Closed
Labels: feature-request (New feature request)
Description
Motivation
Users nowadays can add the tag #nohusky in their code to avoid false positives in Python and in Go projects. However, this feature is not present yet for Ruby files that use Brakeman as a Security Test (and others).
It would be great if
Any Ruby line of code that has vulnerabilities is skipped by the huskyCI analysis if a #nohusky comment is found. If applicable, apply the same logic to all security tests? :)
What we expect
If huskyCI finds code like this one, the following output must be ignored and set as a NoSecHusky vuln:
[HUSKYCI][!] Title: Vulnerable Dependency: Command Injection Possible command injection
[HUSKYCI][!] Language: Ruby
[HUSKYCI][!] Tool: Brakeman
[HUSKYCI][!] Confidence: Medium
[HUSKYCI][!] Details: https://brakemanscanner.org/docs/warning_types/command_injection/
[HUSKYCI][!] File: app/controllers/application_controller.rb
[HUSKYCI][!] Line: 4
[HUSKYCI][!] Code: system("ls #{options}")
[HUSKYCI][!] Type: Command Injection
Tips
- This is how Gosec handles the false-positive tag (the tool already outputs nosec vulns in its JSON data)
- This is how Python handles the false-positive tag
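As an added illustration of the behaviour requested above (this is example code, not huskyCI's or Brakeman's own implementation), the following Go program takes a Brakeman-style JSON report plus the Ruby source it refers to, looks up each flagged line, and marks the finding as NoSecHusky only when the line carries a #nohusky token inside a real Ruby comment. The JSON field names (`warnings`, `warning_type`, `file`, `line`, `code`, `confidence`) are assumed to follow Brakeman's report format; the report and the Ruby file are constructed samples, where line 4 is the command-injection case from the expected output above with the tag added, and line 7 deliberately has the token only inside a string so that it is not treated as a suppression.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// brakemanWarning holds the fields of one entry in Brakeman's JSON "warnings"
// array that are needed to locate the flagged line (field names assumed from
// Brakeman's JSON report format; this is not huskyCI's own type).
type brakemanWarning struct {
	WarningType string `json:"warning_type"`
	Message     string `json:"message"`
	File        string `json:"file"`
	Line        int    `json:"line"`
	Code        string `json:"code"`
	Confidence  string `json:"confidence"`
}

type brakemanReport struct {
	Warnings []brakemanWarning `json:"warnings"`
}

// Finding is a Brakeman warning plus the classification decided here.
type Finding struct {
	brakemanWarning
	NoSecHusky bool // true when the flagged line carries a #nohusky comment
}

// hasNoHuskyComment reports whether a Ruby source line contains "#nohusky"
// inside an actual comment, i.e. after a '#' that sits outside any string
// literal. A "#nohusky" that only appears inside a string does not count,
// so a finding cannot be silenced by user-controlled or literal string data.
// (Regex and %q literals are not modelled; plain ' and " strings are.)
func hasNoHuskyComment(line string) bool {
	var quote byte // 0 while outside a string literal, else the opening quote
	for i := 0; i < len(line); i++ {
		c := line[i]
		switch {
		case quote != 0:
			if c == '\\' { // skip the escaped character inside the string
				i++
			} else if c == quote {
				quote = 0
			}
		case c == '"' || c == '\'':
			quote = c
		case c == '#':
			// Everything from an unquoted '#' to end of line is a comment.
			return strings.Contains(line[i:], "#nohusky")
		}
	}
	return false
}

// classify parses the Brakeman JSON report and, for every warning whose file
// is present in sources, inspects the reported (1-based) line number.
func classify(reportJSON string, sources map[string]string) ([]Finding, error) {
	var rep brakemanReport
	if err := json.Unmarshal([]byte(reportJSON), &rep); err != nil {
		return nil, fmt.Errorf("parse brakeman report: %w", err)
	}
	out := make([]Finding, 0, len(rep.Warnings))
	for _, w := range rep.Warnings {
		f := Finding{brakemanWarning: w}
		if src, ok := sources[w.File]; ok {
			lines := strings.Split(src, "\n")
			if w.Line >= 1 && w.Line <= len(lines) {
				f.NoSecHusky = hasNoHuskyComment(lines[w.Line-1])
			}
		}
		out = append(out, f)
	}
	return out, nil
}

const sampleFile = "app/controllers/application_controller.rb"

// Constructed sample in the shape of Brakeman's JSON report (used fields only).
const sampleReport = `{
  "warnings": [
    {"warning_type": "Command Injection", "message": "Possible command injection",
     "file": "app/controllers/application_controller.rb", "line": 4,
     "code": "system(\"ls #{options}\")", "confidence": "Medium"},
    {"warning_type": "Command Injection", "message": "Possible command injection",
     "file": "app/controllers/application_controller.rb", "line": 7,
     "code": "system(\"ls #{params[:x]} #nohusky\")", "confidence": "Medium"}
  ]
}`

// Constructed sample Ruby file: line 4 has a genuine #nohusky comment,
// line 7 only has the token inside a string literal.
const sampleSource = `class ApplicationController < ActionController::Base
  def run
    options = params[:opts]
    system("ls #{options}") #nohusky
  end
  def other
    system("ls #{params[:x]} #nohusky")
  end
end`

func main() {
	findings, err := classify(sampleReport, map[string]string{sampleFile: sampleSource})
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s:%d %s NoSecHusky=%v\n", f.File, f.Line, f.WarningType, f.NoSecHusky)
	}
}
```

Running it reports the line 4 finding as NoSecHusky and leaves the line 7 finding as a real vulnerability. The string-aware scan is the part worth keeping whatever tool the tag is wired into: a plain substring match on the reported line would let a `#nohusky` embedded in string data suppress a finding.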