fix: support local SAST ignore overrides by rule id, path

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

Author: lelia

action.yml

@@ -4,7 +4,8 @@ author: "Socket"
 
 runs:
   using: "docker"
-  image: "docker://ghcr.io/socketdev/socket-basics:2.0.2"
+  # TODO: revert to the published GHCR image before merging/releasing.
+  image: "Dockerfile"
   env:
     # Core GitHub variables (these are automatically available, but we explicitly pass GITHUB_TOKEN)
     GITHUB_TOKEN: ${{ inputs.github_token }}
@@ -40,6 +41,7 @@ runs:
     INPUT_JAVASCRIPT_DISABLED_RULES: ${{ inputs.javascript_disabled_rules }}
     INPUT_JAVASCRIPT_ENABLED_RULES: ${{ inputs.javascript_enabled_rules }}
     INPUT_JAVASCRIPT_SAST_ENABLED: ${{ inputs.javascript_sast_enabled }}
+    INPUT_SAST_IGNORE_OVERRIDES: ${{ inputs.sast_ignore_overrides }}
     INPUT_JAVA_DISABLED_RULES: ${{ inputs.java_disabled_rules }}
     INPUT_JAVA_ENABLED_RULES: ${{ inputs.java_enabled_rules }}
     INPUT_JAVA_SAST_ENABLED: ${{ inputs.java_sast_enabled }}
@@ -246,6 +248,10 @@ inputs:
     description: "Enable JavaScript/TypeScript SAST scanning"
     required: false
     default: "false"
+  sast_ignore_overrides:
+    description: "Comma-separated list of SAST ignore overrides in rule_id or rule_id:path format"
+    required: false
+    default: ""
   jira_api_token:
     description: "Jira Api Token"
     required: false
@@ -453,4 +459,4 @@ inputs:
 
 branding:
   icon: "shield"
-  color: "blue"
+  color: "purple"

