feat: add inline ignore support

Author: Saharsh1123

.sentinelscanignore

@@ -4,8 +4,5 @@ venv/
 # Ignore Python cache directories
 __pycache__/
 
-# Ignore fixture directory
-test_dirs/
-
 # Ignore minified Python files
 *.min.py

inline_ignore.py

@@ -0,0 +1,29 @@
+import io
+import tokenize
+
+
+INLINE_IGNORE_MARKER = "sentinelscan: ignore"
+
+
+def line_has_inline_ignore(line):
+    """
+    Return True when a source line contains a SentinelScan inline ignore comment.
+
+    Only comment tokens are checked, so string literals containing the ignore
+    marker do not suppress findings.
+    """
+    try:
+        tokens = tokenize.generate_tokens(io.StringIO(line).readline)
+    except tokenize.TokenError:
+        return False
+
+    for token in tokens:
+        token_type = token.type
+        token_value = token.string
+
+        if token_type == tokenize.COMMENT and INLINE_IGNORE_MARKER in token_value:
+            return True
+
+    return False
+    
+

scanner.py

@@ -3,6 +3,7 @@
 
 from detectors.find_secrets import detect_ast_secrets
 from ignore import filter_ignored_files, load_ignore_patterns
+from inline_ignore import line_has_inline_ignore
 
 def check_path(input_path):
     """
@@ -61,10 +62,14 @@ def scan(files):
     for file in files:
         with open(file, "r", encoding="utf-8", errors="ignore") as f:
             content = f.read()
+            lines = content.splitlines()
 
         ast_results = detect_ast_secrets(content)
 
         for finding in ast_results:
+            line = lines[finding.line_number - 1]
+            if line_has_inline_ignore(line):
+                continue
             finding_with_file = replace(finding, file_path=str(file))
             findings.append(finding_with_file)
 

test_dirs/test_repo/open_vulns.py

@@ -1,8 +1,9 @@
 api_key = "123"
 password = "abc"
 token = "xyz"
-aws_key = "AKIAEXAMPLE123456789"
+aws_key = "AKIAEXAMPLE123456789" # sentinelscan: ignore
 token = "xyzttttggfdddf"
 api_key = "12dwdqwdqwdqw3"
 token = "xyzgggggg"  # noqa: E702
 TOKEN = "abc1234567890j"
+

tests/test_cli.py

@@ -1117,4 +1117,293 @@ def test_cli_invalid_choice_fails(args, expected_error):
 def test_cli_invalid_path_prints_error():
     result = run_cli("does_not_exist")
 
