From 8b421096ccc719ef4cae4e67e782f4603aacd2a7 Mon Sep 17 00:00:00 2001
From: farrell-m
Date: Fri, 20 Dec 2024 12:37:01 +0000
Subject: [PATCH] add false positive info, update exclude
---
 .github/workflows/pr-merge-main.yml | 2 +-
 .github/workflows/push-branch.yml | 2 +-
 README.md | 19 +++++++++++++++++++
 3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/pr-merge-main.yml b/.github/workflows/pr-merge-main.yml
index 316b31b..376ba15 100644
--- a/.github/workflows/pr-merge-main.yml
+++ b/.github/workflows/pr-merge-main.yml
@@ -65,7 +65,7 @@ jobs:
 env:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 SNYK_ORG: legal-aid-agency
- SNYK_TEST_EXCLUDE: generated
+ SNYK_TEST_EXCLUDE: build,generated
 steps:
 - uses: actions/checkout@v3
diff --git a/.github/workflows/push-branch.yml b/.github/workflows/push-branch.yml
index d7e7dbb..42fba36 100644
--- a/.github/workflows/push-branch.yml
+++ b/.github/workflows/push-branch.yml
@@ -60,7 +60,7 @@ jobs:
 env:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 SNYK_ORG: legal-aid-agency
- SNYK_TEST_EXCLUDE: generated
+ SNYK_TEST_EXCLUDE: build,generated
 steps:
 - uses: actions/checkout@v3
diff --git a/README.md b/README.md
index 7abbbb2..afeef13 100644
--- a/README.md
+++ b/README.md
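Review bot: `SNYK_TEST_EXCLUDE: build,generated` widens the exclusion to every path named `build`, so any dependency manifest or bundled artefact that exists only under a build directory may no longer be tested, and nothing on the line records why that loss of coverage is acceptable; a comment such as `# build output is derived from the scanned sources — confirm nothing unique is packaged there` would keep the trade-off visible to the next reader. The same line changes in push-branch.yml, and the enclosing job plus the step that passes this variable to the Snyk CLI are outside the hunk, so it is not visible here whether the exclusion also applies to the monitor run. The README section added in this patch states that the monitor command must match this workflow but links to `.github/workflows/pr-merge.yml`, whereas the file patched here is `.github/workflows/pr-merge-main.yml`, so that reference looks broken.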
@@ -61,3 +61,22 @@ vulnerabilities, this plugin will also report code quality issues. The [.snyk](.snyk) file is used to configure exclusions for scanning. If a vulnerability is not deemed to be a threat, or will be dealt with later, it can be added here to stop the pipeline failing. See [documentation](https://docs.snyk.io/manage-risk/policies/the-.snyk-file) for more details.
+
+### False Positives
+
+Snyk may report that new vulnerabilities have been introduced on a feature branch and fail the
+pipeline, even if this is not the case. As newly identified vulnerabilities are always being
+published, the report for the main branch may become outdated when a new vulnerability is published.
+
+If you think this may be the case, simply re-run the `monitor` command against the `main` branch
+to update the report on the Snyk server, then re-run your pipeline.
+
+Please ensure this matches the command used by the [pr-merge-main](.github/workflows/pr-merge.yml)
+workflow to maintain consistency.
+
+```shell
+snyk monitor --org=legal-aid-agency --all-projects --exclude=build,generated
+```
+
+You should then see the new vulnerability in the LAA Dashboard, otherwise it is a new
+vulnerability introduced on the feature branch that needs to be resolved.