Overview
Teams adopting ChainProof mid-project face a painful onboarding problem: the first scan surfaces dozens of pre-existing findings that can't all be fixed immediately. Without a suppression mechanism, the CI gate fails permanently. A baseline file lets teams acknowledge existing findings and only fail CI on newly introduced issues.
Problem Scenario
- First scan surfaces 40 pre-existing findings, 15 of which are high severity
- CI is configured to fail on high severity
- Team cannot ship anything until all 15 are fixed
- Team disables ChainProof
A baseline file solves this by saying: "These 15 issues are known. Alert me on anything new."
Proposed Design
Creating a Baseline
chainproof scan contracts/ --create-baseline .chainproof-baseline.json
{
  "version": "1.0",
  "createdAt": "2025-06-19T00:00:00Z",
  "entries": [
    {
      "fingerprint": "sha256-of-ruleId+file+line+snippet",
      "ruleId": "CP-107",
      "file": "contracts/Vault.sol",
      "line": 42,
      "title": "Reentrancy vulnerability"
    }
  ]
}
Using a Baseline
chainproof scan contracts/ --baseline .chainproof-baseline.json
- Baselined findings are marked suppressed: true in the result
- Suppressed findings appear in reports (dimmed) for transparency but do not trigger exit code 1
- Exit code 1 only fires on new (non-baselined) critical/high findings
Fingerprinting
SHA-256(ruleId + normalized_file_path + line_number + first_30_chars_of_snippet)
Stable across minor formatting changes but invalidates when vulnerable code moves or changes.
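The following is an added illustration of the baseline workflow and fingerprint scheme described above (the "Using a Baseline" and "Fingerprinting" sections); it is not ChainProof's own code. It assumes the proposal's file shape, a "|" separator between the hashed fields (the proposal only says "+", and plain concatenation lets different field splits hash identically), and a path normalization of forward slashes with a leading "./" stripped. The sample findings, file names, snippets and the "CP-999" rule id are constructed placeholders; only "CP-107" comes from the proposal. The last scenario shows the stated trade-off: because the line number is hashed, a finding that merely moves (for example after an unrelated insertion above it) loses its suppression and must be re-baselined.

```python
from __future__ import annotations

import hashlib
import json
import posixpath
from dataclasses import dataclass
from typing import Iterable

# Severities that fail CI when the finding is NOT baselined (per the proposal).
BLOCKING_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    file: str
    line: int
    snippet: str
    severity: str
    title: str


def normalize_path(path: str) -> str:
    """Assumed normalization: forward slashes, leading './' and '..' segments collapsed."""
    return posixpath.normpath(path.replace("\\", "/"))


def fingerprint(f: Finding) -> str:
    """SHA-256 over ruleId + normalized path + line + first 30 chars of the snippet.

    The '|' separator is an assumption; it keeps e.g. 'ab'+'c' and 'a'+'bc'
    from hashing to the same value, which bare concatenation would allow.
    """
    material = "|".join([f.rule_id, normalize_path(f.file), str(f.line), f.snippet[:30]])
    return "sha256:" + hashlib.sha256(material.encode("utf-8")).hexdigest()


def create_baseline(findings: Iterable[Finding], created_at: str) -> dict:
    """Build the .chainproof-baseline.json document in the proposal's shape."""
    return {
        "version": "1.0",
        "createdAt": created_at,
        "entries": [
            {"fingerprint": fingerprint(f), "ruleId": f.rule_id,
             "file": normalize_path(f.file), "line": f.line, "title": f.title}
            for f in findings
        ],
    }


def apply_baseline(findings: Iterable[Finding], baseline: dict) -> list[dict]:
    """Mark findings whose fingerprint is in the baseline as suppressed: true.

    Suppressed findings stay in the result so reports can still show them (dimmed).
    """
    known = {e["fingerprint"] for e in baseline.get("entries", [])}
    results = []
    for f in findings:
        fp = fingerprint(f)
        results.append({
            "ruleId": f.rule_id, "file": normalize_path(f.file), "line": f.line,
            "severity": f.severity, "title": f.title,
            "fingerprint": fp, "suppressed": fp in known,
        })
    return results


def exit_code(results: list[dict]) -> int:
    """Exit 1 only for new (non-suppressed) critical/high findings."""
    blocking = [r for r in results
                if not r["suppressed"] and r["severity"] in BLOCKING_SEVERITIES]
    return 1 if blocking else 0


def scan_with_baseline_file(findings: Iterable[Finding], baseline_json: str) -> tuple[list[dict], int]:
    """What `--baseline` would do: parse the stored file, annotate, compute the exit code."""
    results = apply_baseline(findings, json.loads(baseline_json))
    return results, exit_code(results)


# Constructed sample data (not real scan output). CP-999 is a placeholder rule id.
REENTRANCY_SNIPPET = '(bool ok, ) = msg.sender.call{value: amount}("");'
FIRST_SCAN = [
    Finding("CP-107", "contracts/Vault.sol", 42, REENTRANCY_SNIPPET, "high", "Reentrancy vulnerability"),
    Finding("CP-999", "contracts/Token.sol", 10, "uint8 private unused;", "medium", "Placeholder medium finding"),
]
# Later scan: same Vault finding (path spelled differently) plus a genuinely new high finding.
SECOND_SCAN = [
    Finding("CP-107", "./contracts/Vault.sol", 42, REENTRANCY_SNIPPET, "high", "Reentrancy vulnerability"),
    Finding("CP-107", "contracts/Token.sol", 77, REENTRANCY_SNIPPET, "high", "Reentrancy vulnerability"),
]
# Same Vault finding after three unrelated lines were inserted above it: fingerprint changes.
MOVED_FINDING = Finding("CP-107", "contracts/Vault.sol", 45, REENTRANCY_SNIPPET, "high", "Reentrancy vulnerability")


if __name__ == "__main__":
    baseline_text = json.dumps(create_baseline(FIRST_SCAN, "2025-06-19T00:00:00Z"), indent=2)
    for label, scan in [("first scan", FIRST_SCAN), ("second scan", SECOND_SCAN), ("moved", [MOVED_FINDING])]:
        results, code = scan_with_baseline_file(scan, baseline_text)
        print(f"{label}: exit {code}, suppressed={[r['suppressed'] for r in results]}")
```

Running the script prints exit 0 for the first scan (everything baselined), exit 1 for the second (the Token.sol finding is new and high), and exit 1 for the moved finding, which is the re-baselining cost the proposal accepts in exchange for not silently carrying a suppression onto changed code.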
Acceptance Criteria