Annotation to turn off false positive SecretsUsedInArgOrEnv

[jonapich]

Description

I am getting a SecretsUsedInArgOrEnv warning on non-sensitive data.

The variables are named instance_types_file_key and static_variables_file_key. Since this is a refactor I can't rename them just like that and will have to live with the warning.

It would be great if there was a way to annotate the line to acknowledge the false positive. For instance, some linters let you use # noqa at the minimum to disable these warnings, while some others are more specific e.g. # noqa: ignore[index-error]

[crazy-max]

It would be great if there was a way to annotate the line to acknowledge the false positive. For instance, some linters let you use # noqa at the minimum to disable these warnings, while some others are more specific e.g. # noqa: ignore[index-error]

@colinhemmings Recall we discussed about it internally with smth like a nolint directive similar to https://golangci-lint.run/usage/false-positives/#nolint-directive

[tonistiigi]

You can set #check=skip=SecretsUsedInArgOrEnv on top of Dockerfile

[ggjulio]

Or like shellcheck behavior.

A comment on top of a file disable the rule globally, whereas above a line of code it only ignores the LoC.

• https://github.com/koalaman/shellcheck/wiki/Ignore

[jonapich]

Right now it's just noise because we don't enforce clean checks, but eventually, CI should fail when these come up. Being able to ignore a specific check at the line level is important to retain the ability of flagging new contributions (vs ignoring the whole file, which would silence the warning on the new contribution).

[KK-Repos]

Is there a way to suppress the warning for a specific ENV or ARG variable if it's a false positive? If not, is there any existing solution or a feature planned to address this?