Comments (6)
Hello,
We are planning on adding options to specify baseline / suppression files to this task soon. For the time being, you can take advantage of the fact that the /.gdn/.gdnsuppress file is automatically loaded and used, without specifying it. In the case of Azure Devops, since MSDO runs one level above the Build.SourcesDirectory, you will need to copy the suppression file from your source(
As for credscan, can you please provide an example / file of something you'd expect to trigger a failure?
Thanks!
from security-devops-azdevops.
Hi @boAndron ,
You can find the example Python file with the password hardcoded in the below screenshot
Looking forward to your suggestions.
from security-devops-azdevops.
Hello @rahul-subash! I will send this to the CredScan team, but if I remember correctly this is by design. Some strings like "test_password" (and variants) are intentionally ignored to avoid false positives on test data. Try a random string and see if you get a hit. I'll circle back when I have a response from CredScan.
from security-devops-azdevops.
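The behaviour described in the comment above (placeholder values such as "test_password" deliberately not reported, a random-looking string reported) can be reproduced with a small scanner. The code below is an added example written for this page; it is not CredScan's code and its placeholder word list and regular expressions are assumptions chosen to illustrate the trade-off, not CredScan's actual rules. The sample lines are constructed for the example.

```python
"""Toy hard-coded credential scanner illustrating placeholder suppression.

Added example, not CredScan's implementation. The word list and patterns
below are assumptions for illustration only.
"""
import re
from dataclasses import dataclass

# A string literal assigned to a credential-looking name, e.g. password = "..."
ASSIGN_RE = re.compile(
    r"""(?P<name>[A-Za-z_]*(?:password|passwd|pwd|secret|api_?key|token))"""
    r"""\s*[=:]\s*(?P<quote>["'])(?P<value>[^"']*)(?P=quote)""",
    re.IGNORECASE,
)

# Assumed placeholder vocabulary: values built only from these words (plus digits)
# are treated as test data and skipped, which is the false-positive/false-negative
# trade-off the thread ran into.
PLACEHOLDER_WORDS = {
    "test", "dummy", "example", "sample", "fake", "changeme", "placeholder",
    "password", "passwd", "pwd", "secret", "token", "xxx",
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    name: str
    value: str


def is_placeholder(value: str) -> bool:
    """True when every token of the value is a placeholder word or a number."""
    tokens = [t for t in re.split(r"[_\-\s]+", value.lower()) if t]
    if not tokens:
        return True  # empty literal: nothing that could leak
    return all(
        t.isdigit() or t.rstrip("0123456789") in PLACEHOLDER_WORDS
        for t in tokens
    )


def scan(lines):
    """Return a Finding for each non-placeholder credential literal."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for m in ASSIGN_RE.finditer(line):
            if is_placeholder(m.group("value")):
                continue  # suppressed by design, as CredScan does for test values
            findings.append(Finding(line_no, m.group("name"), m.group("value")))
    return findings


# Constructed sample input for the example (not from the original issue).
SAMPLE = [
    'DB_PASSWORD = "test_password"',   # placeholder: not reported
    'password = "Test_Password123"',   # variant of a placeholder: not reported
    'api_key = "x7Qm9vL2pR4sT8wZ"',    # random-looking string: reported
    'token = ""',                      # empty: not reported
    'secret = "hunter2"',              # weak but real-looking: reported
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.name} = {f.value!r}")
```

The point for a practitioner is the last sample line: the allow-list only removes values that look like test data, so a genuine secret that happens to be a dictionary word is still reported, while a real secret that someone named "test_secret" would be missed. When checking whether a scanner works, use a random value rather than a placeholder, as the comment above recommends.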
Hi @boAndron,
It worked fine now after changing the password.
Regarding the suppression file, I have followed your instruction by renaming our suppression file from credscan-suppressions.json to .gdnsuppress, created a folder (Build.SourcesDirectory)/../.gdn, and moved the suppression file .gdnsuppress to (Build.SourcesDirectory)/../.gdn. It didn't work.
When I checked the pipeline console I noticed this, where the yellow highlighted path is the Build.SourcesDirectory, and then I came to know that the .gdn folder is in the root path. So I moved the .gdnsuppress file to (Build.SourcesDirectory)/.gdn, but then too it didn't work.
All I doubt is the format of the suppression file. We have the suppression file in JSON format. May I know whether the JSON format is fine for the .gdnsuppress file?
Looking forward to your suggestions.
from security-devops-azdevops.
@rahul-subash @boAndron - Hey, are you able to suppress cred scan false positives?
I'm using the ADO task MicrosoftSecurityDevOps@1.
Are you also using the same task, and did you also try suppressing the cred scan results?
Can you please share how you are suppressing it?
Thanks
from security-devops-azdevops.
I'm able to suppress the credscan results. You have to create a folder named .gdn at the root of your repository and create a file named .gdnsuppress. Please follow the instructions in this comment to configure the gdnsuppress file content.
The tool will by default check for this file, /.gdn/.gdnsuppress; if present, it will consider this as a suppression file.
Welcome
from security-devops-azdevops.