Ignore via code with .aikido files

The .aikido file (YAML-formatted) lets you ignore specific CVEs and exclude specific paths from Aikido scans. The .aikido file is read automatically whenever a scan is started.

Setting up the .aikido file

Create the .aikido file within the root of your repository.

Ignore CVEs and exclude specific paths

Ignore CVEs

To ignore CVEs, add them to the .aikido YAML file together with a reason. The Aikido UI will also show that these specific CVEs are ignored, with a reference to the .aikido file.

Exclude Paths

The exclude key and its paths subkey let you hide specific files and directories from Aikido code scanning. Paths listed here are automatically excluded from secrets, SAST and lockfile scans.

Note: each path must be a complete path from your repository's root; wildcards are not supported.

ignore:
  cves:
    CVE-2020-8203:
      reason: We do not care about this CVE
exclude:
  paths:
    - src/useless-folder
    - src/index.js
    - package-lock.json
    - package.json
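As an added illustration (not Aikido's own code), the Python below checks a parsed .aikido policy against the two constraints stated above (every ignored CVE carries a reason; excluded paths are complete root-relative paths without wildcards) and shows how findings would be classified. AIKIDO_CONFIG is the dict yaml.safe_load would return for the example above; the sample findings and the matching rules (a listed directory covers everything beneath it, and a path exclusion takes precedence over a CVE ignore) are assumptions made for this example.

```python
# Constructed: the dict yaml.safe_load() returns for the .aikido example above.
AIKIDO_CONFIG = {
    "ignore": {"cves": {"CVE-2020-8203": {"reason": "We do not care about this CVE"}}},
    "exclude": {"paths": ["src/useless-folder", "src/index.js", "package-lock.json", "package.json"]},
}

# Constructed sample findings, as a scanner might report them (cve is None for non-CVE findings).
FINDINGS = [
    {"cve": "CVE-2020-8203", "path": "package-lock.json", "kind": "dependency"},
    {"cve": "CVE-2020-8203", "path": "yarn.lock", "kind": "dependency"},
    {"cve": None, "path": "src/useless-folder/db.js", "kind": "secret"},
    {"cve": None, "path": "src/app.js", "kind": "sast"},
]


def validate_config(config):
    """Return a list of problems; an empty list means the policy is usable."""
    problems = []
    for cve, entry in ((config.get("ignore") or {}).get("cves") or {}).items():
        if not cve.startswith("CVE-"):
            problems.append(f"{cve}: not a CVE identifier")
        if not (entry or {}).get("reason"):
            problems.append(f"{cve}: ignored without a reason")
    for path in (config.get("exclude") or {}).get("paths") or []:
        if any(ch in path for ch in "*?["):
            problems.append(f"{path}: wildcards are not supported")
        if path.startswith(("/", "./", "../")) or "/../" in path:
            problems.append(f"{path}: must be a complete path from the repository root")
    return problems


def is_excluded(path, excluded_paths):
    """True if path equals an excluded entry or lies inside an excluded directory (assumed semantics)."""
    return any(path == ex or path.startswith(ex.rstrip("/") + "/") for ex in excluded_paths)


def apply_policy(config, findings):
    """Classify each finding as 'excluded', 'ignored' (with its reason) or 'report'."""
    ignored = (config.get("ignore") or {}).get("cves") or {}
    excluded = (config.get("exclude") or {}).get("paths") or []
    result = []
    for finding in findings:
        if is_excluded(finding["path"], excluded):
            result.append((finding, "excluded", None))
        elif finding.get("cve") in ignored:
            result.append((finding, "ignored", ignored[finding["cve"]]["reason"]))
        else:
            result.append((finding, "report", None))
    return result
```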

Excluding SAST findings using comments

You can ignore a specific SAST finding by placing a // nosemgrep comment on the first line of the pattern match or on the line preceding it. The finding will then be ignored in the Aikido feed and marked as manually suppressed by the developer.

Below are some examples of how a NoSQL injection finding can be ignored using comments.

Ignore by adding the comment to the line preceding the detected issue:

module.exports = function trackOrder () {
    return (req: Request, res: Response) => {
        const id = foo.a() ? String(req.params.id) : req.params.id
        // nosemgrep
        Solution.findOne({ _id: req.body.id }) 
    }
}

Ignore by adding the comment to the first (or only) line of the detected issue:

module.exports = function trackOrder () {
    return (req: Request, res: Response) => {
        const id = foo.a() ? String(req.params.id) : req.params.id
        Solution.findOne({ _id: req.body.id }) // nosemgrep
    }
}