Overview
Your development team can directly suppress code findings identified by Mend Code Security Checks as false positives right within your GitHub repository. This eliminates the need to switch contexts to the Mend AppSec Platform, enabling developers to work uninterrupted within their familiar workflow. Suppressing false-positive findings directly from your repository ensures that your Pull Requests (PRs) do not get blocked unnecessarily. Additionally, optional two-way communication is supported: comments posted in the Mend AppSec Platform appear on the corresponding GitHub issue, and comments made on the GitHub issue are reflected back in the Mend Platform.
Note: For more about suppressing findings within the Mend AppSec Platform, please refer to our Triage your Code Security Findings documentation.
Prerequisites
- Make sure you are subscribed to the Issue comment event in your existing GitHub app.
- Click here for a full list of permissions and events required for the GitHub.com integration.
Getting it done
Enabling the Suppression Feature in your Repository
To enable and manage suppression directly from your GitHub repository, introduce the findingSuppressions parameter within the scanSettingsSAST section of your .whitesource file:
"scanSettingsSAST": {
    "findingSuppressions": "enabled"
}
Available options for the findingSuppressions parameter:
- enabled (default) - Suppressions are available through the repository and are applied immediately once selected.
- requireApproval - A developer can mark security findings for suppression and wait for an approver to approve or reject the action (to learn more about this option, see the Mend Platform Approval/Rejection Process section below).
- disabled - Suppressions are not available through the repository scans.
Scope: The main use case for suppressions from the repo is on Pull Requests because this is where a false positive could really be a blocker for a developer.
In addition, suppressions are also supported from the Code Security Report Issue and from GitHub issues created for individual findings.
Defining the Issue Type Scope in your Repository
By default, the SAST scan produces a single report issue for the entire repository to minimize noise. The issueType parameter lets you change this: setting it to “finding” or “findingIncludingPullRequests” creates one issue per finding instead.
The available parameter values are:
- repo - Generate one scan report issue for the entire repo (default).
- finding - Generate an issue per finding for base branches.
- findingIncludingPullRequests - Generate an issue per finding for both base and feature branches.
- none - Scans are silenced, and no Issues or Check Runs are created. The results of the scans are still visible in the Mend AppSec Platform.
Note: When the issue type scope is configured to findingIncludingPullRequests and not repo, all actions, such as remediation and suppression of a finding, will be accessible only via the issue per finding (Mend Code Security Finding), and not via the Pull Request (Mend Code Security Check).
This setting is configured within the issueSettingsSAST section of your .whitesource file:
"issueSettingsSAST": {
    "issueType": "findingIncludingPullRequests"
}
Suppress Findings From a Check Run
When a GitHub check run identifies a code security issue, Mend automatically creates inline comments on the PR, highlighting the specific finding directly in the new code at the identified line:
To suppress a finding, add a comment that states the reason for the suppression:
- To suppress as a false positive, comment on the GitHub issue with the provided syntax. You can also add an additional comment that will be saved as a “User comment” on the feedback comment. In this example:
  /mend code suppress false-positive 1e5e745e-ff85-401a-a5e8-6e1195c8b056 Optional Comment
- To suppress as an acceptable risk, comment on the GitHub issue with the provided syntax. You can also add an additional comment that will be saved as a “User comment” on the feedback comment. In this example:
  /mend code suppress acceptable-risk 1e5e745e-ff85-401a-a5e8-6e1195c8b056 Optional Comment
Once you have commented with the appropriate reason, and depending on the findingSuppressions setting, the finding is either immediately suppressed in the Mend AppSec Platform or submitted there as a suppression request for approval.
Once the suppression request is approved, the finding is removed from the Mend Code Security Check and, if it was the only finding, the check run passes.
Suppress Findings From a Code Security Finding
When a GitHub check run completes, and an issue per finding is configured, Mend automatically creates a GitHub Issue for each code finding.
To suppress a finding, expand the corresponding section of the issue. It contains two comment options with the possible suppression reasons. Comment on the GitHub Issue using the provided syntax; you may add an extra comment, which is saved as a “User comment” on the feedback comment:
- /mend code suppress false-positive Optional comment
- /mend code suppress acceptable-risk Optional comment
Once you have commented with the appropriate reason, and depending on the findingSuppressions setting, the finding is either immediately suppressed in the Mend AppSec Platform or submitted there as a suppression request for approval.
Two-Way Comments Between Mend AppSec Platform and GitHub
The Mend AppSec Platform supports bi-directional communication between developers and approvers through synchronized comments.
- When an approver adds a comment or question to a finding in the Mend AppSec Platform, the comment is automatically posted to the corresponding GitHub issue.
- Conversely, when a developer adds a comment to the GitHub issue using the format:
  /mend comment <content>
  the comment is automatically posted back to the associated finding in the Mend AppSec Platform.
This functionality enables seamless two-way communication between reviewers and developers, allowing both parties to collaborate effectively without switching contexts between tools.
Once the suppression request has been approved, the GitHub issue will be automatically closed.
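As an added example (not Mend's code, which this page does not show), the following Python checker validates the two .whitesource settings described above and parses the /mend code suppress and /mend comment command forms into structured records, so a repository owner can audit who suppressed what, and why, before re-running a check. The sample .whitesource content and comments are constructed; the finding id is the one used in the examples above.

```python
import json
import re

# Accepted values, taken from the documentation above.
FINDING_SUPPRESSIONS = {"enabled", "requireApproval", "disabled"}
ISSUE_TYPES = {"repo", "finding", "findingIncludingPullRequests", "none"}

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# "/mend code suppress <reason> [<finding-id>] [user comment]"; the id is omitted on per-finding issues.
SUPPRESS_RE = re.compile(
    rf"^/mend code suppress (false-positive|acceptable-risk)(?: ({UUID}))?(?: (.+))?$"
)
# "/mend comment <content>" relays a developer comment back to the platform.
COMMENT_RE = re.compile(r"^/mend comment (.+)$")

def check_whitesource(text):
    """Validate the SAST settings of a .whitesource document; returns a list of messages."""
    cfg = json.loads(text)
    messages = []
    fs = cfg.get("scanSettingsSAST", {}).get("findingSuppressions", "enabled")
    it = cfg.get("issueSettingsSAST", {}).get("issueType", "repo")
    if fs not in FINDING_SUPPRESSIONS:
        messages.append(f"findingSuppressions: unknown value {fs!r}")
    if it not in ISSUE_TYPES:
        messages.append(f"issueType: unknown value {it!r}")
    elif it == "findingIncludingPullRequests" and fs != "disabled":
        # Per the note above, suppression is then only possible from the per-finding issue.
        messages.append("issueType=findingIncludingPullRequests: suppress from the per-finding issue, not the PR check")
    return messages

def parse_command(comment):
    """Classify one GitHub issue comment; returns a dict, or None if it is not a Mend command."""
    line = comment.strip()
    m = SUPPRESS_RE.match(line)
    if m:
        reason, finding_id, user_comment = m.groups()
        return {"action": "suppress", "reason": reason,
                "finding_id": finding_id, "comment": user_comment}
    m = COMMENT_RE.match(line)
    if m:
        return {"action": "comment", "content": m.group(1)}
    return None

# Constructed sample input: a .whitesource file and the comments from one PR review.
SAMPLE_WHITESOURCE = ('{"scanSettingsSAST": {"findingSuppressions": "requireApproval"}, '
                      '"issueSettingsSAST": {"issueType": "findingIncludingPullRequests"}}')
SAMPLE_COMMENTS = [
    "/mend code suppress false-positive 1e5e745e-ff85-401a-a5e8-6e1195c8b056 input is validated upstream",
    "/mend comment Can you link the validator?",
]
```

Running check_whitesource over the sample returns the single note that suppression must happen from the per-finding issue, and parse_command turns each sample comment into a record with the reason, finding id and user comment separated.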
Re-running Checks after Suppression
Suppressing a finding does not automatically trigger a re-scan or update of the existing GitHub check run. Due to the potential duration of scans, developers may prefer to suppress multiple findings before re-scanning.
To manually trigger a re-scan:
- Click the Re-run button on the relevant GitHub check run.
- A status of "In Progress" will appear temporarily.
- After completion, the results of the check run will reflect the updated status, with all suppressed findings removed.
Note: A built-in 5-minute delay prevents excessive re-running of scans. If an immediate update is necessary, you can trigger a scan quickly by committing a trivial code change, such as modifying whitespace or adding a comment.
Mend Platform Approval/Rejection Process
After the suppression request is submitted through the repo, it will be visible in the Mend Platform for the security persona via the Suppression Request screen within a specific Application/Project:
To approve or reject a suppression request, you can either select a specific suppression request and then click Approve Suppression or Reject Suppression, or click on the relevant finding and choose whether to approve or reject the request. After making your choice, confirm by approving or rejecting the suppression request.
Comment on a Suppression Request in the Mend AppSec Platform
You can comment on a suppression request if the developer team needs more information or feedback. To do this, click the suppression request, go to the Comments tab (1), click Add a Comment (2), then, after writing your comment, click the “V” mark (3):
- If approved, the code finding will have the “Suppressed” status within the Mend Platform and will disappear from the Mend Code Security Check.
- If rejected, the code finding will have the “Unreviewed” status and will remain an active finding. The rejection will be visible through the Mend Code Security Check in the repo integration, with a comment giving the reason.
Suppression Visibility after Merging a PR
After merging the PR and scanning the base branch, all suppressed findings become visible in the Mend AppSec Platform with a suppressed status. The suppression details—including the reason and the GitHub username of the developer who performed the suppression—are clearly displayed for audit and tracking purposes: