Some of the audit issues are false positives. What’s the recommended action to handle them?
Some of the security issues detected by DeepSource are explicitely marked as Audit.
Our main concern with secrity is to avoid false negatives. In order to do that, DeepSource raises security issues even if the confidence is a bit on the lower side. Therefore, we have classified some of these issues as Audit issues.
The idea behind this is to let the developers know about it, so that they can review it and take an action on the issue.
If a security issue, which requires an audit is not valid, it is recommended to ignore the issue via the UI or silence it permanently by placing #skipcq: <issue-code> on the line where the issue is raised.
1 Like