SocketDev · lelia · Mar 30, 2026 · Mar 30, 2026 · Mar 31, 2026 · Mar 31, 2026
@@ -40,6 +40,7 @@ runs:
     INPUT_JAVASCRIPT_DISABLED_RULES: ${{ inputs.javascript_disabled_rules }}
     INPUT_JAVASCRIPT_ENABLED_RULES: ${{ inputs.javascript_enabled_rules }}
     INPUT_JAVASCRIPT_SAST_ENABLED: ${{ inputs.javascript_sast_enabled }}
+    INPUT_SAST_IGNORE_OVERRIDES: ${{ inputs.sast_ignore_overrides }}
     INPUT_JAVA_DISABLED_RULES: ${{ inputs.java_disabled_rules }}
     INPUT_JAVA_ENABLED_RULES: ${{ inputs.java_enabled_rules }}
     INPUT_JAVA_SAST_ENABLED: ${{ inputs.java_sast_enabled }}
@@ -96,6 +97,7 @@ runs:
     INPUT_PR_LABEL_CRITICAL: ${{ inputs.pr_label_critical }}
     INPUT_PR_LABEL_HIGH: ${{ inputs.pr_label_high }}
     INPUT_PR_LABEL_MEDIUM: ${{ inputs.pr_label_medium }}
+    INPUT_PR_LABEL_LOW: ${{ inputs.pr_label_low }}
 
 inputs:
   workspace:
@@ -246,6 +248,10 @@ inputs:
     description: "Enable JavaScript/TypeScript SAST scanning"
     required: false
     default: "false"
+  sast_ignore_overrides:
+    description: "Comma-separated list of SAST ignore overrides in rule_id or rule_id:path format"
+    required: false
+    default: ""
   jira_api_token:
     description: "Jira Api Token"
     required: false
@@ -450,7 +456,11 @@ inputs:
     description: "Label name for medium severity findings"
     required: false
     default: "security: medium"
+  pr_label_low:
+    description: "Label name for low severity findings"
+    required: false
+    default: "security: low"
 
 branding:
   icon: "shield"
-  color: "blue"
+  color: "purple"
@@ -638,8 +638,29 @@ jobs:
           # JavaScript with custom rules
           javascript_sast_enabled: 'true'
           javascript_enabled_rules: 'eval-usage,prototype-pollution'
+
+          # Ignore one or more SAST rules globally or for exact repo-relative files
+          sast_ignore_overrides: 'js-sql-injection:index.js'
 ```
 
+`sast_ignore_overrides` supports:
+- `rule_id` to ignore a SAST rule everywhere in the repo
+- `rule_id:path` to ignore a SAST rule for one exact repo-relative file
+
+Examples:
+- `js-sql-injection`
+- `js-sql-injection:index.js`
+- `js-sql-injection:src/unsafe/demo.js`
+- `js-express-async-no-error-handler,js-sql-injection:index.js,js-missing-helmet`
+
+Notes:
+- Paths must be exact repo-relative paths using `/` separators after normalization.
+- Windows-style input such as `src\\unsafe\\demo.js` is accepted and normalized automatically.
+- Globs and directory-prefix matching are not supported in this first version.
+- A `rule_id:path` entry is an exact `rule_id AND path` match. If the path does not match, Socket Basics will not fall back to a rule-only ignore.
+- Broad dashboard rule disables such as `<language>_disabled_rules` still ignore that rule everywhere in the repo. If both are configured, the broad disabled-rule behavior can make it look like a narrow path override matched when it did not.
+- In `.socket.facts.json`, ignored alerts include `actionReason` so you can see whether the ignore came from `sast_ignore_override` or `disabled_rule`.
+
 ## Configuration Reference
 
 ### All Available Inputs
@@ -667,6 +688,7 @@ See [`action.yml`](../action.yml) for the complete list of inputs.
 **Rule Configuration (per language):**
 - `<language>_enabled_rules` — Comma-separated rules to enable
 - `<language>_disabled_rules` — Comma-separated rules to disable
+- `sast_ignore_overrides` — Comma-separated `rule_id` or `rule_id:path` SAST ignore overrides
 
 **Security Scanning:**
 - `secret_scanning_enabled` — Enable secret scanning
@@ -750,6 +772,20 @@ permissions:
 2. Check that `socket_org` and `socket_security_api_key` are set correctly
 3. Confirm API key has required permissions in Socket Dashboard
 
+### `sast_ignore_overrides` Seems Too Broad
+
+**Problem:** A `rule_id:path` override appears to ignore findings outside the specified file.
+
+**Likely cause:** The rule is also disabled more broadly in dashboard settings or other config through `<language>_disabled_rules`.
+
+**How to confirm:**
+1. Open the generated `.socket.facts.json`
+2. Find the ignored alert and inspect `actionReason`
+3. `actionReason: "sast_ignore_override"` means the exact path override matched
+4. `actionReason: "disabled_rule"` means the finding was ignored by a broad rule disable instead
+
+**Additional signal:** If the configured path does not exist under the workspace, Socket Basics logs a warning and does not fall back to rule-only matching.
+
 ### High Memory Usage
 
 **Problem:** Action runs out of memory.

@@ -236,6 +236,7 @@ Automatically tag PRs with severity-based labels **and matching colors**.
 - `security: critical` 🔴 - Red (`#D73A4A`)
 - `security: high` 🟠 - Orange (`#D93F0B`)
 - `security: medium` 🟡 - Yellow (`#FBCA04`)
+- `security: low` ⚪ - Light gray (`#E4E4E4`)
 
 **Smart color detection:**
 Labels are automatically created with colors matching the severity emojis. If you customize label names, the system intelligently detects severity keywords and applies appropriate colors:
@@ -246,7 +247,9 @@ pr_label_high: 'security-high'               # Gets orange color automatically
 ```
 
