After investigating a code scanning alert related to injection, you determine that the input is properly sanitized using custom logic. What should be your next step?
A.
Draft a pull request to update the open-source query.
B.
Ignore the alert.
C.
Open an issue in the CodeQL repository.
D.
Dismiss the alert with the reason "false positive."
When you identify that a code scanning alert is a false positive—such as when your code uses a custom sanitization method not recognized by the analysis—you should dismiss the alert with the reason "false positive." This action helps improve the accuracy of future analyses and maintains the relevance of your security alerts.
As per GitHub's documentation:
"If you dismiss a CodeQL alert as a false positive result, for example because the code uses a sanitization library that isn't supported, consider contributing to the CodeQL repository and improving the analysis."
By dismissing the alert appropriately, you ensure that your codebase's security alerts remain actionable and relevant.
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit