FAQ

How can I ignore a finding?

It is possible that something BoostSecurity found is not actually a problem. In this case, you may add a noboost comment at the end of the line to tell the scanner to ignore it.

In languages like Java, JavaScript, and TypeScript, use the following:

someLineFlaggedByBoost() // noboost

For languages like Python, Ruby, or Terraform, ignore a line by the following:

someFlaggedLine() # noboost

You can also decide to ignore specific rules by supplying each rule name separated by a space.

someLineFlaggedByBoost() // noboost rule1 rule2

If the line of code spans multiple lines, put the comment on the first line.

someLineFlaggedByBoost.someMethod(  # noboost
one, two);

Adding noboost creates a suppression; it doesn't ignore the finding. To show in practice, you can add noboost to a finding on any resource of yours, create a PR and merge the PR. In the BoostSecurity portal of your account, you will be able to see the Finding in the Findings page with the "Suppression Type" filter of Source Ignore. When looking into the details of that finding, you will see it tagged with Suppressed in Code and a tooltip of boostignore comment.

How can I ignore multiple files or entire directories?

BoostSecurity supports ignoring entire files and directories by exploring two possible solutions:

• You can go to the Boostignore page and add the files and directories you want to ignore. Please note that the Global Boostignore is formatted the same way as the .gitignore file.
• Committing a .boostignore file to the root of the project.

The format of the file is the same as .gitignore files, such as:

ignore-one-file
a/**
a/b/**/c/**

BoostSecurity recommends using the following published .boostignore file which will reduce common false positives across various languages and frameworks.

What if I want a different policy on each repository?

Warning The repository-level policy feature is still under active development.

BoostSecurity supports repository level policies by adding a sectool-config.json file to your repository. The contents of the sectool-config.json follow the exact format of the org-level policy when viewed in the code editor of the Policy page.

How do I make sure certain files are not deleted during a Diff-scan?

BoostSecurity optimizes tool runtime by scanning only modified files (where appropriate) on pull request runs. To specify critical files that should not be ignored, a .boostinclude file can be committed to the root of the project. This file tells BoostSecurity what files to always retain when preparing the working directory for a diff-scan and has the same format as the .boostignore file. An example has been provided below:

# Scripts used to run tools:
bin/**/*

# Configuration for tools:
config/**/*

How Can I Mute Notifications Generated By a Project?

Create a policy to "Drop Everything" and add that resource (project) to it.

This option is best if you want to retain the history and visibility of the project without being alerted to any subsequent findings.

Use the following steps to implement this option.

1. Create a new policy
   1. Navigate to the Policy.
   2. click on the New Policy button in the top-right corner of the page.
   3. Input the policy Name and in the policy Description enter "Drop Everything".
   4. In the Rules section click on the Select An Action dropdown and select the Drop checkbox.
   5. Click on the Save button to submit the policy.
2. Apply desired projects to the "Drop Everything" policy
   1. In the Resources page, select the project or organization you want to mute.
   2. Click on the Apply Policy button and from the displayed Select Policy dropdown, select the Drop Everything policy.
   3. Click on the Apply button.

What Permissions Does the BoostSecurity App Require From My Source Code Management System?

The required permissions for each BoostSecurity App differ slightly between each SCM provider.

How to prevent scanner failures from impacting my pipelines?

BoostSecurity Scanner may optionally be configured to ignore most exceptions and return a successful exit code in case of failure. To enable this, you may either pass the --ignore-failures command line option or set the BOOST_IGNORE_FAILURE=true environment variable.

How can I add another administrator to my account?

Please have a current administrator submit a request that includes that user’s email address.

How do I remove a resource (repo)?

Currently, only Support can remove a project (AKA resource, repo). If a user wants a repo removed from their account, they'll need to let support know. Alternatively, they can create a Policy named Drop Everything and set everything to drop.

Please have a current administrator submit a request that includes that user's email address.

How can I remove a project?

To remove a project ("resource") from your account, inform Support, and we will do it for you.

