feat: implement rule specific inline ignore

Saharsh1123 · Saharsh1123 · commit f93289515e40 · 2026-05-19T22:06:12.000-04:00
diff --git a/inline_ignore.py b/inline_ignore.py
@@ -5,12 +5,12 @@
 INLINE_IGNORE_MARKER = "sentinelscan: ignore"
 
 
-def line_has_inline_ignore(line):
+def finding_has_inline_ignore(line, finding):
     """
     Return True when a source line contains a SentinelScan inline ignore comment.
 
-    Only comment tokens are checked, so string literals containing the ignore
-    marker do not suppress findings.
+    Generic ignores suppress all findings on the line.
+    Rule-specific ignores suppress only listed rule IDs.
     """
     try:
         tokens = tokenize.generate_tokens(io.StringIO(line).readline)
@@ -21,7 +21,19 @@ def line_has_inline_ignore(line):
         token_type = token.type
         token_value = token.string
 
-        if token_type == tokenize.COMMENT and INLINE_IGNORE_MARKER in token_value:
+        if token_type != tokenize.COMMENT:
+            continue
+
+        if INLINE_IGNORE_MARKER not in token_value:
+            continue
+
+        after_ignore = token_value.partition(INLINE_IGNORE_MARKER)[2].strip()
+        ignored_rules = after_ignore.split()
+
+        if not ignored_rules:
+            return True
+
+        if finding.rule_id in ignored_rules:
             return True
 
     return False
diff --git a/scanner.py b/scanner.py
@@ -3,7 +3,7 @@
 
 from detectors.find_secrets import detect_ast_secrets
 from ignore import filter_ignored_files, load_ignore_patterns
-from inline_ignore import line_has_inline_ignore
+from inline_ignore import finding_has_inline_ignore
 
 def check_path(input_path):
     """
@@ -68,7 +68,7 @@ def scan(files):
 