-    assert "[ERROR]" in result.stdout or "[ERROR]" in result.stderr
+    assert "[ERROR]" in result.stdout or "[ERROR]" in result.stderr
+
+def test_cli_json_inline_ignore_suppresses_finding(tmp_path):
+    write_python_file(
+        tmp_path,
+        "ignored.py",
+        'password = "abcdef"  # sentinelscan: ignore\n',
+    )
+
+    result = run_cli(tmp_path, "--json")
+    assert_success(result)
+
+    data = parse_json_output(result)
+
+    assert data == []
+
+
+def test_cli_json_inline_ignore_keeps_non_ignored_findings(tmp_path):
+    findings_file = write_python_file(
+        tmp_path,
+        "findings.py",
+        'password = "abcdef"  # sentinelscan: ignore\n'
+        'token = "abc1234567890j"\n',
+    )
+
+    result = run_cli(tmp_path, "--json")
+    assert_success(result)
+
+    data = parse_json_output(result)
+
+    assert_single_json_finding(
+        data,
+        line=2,
+        file=findings_file,
+        var_name="token",
+        rule_id="TOKEN",
+        rule="Token",
+        severity="MEDIUM",
+        value="abc1234567890j",
+        reason=TOKEN_REASON,
+        confidence="HIGH",
+    )
+
+
+def test_cli_json_unrelated_comment_does_not_suppress_finding(tmp_path):
+    findings_file = write_python_file(
+        tmp_path,
+        "findings.py",
+        'password = "abcdef"  # normal comment\n',
+    )
+
+    result = run_cli(tmp_path, "--json")
+    assert_success(result)
+
+    data = parse_json_output(result)
+
+    assert_single_json_finding(
+        data,
+        line=1,
+        file=findings_file,
+        var_name="password",
+        rule_id="PASSWORD",
+        rule="Password",
+        severity="HIGH",
+        value="abcdef",
+        reason=PASSWORD_REASON,
+        confidence="LOW",
+    )
+
+
+def test_cli_json_inline_ignore_suppresses_multiple_findings_on_same_line(tmp_path):
+    write_python_file(
+        tmp_path,
+        "findings.py",
+        'api_key = "AKIAEXAMPLE123456789"  # sentinelscan: ignore\n',
+    )
+
+    result = run_cli(tmp_path, "--json")
+    assert_success(result)
+
+    data = parse_json_output(result)
+
+    assert data == []
+
+
+def test_cli_json_inline_ignore_works_with_severity_filter(tmp_path):
+    findings_file = write_python_file(
+        tmp_path,
+        "findings.py",
+        'password = "abcdef"  # sentinelscan: ignore\n'
+        'random_var = "AKIAEXAMPLE123456789"\n',
+    )
+
+    result = run_cli(tmp_path, "--json", "--severity", "HIGH")
+    assert_success(result)
+
+    data = parse_json_output(result)
+
+    assert_single_json_finding(
+        data,
+        line=2,
+        file=findings_file,
+        var_name="random_var",
+        rule_id="AWS_ACCESS_KEY",
+        rule="AWS Access Key",
+        severity="HIGH",
+        value="AKIAEXAMPLE123456789",
+        reason="value matched AKIA-prefixed AWS access key pattern",
+        confidence="HIGH",
+    )
+
+
+def test_cli_json_inline_ignore_works_with_confidence_filter(tmp_path):
+    findings_file = write_python_file(
+        tmp_path,
+        "findings.py",
+        'password = "abcdef"  # sentinelscan: ignore\n'
+        'token = "abc1234567890j"\n',
+    )
+
+    result = run_cli(tmp_path, "--json", "--confidence", "HIGH")
+    assert_success(result)
+
+    data = parse_json_output(result)
+
+    assert_single_json_finding(
+        data,
+        line=2,
+        file=findings_file,
+        var_name="token",
+        rule_id="TOKEN",
+        rule="Token",
+        severity="MEDIUM",
+        value="abc1234567890j",
+        reason=TOKEN_REASON,
+        confidence="HIGH",
+    )
+
+
+def test_cli_json_inline_ignore_works_with_redaction(tmp_path):
+    findings_file = write_python_file(
+        tmp_path,
+        "findings.py",
+        'password = "abcdef"  # sentinelscan: ignore\n'
+        'token = "abc1234567890j"\n',
+    )
+
+    result = run_cli(tmp_path, "--json", "--redact")
+    assert_success(result)
+
+    data = parse_json_output(result)
+
+    assert_single_json_finding(
+        data,
+        line=2,
+        file=findings_file,
+        var_name="token",
+        rule_id="TOKEN",
+        rule="Token",
+        severity="MEDIUM",
+        value="ab**********0j",
+        reason=TOKEN_REASON,
+        confidence="HIGH",
+    )
+
+
+def test_cli_json_inline_ignore_and_sentinelscanignore_work_together(tmp_path):
+    findings_file = write_python_file(
+        tmp_path,
+        "src/findings.py",
+        'password = "abcdef"  # sentinelscan: ignore\n'
+        'token = "abc1234567890j"\n',
+    )
+    write_python_file(
+        tmp_path,
+        "ignored.py",
+        'random_var = "AKIAEXAMPLE123456789"\n',
+    )
+
+    ignore_file = tmp_path / ".sentinelscanignore"
+    ignore_file.write_text("ignored.py\n", encoding="utf-8")
+
+    result = run_cli(tmp_path, "--json")
+    assert_success(result)
+
+    data = parse_json_output(result)
+
+    assert_single_json_finding(
+        data,
+        line=2,
+        file=findings_file,
+        var_name="token",
+        rule_id="TOKEN",
+        rule="Token",
+        severity="MEDIUM",
+        value="abc1234567890j",
+        reason=TOKEN_REASON,
+        confidence="HIGH",
+    )
+
+
+# -------------------------
+# CLI text inline ignore behavior
+# -------------------------
+
+
+def test_cli_text_inline_ignore_suppresses_finding(tmp_path):
+    write_python_file(
+        tmp_path,
+        "ignored.py",
+        'password = "abcdef"  # sentinelscan: ignore\n',
+    )
+
+    result = run_cli(tmp_path)
+    assert_success(result)
+
+    assert "No vulnerabilities found." in result.stdout
+    assert "abcdef" not in result.stdout
+    assert "Reason:" not in result.stdout
+    assert "Confidence:" not in result.stdout
+
+
+def test_cli_text_inline_ignore_keeps_non_ignored_findings(tmp_path):
+    write_python_file(
+        tmp_path,
+        "findings.py",
+        'password = "abcdef"  # sentinelscan: ignore\n'
+        'token = "abc1234567890j"\n',
+    )
+
+    result = run_cli(tmp_path)
+    assert_success(result)
+
+    assert "password" not in result.stdout
+    assert "abcdef" not in result.stdout
+    assert "Token" in result.stdout
+    assert "abc1234567890j" in result.stdout
+    assert "Reason:" in result.stdout
+    assert "Confidence:" in result.stdout
+
+
+def test_cli_text_unrelated_comment_does_not_suppress_finding(tmp_path):
+    write_python_file(
+        tmp_path,
+        "findings.py",
+        'password = "abcdef"  # normal comment\n',
+    )
+
+    result = run_cli(tmp_path)
+    assert_success(result)
+
+    assert "[HIGH]" in result.stdout
+    assert "Password" in result.stdout
+    assert "abcdef" in result.stdout
+    assert "Reason:" in result.stdout
+    assert "Confidence:" in result.stdout
+
+
+def test_cli_text_inline_ignore_suppresses_multiple_findings_on_same_line(tmp_path):
+    write_python_file(
+        tmp_path,
+        "findings.py",
+        'api_key = "AKIAEXAMPLE123456789"  # sentinelscan: ignore\n',
+    )
+
+    result = run_cli(tmp_path)
+    assert_success(result)
+
+    assert "No vulnerabilities found." in result.stdout
+    assert "AWS Access Key" not in result.stdout
+    assert "API Key" not in result.stdout
+    assert "AKIAEXAMPLE123456789" not in result.stdout
+
+
+def test_cli_text_inline_ignore_works_with_redaction(tmp_path):
+    write_python_file(
+        tmp_path,
+        "findings.py",
+        'password = "abcdef"  # sentinelscan: ignore\n'
+        'token = "abc1234567890j"\n',
+    )
+
+    result = run_cli(tmp_path, "--redact")
+    assert_success(result)
+
+    assert "abcdef" not in result.stdout
+    assert "a****f" not in result.stdout
+    assert "abc1234567890j" not in result.stdout
+    assert "ab**********0j" in result.stdout
+    assert "Token" in result.stdout

tests/test_ignore.py

@@ -1,5 +1,3 @@
-from pathlib import Path
-
 from ignore import (
     filter_ignored_files,
     find_ignore_file,