Defender for DevOps suppressions


In our YAML pipeline we are using the Microsoft DevOps security extension, which is part of the Defender for Cloud suite. The extension flags some JSON content as exposed credentials, but it's actually not. I would like to add suppressions to ignore such false positives, but the documentation is limited.

There are very few examples on how to achieve that using inline comments, but JSON doesn't allow comments in such form:

#[SuppressMessage("Microsoft.Security", "CS001:SecretInLine", Justification="... .")]

The extension uses the CredScan tool under the hood so it should be possible to pass a file with suppressions as a parameter, but the documentation doesn't show how to do that in the MicrosoftSecurityDevOps@1 task.
