I was recently working with a customer and we flipped on the
security-and-quality query suite and received a a lot of results, mostly in our tests. We wanted a way to ignore these files for the purposes of the CodeQL analysis. One could argue that these should be scanned and acted on too, but you have to start somewhere, right? And there are plenty of use cases where might want to ignore a file for the purposes of the CodeQL analysis.
There are a few ways to do this, one through a filter in the UI, and another with actions. I will show you both below!
You might notice that some of the queries have the phrase (Test) before the file name. CodeQL tries to determine which files are tests and which are application code automatically:
CodeQL result found in a test file
You can filter out Test results in the UI by adding the
autofilter:true filter in the search bar:
Filtering out CodeQL vulnerabilities in test files with autofilter
You cannot use
autofilter:false to filter only test results, however.
I found the filter-sarif action that did just what the team wanted to do - filter out all
**/*test*.js files! The action isn’t published on the marketplace (yet!), but it is a public GitHub repository, therefore we can use it just like we can any other action that is published to the marketplace.
The docs reference some cool patterns you can use - such as ignoring all tests, but even inside of those tests, still report
sql-injection vulnerabilities. You can find the ID for this by referencing the CodeQL Query Help page, selecting your language, selecting the query, and find the
ID reference. Alternatively, you can dig into the CodeQL GitHub repoistory to find the query and reference the
Here’s an example:
If you couldn’t tell by the design of the workflow, this isn’t necessarily skipping these files as part of the scan - it simply strips them out from the
.sarif that’s being uploaded to GitHub.
After running, you will see that the vulnerability in the excluded test file is now marked automatically as closed:
CodeQL result marked as closed after we are excluding test files
If we click into the vulnerability, we also see the history. For example, I was testing this workflow so it opened and closed a few times:
CodeQL result history - when it was opened, closed, and reappeared
You can either filter out non-application code in the UI or using an action to exclude certain files based on a pattern. Happy scanning!