docs/github-action.md

@@ -638,8 +638,25 @@ jobs:
           # JavaScript with custom rules
           javascript_sast_enabled: 'true'
           javascript_enabled_rules: 'eval-usage,prototype-pollution'
+
+          # Ignore a specific SAST rule globally or for one exact file
+          sast_ignore_overrides: 'js-sql-injection:index.js'
 ```
 
+`sast_ignore_overrides` supports:
+- `rule_id` to ignore a SAST rule everywhere in the repo
+- `rule_id:path` to ignore a SAST rule for one exact repo-relative file
+
+Examples:
+- `js-sql-injection`
+- `js-sql-injection:index.js`
+- `js-sql-injection:src/unsafe/demo.js`
+
+Notes:
+- Paths must be exact repo-relative paths using `/` separators after normalization.
+- Windows-style input such as `src\\unsafe\\demo.js` is accepted and normalized automatically.
+- Globs and directory-prefix matching are not supported in this first version.
+
 ## Configuration Reference
 
 ### All Available Inputs
@@ -667,6 +684,7 @@ See [`action.yml`](../action.yml) for the complete list of inputs.
 **Rule Configuration (per language):**
 - `<language>_enabled_rules` — Comma-separated rules to enable
 - `<language>_disabled_rules` — Comma-separated rules to disable
+- `sast_ignore_overrides` — Comma-separated `rule_id` or `rule_id:path` SAST ignore overrides
 
 **Security Scanning:**
 - `secret_scanning_enabled` — Enable secret scanning

docs/parameters.md

@@ -241,6 +241,25 @@ socket-basics --go --go-enabled-rules "error-handling,sql-injection"
 - `--rust-enabled-rules` / `--rust-disabled-rules`
 - `--elixir-enabled-rules` / `--elixir-disabled-rules`
 
+### `--sast-ignore-overrides SAST_IGNORE_OVERRIDES`
+Comma-separated list of SAST ignore overrides in `rule_id` or `rule_id:path` format.
+
+**Environment Variable:** `INPUT_SAST_IGNORE_OVERRIDES`
+
+**Examples:**
+```bash
+# Ignore a rule everywhere in the repo
+socket-basics --javascript --sast-ignore-overrides "js-sql-injection"
+
+# Ignore a rule only for one exact repo-relative file
+socket-basics --javascript --sast-ignore-overrides "js-sql-injection:index.js"
+```
+
+Notes:
+- Paths must be exact repo-relative paths.
+- Paths are normalized to forward-slash form, so Windows-style input such as `src\\unsafe\\demo.js` is accepted.
+- Globs and directory-prefix matching are not supported in this first version.
+
 ### `--opengrep-notify OPENGREP_NOTIFY`
 Notification method for OpenGrep SAST results (e.g., console, slack).
 
@@ -520,6 +539,7 @@ All notification integrations support environment variables as alternatives to C
 | Variable | Description |
 |----------|-------------|
 | `INPUT_OPENGREP_RULES_DIR` | Custom directory containing SAST rules |
+| `INPUT_SAST_IGNORE_OVERRIDES` | Comma-separated `rule_id` or `rule_id:path` SAST ignore overrides |
 
 ## Configuration File
 
@@ -537,6 +557,7 @@ You can provide configuration via a JSON file using `--config`:
   "python_sast_enabled": true,
   "javascript_sast_enabled": true,
   "go_sast_enabled": true,
+  "sast_ignore_overrides": "js-sql-injection:index.js",
 
   "secrets_enabled": true,
   "trufflehog_exclude_dir": "node_modules,vendor,dist,.git",

socket_basics/connectors.yaml

@@ -191,6 +191,12 @@ connectors:
         env_variable: INPUT_JAVASCRIPT_DISABLED_RULES
         type: str
         default: ""
+      - name: sast_ignore_overrides
+        option: --sast-ignore-overrides
+        description: "Comma-separated list of SAST ignore overrides in rule_id or rule_id:path format"
+        env_variable: INPUT_SAST_IGNORE_OVERRIDES
+        type: str
+        default: ""
 
       # Go rule configuration
       - name: go_enabled_rules

socket_basics/core/config.py

@@ -15,6 +15,107 @@
 logger = logging.getLogger(__name__)
 
 
+def normalize_repo_relative_path(path_value: str | None) -> str | None:
+    """Normalize a repo-relative path to the POSIX form emitted by SAST alerts."""
+    if path_value is None:
+        return None
+
+    path_str = str(path_value).strip()
+    if not path_str:
+        return None
+
+    # Accept common local input styles but keep the final format strict.
+    path_str = path_str.replace('\\', '/')
+    while path_str.startswith('./'):
+        path_str = path_str[2:]
+    path_str = path_str.lstrip('/')
+
+    normalized_parts: List[str] = []
+    for part in path_str.split('/'):
+        if not part or part == '.':
+            continue
+        if part == '..':
+            return None
+        normalized_parts.append(part)
+
+    normalized = '/'.join(normalized_parts)
+    return normalized or None
+
+
+def parse_sast_ignore_overrides(raw_value: str | None) -> List[Dict[str, str | None]]:
+    """Parse `rule_id` and `rule_id:path` ignore override entries."""
+    overrides: List[Dict[str, str | None]] = []
+    seen: set[tuple[str, str | None]] = set()
+
+    if not raw_value:
+        return overrides
+
+    for raw_entry in str(raw_value).split(','):
+        entry = raw_entry.strip()
+        if not entry:
+            continue
+
+        rule_id = entry
+        path = None
+
+        if ':' in entry:
+            rule_id, path_part = entry.split(':', 1)
+            rule_id = rule_id.strip()
+            path_part = path_part.strip()
+
+            if not rule_id or not path_part:
+                logger.warning("Ignoring malformed SAST ignore override: %r", entry)
+                continue
+
+            if any(ch in path_part for ch in ('*', '?', '[')):
+                logger.warning(
+                    "Ignoring unsupported SAST ignore override with glob syntax: %r",
+                    entry,
+                )
+                continue
+
+            path = normalize_repo_relative_path(path_part)
+            if not path:
+                logger.warning("Ignoring invalid repo-relative path in SAST override: %r", entry)
+                continue
+        else:
+            rule_id = rule_id.strip()
