-
Notifications
You must be signed in to change notification settings - Fork 33
Conversation
Why not be more general and just let people filter the JSON with whatever they want (jq, python comprehension, whatever)? |
First, as context, here's my earlier response to this from Slack:
Now, a more specific list of reasons against that solution:
|
Thoughts on naming this semgrep.yml? I feel like we have an opportunity grow this into semgrep’s version of package.json or Dockerfile so we should choose wisely on the name. I would not do .hidden since want people to see that semgrep is installed when running ls |
I'd be okay with it. I just wanted the solution to work from the get-go and iterate in the PR. Should I update the PR to name it |
@underyx is/will this be documented in semgrep-docs? |
Depends on the reaction here, really. Currently I'm not even sure if this PR will be accepted. If there's very good reception from users and r2seers, then we can add it in semgrep-docs. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO we should plan out more what pain point this is solving and if adding more fields and complexity to semgrep-action is the best solution for those problems.
4c07dfd
to
59a26be
Compare
You can add a
.semgrepconfig.yml
that looks like this:Every finding will be checked against these override definitions one by one.
The override definitions will run in the same order you have them in your config file.
An override's actions are applied when all
if.
conditions are true. If an override applies, it'll take actions as described by keys not starting withif.*
.Available conditions
True
if the finding's…if.path
"tests/*"
if.rule_id
"secrets.*aws*"
if.ruleset_id
"secrets"
if.finding_id
"1fd8aac00"
syntactic_id
starts with this valueif.policy_slug
"security*"
if.severity_in
["INFO", "WARNING"]
Available actions
mute
true
# nosemgrep
commentunmute
true
# nosemgrep
commentsset_severity
"INFO"