This option is best if you no longer want to see the project. However, if you want to retain the project but not receive notifications about it, consider muting notifications.

How Do I Create a Google ID Using an Existing Non-Google Email Address?

To authenticate using Google ID without having a Google (Gmail) email address, follow the steps below:

1. In a browser, navigate to the Sign Up page to create a Google account.
2. On the landing page, input your first name and last name (optional) and click on the Next button.
3. On the next page, enter your basic information, which includes Birthday and Gender
4. Click the Next button after entering the correct information.
5. Click on Use existing emailon the next page.
6. Enter the non-Gmail email address you want to associate with Google.
   • NOTE: Google will validate the email address and phone number you use.
7. Click the Next button to submit the details and navigate to the next page.
8. Google sends a verification code to your registered email address. Get this verification code and submit it in the provided modal on the screen.
9. Then click on Next to complete the signup.

The account is linked successfully.

Though you cannot use Gmail, you can use the email address to log in to BoostSecurity using Google Sign-In.

A Policy Violation was found in a PR; why can't I see it in the Findings?

If the violation was resolved before it was merged into your main branch, then it never occurred, so there is no need to add it to your backlog.

BoostSecurity is designed to track existing issues (like traditional security tools do) while preventing new ones, i.e., avoiding "security debt". If a scanned Pull Request contains a security Finding, BoostSecurity will follow the related Policy, which may include commenting on a Pull Request. If the Finding in this pull request is mitigated before the code is merged, then the Finding does not exist in the main branch of code, and there is nothing for the system to track.

How Can I Get a Scan Attestation Report?

To get a report attesting as to when BoostSecurity performed recent scans:

1. Navigate to the Scans page.
2. At the top-right corner of the page, select the period of time for the report by selecting the drop-down: Last Week, 2 weeks, 4 weeks.
3. Click on the Send report button just below the dropdown, and BoostSecurity will send the report to your account's email address.
4. Check your inbox for an email from "no-reply@boostsecurity.io" titled "Boost Scans Report".

How can I know when a vulnerability was last seen?

The date shown in a finding is when it was first discovered. To learn when the finding was last seen, navigate to the Scans page and then filter by the Resource name that the finding is in. The date of the most recent scan is the date the vulnerability was last seen.

How do I update the BoostSecurity App in my SCM?

There are different ways to update your BoostSecurity App for your SCM apps. Navigate to update your BoostSecurity app to learn more about how to do this.

How can I manage Findings in bulk?

Managing your Findings can be done in multiple ways. This can include:

• Navigating to how to ignore multiple files or entire directories via Boostignore.
• Remove a rule inside of a scanner for a policy.
• Multi-select the Findings in the Findings page, then click on the Mark As dropdown at the top-right corner of the page, and finally select the desired designation.

How do I remove a rule in a scanner for a policy?

To manage your findings in bulk by adding or removing a rule inside of a Policy's Scanners, update a Policy on your BoostSecurity organization and then run a scan, a previous finding related to that rule would not be found and therefore, would not show up anymore.

To explain this further, follow the steps below:

1. Navigate to the Policy page and click on the particular policy you want to update.
2. Click on the Scanners tab on the "Policy Designer" page.
3. A list of scanners is displayed in a checklist format. Each scanner contains groups that have rules that can be unchecked to make such a rule inactive.
4. Uncheck/remove the scanner rule from the group.
5. Proceed to run the scan again, and you won't see a finding related to the rule that was removed.

What if my scan times out?

If you see a red "Time out" while on the Scans page, it could be because the scanner is taking longer than usual to complete the scan.

You can fix this by adjusting your configuration file's maximum scan time (measured in seconds). Simply add scan_timeout: 1200 to the file under the with: section, and the scanner can run for up to 20 minutes (60 seconds 20 times) as shown in Sierra Enterprise's workflow. The configuration file can be found in either your project's Pipeline/Actions folder if you're doing manual provisioning or in the .boost Project's Pipeline/Actions folder using Zero Touch Provisioning (ZTP).

Note: Manual changes made to a boost.yml file created by ZTP will be overwritten the next time the ZTP configuration is changed.

Why is my SBOM empty?

To successfully use Trivy FS SBOM, you must provide a lockfile (.lock file). However, if you're dealing with a container, it's best to seek assistance from your Customer Success representative for a Trivy Image scan without needing the lockfile file.

How long does BoostSecurity retain data?

We value your privacy and follow a strict data retention policy. To learn more about how long we retain customer data and the guidelines we adhere to, please refer to our Data Retention Policy.

How can I uninstall BoostSecurity?

To uninstall BoostSecurity for each supported Source Code Management (SCM) app, follow the steps below:

GitHub

1. Navigate to your organization's Installed GitHub Apps page, e.g., https://github.com/organizations/YOUR-ORGANIZATION/settings/installations.
2. Click "Configure" for the BoostSecurity.io GitHub App.
3. Scroll down the page to the "Danger Zone" tab.
4. Click on Uninstall and then ok to confirm the uninstallation.
5. If necessary, uninstall BoostSecurity Zero Touch Provisioning (ZTP) by clicking "uninstall" to remove the application.

GitLab

1. Navigate to your organization's project integrations page, e.g., https://gitlab.com/YOUR-ORGANIZATION/project/repository/-/settings/integrations.
2. Click on the Revoke button for "BoostSecurity.io CI provisioning" in the Authorized applications tab of the page.
3. Click "confirm", and BoostSecurity will be successfully removed from your GitLab applications.

Bitbucket

1. Navigate to your integration settings page, e.g., https://bitbucket.org/YOUR-ORGANIZATION/workspace/settings/addon-management.
2. Click on the remove button for the BoostSecurity BitBucket App named "BoostSecurity" to uninstall the application.
3. If necessary, you can also uninstall BoostSecurity Zero Touch Provisioning by clicking on the remove button for ZTP.

How to Generate Scan History Reports

Using the Scan History PDF Report feature is straightforward:

1. Navigate to the Scans page.

2. Click on the Send Report button located at the top-right of the screen.

3. A column picker will appear for selecting scan history columns to include in the report. The columns to choose from include Result(Violations), Status, Scanner, Duration, and Date.

4. The PDF report will be sent to your registered email address within a few minutes.

How to snooze Findings

To snooze Findings, follow the steps below:

1. Navigate to the Findings Page.
2. Select a Finding(s) from the list of Findings.
3. Click on the "Mark As" dropdown button and select "Snooze".
4. Select a duration, enter a justification, and click on the "submit" button.

How can I Integrate Webhooks?

1. Navigate to the Integrations page.
2. Scroll down to the Available section of the page and select the Webhook card.
3. Click on "Install" and fill in the following details:
   • Channel Name: Name of your channel.
   • Webhook URL: The URL to receive webhook notifications.
   • Header Name: e.g., x-token.
   • Header Value: e.g., token123.
4. Click on the "Install" button, and your new webhook will be available shortly.

How to update Azure DevOps SCM's Personal Access Token (PAT)?

To update your ADO account-wide integration Personal Access Token (PAT):

1. Navigate to the Integrations page and select the Azure DevOps Account integration card from the Installed section.
2. Click on the installed resource.
3. Select the option to update the PAT of the resource.
4. Proceed to enter the new PAT on the next provided page.
5. Click "Save" to confirm the update.

How to update GitLab Account Personal Access Token (PAT)?

1. Navigate to the Integrations page and select the GitLab Account integration card from the Installed section.
2. Select the option to update the PAT of the installed resource.
3. Proceed to enter the new PAT on the next page.
4. Click the Update button to save.

How do I deprovision a repository that I provisioned with ZTP?

On the Provisioning page:

1. Select the repositories to deprovision.
2. Click on the Provision button (top right).
3. Proceed through the modal and when able, deselect all the scanners.
4. Complete the modal.
5. Upon completion, the selected repositories should be in a state of Pending Deprovisioning and after a short time, they should be deprovisioned entirely.