+            if not rule_id:
+                logger.warning("Ignoring malformed SAST ignore override: %r", entry)
+                continue
+
+        key = (rule_id, path)
+        if key in seen:
+            continue
+        seen.add(key)
+        overrides.append({'rule_id': rule_id, 'path': path})
+
+    return overrides
+
+
+def alert_matches_sast_ignore_override(
+    alert: Dict[str, Any],
+    override: Dict[str, str | None],
+) -> bool:
+    """Return True when an alert matches a parsed SAST ignore override."""
+    props = alert.get('props', {}) or {}
+    rule_id = props.get('ruleId') or alert.get('title') or alert.get('ruleId')
+    if not rule_id or rule_id != override.get('rule_id'):
+        return False
+
+    override_path = override.get('path')
+    if not override_path:
+        return True
+
+    alert_path = (
+        props.get('filePath')
+        or (alert.get('location') or {}).get('path')
+        or ''
+    )
+    normalized_alert_path = normalize_repo_relative_path(alert_path)
+    return normalized_alert_path == override_path
+
+
 class Config:
     """Configuration object that provides unified access to all settings"""
 
@@ -112,6 +213,13 @@ def get_action_for_severity(self, severity: str) -> str:
         else:
             # Default action for unknown severities
             return 'monitor'
+
+    def get_sast_ignore_overrides(self) -> List[Dict[str, str | None]]:
+        """Return parsed SAST ignore overrides from config."""
+        if not hasattr(self, '_sast_ignore_overrides_cache'):
+            raw_value = self.get('sast_ignore_overrides', '')
+            self._sast_ignore_overrides_cache = parse_sast_ignore_overrides(raw_value)
+        return self._sast_ignore_overrides_cache
 
     @property
     def repo(self) -> str:

socket_basics/core/connector/opengrep/__init__.py

@@ -720,6 +720,9 @@ def generate_notifications(self, components: List[Dict[str, Any]]) -> Dict[str,
 		groups: Dict[str, List[Dict[str, Any]]] = {}
 		for c in comps_map.values():
 			for a in c.get('alerts', []):
+				alert_action = (a.get('action') or '').strip().lower()
+				if alert_action == 'ignore':
+					continue
 				# Filter by severity - only include alerts that match allowed severities
 				alert_severity = (a.get('severity') or '').strip().lower()
 				if alert_severity and hasattr(self, 'allowed_severities') and alert_severity not in self.allowed_severities:

tests/test_sast_ignore_overrides.py

@@ -0,0 +1,110 @@
+from socket_basics.core.config import (
+    Config,
+    parse_sast_ignore_overrides,
+)
+from socket_basics.core.connector.normalizer import _normalize_alert
+from socket_basics.core.connector.opengrep import OpenGrepScanner
+from socket_basics.socket_basics import count_blocking_alerts
+
+
+class _DummyConnector:
+    def __init__(self, config: Config):
+        self.config = config
+
+
+def _build_alert(path: str = 'index.js') -> dict:
+    return {
+        'title': 'js-sql-injection',
+        'severity': 'critical',
+        'props': {
+            'ruleId': 'js-sql-injection',
+            'filePath': path,
+            'startLine': 14,
+            'endLine': 14,
+        },
+        'location': {
+            'path': path,
+            'start': 14,
+            'end': 14,
+        },
+    }
+
+
+def test_parse_sast_ignore_overrides_supports_rule_and_exact_path():
+    parsed = parse_sast_ignore_overrides(
+        'js-sql-injection, js-sql-injection:./src/db/query.js'
+    )
+
+    assert parsed == [
+        {'rule_id': 'js-sql-injection', 'path': None},
+        {'rule_id': 'js-sql-injection', 'path': 'src/db/query.js'},
+    ]
+
+
+def test_parse_sast_ignore_overrides_skips_glob_paths(caplog):
+    parsed = parse_sast_ignore_overrides('js-sql-injection:src/**/*.js')
+
+    assert parsed == []
+    assert 'glob syntax' in caplog.text
+
+
+def test_normalize_alert_ignores_rule_only_override():
+    connector = _DummyConnector(Config({'workspace': '.', 'sast_ignore_overrides': 'js-sql-injection'}))
+
+    alert = _normalize_alert(_build_alert(), connector=connector)
+
+    assert alert['action'] == 'ignore'
+
+
+def test_normalize_alert_ignores_matching_rule_and_path_override():
+    connector = _DummyConnector(
+        Config({'workspace': '.', 'sast_ignore_overrides': 'js-sql-injection:index.js'})
+    )
+
+    alert = _normalize_alert(_build_alert(), connector=connector)
+
+    assert alert['action'] == 'ignore'
+
+
+def test_normalize_alert_accepts_windows_style_override_paths():
+    connector = _DummyConnector(
+        Config({'workspace': '.', 'sast_ignore_overrides': r'js-sql-injection:src\unsafe\demo.js'})
+    )
+
+    alert = _normalize_alert(_build_alert('src/unsafe/demo.js'), connector=connector)
+
+    assert alert['action'] == 'ignore'
+
+
+def test_normalize_alert_does_not_ignore_non_matching_path_override():
+    connector = _DummyConnector(
+        Config({'workspace': '.', 'sast_ignore_overrides': 'js-sql-injection:src/index.js'})
+    )
+
+    alert = _normalize_alert(_build_alert(), connector=connector)
+
+    assert alert['action'] == 'error'
+
+
+def test_count_blocking_alerts_skips_ignored_findings():
+    results = {
+        'components': [
+            {'id': 'ignored.js', 'alerts': [{**_build_alert('ignored.js'), 'action': 'ignore'}]},
+            {'id': 'active.js', 'alerts': [{**_build_alert('active.js'), 'action': 'error'}]},
+        ]
+    }
+
+    assert count_blocking_alerts(results) == 1
+
+
+def test_opengrep_notifications_skip_ignored_findings():
+    scanner = OpenGrepScanner(Config({'workspace': '.'}))
+    component = {
+        'id': 'index.js',
+        'qualifiers': {'scanner': 'opengrep', 'type': 'javascript'},
+        'alerts': [{**_build_alert(), 'action': 'ignore', 'subType': 'sast-javascript'}],
+    }
+
+    notifications = scanner.generate_notifications([component])
+
+    assert notifications == {}