digit phone number patterns) that matches all zeroes (000-000-0000), in any type of file, will be ignored.
- Any hit found by rules 4005 or 3022 (which look for indicators of deprecated crypto such as 3DES or MD5) in document files with one of the listed extensions will be ignored.
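To make the matching semantics concrete, here is an added example (not EarlyBird's own code) of how a rules engine like the one described above evaluates a hit: the hit's code must appear in Codes, the file extension must be in FileExtensions unless that list is empty, and only then is Pattern applied to the matched text. The Hit type, the unanchored search and the case-insensitive extension comparison are assumptions made for this illustration; the two rules are the ones from the page.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// FalsePositiveRule mirrors one entry of the rules list above.
type FalsePositiveRule struct {
	Codes          []int
	Pattern        string
	FileExtensions []string
	Description    string
}

// Hit is a constructed, simplified scan result (assumption: not EarlyBird's own type).
type Hit struct {
	Code  int    // the scan rule that produced the hit
	Path  string // file the hit was found in
	Match string // text matched by the scan rule
}

type compiledRule struct {
	codes map[int]bool
	re    *regexp.Regexp
	exts  map[string]bool // empty means "any extension"
	desc  string
}

// ExampleRules are the two rules from the page's false-positives example.
var ExampleRules = []FalsePositiveRule{
	{Codes: []int{3013}, Pattern: "(000-000-0000)", FileExtensions: []string{},
		Description: "Ignore a false positive phone number"},
	{Codes: []int{4005, 3022}, Pattern: ".*",
		FileExtensions: []string{".md", ".txt", ".doc", ".pdf", ".docx", ".csv", ".html", ".htm"},
		Description: "Ignore deprecated crypto in documents"},
}

// CompileRules validates every Pattern once, so a bad regex fails at load time, not per hit.
func CompileRules(rules []FalsePositiveRule) ([]compiledRule, error) {
	out := make([]compiledRule, 0, len(rules))
	for _, r := range rules {
		re, err := regexp.Compile(r.Pattern)
		if err != nil {
			return nil, fmt.Errorf("rule %q: %w", r.Description, err)
		}
		cr := compiledRule{codes: map[int]bool{}, re: re, exts: map[string]bool{}, desc: r.Description}
		for _, c := range r.Codes {
			cr.codes[c] = true
		}
		for _, e := range r.FileExtensions {
			cr.exts[strings.ToLower(e)] = true // assumption: extensions compared case-insensitively
		}
		out = append(out, cr)
	}
	return out, nil
}

// IsFalsePositive returns the description of the first rule that suppresses the hit.
func IsFalsePositive(h Hit, rules []compiledRule) (string, bool) {
	ext := strings.ToLower(filepath.Ext(h.Path))
	for _, r := range rules {
		if !r.codes[h.Code] {
			continue // rule is tied to other scan codes
		}
		if len(r.exts) > 0 && !r.exts[ext] {
			continue // extension filter present and this file is not covered
		}
		if r.re.MatchString(h.Match) { // assumption: unanchored search, like re.search
			return r.desc, true
		}
	}
	return "", false
}

// FilterHits drops every hit that some rule marks as a false positive.
func FilterHits(hits []Hit, rules []compiledRule) []Hit {
	kept := make([]Hit, 0, len(hits))
	for _, h := range hits {
		if _, fp := IsFalsePositive(h, rules); !fp {
			kept = append(kept, h)
		}
	}
	return kept
}

// ConstructedHits are made-up scan results used to exercise the rules.
var ConstructedHits = []Hit{
	{Code: 3013, Path: "src/contacts.go", Match: "000-000-0000"}, // suppressed: placeholder number
	{Code: 3013, Path: "src/contacts.go", Match: "555-123-4567"}, // kept: real-looking number
	{Code: 4005, Path: "docs/crypto.md", Match: "MD5"},           // suppressed: crypto word in a document
	{Code: 4005, Path: "src/hash.go", Match: "MD5"},              // kept: crypto word in source code
	{Code: 3022, Path: "README.TXT", Match: "3DES"},              // suppressed: .txt matched case-insensitively
}

func main() {
	rules, err := CompileRules(ExampleRules)
	if err != nil {
		panic(err)
	}
	for _, h := range FilterHits(ConstructedHits, rules) {
		fmt.Printf("reported: code %d in %s (%s)\n", h.Code, h.Path, h.Match)
	}
}
```

Note that the first pattern, "(000-000-0000)", is not anchored, so under search semantics it would also suppress a longer match such as "1000-000-00001"; when writing rules that should match the whole hit exactly, anchor them with ^ and $ so that a genuine finding is not silenced by a substring coincidence.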