
Provide granular exemptions from SAST vulnerability findings

Problem to solve

As a user, I want to exclude parts of my application SAST detection on a per-line or per-block basis.

Intended users

User experience goal

When using Category:SAST, we can filter out paths or files with the SAST_EXCLUDED_PATHS environment variable. This works for many cases, but it is too coarse a control: to make SAST ignore findings, we have to exclude whole files or whole directories. Any attempt to exempt only part of a file forces us to expose scanner-specific details about how each underlying scanner turns off individual rules for a given line or range of lines.

Proposal

Further details

Permissions and Security

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references