
Missing documentation: detailing how to write suppressions in scanned code. #63

@TheJCAB

Description of the issue

Hi! I could find absolutely no documentation that explains the format of suppressions that a developer can insert in their code to silence CodeQL false positive warnings.

By searching, I found some Stack Overflow Q&A that mentions the "lgtm[query-id]" comment format, and internally as a Microsoft developer I've seen some description of the "CodeQL[query-id] Justification goes here" format in the instructions for dealing with internal policies.

I also found, via searching in the repo, mention in the release notes of CodeQL 2.12.0, which sounds like the version that added support for the latter format.

And I found the implementation of it right here (which I can only sort-of understand, as I'm not familiar with the .ql language).

This should be properly and prominently documented in the CodeQL documentation. And if it is documented somewhere in there, let this be a call for documenting it better, in a more discoverable way. Most of the documentation seems to deal with this "query language", which is fine, but completely irrelevant to the, say, C++ developer who gets a false positive from a CodeQL scan and needs to suppress it.

Thanx!
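A small audit helper, added here as an example (not part of this issue, and not CodeQL's own code), that lists the two suppression comment forms the issue names and flags CodeQL-style suppressions that carry no justification text. The query ids in the sample are placeholders, and the spacing and comment-style tolerance of the regex is an assumption of this example, not documented CodeQL behaviour.

```python
import re
from dataclasses import dataclass

# Both comment forms come from the issue text: "lgtm[query-id]" and
# "CodeQL[query-id] Justification goes here". Exact spacing rules and
# support for /* */ comments are assumptions of this example.
SUPPRESSION_RE = re.compile(
    r"(?://|/\*)\s*(?P<kind>lgtm|CodeQL)\[(?P<qid>[^\]]+)\]"
    r"\s*(?P<just>[^*]*?)\s*(?:\*/)?\s*$"
)


@dataclass
class Suppression:
    lineno: int
    kind: str           # "lgtm" or "CodeQL"
    query_id: str       # the id inside the brackets
    justification: str  # free text after the brackets; may be empty


def find_suppressions(source: str) -> list:
    """Return every suppression comment found in a source text."""
    found = []
    for n, line in enumerate(source.splitlines(), 1):
        m = SUPPRESSION_RE.search(line)
        if m:
            found.append(Suppression(n, m["kind"], m["qid"].strip(), m["just"].strip()))
    return found


def unjustified(source: str) -> list:
    """Suppressions that silence a finding without saying why; worth a review."""
    return [s for s in find_suppressions(source) if not s.justification]


# Constructed C++ sample; "cpp/example-query-id" etc. are placeholder ids.
SAMPLE = """\
int n = read_len(); // CodeQL[cpp/example-query-id] n is validated against sizeof(buf) above
char buf[64];
memcpy(buf, src, n); // lgtm[cpp/example-query-id]
int unused = 0; /* CodeQL[cpp/another-example-id] */
return 0; // lgtm, ship it
"""

if __name__ == "__main__":
    for s in find_suppressions(SAMPLE):
        flag = "" if s.justification else "  <-- no justification"
        print(f"L{s.lineno}: {s.kind}[{s.query_id}] {s.justification!r}{flag}")
```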

Metadata


Labels

question (Further information is requested)