ShiftLeft lets you suppress findings so that they are excluded from a scan's results. Suppression is applied per scan: it affects only scans run with the configuration described below, and scans that have already completed are unchanged. This is useful for findings you have reviewed and consider false positives.
See sl remediation for detailed CLI information.
Run sl remediation config <filename>.yaml to create a sample config file that you can modify:

```yaml
# Example analysis remediation config
methods:
# - method: org.slf4j.Logger.info:void(java.lang.String,java.lang.Object)
#   tags:
#   - key: category
#     value: Sensitive Data Leak
# - pattern: Logger.debug
#   tags:
#   - key: category
#     value: Sensitive Data Leak
```
Each entry under methods names either an exact method (method) or a pattern (pattern) that ShiftLeft should match. Tags narrow an entry further: a finding is suppressed only if it matches the entry's method or pattern and every tag listed for that entry.
To match every finding of a category regardless of the method involved, use the pattern .*. For example, to match all header injection findings:

```yaml
methods:
- pattern: ".*"
  tags:
  - key: category
    value: Header Injection
```
Add the methods and patterns you want ShiftLeft to identify and suppress to the configuration file you generated. You can test your changes with a dry run:

```
sl remediation dry-run --config <filename>.yaml --app <yourApplication>
```

This prints to the command line the methods ShiftLeft identified as matching the criteria you defined, so you can confirm that the rules suppress only what you intend before they affect a scan.
When you are finished making changes, save your config file.
To run a scan using the configuration file you defined, pass it to sl analyze with the --remediation-config flag:

```
sl analyze --app <yourApplication> --remediation-config <filename>.yaml --java <path-to-target>
```
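The following is a complete remediation config that combines the three forms described above (exact method, pattern, and category-wide wildcard) and documents why each rule exists. It is an added illustration, not a file from the ShiftLeft documentation. Only the fields shown on this page (methods, method, pattern, tags, key, value) are used; the justification comments and the claim that an exact method entry does not match other overloads of the same method are assumptions to verify with a dry run against your own application.

```yaml
# remediation.yaml (added example, not part of the original page).
# Each entry under "methods" is an independent rule. A finding is
# suppressed when it matches the rule's method or pattern AND every
# tag listed on that rule, so tags only ever narrow a rule.
methods:
# 1. Exact match: suppress Sensitive Data Leak findings whose sink is
#    this specific slf4j overload. Because the full signature is part of
#    the entry, other Logger.info overloads are assumed not to match.
- method: org.slf4j.Logger.info:void(java.lang.String,java.lang.Object)
  tags:
  - key: category
    value: Sensitive Data Leak

# 2. Pattern match: any sink matching "Logger.debug", again restricted to
#    the Sensitive Data Leak category. Justification (assumed for this
#    example): debug logging is disabled in production builds. Record the
#    reason in the file so the suppression is revisited if that changes.
- pattern: Logger.debug
  tags:
  - key: category
    value: Sensitive Data Leak

# 3. Category-wide suppression: ".*" matches every method, so this rule
#    drops all Header Injection findings. Use this only after the whole
#    category has been ruled out for the application, and confirm with a
#    dry run that the rule does not sweep in more than intended.
- pattern: ".*"
  tags:
  - key: category
    value: Header Injection
```

Check the file with sl remediation dry-run --config remediation.yaml --app <yourApplication> and compare the printed matches against what you expected to suppress; the wildcard rule in particular should be reviewed there. Then scan with sl analyze --app <yourApplication> --remediation-config remediation.yaml --java <path-to-target>. Keep the file in version control next to the application so suppressions are reviewed like any other change.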
You can undo a suppression by updating or removing the configuration file; the affected findings reappear in subsequent scans.