
Suppress Findings from your GitHub.com Repository

Overview

Your development team can suppress code findings identified by Mend Code Security Checks as false positives directly within your GitHub repository. This removes the need to switch context to the Mend AppSec Platform, so developers can keep working in their familiar workflow. Suppressing false-positive findings directly from the repository also ensures that Pull Requests (PRs) are not blocked unnecessarily.

Note: For more about suppressing findings within the Mend AppSec Platform, please refer to our Triage your Code Security Findings documentation.

Getting it done

Enabling the Suppression Feature in Your Repository

To enable and manage suppression directly from your GitHub repository, add the findingSuppressions parameter to the scanSettingsSAST section of your .whitesource file (the snippet below shows the complete JSON object with that section):

{
  "scanSettingsSAST": {
    "findingSuppressions": "enabled"
  }
}

Available options for the findingSuppressions parameter:

  • enabled (default) - Suppressions are available through the repository and are applied immediately once selected.

  • disabled - Suppressions are not available through the repository scans.

Scope: The main use case for suppressing findings from the repository is on Pull Requests, because that is where a false positive can block a developer.

Suppressions are also supported from the Code Security Report Issue and from GitHub issues created for individual findings.
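As an added example (not code from Mend or from this page), the following Python helper reads a .whitesource file, reports the effective findingSuppressions setting with the page's default of "enabled" when the key is absent, rejects values other than the two documented ones, and can rewrite the setting without disturbing the rest of the file. The sample file content and the key exampleOtherSetting are constructed for the example; only scanSettingsSAST and findingSuppressions come from the page.

```python
import json

# Values the findingSuppressions parameter accepts according to the page;
# the page also states that "enabled" applies when the key is absent.
ALLOWED_VALUES = {"enabled", "disabled"}
DEFAULT_VALUE = "enabled"


def effective_finding_suppressions(whitesource_text: str) -> str:
    """Return the effective findingSuppressions setting of a .whitesource file.

    Raises ValueError for malformed JSON or an unsupported value so that an
    audit across repositories fails loudly instead of silently assuming the default.
    """
    config = json.loads(whitesource_text)
    sast = config.get("scanSettingsSAST", {})
    if not isinstance(sast, dict):
        raise ValueError("scanSettingsSAST must be a JSON object")
    value = sast.get("findingSuppressions", DEFAULT_VALUE)
    if value not in ALLOWED_VALUES:
        raise ValueError(f"unsupported findingSuppressions value: {value!r}")
    return value


def set_finding_suppressions(whitesource_text: str, value: str) -> str:
    """Return the .whitesource content with findingSuppressions set to value,
    leaving every other setting in the file untouched."""
    if value not in ALLOWED_VALUES:
        raise ValueError(f"unsupported findingSuppressions value: {value!r}")
    config = json.loads(whitesource_text)
    sast = config.setdefault("scanSettingsSAST", {})
    sast["findingSuppressions"] = value
    return json.dumps(config, indent=2) + "\n"


# Constructed sample: a .whitesource file with a hypothetical extra key and
# no findingSuppressions entry, so the documented default ("enabled") applies.
SAMPLE_WHITESOURCE = """{
  "scanSettingsSAST": {
    "exampleOtherSetting": true
  }
}
"""

if __name__ == "__main__":
    print(effective_finding_suppressions(SAMPLE_WHITESOURCE))  # enabled
    updated = set_finding_suppressions(SAMPLE_WHITESOURCE, "disabled")
    print(effective_finding_suppressions(updated))  # disabled
```

Running the first function over every repository's .whitesource file gives a quick inventory of where developers can suppress findings from the PR, which is useful when reviewing who is able to mark findings as false positives.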

Suppress Findings From a Check Run

When a GitHub check run identifies a code security issue, Mend automatically creates inline comments on the PR, highlighting the specific finding in the new code at the identified line.


To suppress a finding, expand the corresponding section of the inline comment. It contains two checkboxes, each giving a possible reason for the suppression.


Once selected, the finding will immediately be suppressed in the Mend AppSec Platform, and the inline comment will disappear from the view.

Re-running Checks after Suppression

Suppressing a finding does not automatically trigger a re-scan or update of the existing GitHub check run. Due to the potential duration of scans, developers may prefer to suppress multiple findings before re-scanning.

To manually trigger a re-scan:

  1. Click the Re-run button on the relevant GitHub check run.

  2. A status of "In Progress" will appear temporarily.

  3. After completion, the results of the check run will reflect the updated status, removing all suppressed findings.


Note: A built-in 5-minute delay prevents excessive re-running of scans. If an immediate update is necessary, you can trigger a scan quickly by committing a trivial code change, such as modifying whitespace or adding a comment.

Suppression Visibility after Merging a PR

After the PR is merged and the base branch is scanned, all suppressed findings become visible in the Mend AppSec Platform with a suppressed status. The suppression details, including the reason and the GitHub username of the developer who performed the suppression, are displayed for audit and tracking purposes.
