If TMAS reports a finding that is a false positive or any other finding you want to ignore, instruct TMAS to override these findings by defining one or more rules in an override configuration file (for example, ~/tmas_overrides.yml).
tmas scan secrets <artifact_to_scan> --override path/to/tmas_overrides.yml
The override file uses a YAML structure, defining rules under each scan type.
Secret overrides support multiple targets:
  • paths
  • rules
  • findings
Each override is a list of regular expression patterns; any target that matches one of the patterns is excluded from the results. Each list of patterns must also be accompanied by a reason for implementing the rule (for example, "false positive", "third party dependencies", and so on).
secrets:
  paths:
    - patterns:
        - node_modules
        - .tox
      reason: Third party dependencies
    - patterns:
        - .*_test.go
      reason: Development resources
  rules:
    - patterns:
        - generic_api_key
      reason: A descriptor specifying why the override is implemented
  findings:
    - patterns:
        - "*.example"
      reason: "Used in testing"
A given secret finding is overridden if any of the regular expressions specified in the override file applies to the finding.
Any secret finding that matches a rule is still listed in the JSON report, under the overridden list of findings, rather than being dropped.
{
  "secrets": {
    "totalFilesScanned": 3,
    "unmitigatedFindingsCount": 0,
    "overriddenFindingsCount": 1,
    "findings": {
      "overridden": [
        {
          "ruleID": "aws-access-token",
          "description": "Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms.",
          "secret": "AKIAIRYLJVKMPEXAMPLE",
          "location": {
            "path": "/workdir/test-fixtures/aws_access_key",
            "startLine": 1,
            "endLine": 1,
            "startColumn": 1,
            "endColumn": 20
          }
        }
      ]
    }
  }
}
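To make the matching behaviour above concrete, the following Python script is an added example (not TMAS code) that applies an override configuration to a set of findings and builds a report in the shape shown above. It assumes that paths patterns are matched against location.path, rules patterns against ruleID, and findings patterns against the secret value, that an unanchored regex search is used, that the first matching rule wins, and that unmitigated findings are reported under a findings.unmitigated key; the sample findings are constructed. Python's re module rejects a pattern that starts with `*`, so the findings pattern is written as `.*\.example` here, and validate_patterns() reports any pattern that would not compile.

```python
import re
from typing import Optional

# Override rules, constructed to mirror the YAML override file on the page
# (same shape that yaml.safe_load() would produce). Note that an unescaped
# "." in ".tox" matches any character, so the pattern is broader than intended.
OVERRIDES = {
    "secrets": {
        "paths": [
            {"patterns": ["node_modules", ".tox"], "reason": "Third party dependencies"},
            {"patterns": [".*_test.go"], "reason": "Development resources"},
        ],
        "rules": [
            {"patterns": ["generic_api_key"], "reason": "A descriptor specifying why the override is implemented"},
        ],
        "findings": [
            {"patterns": [r".*\.example"], "reason": "Used in testing"},
        ],
    }
}

# Constructed sample findings in the shape of the report on the page.
SAMPLE_FINDINGS = [
    {"ruleID": "aws-access-token", "secret": "AKIAIRYLJVKMPEXAMPLE",
     "location": {"path": "/workdir/node_modules/foo/config.js", "startLine": 3, "endLine": 3}},
    {"ruleID": "generic_api_key", "secret": "abc123",
     "location": {"path": "/workdir/src/app.py", "startLine": 10, "endLine": 10}},
    {"ruleID": "slack-token", "secret": "xoxb-token.example",
     "location": {"path": "/workdir/src/handler.go", "startLine": 7, "endLine": 7}},
    {"ruleID": "aws-access-token", "secret": "AKIAIRYLJVKMPEXAMPLE",
     "location": {"path": "/workdir/src/deploy.sh", "startLine": 1, "endLine": 1}},
]

# Assumed mapping from override target to the finding field it is matched against.
TARGET_FIELDS = {
    "paths": lambda f: f["location"]["path"],
    "rules": lambda f: f["ruleID"],
    "findings": lambda f: f["secret"],
}


def validate_patterns(overrides: dict) -> list:
    """Return every pattern in the override file that does not compile as a regex."""
    invalid = []
    for target in TARGET_FIELDS:
        for rule in overrides.get("secrets", {}).get(target, []):
            for pattern in rule["patterns"]:
                try:
                    re.compile(pattern)
                except re.error:
                    invalid.append(pattern)
    return invalid


def match_override(finding: dict, overrides: dict) -> Optional[dict]:
    """Return the first override rule that applies to the finding, or None.

    Uses re.search (assumed semantics), so an unanchored pattern such as
    'node_modules' matches anywhere in the path.
    """
    for target, get_value in TARGET_FIELDS.items():
        value = get_value(finding)
        for rule in overrides.get("secrets", {}).get(target, []):
            for pattern in rule["patterns"]:
                if re.search(pattern, value):
                    return {"target": target, "pattern": pattern, "reason": rule["reason"]}
    return None


def apply_overrides(findings: list, overrides: dict, total_files_scanned: int) -> dict:
    """Split findings into overridden and unmitigated and build the report dict.

    Overridden findings keep the rule that suppressed them so reviewers can
    audit why a secret was excluded rather than having it silently vanish.
    """
    overridden, unmitigated = [], []
    for finding in findings:
        hit = match_override(finding, overrides)
        if hit:
            overridden.append({**finding, "override": hit})
        else:
            unmitigated.append(finding)
    return {
        "secrets": {
            "totalFilesScanned": total_files_scanned,
            "unmitigatedFindingsCount": len(unmitigated),
            "overriddenFindingsCount": len(overridden),
            "findings": {"overridden": overridden, "unmitigated": unmitigated},
        }
    }


if __name__ == "__main__":
    import json
    print("invalid patterns:", validate_patterns(OVERRIDES))
    print(json.dumps(apply_overrides(SAMPLE_FINDINGS, OVERRIDES, total_files_scanned=4), indent=2))
```

Running the script shows three findings suppressed (one by path, one by rule ID, one by secret value) and the AWS key in deploy.sh left unmitigated. Checking validate_patterns() before a scan is worthwhile: a pattern that does not compile protects nothing, and a pattern that is too broad, such as an unescaped dot, can suppress real findings without anyone noticing.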