FAQ

How can I ignore a finding?

It is possible that something BoostSecurity found is not actually a problem. In that case, add a noboost comment at the end of the flagged line to tell the scanner to ignore it.

In languages like Java, JavaScript, and TypeScript, use the following:

someLineFlaggedByBoost() // noboost

For languages like Python, Ruby, or Terraform, ignore a line as follows:

someFlaggedLine() # noboost

To ignore only specific rules on that line rather than every finding, list the rule names after noboost, separated by spaces.

someLineFlaggedByBoost() // noboost rule1 rule2
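Suppressions of this kind are easy to add and easy to forget. The following script is an added example, not part of the BoostSecurity FAQ or scanner: it scans source text for the trailing noboost marker described above, records any rule names listed after it, and separates blanket suppressions (no rule named, so every finding on the line is silenced) from rule-specific ones so they can be reviewed. Only the marker syntax shown in this FAQ is assumed; the sample files and their contents are constructed.

```python
"""Inventory of noboost suppression comments in source text.

Added example, not part of the BoostSecurity FAQ or scanner. It scans
source lines for the trailing `// noboost` or `# noboost` marker, records
any rule names listed after it, and separates blanket suppressions (no
rule named) from rule-specific ones. Only the marker syntax shown in the
FAQ is assumed; the sample files below are constructed.
"""
import re
from dataclasses import dataclass, field

# `//` covers the Java/JavaScript/TypeScript form, `#` the Python/Ruby/
# Terraform form. This is a textual scan, not a tokenizer, so a marker
# inside a string literal is reported too (still worth a look in review).
_NOBOOST_RE = re.compile(r"(?://|#)\s*noboost\b(?P<rules>.*)$")


@dataclass
class Suppression:
    line_no: int                       # 1-based line number
    code: str                          # the code preceding the marker
    rules: list[str] = field(default_factory=list)  # empty = every rule


def find_suppressions(source: str) -> list[Suppression]:
    """Return every noboost suppression in `source`, in file order."""
    found = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = _NOBOOST_RE.search(line)
        if m is None:
            continue
        rules = m.group("rules").split()   # "rule1 rule2" -> ["rule1", "rule2"]
        found.append(Suppression(line_no, line[:m.start()].strip(), rules))
    return found


def blanket_suppressions(source: str) -> list[Suppression]:
    """Suppressions that name no rule: these silence every finding on the
    line, so they deserve the closest review."""
    return [s for s in find_suppressions(source) if not s.rules]


# Constructed sample inputs (not real project code).
SAMPLE_JS = """\
const q = buildQuery(userInput); // noboost
const r = exec(q); // noboost rule1 rule2
const safe = escape(userInput); // plain comment, not a suppression
"""
SAMPLE_PY = """\
subprocess.run(cmd, shell=True)  # noboost subprocess-shell
x = compute()  # noboost
"""

if __name__ == "__main__":
    for name, text in (("sample.js", SAMPLE_JS), ("sample.py", SAMPLE_PY)):
        for s in find_suppressions(text):
            scope = ", ".join(s.rules) if s.rules else "ALL RULES"
            print(f"{name}:{s.line_no}: [{scope}] {s.code}")
```

Running the script lists each suppressed line with the rules it covers; lines marked ALL RULES are the blanket suppressions that hide any future finding on that line, which is why they are worth tracking separately.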

How can I ignore multiple files or entire directories?

BoostSecurity supports ignoring entire files and directories: commit a .boostignore file to the root of the project.

The file uses the same format as a .gitignore file, for example:

ignore-one-file
a/**
a/b/**/c/**

BoostSecurity recommends using the following published .boostignore file, which reduces common false positives across various languages and frameworks.

What if I want a different policy on each repository?

Warning: The repository-level policy feature is still under active development.

BoostSecurity supports repository-level policies by adding a sectool-config.json file to your repository. The contents of sectool-config.json follow the exact format of the org-level policy as shown in the code editor of the Policy page.

How do I make sure certain files are not deleted during a Diff-scan?

BoostSecurity optimizes tool runtime by scanning only modified files (where appropriate) on pull request runs. To specify critical files that must not be dropped, commit a .boostinclude file to the root of the project. This file tells BoostSecurity which files to always retain when preparing the working directory for a diff-scan, and it has the same format as the .boostignore file. For example:

# Scripts used to run tools:
bin/**/*

# Configuration for tools:
config/**/*
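Because both .boostignore (above) and .boostinclude use .gitignore syntax, it helps to check which paths a given file actually covers before committing it. The matcher below is an added example and is not BoostSecurity's own implementation: the FAQ only says the format is that of .gitignore, so the matching rules here are the gitignore conventions as this example applies them (a pattern without a slash matches a name at any depth, ** spans any number of directories, and a pattern that matches a directory covers everything beneath it). Negation with ! is not handled. The file contents and paths are constructed from the FAQ's examples.

```python
"""Gitignore-style matcher for .boostignore / .boostinclude contents.

Added example, not BoostSecurity's implementation. Patterns follow
gitignore conventions as understood here: a bare name matches at any
depth, `**` spans directories, `*` and `?` stay within one segment, and a
pattern matching a directory covers everything below it. `!` negation is
not supported. All inputs below are constructed.
"""
import re


def _segment_to_regex(segment: str) -> str:
    # `*` and `?` never cross a '/'; every other character is literal.
    out = []
    for ch in segment:
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
    return "".join(out)


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile one pattern. It is matched against a path with a trailing
    '/' appended, so files and directories are handled uniformly."""
    raw = pattern.strip()
    # A leading '/' or an inner '/' anchors the pattern to the root.
    anchored = raw.startswith("/") or "/" in raw.rstrip("/")
    regex = "^" if anchored else "^(?:[^/]+/)*"
    for part in raw.strip("/").split("/"):
        if part == "**":
            regex += "(?:[^/]+/)*"          # zero or more whole segments
        else:
            regex += _segment_to_regex(part) + "/"
    return re.compile(regex + "$")


def load_patterns(text: str) -> list[re.Pattern]:
    """Parse the contents of a .boostignore or .boostinclude file."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                        # blank line or comment
        patterns.append(pattern_to_regex(line))
    return patterns


def _candidates(path: str) -> list[str]:
    """The path and each of its ancestor directories, each with a trailing
    '/'. A match on an ancestor means a directory pattern covers the path."""
    segments = path.strip("/").split("/")
    return ["/".join(segments[:i]) + "/" for i in range(1, len(segments) + 1)]


def is_matched(path: str, patterns: list[re.Pattern]) -> bool:
    return any(p.match(c) for p in patterns for c in _candidates(path))


def partition(paths: list[str], text: str) -> tuple[list[str], list[str]]:
    """Split `paths` into (matched, unmatched) for the given file contents."""
    patterns = load_patterns(text)
    matched = [p for p in paths if is_matched(p, patterns)]
    unmatched = [p for p in paths if p not in matched]
    return matched, unmatched


# Constructed sample: the FAQ's example patterns plus a few invented paths.
BOOSTIGNORE = """\
ignore-one-file
a/**
a/b/**/c/**
"""
BOOSTINCLUDE = """\
# Scripts used to run tools:
bin/**/*

# Configuration for tools:
config/**/*
"""
SAMPLE_PATHS = [
    "ignore-one-file",
    "src/ignore-one-file",
    "a/x.py",
    "a/b/y/c/z.py",
    "src/main.py",
    "bin/run.sh",
    "config/tools/semgrep.yml",
    "config",
]

if __name__ == "__main__":
    ignored, kept = partition(SAMPLE_PATHS, BOOSTIGNORE)
    print("ignored by .boostignore:", ignored)
    print("still scanned:", kept)
    retained, _ = partition(SAMPLE_PATHS, BOOSTINCLUDE)
    print("always retained for diff-scan by .boostinclude:", retained)
```

Note that bin/**/* matches files inside bin but not the bin directory itself, which is the usual gitignore behaviour; if that distinction matters for a .boostinclude, run the file's patterns through a check like this against the repository's real path list before relying on it.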

How do I prevent scanner failures from impacting my pipelines?

BoostSecurity Scanner may optionally be configured to ignore most exceptions and return a successful exit code in case of failure. To enable this, either pass the --ignore-failures command line option or set the BOOST_IGNORE_FAILURE=true environment variable. With this setting enabled, the pipeline step succeeds even if the scan itself did not complete, so scanner errors are then visible only in the scanner's own output.

How can I add another administrator to my account?

Please have a current administrator submit a request that includes that user’s email address.