         for finding in ast_results:
             line = lines[finding.line_number - 1]
-            if line_has_inline_ignore(line):
+            if finding_has_inline_ignore(line, finding):
                 continue
             finding_with_file = replace(finding, file_path=str(file))
             findings.append(finding_with_file)
diff --git a/test_dirs/test_repo/open_vulns.py b/test_dirs/test_repo/open_vulns.py
@@ -1,7 +1,7 @@
 api_key = "123"
 password = "abc"
 token = "xyz"
-aws_key = "AKIAEXAMPLE123456789" # sentinelscan: ignore
+aws_key = "AKIAEXAMPLE123456789" # sentinelscan: ignore AWS_ACCESS_KE
 token = "xyzttttggfdddf"
 api_key = "12dwdqwdqwdqw3"
 token = "xyzgggggg"  # noqa: E702
diff --git a/tests/test_cli/test_cli_inline_ignore.py b/tests/test_cli/test_cli_inline_ignore.py
@@ -291,4 +291,184 @@ def test_cli_text_inline_ignore_works_with_redaction(tmp_path):
     assert "a****f" not in result.stdout
     assert "abc1234567890j" not in result.stdout
     assert "ab**********0j" in result.stdout
-    assert "Token" in result.stdout
+    assert "Token" in result.stdout
+
+
+def test_cli_json_rule_specific_ignore_suppresses_only_matching_rule(tmp_path):
+    findings_file = write_python_file(
+        tmp_path,
+        "findings.py",
+        'api_key = "AKIAEXAMPLE123456789"  # sentinelscan: ignore AWS_ACCESS_KEY\n',
+    )
+
+    result = run_cli(tmp_path, "--json")
+    assert_success(result)
+
+    data = parse_json_output(result)
+
+    assert_single_json_finding(
+        data,
+        line=1,
+        file=findings_file,
+        var_name="api_key",
+        rule_id="API_KEY",
+        rule="API Key",
+        severity="HIGH",
+        value="AKIAEXAMPLE123456789",
+        reason="variable name matched api_key/apikey pattern and value met minimum length",
+        confidence="HIGH",
+    )
+
+
+def test_cli_json_rule_specific_ignore_can_keep_aws_match(tmp_path):
+    findings_file = write_python_file(
+        tmp_path,
+        "findings.py",
+        'api_key = "AKIAEXAMPLE123456789"  # sentinelscan: ignore API_KEY\n',
+    )
+
+    result = run_cli(tmp_path, "--json")
+    assert_success(result)
+
+    data = parse_json_output(result)
+
+    assert_single_json_finding(
+        data,
+        line=1,
+        file=findings_file,
+        var_name="api_key",
+        rule_id="AWS_ACCESS_KEY",
+        rule="AWS Access Key",
+        severity="HIGH",
+        value="AKIAEXAMPLE123456789",
+        reason=AWS_REASON,
+        confidence="HIGH",
+    )
+
+
+def test_cli_json_rule_specific_ignore_suppresses_multiple_listed_rules(tmp_path):
+    write_python_file(
+        tmp_path,
+        "findings.py",
+        'api_key = "AKIAEXAMPLE123456789"  '
+        '# sentinelscan: ignore AWS_ACCESS_KEY API_KEY\n',
+    )
+
+    result = run_cli(tmp_path, "--json")
+    assert_success(result)
+
+    data = parse_json_output(result)
+
+    assert data == []
+
+
+def test_cli_json_unknown_rule_specific_ignore_does_not_suppress(tmp_path):
+    findings_file = write_python_file(
+        tmp_path,
+        "findings.py",
+        'password = "abcdef"  # sentinelscan: ignore FAKE_RULE\n',
+    )
+
+    result = run_cli(tmp_path, "--json")
+    assert_success(result)
+
+    data = parse_json_output(result)
+
+    assert_single_json_finding(
+        data,
+        line=1,
+        file=findings_file,
+        var_name="password",
+        rule_id="PASSWORD",
+        rule="Password",
+        severity="HIGH",
+        value="abcdef",
+        reason=PASSWORD_REASON,
+        confidence="LOW",
+    )
+
+
+def test_cli_text_rule_specific_ignore_suppresses_only_matching_rule(tmp_path):
+    write_python_file(
+        tmp_path,
+        "findings.py",
+        'api_key = "AKIAEXAMPLE123456789"  # sentinelscan: ignore AWS_ACCESS_KEY\n',
+    )
+
+    result = run_cli(tmp_path)
+    assert_success(result)
+
+    assert "API Key" in result.stdout
+    assert "AWS Access Key" not in result.stdout
+    assert "AKIAEXAMPLE123456789" in result.stdout
+    assert "Confidence:" in result.stdout
+    assert "Reason:" in result.stdout
+
+
+def test_cli_text_rule_specific_ignore_can_keep_aws_match(tmp_path):
+    write_python_file(
+        tmp_path,
+        "findings.py",
+        'api_key = "AKIAEXAMPLE123456789"  # sentinelscan: ignore API_KEY\n',
+    )
+
+    result = run_cli(tmp_path)
+    assert_success(result)
+
+    assert "AWS Access Key" in result.stdout
+    assert "API Key" not in result.stdout
+    assert "AKIAEXAMPLE123456789" in result.stdout
+    assert "Confidence:" in result.stdout
+    assert "Reason:" in result.stdout
+
+
+def test_cli_text_rule_specific_ignore_suppresses_multiple_listed_rules(tmp_path):
+    write_python_file(
+        tmp_path,
+        "findings.py",
+        'api_key = "AKIAEXAMPLE123456789"  '
+        '# sentinelscan: ignore AWS_ACCESS_KEY API_KEY\n',
+    )
+
+    result = run_cli(tmp_path)
+    assert_success(result)
+
+    assert "No vulnerabilities found." in result.stdout
+    assert "AWS Access Key" not in result.stdout
+    assert "API Key" not in result.stdout
+    assert "AKIAEXAMPLE123456789" not in result.stdout
+
+
+def test_cli_json_rule_specific_ignore_works_with_filters_and_redaction(tmp_path):
+    findings_file = write_python_file(
+        tmp_path,
+        "findings.py",
+        'password = "abcdef"  # sentinelscan: ignore PASSWORD\n'
+        'token = "abc1234567890j"\n',
+    )
+
+    result = run_cli(
+        tmp_path,
+        "--json",
+        "--severity",
+        "MEDIUM",
+        "--confidence",
+        "HIGH",
+        "--redact",
+    )
+    assert_success(result)
+
+    data = parse_json_output(result)
+
+    assert_single_json_finding(
+        data,
+        line=2,
+        file=findings_file,
+        var_name="token",
+        rule_id="TOKEN",
+        rule="Token",
+        severity="MEDIUM",
+        value="ab**********0j",
+        reason=TOKEN_REASON,
+        confidence="HIGH",
+    )
diff --git a/tests/test_inline_ignore.py b/tests/test_inline_ignore.py
