Summary
DevSkim appears to report a false positive when a rule-relevant token is only present as a partial substring inside a larger XML identifier.
In our case, the finding is triggered by DES_ANNO_SHA appearing inside the XML attribute value SCPDES_ANNO_SHAPE_1.
That match does not look semantically valid. It is part of a larger symbolic identifier, not an actual standalone secret or security-relevant token.
Example
XML snippet:
<Setting name="Label shape 1" keyWord="SCPDES_ANNO_SHAPE_1" type="string" value="" description="Name of shape representing label for automatic annotation. If not set, default shape from 'General options'->'Annotation settings'->'Default shapes' will be taken." />
The issue appears to be that DES_ANNO_SHA is detected inside SCPDES_ANNO_SHAPE_1.
Why this looks incorrect
The reported text is:
- only a partial substring
- embedded inside a larger XML keyword/identifier
- not a standalone token
- not meaningful on its own in this context
Matching partial words like this creates noise and makes the result hard to act on.
Expected behavior
DevSkim should avoid reporting this kind of partial-word match in XML attribute values unless the rule explicitly intends substring matching with clear token boundaries.
Environment
- DevSkim CLI used in Azure DevOps pipeline
- File type: XML
Request
Please confirm whether this is an expected rule behavior. If not, this looks like a false positive and the rule should likely enforce stronger token boundaries or identifier-aware matching.
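To make the token-boundary point concrete, here is an added example (not DevSkim's code and not from this report) that contrasts plain substring matching with identifier-aware matching over XML attribute values. The rule token DES_ANNO_SHA is used as a constructed stand-in for whatever the real rule looks for, and the sample XML is constructed: it contains the keyWord value from the report alongside a standalone occurrence and a suffixed one, so the two matchers can be compared.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample document: the attribute value from the report plus two
# contrasting values (one standalone token, one followed by a non-identifier char).
SAMPLE_XML = """<Settings>
  <Setting name="Label shape 1" keyWord="SCPDES_ANNO_SHAPE_1" type="string" value="" />
  <Setting name="Standalone" keyWord="DES_ANNO_SHA" type="string" value="" />
  <Setting name="Suffix form" keyWord="DES_ANNO_SHA-v2" type="string" value="" />
</Settings>"""

# Hypothetical rule token standing in for the text the DevSkim rule reports.
TOKEN = "DES_ANNO_SHA"

# Plain substring matching: fires anywhere the token appears.
SUBSTRING_RE = re.compile(re.escape(TOKEN))

# Identifier-aware matching: the token must not be glued to an identifier
# character on either side, so a hit inside SCPDES_ANNO_SHAPE_1 is rejected.
IDENT_CHAR = r"[A-Za-z0-9_]"
BOUNDED_RE = re.compile(rf"(?<!{IDENT_CHAR}){re.escape(TOKEN)}(?!{IDENT_CHAR})")


def attribute_values(xml_text):
    """Yield (setting name, attribute name, attribute value) for every attribute."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            yield elem.get("name", elem.tag), attr, value


def scan(xml_text, pattern):
    """Return (setting name, attribute) pairs whose value matches the pattern."""
    return [
        (name, attr)
        for name, attr, value in attribute_values(xml_text)
        if pattern.search(value)
    ]


def false_positives(xml_text):
    """Findings the substring matcher reports but the identifier-aware one rejects."""
    loose = set(scan(xml_text, SUBSTRING_RE))
    strict = set(scan(xml_text, BOUNDED_RE))
    return sorted(loose - strict)


if __name__ == "__main__":
    print("substring matches:", scan(SAMPLE_XML, SUBSTRING_RE))
    print("identifier-aware matches:", scan(SAMPLE_XML, BOUNDED_RE))
    print("rejected as partial-identifier hits:", false_positives(SAMPLE_XML))
```

Running it shows the substring matcher flagging all three keyWord values, while the identifier-aware matcher keeps only the standalone and suffixed occurrences and rejects the SCPDES_ANNO_SHAPE_1 hit. A `\b` word boundary would behave the same for this input, since `_` counts as a word character; the explicit character class is used so that what counts as an identifier character (for example `-` or `.`) can be adjusted to the identifier conventions of the file being scanned.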