If TMAS reports a finding that is a false positive, or any other finding you want to ignore, instruct TMAS to override these findings by defining one or more rules in an override configuration file (for example, ~/tmas_overrides.yml) and passing that file to the scan:

    tmas scan secrets <artifact_to_scan> --override path/to/tmas_overrides.yml
The override file uses a YAML structure that defines rules under each scan type. Secret overrides support multiple targets:

- paths
- rules
- findings

Each override is a list of regular expression patterns that cause the matching target to be excluded. Each list of patterns must also be accompanied by a reason for implementing the rule (for example, "false positive", "third party dependencies", and so on).
    secrets:
      paths:
        - patterns:
            - node_modules
            - .tox
          reason: Third party dependencies
        - patterns:
            - .*_test.go
          reason: Development resources
      rules:
        - patterns:
            - generic_api_key
          reason: A descriptor specifying why the override is implemented
      findings:
        - patterns:
            - "*.example"
          reason: "Used in testing"
A given secret finding is overridden if any of the regular expressions specified in the override file applies to it.
Any secret finding that matches a rule is presented in the JSON report under the overridden list of findings, and counted in overriddenFindingsCount rather than unmitigatedFindingsCount:

    {
      "secrets": {
        "totalFilesScanned": 3,
        "unmitigatedFindingsCount": 0,
        "overriddenFindingsCount": 1,
        "findings": {
          "overridden": [
            {
              "ruleID": "aws-access-token",
              "description": "Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms.",
              "secret": "AKIAIRYLJVKMPEXAMPLE",
              "location": {
                "path": "/workdir/test-fixtures/aws_access_key",
                "startLine": 1,
                "endLine": 1,
                "startColumn": 1,
                "endColumn": 20
              }
            }
          ]
        }
      }
    }