
Ignore Rules

Ignore rules let you suppress specific findings from SCA scan results. Use them to filter out accepted risks, false positives, or findings that do not apply to your environment.

Rule Types

Type          Matches On                           Example Value
CVE ID        Exact CVE identifier                 CVE-2021-23337
Package Name  Dependency name (exact match)        minimist
File Path     Manifest location (glob supported)   test/**/*
License       SPDX license identifier              MIT
Severity      Severity level and below             low

Creating an Ignore Rule

  1. Go to SCA > Ignore Rules for the repository.
  2. Click Add Rule.
  3. Select the rule type from the dropdown.
  4. Enter the match value.
  5. Optionally set an expiration date. After this date the rule is automatically deactivated and suppressed findings reappear.
  6. Add a justification note explaining why the finding is suppressed.
  7. Click Save.

You can also create rules inline from any finding row by clicking the overflow menu and selecting Ignore.

How Suppression Works

When a scan completes, the results page shows two counts:

  • Effective findings — vulnerabilities that are currently actionable.
  • Suppressed findings — vulnerabilities matched by at least one active ignore rule.

Suppressed findings are hidden from the default view. Toggle Show suppressed to review them. Each suppressed finding displays the rule that matched it.
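The matching semantics of the rule types table and the effective/suppressed split described above, as an added Python example (not the product's own code). It assumes the severity ordering low < medium < high < critical, uses fnmatch for file path globs, and runs over constructed sample findings and rules; a suppressed finding is reported together with the rule that matched it, and an expired rule no longer suppresses anything.

```python
from collections import namedtuple
from datetime import date
from fnmatch import fnmatch

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}  # ordering assumed here

# manifest = path of the manifest the dependency was found in; license = SPDX identifier
Finding = namedtuple("Finding", "cve package manifest license severity")
# kind is one of "cve", "package", "path", "license", "severity"; expires=None means indefinite
IgnoreRule = namedtuple("IgnoreRule", "kind value justification expires", defaults=[None])

# One matcher per rule type, following the "Matches On" column of the rule types table.
MATCHERS = {
    "cve": lambda f, v: f.cve == v,
    "package": lambda f, v: f.package == v,
    "path": lambda f, v: fnmatch(f.manifest, v),   # fnmatch's '*' also crosses '/'
    "license": lambda f, v: f.license == v,
    "severity": lambda f, v: SEVERITY_RANK[f.severity] <= SEVERITY_RANK[v],  # level and below
}

def rule_active(rule, today):
    """A rule with an expiration date is deactivated once that date has passed."""
    return rule.expires is None or today <= rule.expires

def apply_rules(findings, rules, today):
    """Split findings into (effective, suppressed); each suppressed entry carries its rule."""
    effective, suppressed = [], []
    for f in findings:
        hit = next((r for r in rules if rule_active(r, today) and MATCHERS[r.kind](f, r.value)), None)
        if hit is None:
            effective.append(f)
        else:
            suppressed.append((f, hit))
    return effective, suppressed

# Constructed sample data: placeholder CVE ids and package names, not real scan output.
FINDINGS = [
    Finding("CVE-2021-23337", "pkg-a", "package.json", "MIT", "high"),
    Finding("CVE-0000-0001", "minimist", "package.json", "MIT", "medium"),
    Finding("CVE-0000-0002", "pkg-b", "test/fixtures/package.json", "MIT", "critical"),
    Finding("CVE-0000-0003", "pkg-c", "package.json", "MIT", "low"),
]
RULES = [
    IgnoreRule("cve", "CVE-2021-23337", "affected function is never called", date(2024, 6, 30)),
    IgnoreRule("path", "test/**/*", "test fixtures are not shipped"),
    IgnoreRule("severity", "low", "accepted risk, re-evaluate next quarter", date(2025, 1, 1)),
]
```

Running apply_rules(FINDINGS, RULES, today) on a date before the CVE rule expires suppresses three of the four findings; once that rule has expired, the CVE-2021-23337 finding reappears in the effective list.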

Ignore Rules vs Triage

Both features reduce noise, but they serve different purposes:

Aspect        Ignore Rules                           Triage
Purpose       Permanent or time-boxed suppression    Workflow state tracking
Visibility    Hidden from default results            Visible with a status label
Scope         Applies to all future scans            Applies to a single finding instance
Typical use   Known false positives, accepted risks  In-progress investigation, deferred

Use ignore rules when a finding will never be relevant. Use triage when you need to track progress toward remediation.

Best Practices

  • Always include a justification so auditors understand why a finding was suppressed.
  • Prefer expiration dates over indefinite rules. Re-evaluate suppressed findings quarterly.
  • Use file path rules to exclude test and example directories rather than suppressing individual CVEs within them.
  • Review the suppressed findings count regularly. A high ratio of suppressed to effective findings may indicate overly broad rules.
  • Export your ignore rules before compliance audits so reviewers can verify each suppression.

API Reference

POST   /api/sca/ignore-rules             # Create a rule
GET    /api/sca/ignore-rules             # List all rules for a repo
DELETE /api/sca/ignore-rules/{rule_id}   # Delete a rule