feat: Baseline file support to suppress known findings in CI pipelines #10

Description

@Nanle-code

Overview

Teams adopting ChainProof mid-project face a painful onboarding problem: the first scan surfaces dozens of pre-existing findings that can't all be fixed immediately. Without a suppression mechanism, the CI gate fails permanently. A baseline file lets teams acknowledge existing findings and only fail CI on newly introduced issues.

Problem Scenario

  1. First scan surfaces 40 pre-existing findings, 15 of which are high severity
  2. CI is configured to fail on high severity
  3. Team cannot ship anything until all 15 are fixed
  4. Team disables ChainProof

A baseline file solves this by saying: "These 15 issues are known. Alert me on anything new."

Proposed Design

Creating a Baseline

chainproof scan contracts/ --create-baseline .chainproof-baseline.json

{
  "version": "1.0",
  "createdAt": "2025-06-19T00:00:00Z",
  "entries": [
    {
      "fingerprint": "sha256-of-ruleId+file+line+snippet",
      "ruleId": "CP-107",
      "file": "contracts/Vault.sol",
      "line": 42,
      "title": "Reentrancy vulnerability"
    }
  ]
}

Using a Baseline

chainproof scan contracts/ --baseline .chainproof-baseline.json
  • Baselined findings are marked suppressed: true in the result
  • Suppressed findings appear in reports (dimmed) for transparency but do not trigger exit code 1
  • Exit code 1 only fires on new (non-baselined) critical/high findings

Fingerprinting

SHA-256(ruleId + normalized_file_path + line_number + first_30_chars_of_snippet)

Stable across minor formatting changes but invalidates when vulnerable code moves or changes.

Acceptance Criteria

  • --create-baseline CLI flag
  • --baseline CLI flag
  • ScanConfig.baselinePath?: string field
  • Fingerprinting algorithm deterministic and documented
  • Suppressed findings marked in all report formats
  • GitHub Action supports baseline-file input
  • VS Code extension has chainproof.baselineFile setting
  • Stale baseline entries (no longer matching any finding) reported as warnings
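The fingerprint and suppression rules described above, as an added TypeScript example (not ChainProof's own code): the Finding/Baseline shapes, the NUL separator between fingerprint fields, the snippet trimming and the path normalisation are assumptions made here so that plain concatenation cannot produce ambiguous hashes.

```typescript
import { createHash } from "crypto";

// Hypothetical shapes; ChainProof's real Finding/ScanConfig types may differ.
interface Finding {
  ruleId: string; file: string; line: number; snippet: string;
  severity: "critical" | "high" | "medium" | "low"; title: string;
  suppressed?: boolean;
}
interface BaselineEntry { fingerprint: string; ruleId: string; file: string; line: number; title: string; }
interface Baseline { version: string; createdAt: string; entries: BaselineEntry[]; }
export interface BaselineResult { findings: Finding[]; stale: BaselineEntry[]; exitCode: 0 | 1; }

// Assumed normalisation: forward slashes, no leading "./", so the same file hashes identically on every OS.
function normalizePath(p: string): string {
  return p.replace(/\\/g, "/").replace(/^\.\//, "");
}

// SHA-256(ruleId + normalized_file_path + line_number + first_30_chars_of_snippet), per the issue.
// Fields are joined with "\0" (assumption) so "ab"+"c" and "a"+"bc" cannot collide.
export function fingerprint(f: Finding): string {
  const material = [f.ruleId, normalizePath(f.file), String(f.line), f.snippet.trim().slice(0, 30)].join("\0");
  return createHash("sha256").update(material).digest("hex");
}

// --create-baseline: record every current finding as known.
export function createBaseline(findings: Finding[], createdAt: string): Baseline {
  return {
    version: "1.0", createdAt,
    entries: findings.map(f => ({ fingerprint: fingerprint(f), ruleId: f.ruleId, file: normalizePath(f.file), line: f.line, title: f.title })),
  };
}

// --baseline: mark known findings suppressed, report stale entries, fail only on new critical/high.
export function applyBaseline(findings: Finding[], baseline: Baseline): BaselineResult {
  const known = new Set(baseline.entries.map(e => e.fingerprint));
  const seen = new Set<string>();
  const marked = findings.map(f => {
    const fp = fingerprint(f);
    if (known.has(fp)) seen.add(fp);
    return { ...f, suppressed: known.has(fp) };
  });
  const stale = baseline.entries.filter(e => !seen.has(e.fingerprint)); // warn: code moved or was fixed
  const failing = marked.some(f => !f.suppressed && (f.severity === "critical" || f.severity === "high"));
  return { findings: marked, stale, exitCode: failing ? 1 : 0 };
}
```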

Labels: GrantFox OSS (issue tracked in GrantFox OSS), Maybe Rewarded (issue may be eligible for a GrantFox reward), Official Campaign, enhancement (new feature or request)