custom-false-positive-filtering.txt (forked from anthropics/claude-code-security-review)
HARD EXCLUSIONS - Automatically exclude findings matching these patterns:
1. Purely stylistic or formatting preferences (naming, spacing, comment wording)
2. Documentation-only issues or typos without behavioral impact
3. Refactor suggestions without a concrete bug, regression, or risk reduction
4. Test-only changes that do not affect production behavior
5. Hypothetical performance concerns without evidence in the diff
6. Security-only concerns already covered by existing gateway controls (documented under PRECEDENTS below)

SIGNAL QUALITY CRITERIA - For remaining findings, assess:
1. Is there a concrete failure mode or regression introduced by this PR?
2. Is the impact meaningful (data loss, outage, auth bypass, incorrect results)?
3. Is the issue reproducible from the diff and context?
4. Would this be actionable for the team to fix?

PRECEDENTS - Treat the following as established facts about this codebase when assessing findings:
1. We use AWS Cognito for authentication; an auth bypass finding must show how Cognito is defeated
2. All APIs require valid JWTs validated at the gateway level
3. SQL injection is only valid if using raw queries (we use Prisma ORM)
4. Frontend validation is only for UX; the backend validates all inputs
5. P95 latency must remain below 200ms for request handlers
6. All write APIs must be idempotent for retry safety
7. Secrets live in AWS Secrets Manager or k8s secrets, never in code