feat: add option to ignore specific result by ID (#127)

- add ignore flag
- rename filesystem `--ignore` to `--ignore-pattern`
- ignore secrets by ID

Close #35

README.md

@@ -57,15 +57,16 @@ Additional Commands:
   rules       List all rules
 
 Flags:
-      --config string          config file path
-      --exclude-rule strings   exclude rules by name or tag to apply to the scan (removes from list, starts from all)
-  -h, --help                   help for 2ms
-      --include-rule strings   include rules by name or tag to apply to the scan (adds to list, starts from empty)
-      --log-level string       log level (trace, debug, info, warn, error, fatal) (default "info")
-      --regex stringArray      custom regexes to apply to the scan, must be valid Go regex
-      --report-path strings    path to generate report files. The output format will be determined by the file extension (.json, .yaml, .sarif)
-      --stdout-format string   stdout output format, available formats are: json, yaml, sarif (default "yaml")
-  -v, --version                version for 2ms
+      --config string           config file path
+      --exclude-rule strings    exclude rules by name or tag to apply to the scan (removes from list, starts from all)
+  -h, --help                    help for 2ms
+      --ignore-result strings   ignore specific result by id
+      --include-rule strings    include rules by name or tag to apply to the scan (adds to list, starts from empty)
+      --log-level string        log level (trace, debug, info, warn, error, fatal) (default "info")
+      --regex stringArray       custom regexes to apply to the scan, must be valid Go regex
+      --report-path strings     path to generate report files. The output format will be determined by the file extension (.json, .yaml, .sarif)
+      --stdout-format string    stdout output format, available formats are: json, yaml, sarif (default "yaml")
+  -v, --version                 version for 2ms
 
 Use "2ms [command] --help" for more information about a command.
 ```

cmd/main.go

@@ -37,6 +37,7 @@ const (
 	customRegexRuleFlagName = "regex"
 	includeRuleFlagName     = "include-rule"
 	excludeRuleFlagName     = "exclude-rule"
+	ignoreFlagName          = "ignore-result"
 )
 
 var (
@@ -46,6 +47,7 @@ var (
 	customRegexRuleVar []string
 	includeRuleVar     []string
 	excludeRuleVar     []string
+	ignoreVar          []string
 )
 
 var rootCmd = &cobra.Command{
@@ -117,10 +119,10 @@ func Execute() {
 	rootCmd.PersistentFlags().StringSliceVar(&reportPathVar, reportPathFlagName, []string{}, "path to generate report files. The output format will be determined by the file extension (.json, .yaml, .sarif)")
 	rootCmd.PersistentFlags().StringVar(&stdoutFormatVar, stdoutFormatFlagName, "yaml", "stdout output format, available formats are: json, yaml, sarif")
 	rootCmd.PersistentFlags().StringArrayVar(&customRegexRuleVar, customRegexRuleFlagName, []string{}, "custom regexes to apply to the scan, must be valid Go regex")
-
 	rootCmd.PersistentFlags().StringSliceVar(&includeRuleVar, includeRuleFlagName, []string{}, "include rules by name or tag to apply to the scan (adds to list, starts from empty)")
 	rootCmd.PersistentFlags().StringSliceVar(&excludeRuleVar, excludeRuleFlagName, []string{}, "exclude rules by name or tag to apply to the scan (removes from list, starts from all)")
 	rootCmd.MarkFlagsMutuallyExclusive(includeRuleFlagName, excludeRuleFlagName)
+	rootCmd.PersistentFlags().StringSliceVar(&ignoreVar, ignoreFlagName, []string{}, "ignore specific result by id")
 
 	rootCmd.AddCommand(secrets.RulesCommand)
 
@@ -174,7 +176,7 @@ func preRun(cmd *cobra.Command, args []string) {
 			case item := <-channels.Items:
 				report.TotalItemsScanned++
 				channels.WaitGroup.Add(1)
-				go secrets.Detect(secretsChan, item, channels.WaitGroup)
+				go secrets.Detect(item, secretsChan, channels.WaitGroup, ignoreVar)
 			case secret := <-secretsChan:
 				report.TotalSecretsFound++
 				report.Results[secret.ID] = append(report.Results[secret.ID], secret)

plugins/filesystem.go

@@ -13,7 +13,7 @@ import (
 const (
 	flagFolder      = "path"
 	flagProjectName = "project-name"
-	flagIgnored     = "ignore"
+	flagIgnored     = "ignore-pattern"
 )
 
 var ignoredFolders = []string{".git"}

secrets/secrets.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/checkmarx/2ms/plugins"
 	"github.com/checkmarx/2ms/reporting"
+	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"github.com/zricethezav/gitleaks/v8/cmd/generate/config/rules"
 	"github.com/zricethezav/gitleaks/v8/config"
@@ -84,15 +85,15 @@ func Init(includeList, excludeList []string) (*Secrets, error) {
 	}, nil
 }
 
-func (s *Secrets) Detect(secretsChannel chan reporting.Secret, item plugins.Item, wg *sync.WaitGroup) {
+func (s *Secrets) Detect(item plugins.Item, secretsChannel chan reporting.Secret, wg *sync.WaitGroup, ignoredIds []string) {
 	defer wg.Done()
 
 	fragment := detect.Fragment{
 		Raw: item.Content,
 	}
 	for _, value := range s.detector.Detect(fragment) {
 		itemId := getFindingId(item, value)
-		secretsChannel <- reporting.Secret{
+		secret := reporting.Secret{
 			ID:          itemId,
 			Source:      item.Source,
 			RuleID:      value.RuleID,
@@ -102,6 +103,11 @@ func (s *Secrets) Detect(secretsChannel chan reporting.Secret, item plugins.Item
 			EndColumn:   value.EndColumn,
 			Value:       value.Secret,
 		}
+		if !isSecretIgnored(&secret, &ignoredIds) {
+			secretsChannel <- secret
+		} else {
+			log.Debug().Msgf("Secret %s was ignored", secret.ID)
+		}
 	}
 }
 
@@ -128,6 +134,15 @@ func getFindingId(item plugins.Item, finding report.Finding) string {
 	return fmt.Sprintf("%x", sha)
 }
 
+func isSecretIgnored(secret *reporting.Secret, ignoredIds *[]string) bool {
+	for _, ignoredId := range *ignoredIds {
+		if secret.ID == ignoredId {
+			return true
+		}
+	}
+	return false
+}
+
 func selectRules(allRules []Rule, tags []string) map[string]config.Rule {
 	rulesToBeApplied := make(map[string]config.Rule)