Add per-VM whitelist to suppress known-safe findings

2026-04-17 23:07:38 +01:00
parent dc299e4262
commit 101fe444b1
3 changed files with 27 additions and 4 deletions
--- a/setup.sh
+++ b/setup.sh
@@ -35,6 +35,17 @@ chmod +x "$SCRIPT_DIR/check-nextjs-rce.sh"
 # ── Create logs directory ──────────────────────────────────────────────────────
 mkdir -p "$SCRIPT_DIR/logs"

+# ── Create whitelist if absent ─────────────────────────────────────────────────
+if [[ ! -f "$SCRIPT_DIR/whitelist.conf" ]]; then
+    cat > "$SCRIPT_DIR/whitelist.conf" <<'EOF'
+# whitelist.conf — one entry per line, exact match against package names or file paths
+# Example:
+#   ua-parser-js
+#   /tmp/my-known-safe-script.sh
+EOF
+    echo "whitelist.conf created — add known-safe items to suppress false positives."
+fi
+
 # ── Cron jobs ──────────────────────────────────────────────────────────────────
 CRON_1="0 8 * * * $SCRIPT_DIR/npm-security-check.sh >> $SCRIPT_DIR/logs/npm-security-check-\$(date +\%Y\%m\%d).log 2>&1"
 CRON_2="5 8 * * * $SCRIPT_DIR/check-nextjs-rce.sh >> $SCRIPT_DIR/logs/check-nextjs-rce-\$(date +\%Y\%m\%d).log 2>&1"