Feature Request: False-positive suppression / baseline mechanism
Problem
SkillSpector has no mechanism to suppress known false positives or maintain a baseline
of accepted findings. Every scan re-reports the same issues, making it impractical to
use SkillSpector incrementally in CI/MR workflows where only new findings matter.
Real-world impact
We scanned 86 skills (mix of custom and framework skills) with SkillSpector v2.1.4.
Result: 428 issues, ~95% false positives caused by framework patterns.
These are architectural patterns of the skill framework, not security issues.
Without suppression, the signal-to-noise ratio makes the tool unusable for ongoing
security hygiene.
Proposed solution
A suppression file (e.g., .skillspector-baseline.yaml) that lives alongside the
scanned skills and lets users mark triaged findings as accepted. Suggested capabilities:
1. Global rules (pattern-based)
Suppress an issue ID across skills matching a glob:
suppressions:
  - id: SQP-2
    match: "foo-*"
    reason: "Lorem Ipsum...."
2. Skill-specific rules
Suppress a specific finding in a specific skill, optionally scoped to a file:
  - id: PE3
    skill: mr-comments
    file: scripts/fetch_mr_comments.py
    reason: "Reads token from env — intended behavior"
3. CLI integration
# Scan with suppression file
skillspector scan ./skills/my-skill/ --baseline .skillspector-baseline.yaml
# Show suppressed findings too (for audit)
skillspector scan ./skills/my-skill/ --baseline ... --show-suppressed
# Generate initial baseline from current scan (triage helper)
skillspector baseline init --from scan-result.json
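To make the proposed semantics concrete, here is an added Python sketch of a baseline matcher covering all three capabilities (global glob rules, skill/file-scoped rules, and the baseline init helper). It is not SkillSpector's own code; the field names (id, match, skill, file, reason) follow the YAML above, while the Finding shape, the scan-result JSON layout and the sample data are constructed assumptions. One deliberate safeguard: a rule that carries neither a match glob nor a skill name is rejected, because an unscoped rule would silence an issue ID across every skill, which is exactly the kind of over-broad suppression that --show-suppressed exists to make auditable.

```python
# Added example, not SkillSpector's own code: a minimal baseline matcher with
# the semantics proposed in this feature request. Field names (id, match,
# skill, file, reason) follow the YAML sketch above; everything else is assumed.
from __future__ import annotations

import fnmatch
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str      # issue ID, e.g. "SQP-2"
    skill: str   # name of the scanned skill
    file: str    # path inside the skill that triggered the finding


def validate_rule(rule: dict) -> None:
    """Reject rules that would silence an ID everywhere: each rule needs an
    'id' plus either a 'match' glob (global rule) or a 'skill' name."""
    if "id" not in rule:
        raise ValueError(f"suppression rule without id: {rule}")
    if "match" not in rule and "skill" not in rule:
        raise ValueError(f"rule for {rule['id']} has no scope (match or skill)")


def rule_matches(rule: dict, f: Finding) -> bool:
    """Every constraint present on the rule must hold for the finding."""
    if rule["id"] != f.id:
        return False
    if "match" in rule and not fnmatch.fnmatchcase(f.skill, rule["match"]):
        return False
    if "skill" in rule and rule["skill"] != f.skill:
        return False
    if "file" in rule and rule["file"] != f.file:
        return False
    return True


def apply_baseline(findings: list[Finding], suppressions: list[dict]):
    """Split findings into (new, suppressed). Suppressed entries keep the
    matching rule so --show-suppressed can print the reason for audit."""
    for rule in suppressions:
        validate_rule(rule)
    new, suppressed = [], []
    for f in findings:
        hit = next((r for r in suppressions if rule_matches(r, f)), None)
        if hit is None:
            new.append(f)
        else:
            suppressed.append((f, hit))
    return new, suppressed


def init_baseline(scan_result_json: str) -> list[dict]:
    """Triage helper ('baseline init --from scan-result.json'): one
    skill+file scoped rule per distinct finding, with a reason to fill in."""
    rules, seen = [], set()
    for item in json.loads(scan_result_json)["findings"]:
        key = (item["id"], item["skill"], item["file"])
        if key in seen:
            continue
        seen.add(key)
        rules.append({"id": item["id"], "skill": item["skill"], "file": item["file"],
                      "reason": "TODO: document why this finding is accepted"})
    return rules


# Constructed sample data (not real scan output).
SAMPLE_SUPPRESSIONS = [
    {"id": "SQP-2", "match": "foo-*", "reason": "framework pattern"},
    {"id": "PE3", "skill": "mr-comments", "file": "scripts/fetch_mr_comments.py",
     "reason": "Reads token from env, intended behavior"},
]
SAMPLE_FINDINGS = [
    Finding("SQP-2", "foo-alpha", "SKILL.md"),                      # global glob hit
    Finding("SQP-2", "bar", "SKILL.md"),                            # outside the glob: new
    Finding("PE3", "mr-comments", "scripts/fetch_mr_comments.py"),  # exact skill+file hit
    Finding("PE3", "mr-comments", "scripts/other.py"),              # same skill, other file: new
]
SAMPLE_SCAN_JSON = json.dumps({"findings": [
    {"id": "SQP-2", "skill": "foo-alpha", "file": "SKILL.md"},
    {"id": "SQP-2", "skill": "foo-alpha", "file": "SKILL.md"},  # duplicate collapses
    {"id": "PE3", "skill": "mr-comments", "file": "scripts/other.py"},
]})

if __name__ == "__main__":
    new, suppressed = apply_baseline(SAMPLE_FINDINGS, SAMPLE_SUPPRESSIONS)
    for f in new:
        print(f"NEW        {f.id} {f.skill}:{f.file}")
    for f, rule in suppressed:  # what --show-suppressed would reveal
        print(f"SUPPRESSED {f.id} {f.skill}:{f.file}  reason: {rule['reason']}")
    print(json.dumps(init_baseline(SAMPLE_SCAN_JSON), indent=2))
```

Run stand-alone it prints two NEW lines (the "bar" skill and the unscoped file in mr-comments) and two SUPPRESSED lines with their reasons, then a two-rule baseline generated from the constructed scan result. In a CI/MR job the exit status would be driven by the length of the new list only.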