From d318bbe201ea337509a77975916c74dbefe6afdb Mon Sep 17 00:00:00 2001
From: Matt Bishop
Date: Thu, 4 Apr 2024 08:41:49 -0400
Subject: [PATCH] Exclude not exploitable state from scanner SARIF results (#694)

## Objective

Implementation of https://github.com/bitwarden/template/pull/80.

## Before you submit

- Please add **unit tests** where it makes sense to do so
---
 .github/workflows/scan.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 4bed1380f..dea39cfd6 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -40,7 +40,10 @@ jobs:
 base_uri: https://ast.checkmarx.net/
 cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }}
 cx_client_secret: ${{ secrets.CHECKMARX_SECRET }}
- additional_params: --report-format sarif --output-path . ${{ env.INCREMENTAL }}
+ additional_params: |
+ --report-format sarif \
+ --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
+ --output-path . ${{ env.INCREMENTAL }}
 - name: Upload Checkmarx results to GitHub
 uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
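Review bot: The new `additional_params: |` value relies on backslash-newline continuations inside a literal block scalar, which as far as I can tell only works if the Checkmarx action hands the input to a shell; if the action splits the string itself, the `\` characters and the trailing newline that `|` retains reach the CLI as stray tokens. A folded scalar needs no continuations and strips the trailing newline: `additional_params: >-`, then `--report-format sarif`, `--filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT"` and `--output-path . ${{ env.INCREMENTAL }}` as plain lines. The filter is also an allow-list, so any result state not named here (not only NOT_EXPLOITABLE, but presumably any state Checkmarx adds later) is silently dropped from the SARIF that reaches GitHub code scanning, which is worth stating above the input, e.g. `# Allow-list of result states uploaded to code scanning; NOT_EXPLOITABLE is intentionally excluded`. The step and its `with:` mapping begin outside the hunk.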