How to disable particular rule by its ID from GitHub workflow? #7937
Comments
|
There is no simple way to do this. You could create a custom query suite. In your workflow's codeql init step, you would specify a config file to use: - uses: github/codeql-action/init@v1
with:
config-file: ./.github/codeql/codeql-config.ymlAnd then in the config file, you specify custom queries: disable-default-queries: true
queries:
- uses: ./github/codeql/suite.qlsAnd finally, you need to create the query suite itself: - from: codeql/csharp-queries
apply: codeql-suites/csharp-security-and-quality.qls
- exclude:
query filename: MissedWhereOpportunity.qlUsing this, you will have control over exactly which queries you want to run. |
|
Understandable but I know the opposite - what queries I don't want to run, i.e. opt-out behavior instead of opt-in. |
|
I see a lof of false positives (actually all results in case of aforementioned rule) and I want to disable this particular rule and continue to review security report. |
|
With the above suggestion, you can choose to remove any single query from analysis. Alternatively, if you just want to focus on security queries, you may just want to run |
|
I understand, thanks for your explanation, but I don't want to bother with manually crafted query suites (and their combinations) and maintain them updating to be in-sync with source. Please consider adding an option in workflows to exclude particular rules. |
|
Thank you for your suggestion. We will keep this under consideration. |
|
Will be fixed here: github/codeql-action#1098 |
|
Available in next release of the codeql-action. Documentation still to come. |
|
Thanks. |
|
So you have to create a separate file just to disable / exclude a query - @aeisenberg ? |
|
That's correct. We might consider alternate syntaxes later, but this is the current behaviour. |
1. Add bat version linter for Windows user 2. Add permission setting for third-party actions in lint.yaml to limit their access 3. Did some research and discussed with @justinchuby, CodeQL **only hints on the modified file in a PR**, and the error/warning/note are all informative, and aligned with pylint/mypy which are included in out lint, so I suggest we can have it for a while, and see how it goes. (However, disable one or few rules that we don't need in CodeQL seems doable in the next release: github/codeql#7937) fixes #127 Co-authored-by: Justin Chu <justinchuby@users.noreply.github.com>
|
@aeisenberg Hi, what is the current status of this issue? I see #1127 that reverts something, but I did not understand what exactly. So how can I disable particular rule for now? |
|
This has been implemented using a feature called query filters. See the docs. https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/customizing-code-scanning#excluding-specific-queries-from-analysis |
|
Probably I do it wrong in graphql-dotnet/parser#301. https://github.com/graphql-dotnet/parser/actions/runs/4728548769/jobs/8390195457?pr=301 : https://github.com/graphql-dotnet/parser/actions/runs/4728592373/jobs/8390280163?pr=301 |
|
See my commenton your PR. |
|
Thanks. |
Sorry but I did not find the answer in docs. For example, I want to disable
cs/linq/missed-where.#7937 (comment)
The text was updated successfully, but these errors were encountered: