AWS Security ChangesHomeSearch

AWS securityagent documentation change

Service: securityagent · 2026-03-25 · Documentation low

File: securityagent/latest/userguide/review-code-findings-github.md

Summary

Added new section 'Filtering code review findings' that explains how to create a filtering.md file to customize AWS Security Agent code analysis by ignoring patterns and providing context hints to reduce false positives.

Security assessment

This change documents a security feature (code review filtering) that helps reduce false positives in security findings. It provides guidance on configuring the security agent to exclude files/folders and add contextual information. While this relates to security tooling, there's no evidence it addresses a specific security vulnerability or incident - it's a feature enhancement for managing security findings.

Diff

diff --git a/securityagent/latest/userguide/review-code-findings-github.md b/securityagent/latest/userguide/review-code-findings-github.md
index f55ca36db..f552e5eb2 100644
--- a//securityagent/latest/userguide/review-code-findings-github.md
+++ b//securityagent/latest/userguide/review-code-findings-github.md
@@ -5 +5 @@
-How code review works in GitHubUnderstanding code review resultsResponding to security findingsNext steps
+How code review works in GitHubUnderstanding code review resultsResponding to security findingsFiltering code review findingsNext steps
@@ -69,0 +70,74 @@ Each finding includes specific remediation guidance tailored to the security iss
+## Filtering code review findings
+
+You can customize how AWS Security Agent analyzes your code by adding a `filtering.md` file to your repository. This file allows you to reduce false positives by providing context about your codebase and excluding files or folders from analysis.
+
+### Creating the filtering file
+
+Create a file named `filtering.md` in the `.awssecurityagent` directory at the root of your repository:
+    
+    
+    .awssecurityagent/filtering.md
+
+AWS Security Agent reads this file from the main branch of your repository (for example, `main` or `mainline`) when analyzing pull requests.
+
+### File structure
+
+The `filtering.md` file uses standard Markdown formatting with specific sections that AWS Security Agent recognizes. The file must include a `Code Review` heading followed by one or both of the following sections: `IgnorePatterns` and `ContextHints` (no space).
+
+The following example shows the complete structure of a `filtering.md` file:
+    
+    
+    # filtering.md
+    
+    ## Code Review
+    
+    ### IgnorePatterns
+    
+    **/*.md
+    
+    /myapp/src/**/*.snap
+    
+    /myapp/config/README
+    
+    ### ContextHints
+    
+    - The backend is a trusted system and won't return non-standard protocols.
+    - URL is generated from server with presigned token, so no SSRF security vulnerabilities.
+    - AppSec has verified that we are allowed to use cache with an eviction policy.
+
+### Ignore patterns
+
+The `IgnorePatterns` section specifies files and folders that AWS Security Agent should skip during code review. Use `glob patterns` to define which paths to exclude from analysis.
+
+Format requirements:
+
+  * Each pattern must be on its own line.
+
+  * Separate each pattern with an empty line between them. This ensures the file renders correctly when viewed in GitHub or code review tools.
+
+  * Patterns follow the standard glob format. For example, `**/*.md` matches all markdown files, and `/myapp/src/**/*.snap` matches all `.snap` files inside the `/myapp/src/` folder at the root.
+
+  * We support upto 1000 ignore patterns in this section.
+
+
+
+
+### Context hints
+
+The `ContextHints` section provides additional context about your codebase that helps AWS Security Agent make more accurate assessments. Use context hints to explain architectural decisions, security exceptions, or other information that might affect how findings are interpreted.
+
+Format requirements:
+
+  * Each hint must start with a dash (`-`) followed by a space.
+
+  * Write each hint as a single line of free-form text limited to 500 characters.
+
+  * Each hint should describe one specific piece of context about your codebase.
+
+  * We support upto 20 context hints in this section.
+
+
+
+
+Context hints are applied after AWS Security Agent completes its initial analysis, helping to filter findings that don’t apply to your specific use case.
+