 **How it works:**
-- First scan checks for critical → high → medium (highest severity wins)
+- Each run keeps only the current highest-severity managed PR label: critical → high → medium → low
+- Stale managed severity labels from earlier runs are removed automatically
+- If a later run has no active findings, the managed severity label is removed
 - Labels are created automatically if they don't exist
 - Existing labels are not modified (preserves your customizations)
 - Requires a token with `repo` scope to create new labels; without it, label creation may fail (comments still post)
@@ -257,6 +260,7 @@ pr_labels_enabled: 'true'
 pr_label_critical: 'vulnerability: critical'
 pr_label_high: 'vulnerability: high'
 pr_label_medium: 'vulnerability: medium'
+pr_label_low: 'vulnerability: low'
 ```
 
 **Disable:**
@@ -280,6 +284,22 @@ The logo is a 32px PNG rendered at 24x24 for retina-crisp display, with a transp
 
 ---
 
+### 9. All-Clear Comment Updates
+
+When a later Socket Basics run no longer has active findings for a previously-reported scanner section, the existing PR comment section is updated in place instead of being left stale or deleted.
+
+**Behavior:**
+- Existing Socket-managed sections are preserved for auditability
+- Stale findings content is replaced with a short all-clear message
+- This keeps the PR history readable while making it obvious that the latest run is clean
+
+**Example all-clear message:**
+```text
+✅ Socket Basics found no active findings in the latest run.
+```
+
+---
+
 ## 📋 Configuration Reference
 
 ### All Options
@@ -295,6 +315,7 @@ The logo is a 32px PNG rendered at 24x24 for retina-crisp display, with a transp
 | `pr_label_critical` | `"security: critical"` | string | Label name for critical findings |
 | `pr_label_high` | `"security: high"` | string | Label name for high findings |
 | `pr_label_medium` | `"security: medium"` | string | Label name for medium findings |
+| `pr_label_low` | `"security: low"` | string | Label name for low findings |
 
 ### Configuration Methods
 

@@ -241,6 +241,32 @@ socket-basics --go --go-enabled-rules "error-handling,sql-injection"
 - `--rust-enabled-rules` / `--rust-disabled-rules`
 - `--elixir-enabled-rules` / `--elixir-disabled-rules`
 
+### `--sast-ignore-overrides SAST_IGNORE_OVERRIDES`
+Comma-separated list of SAST ignore overrides in `rule_id` or `rule_id:path` format.
+
+**Environment Variable:** `INPUT_SAST_IGNORE_OVERRIDES`
+
+**Examples:**
+```bash
+# Ignore a rule everywhere in the repo
+socket-basics --javascript --sast-ignore-overrides "js-sql-injection"
+
+# Ignore a rule only for one exact repo-relative file
+socket-basics --javascript --sast-ignore-overrides "js-sql-injection:index.js"
+
+# Mix rule-only and rule+path overrides in one comma-separated list
+socket-basics --javascript --sast-ignore-overrides "js-express-async-no-error-handler,js-sql-injection:index.js,js-missing-helmet"
+```
+
+Notes:
+- Paths must be exact repo-relative paths.
+- Paths are normalized to forward-slash form, so Windows-style input such as `src\\unsafe\\demo.js` is accepted.
+- Globs and directory-prefix matching are not supported in this first version.
+- A `rule_id:path` entry uses exact `rule_id AND path` matching. A bad path does not degrade into a rule-only ignore.
+- If the configured path does not exist under the current workspace, Socket Basics logs a warning to help catch typos or copied paths from another repo.
+- If the same rule is also disabled via `<language>-disabled-rules` or dashboard policy, that broader ignore still applies across the repo.
+- Ignored alerts in `.socket.facts.json` include `actionReason` so you can distinguish `sast_ignore_override` from `disabled_rule`.
+
 ### `--opengrep-notify OPENGREP_NOTIFY`
 Notification method for OpenGrep SAST results (e.g., console, slack).
 
@@ -520,6 +546,7 @@ All notification integrations support environment variables as alternatives to C
 | Variable | Description |
 |----------|-------------|
 | `INPUT_OPENGREP_RULES_DIR` | Custom directory containing SAST rules |
+| `INPUT_SAST_IGNORE_OVERRIDES` | Comma-separated `rule_id` or `rule_id:path` SAST ignore overrides |
 
 ## Configuration File
 
@@ -537,6 +564,7 @@ You can provide configuration via a JSON file using `--config`:
   "python_sast_enabled": true,
   "javascript_sast_enabled": true,
   "go_sast_enabled": true,
+  "sast_ignore_overrides": "js-sql-injection:index.js",
 
   "secrets_enabled": true,
   "trufflehog_exclude_dir": "node_modules,vendor,dist,.git",

@@ -191,6 +191,12 @@ connectors:
         env_variable: INPUT_JAVASCRIPT_DISABLED_RULES
         type: str
         default: ""
+      - name: sast_ignore_overrides
+        option: --sast-ignore-overrides
+        description: "Comma-separated list of SAST ignore overrides in rule_id or rule_id:path format"
+        env_variable: INPUT_SAST_IGNORE_OVERRIDES
+        type: str
+        default: ""
 
       # Go rule configuration
       - name: go_enabled_rules