FAQ
How can I ignore a finding?
It is possible that something BoostSecurity found is not actually a problem. In this case, you may add a noboost comment at the end of the line to tell the scanner to ignore it.
In languages like Java, JavaScript, and TypeScript, use the following:
someLineFlaggedByBoost() // noboost
For languages like Python, Ruby, or Terraform, ignore a line as follows:
someFlaggedLine() # noboost
You can also limit the suppression to specific rules by listing each rule name after noboost, separated by spaces.
someLineFlaggedByBoost() // noboost rule1 rule2
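Suppressions are easy to add and easy to forget, so it is worth being able to list them during review. The following Python helper is an added example, not BoostSecurity's own code: it recognises the documented syntax (a trailing `// noboost` or `# noboost`, optionally followed by space-separated rule names), tells blanket suppressions apart from rule-scoped ones, and audits a file for them. The sample source and the rule names `rule-a` and `rule-b` are constructed placeholders.

```python
import re
from typing import List, Optional, Tuple

# Added helper for auditing noboost suppressions; not BoostSecurity's own code.
# Syntax per the FAQ: a trailing "// noboost" (Java, JavaScript, TypeScript)
# or "# noboost" (Python, Ruby, Terraform), optionally followed by
# space-separated rule names that narrow the suppression to those rules.
NOBOOST_RE = re.compile(r"(?://|#)\s*noboost(?:\s+(?P<rules>\S.*?))?\s*$")


def parse_suppression(line: str) -> Optional[List[str]]:
    """Return the rule names a line suppresses: [] for a blanket noboost,
    a list of names for a scoped one, or None if the line has no marker."""
    m = NOBOOST_RE.search(line)
    if m is None:
        return None
    rules = m.group("rules")
    return rules.split() if rules else []


def is_suppressed(line: str, rule: str) -> bool:
    """True if a finding for `rule` reported on this line would be ignored."""
    rules = parse_suppression(line)
    return rules is not None and (rules == [] or rule in rules)


def audit(source: str) -> List[Tuple[int, List[str]]]:
    """List every suppression in a file as (1-based line number, rules).
    Blanket suppressions (empty rule list) deserve the closest review,
    since they hide every current and future finding on that line."""
    found = []
    for number, line in enumerate(source.splitlines(), start=1):
        rules = parse_suppression(line)
        if rules is not None:
            found.append((number, rules))
    return found


# Constructed sample input; "rule-a" and "rule-b" are placeholder rule names.
# Line 2 shows that "noboost" inside a string does not count: the marker
# must end the line.
SAMPLE_SOURCE = """\
const rows = db.query(buildQuery(req)) // noboost rule-a rule-b
const link = "<a href='//noboost.example'>x</a>"
runUntrusted(req.body) // noboost
"""

if __name__ == "__main__":
    for number, rules in audit(SAMPLE_SOURCE):
        scope = "ALL RULES" if not rules else ", ".join(rules)
        print(f"line {number}: suppressed {scope}")
```

Running the audit over a repository before merging gives reviewers a short list of lines whose findings will never be reported; a suppression with no rule names is the one to question first.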
How can I ignore multiple files or entire directories?
BoostSecurity supports ignoring entire files and directories by simply committing a .boostignore file to the root of the project.
The file uses the same format as .gitignore files, for example:
ignore-one-file
a/**
a/b/**/c/**
BoostSecurity recommends using the following published .boostignore file, which will reduce common false positives across various languages and frameworks.
What if I want a different policy on each repository?
Warning: The repository-level policy feature is still under active development.
BoostSecurity supports repository-level policies by adding a sectool-config.json file to your repository. The contents of the sectool-config.json follow the exact format of the org-level policy when viewed in the code editor of the Policy page.
How do I make sure certain files are not deleted during a Diff-scan?
BoostSecurity optimizes tool runtime by scanning only modified files (where appropriate) on pull request runs. In order to specify critical files that should not be ignored, a .boostinclude file can be committed to the root of the project. This file tells BoostSecurity what files to always retain when preparing the working directory for a diff-scan and has the same format as the .boostignore file. An example has been provided below:
# Scripts used to run tools:
bin/**/*
# Configuration for tools:
config/**/*
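Both .boostignore (above) and .boostinclude use gitignore-style patterns, and the interesting part is what `*`, `**` and an unanchored name actually match. The Python below is an added example, not BoostSecurity's own matcher: it translates each pattern into a regex under the usual gitignore rules (`*` and `?` never cross a `/`, `**` spans any number of directories, a pattern without a `/` matches a name at any depth, and a match on a directory covers its contents), then applies the two files shown on this page to a constructed repository listing. Negated (`!`) patterns are left out, and the way `files_for_diff_scan` combines changed files with .boostinclude is an assumption; the page does not describe how BoostSecurity orders that against .boostignore.

```python
import re
from typing import Iterable, List

# Added example implementing gitignore-style matching for .boostignore and
# .boostinclude; this is not BoostSecurity's own code. Negation ("!") is
# deliberately not handled.


def gitignore_to_regex(pattern: str) -> "re.Pattern":
    """Translate one gitignore-style pattern into an anchored regex."""
    pat = pattern.strip()
    # A slash anywhere but the end anchors the pattern to the project root.
    anchored = "/" in pat.rstrip("/")
    pat = pat.strip("/")
    parts: List[str] = []
    i = 0
    while i < len(pat):
        if pat.startswith("**/", i):
            parts.append("(?:.*/)?")   # zero or more directory levels
            i += 3
        elif pat.startswith("**", i):
            parts.append(".*")         # trailing "**": everything below
            i += 2
        elif pat[i] == "*":
            parts.append("[^/]*")      # wildcard within one path segment
            i += 1
        elif pat[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pat[i]))
            i += 1
    prefix = "^" if anchored else "^(?:.*/)?"
    # "(?:/.*)?" lets a match on a directory cover its contents too.
    return re.compile(prefix + "".join(parts) + "(?:/.*)?$")


def load_patterns(text: str) -> List["re.Pattern"]:
    """Parse a .boostignore / .boostinclude body, skipping blanks and # comments."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            patterns.append(gitignore_to_regex(line))
    return patterns


def matches_any(path: str, patterns: Iterable["re.Pattern"]) -> bool:
    return any(p.search(path) for p in patterns)


def files_after_ignore(files: Iterable[str], boostignore: str) -> List[str]:
    """Drop every path that .boostignore excludes."""
    ignore = load_patterns(boostignore)
    return [f for f in files if not matches_any(f, ignore)]


def files_for_diff_scan(files: Iterable[str], changed: Iterable[str],
                        boostinclude: str) -> List[str]:
    """Working set for a pull-request run: the changed files plus every file
    .boostinclude says must always be retained. How BoostSecurity itself
    orders this against .boostignore is not documented here (assumption)."""
    keep = load_patterns(boostinclude)
    changed_set = set(changed)
    return sorted(f for f in files if f in changed_set or matches_any(f, keep))


# The two files exactly as shown on this page.
BOOSTIGNORE = "ignore-one-file\na/**\na/b/**/c/**\n"
BOOSTINCLUDE = ("# Scripts used to run tools:\nbin/**/*\n"
                "# Configuration for tools:\nconfig/**/*\n")

# Constructed repository listing used for the demonstration.
REPO_FILES = [
    "ignore-one-file",
    "src/ignore-one-file",
    "a/x.py",
    "a/b/c/d.py",
    "src/main.py",
    "bin/run.sh",
    "bin/lib/helper.sh",
    "config/tool.yml",
]

if __name__ == "__main__":
    print("after .boostignore:", files_after_ignore(REPO_FILES, BOOSTIGNORE))
    print("diff-scan set:",
          files_for_diff_scan(REPO_FILES, {"src/main.py"}, BOOSTINCLUDE))
```

Note that `ignore-one-file` has no slash, so it drops a file of that name at any depth, not only at the root; if you mean the root copy only, write `/ignore-one-file`. That is the most common surprise when a .boostignore silently hides more than intended.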
How to prevent scanner failures from impacting my pipelines?
BoostSecurity Scanner may optionally be configured to ignore most exceptions and return a successful exit code in case of failure. To enable this, you may either pass the --ignore-failures command line option or set the BOOST_IGNORE_FAILURE=true environment variable.
How can I add another administrator to my account?
Please have a current administrator submit a request that includes that user’s email address.