fix: skip ignored SAST findings in blocking logic

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

Author: lelia

socket_basics/core/connector/normalizer.py

@@ -11,6 +11,7 @@
 from typing import Any, Dict, List, Tuple
 import logging
 import os
+from ..config import alert_matches_sast_ignore_override
 
 logger = logging.getLogger(__name__)
 
@@ -38,6 +39,17 @@ def _normalize_alert(a: Dict[str, Any], connector: Any | None = None, default_ge
         a['severity'] = a['severity'].lower()
     # Minimal normalization: lowercase severity and ensure action exists
 
+    # Honor local SAST ignore overrides before deriving actions from severity.
+    try:
+        if connector and hasattr(connector, 'config') and hasattr(connector.config, 'get_sast_ignore_overrides'):
+            for override in connector.config.get_sast_ignore_overrides():
+                if alert_matches_sast_ignore_override(a, override):
+                    logger.debug("Alert matched sast_ignore_overrides entry %s", override)
+                    a['action'] = 'ignore'
+                    return a
+    except Exception:
+        logger.debug('Failed to check SAST ignore overrides for alert', exc_info=True)
+
     # Check if this alert's rule is in the disabled rules list for any language
     # If so, set action to 'ignore' regardless of severity
     try:

socket_basics/socket_basics.py

@@ -54,6 +54,18 @@
 logger = logging.getLogger(__name__)
 
 
+def count_blocking_alerts(results: Dict[str, Any]) -> int:
+    """Count alerts that should fail the run."""
+    blocking_alerts = 0
+    for comp in results.get('components', []):
+        for alert in comp.get('alerts', []):
+            if (alert.get('action') or '').strip().lower() == 'ignore':
+                continue
+            if alert.get('severity') in ['high', 'critical']:
+                blocking_alerts += 1
+    return blocking_alerts
+
+
 class SecurityScanner:
     """Main security scanning orchestrator using dynamic connectors"""
 
@@ -456,11 +468,7 @@ def main():
     logger.info(f"Total alerts: {total_alerts}")
 
     # Exit with non-zero code if high/critical issues found
-    high_critical_alerts = 0
-    for comp in results.get('components', []):
-        for alert in comp.get('alerts', []):
-            if alert.get('severity') in ['high', 'critical']:
-                high_critical_alerts += 1
+    high_critical_alerts = count_blocking_alerts(results)
 
     exit_code = 1 if high_critical_alerts > 0 else 0
     if high_critical_alerts > 0: