
Support Exception Management Workflow #13

Closed
abhisek opened this issue Feb 9, 2023 · 2 comments
Labels
enhancement New feature or request

Comments

abhisek (Member) commented Feb 9, 2023

Requirement

As a security engineer, I want to adopt vet in CI/CD as a security gate to prevent introduction of new packages that violate my policy, so that I can prevent increasing security & technical debt while I work on mitigating the existing problem.

This basically means we need to provide a way to add the existing findings at the time of adoption into an exception list. The filters can ignore packages in exception list to prevent vet failing in CI for existing packages.

Proposed Workflow

Use vet query command to generate exception list

vet query --from /path/to/json-dump --exception-add --exception-file /path/to/exceptions.yml

Subsequently, when filter query is executed, the packages in exception list should be ignored. vet should also load a default exceptions file if available from:

  1. $PWD/.vet/exceptions.yml
  2. $scanDirectory/.vet/exceptions.yml

CI Integration

The generated exceptions.yml should be pushed to repository in a standard path for autoload such as .vet/exceptions.yml or explicitly passed as param during scan

vet scan -D /path/to/repo --exception-file /path/to/exception.yml --filter '...' --filter-fail
@abhisek abhisek added the enhancement New feature or request label Feb 16, 2023
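The baseline-then-gate workflow proposed above, as an added example that is not part of this issue or of vet's code base: a small Python model in which the findings dump shape, the exception file layout (a flat YAML subset that the example itself writes and reads back), the version-scoped exception key and the expiry field are all assumptions made here to illustrate the workflow, not features of vet. The two dumps are constructed sample data.

```python
import json
from datetime import date, timedelta

# Constructed sample findings dumps. The shape (packages with a violations list)
# is an assumption for this example, not vet's real JSON dump schema.
SAMPLE_DUMP = json.dumps({"packages": [
    {"ecosystem": "npm", "name": "lodash", "version": "4.17.20",
     "violations": ["vulnerability:critical"]},
    {"ecosystem": "npm", "name": "express", "version": "4.18.2", "violations": []},
    {"ecosystem": "pypi", "name": "requests", "version": "2.25.1",
     "violations": ["license:unknown"]},
]})

# A later scan of the same repository: lodash bumped to a still-violating
# version and a new violating package introduced (constructed).
LATER_DUMP = json.dumps({"packages": [
    {"ecosystem": "npm", "name": "lodash", "version": "4.17.21",
     "violations": ["vulnerability:critical"]},
    {"ecosystem": "pypi", "name": "requests", "version": "2.25.1",
     "violations": ["license:unknown"]},
    {"ecosystem": "npm", "name": "left-pad", "version": "1.3.0",
     "violations": ["maintenance:abandoned"]},
]})


def load_findings(dump_text):
    """Return only the packages that currently violate the policy."""
    return [p for p in json.loads(dump_text)["packages"] if p["violations"]]


def package_key(pkg):
    # Exceptions are scoped to the exact version seen at adoption time, so a
    # version bump that still violates, or a brand-new package, is not excused.
    return (pkg["ecosystem"], pkg["name"], pkg["version"])


def generate_exceptions(findings, created, ttl_days=180):
    """Baseline every current finding; 'created' is an ISO date string.

    Each entry carries an expiry so the baseline is revisited, not forgotten.
    """
    expires = (date.fromisoformat(created) + timedelta(days=ttl_days)).isoformat()
    return [{"ecosystem": f["ecosystem"], "name": f["name"],
             "version": f["version"], "expires": expires} for f in findings]


def dump_exceptions(entries):
    """Write entries in the flat YAML subset this example defines."""
    lines = ["exceptions:"]
    for e in entries:
        lines.append(f"  - ecosystem: {e['ecosystem']}")
        for key in ("name", "version", "expires"):
            lines.append(f"    {key}: {e[key]}")
    return "\n".join(lines) + "\n"


def parse_exceptions(text):
    """Read that subset back: a list of mappings whose values are all scalars."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "exceptions:":
            continue
        if line.startswith("- "):          # start of a new list item
            entries.append({})
            line = line[2:]
        key, _, value = line.partition(":")
        entries[-1][key.strip()] = value.strip()
    return entries


def apply_exceptions(findings, exceptions, today):
    """Drop findings covered by an unexpired exception; 'today' is an ISO date string."""
    now = date.fromisoformat(today)
    active = {(e["ecosystem"], e["name"], e["version"]) for e in exceptions
              if date.fromisoformat(e["expires"]) >= now}
    return [f for f in findings if package_key(f) not in active]


def gate(dump_text, exceptions_text, today):
    """CI gate: returns (fail, remaining); fail is True when any finding is not excused."""
    remaining = apply_exceptions(load_findings(dump_text),
                                 parse_exceptions(exceptions_text), today)
    return bool(remaining), remaining


if __name__ == "__main__":
    baseline = dump_exceptions(generate_exceptions(load_findings(SAMPLE_DUMP), "2023-02-09"))
    print(baseline)
    for label, dump, day in (("adoption", SAMPLE_DUMP, "2023-02-09"),
                             ("later scan", LATER_DUMP, "2023-03-01"),
                             ("after expiry", SAMPLE_DUMP, "2023-09-01")):
        fail, remaining = gate(dump, baseline, day)
        print(f"{label}: fail={fail} remaining={[package_key(r) for r in remaining]}")
```

Two design choices matter for the gate to stay honest. Keying exceptions on the exact version rather than the package name means a dependency bump to another still-violating version, or any newly introduced package, fails the build instead of inheriting the baseline. Giving each entry an expiry forces the list to be regenerated or trimmed periodically, so the baseline cannot quietly become a permanent allow-list.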
abhisek (Member, Author) commented Feb 16, 2023

@jchauhan Can you review this and add your suggestion?

jchauhan-fc commented

Can we just make a small change?

vet query --generate-exception --from /path/to/json-dump  --exception-out-file /path/to/exceptions.yml
OR 
vet generate-exception  --from /path/to/json-dump  --exception-out-file /path/to/exceptions.yml

We can also suggest it as a step while generating the GitHub action, or even generate it?
