feat: add --ignore-file for path-based finding suppression#14

Merged
elfrost merged 1 commit into main from feat/ignore-file
May 15, 2026

Conversation

@elfrost
Owner

@elfrost elfrost commented May 15, 2026

Summary

New `scanner/ignore.py` module + `--ignore-file PATH` CLI flag for `.gitignore`-style suppression of findings by repo-relative path. Closes the recurring backlog item observed across all four public scans:

| Scan | FPs that would benefit |
|---|---|
| gptme | `tests/test_onboard.py` (sk-test placeholder) |
| openllmetry | `packages//tests/cassettes/` (25 cassette "secrets") |
| agentic_security | `tests/**/test_pii_detector.py`, `tests/unit_tests/test_security.py` (detector fixtures) |
| Upsonic | `tests/unit_tests/safety_engine/`, `tests/smoke_tests/integrations/langfuse/` |

How it works

  • Patterns are matched against the rebased repo-relative POSIX path, so `tests/**` works as expected regardless of where the temp clone landed.
  • Standard `.gitignore` syntax via `pathspec` (`#` comments, `!` negation, `**` recursive).
  • Findings with an empty `file` field (info-level "tool not installed" placeholders) are never suppressed — they describe infrastructure state, not file content, and a `**` pattern should not silently drop them.

Validation

Re-scanned Upsonic with an ignore file targeting their safety-engine + smoke-test fixtures:

  • Before: 21 high, 19 medium = 40 findings
  • After: 13 high, 19 medium = 32 findings (8 FPs suppressed, 4 real items preserved)

Test plan

  • 11 new tests in `tests/test_ignore.py` covering: comment parsing, negation, deep `**` matching, order preservation, empty-file safety
  • Full suite: 264 passed, ruff clean, black clean
  • End-to-end re-scan on Upsonic confirms 8 FPs suppressed without losing real items

🤖 Generated with Claude Code
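The suppression flow described under "How it works", as an added example that is not the PR's `scanner/ignore.py`: the `gitwild_to_regex` helper is a hypothetical, simplified stand-in for `pathspec`'s gitwildmatch (it covers `*`, `?`, `**`, `/`-anchoring, trailing `/` and `!` negation, not the full spec), and the finding dict shape, `repo_root` argument and function names are assumptions.

```python
import re
from pathlib import PurePosixPath

# Hypothetical stand-in for pathspec's "gitwildmatch": a simplified translator
# covering '*', '?', '**', '/'-anchoring, trailing '/' and '!' negation.
def gitwild_to_regex(pattern: str) -> re.Pattern:
    anchored = pattern.startswith("/") or "/" in pattern.strip("/")
    dir_only = pattern.endswith("/")
    pattern, out, i = pattern.strip("/"), "", 0
    while i < len(pattern):
        if pattern.startswith("/**/", i):      # zero or more directories in between
            out, i = out + "/(?:.*/)?", i + 4
        elif pattern.startswith("**/", i):     # leading: match at any depth
            out, i = out + "(?:.*/)?", i + 3
        elif pattern.startswith("/**", i):     # trailing: everything below the directory
            out, i = out + "/.*", i + 3
        elif pattern[i] in "*?":               # single-component wildcards never cross '/'
            out, i = out + ("[^/]*" if pattern[i] == "*" else "[^/]"), i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    prefix = "" if anchored else "(?:.*/)?"    # slash-free patterns match at any depth
    suffix = "/.*" if dir_only else "(?:/.*)?" # a matched directory covers its contents
    return re.compile(prefix + out + suffix)

def parse_ignore_file(text: str) -> list[tuple[bool, re.Pattern]]:
    rules = []
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#"):          # skip blank lines and comments
            rules.append((line.startswith("!"), gitwild_to_regex(line.lstrip("!"))))
    return rules

def is_ignored(rel_path: str, rules) -> bool:
    ignored = False
    for negate, rx in rules:                  # last matching rule wins, as in gitignore
        if rx.fullmatch(rel_path):
            ignored = not negate
    return ignored

def suppress_findings(findings: list[dict], ignore_text: str, repo_root: str) -> list[dict]:
    rules, kept = parse_ignore_file(ignore_text), []
    for f in findings:
        if not f.get("file"):                 # infrastructure placeholder: never suppressed
            kept.append(f)
            continue
        rel = PurePosixPath(f["file"]).relative_to(repo_root).as_posix()  # rebase to repo
        if not is_ignored(rel, rules):
            kept.append(f)
    return kept                               # original finding order is preserved
```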

New scanner/ignore.py module provides .gitignore-style path suppression
of findings via the `--ignore-file PATH` CLI flag. Patterns match against
repo-relative POSIX paths (post-rebase). Comments (`#`) and negation
(`!`) supported per gitignore spec. Findings with empty `file` field
(info-level infrastructure signals) are never suppressed.

Validated on a re-scan of Upsonic with an ignore file targeting their
safety-engine and smoke-test fixture directories: 8 high-severity FPs
suppressed (40 -> 32 findings), without losing the 4 real items.

Closes the recurring backlog item observed across all 4 scans
(gptme test_onboard.py, openllmetry tests/cassettes/**, agentic_security
tests/unit_tests/safety_engine, Upsonic tests/unit_tests/safety_engine).

Adds pathspec>=0.12.0 as a dependency. 11 new tests in tests/test_ignore.py.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@elfrost elfrost merged commit 59cd39d into main May 15, 2026
@elfrost elfrost deleted the feat/ignore-file branch May 15, 2026 16:34