semgrep

how to ignore a single rule globally with semgrep


We are using semgrep to validate our C# in CI. The calling of it is managed by the larger enterprise and we have no control over it, or over adding command line parameters etc.

There's a rule we very much don't agree with. We can embed a comment in the code to ignore the rule every time it comes up, and that works, but it is onerous. We can ignore a whole file by putting its name in .semgrepignore, and that works too.

What we'd like to do is put a rule in something like an ignore file and ignore that rule everywhere in the project. Is that possible?


Solution

There are 5 options here:

    1. Add the comment //nosemgrep in the code (you mentioned it).
    2. Add exclude paths/files to the .semgrepignore file (you mentioned it).
    3. You can add the flag --exclude-rule (but I understand it is not an option for you, as you cannot control the command line). Example: semgrep ci --exclude-rule csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization
    4. You can remove that rule from the Rule Board (it will then not apply that rule in following scans for all projects). Note that in the next semgrep version (coming this quarter) you will be able to manage rulesets per project. You may need permission to manage policies in Semgrep App.
    5. You can fork the rule and add exclude patterns in the rule: https://semgrep.dev/docs/writing-rules/rule-syntax/#paths

    Note: Semgrep Community Slack is very active with questions like this.
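As an added illustration of option 5 (not part of the original answer), here is what a forked rule file with per-rule `paths` scoping looks like. The rule id, message and the pattern are constructed placeholders for a C# authorization check, not the registry rule's real logic; only the `paths` block and the top-level keys are the documented Semgrep syntax.

```yaml
rules:
  - id: missing-or-broken-authorization-forked   # constructed id for our fork
    languages: [csharp]
    severity: WARNING
    message: >-
      Controller action appears to be reachable without [Authorize].
      Forked copy of the registry rule with project-wide path exclusions.
    metadata:
      # keep a pointer to the upstream rule we forked so reviewers can diff them
      forked-from: csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization
    # Constructed placeholder pattern: illustrative only, NOT the upstream rule's actual matching logic.
    patterns:
      - pattern-inside: |
          public class $CTRL : Controller { ... }
      - pattern: |
          public IActionResult $METHOD(...) { ... }
    # Per-rule scoping: files matching `exclude` are never scanned by this rule,
    # even when the enterprise CI invocation passes no command line flags.
    paths:
      exclude:
        - "*.Designer.cs"      # generated UI code
        - "src/Legacy"         # whole directory tree we have accepted the risk for
      include:
        - "src"
```

To disable the rule across the whole project with this mechanism, the `exclude` list would have to cover every source directory, so the Rule Board (option 4) is the cleaner way to switch it off globally; `paths` is better suited to carving out specific areas.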