Overview

You can create a suppression rule on any check to acknowledge the security issues it detects and allow the application build to continue. There are many reasons to create a suppression rule. For example, you can acknowledge all the misconfigurations detected by a specific check while you fix the code that is still under development, so that safe artifacts can be built.


To create suppression rules, navigate to the Suppression Rules page from the left menu. From this page, you can create suppression rules on checks and apply them to:

  • All the repositories
  • A specific repository
  • A specific branch in a repository
  • A specific "Organization" in the repository
  • A specific provider such as GitHub, Azure
  • A specific topic which categorizes the repositories

From the Code Repositories page > a specific code repository > Misconfigurations tab > the detailed view of a specific misconfiguration, you can also suppress that misconfiguration for a specific check, on the specific repository or all repositories, on a branch, or on a topic.


Suppression rules list view

When you navigate to the Suppression Rules page, you can see the suppression rules that have already been created. The following details are displayed for each suppression rule:

  • Name: name of the suppression rule
  • Scope properties: the scope terms defined in the suppression rule. For more information, refer to the Scope section below.
  • Reason: the reason given for creating the rule (if added)
  • Updated by: the user who last updated the rule
  • Updated: date and time of the last update
  • Enabled toggle: enables or disables a suppression rule directly from the list view



Suppression rule components

A suppression rule consists of:

  • Scope: defines which assets the suppression rule applies to. You select a resource type, a property, and a value.
  • Controls: define which types of findings the rule excludes from the displayed security issues, so that the application build can continue.



Scope

Scope defines which assets should be part of the suppression rule. A scope is optional; when configured, it applies to that rule only.


For example: A rule can be created to suppress a misconfiguration detected in a specific code repository after applying the selected check.


The scope definition includes the following components:

  • One or more terms. Each term consists of a resource type, a property, and its value.
  • The available resource types and properties in each resource type are explained in the Specific Scope Definition below.
  • Values cannot contain embedded spaces. If you do not know the exact value, you can enter part of it; every value that contains the entered letters is then included in the scope.
  • The operator AND is applied between multiple scope terms.


To define scope criteria when configuring a suppression rule:

  1. In the "Scope" section, define a scope term by using the drop-down lists, and the text boxes to enter the related value(s). Refer to the Specific Scope Definition below for all the available resource types and properties.
  2. Click Add to add multiple scope terms.


Each scope term you add appears in the box shown under the scope selection. You can add multiple scope terms; the AND operator is applied between them by default. You can also see the complete scope definition in syntax view by clicking the </> icon in the box shown under the scope selection.



Specific scope definition

The scope of a suppression rule can include the following properties for the resource type:

  • Resource type: Repository
  • Property: Branch, Name, Organization, Provider Type, Topic


Controls

You can include the following controls in a suppression rule:


  • IaC Misconfigurations by Service: suppresses the IaC misconfigurations detected in the selected service of a specific provider (e.g. S3 in AWS). You can add multiple provider and service combinations to this control.
  • IaC Misconfigurations Severity: suppresses the IaC misconfigurations that match any of the selected severities. If you select a specific severity, all severities lower than it are selected automatically. For example, if you select "High" severity, "Low" and "Medium" severities are selected automatically in the control.
  • Pipeline Misconfiguration Severity: suppresses the misconfigurations detected in pipelines that match any of the selected severities. If you select a specific severity, all severities lower than it are selected automatically in the control.
  • Sensitive Data Pattern: add sensitive data patterns to this control as custom Go (Golang) regular expressions. Instances of sensitive data that match the added patterns are suppressed.
  • Sensitive Data Severity: suppresses the instances of sensitive data that match any of the selected severities. If you select a specific severity, all severities lower than it are selected automatically in the control.
  • Specific IaC Misconfiguration: suppresses the specific IaC misconfigurations detected by the selected checks for a specific provider and service combination (e.g. S3 in AWS). You can select one or more checks for each combination, and add multiple combinations of provider, service, and checks to the control.
  • Specific Pipeline Misconfiguration Check: suppresses the misconfigurations detected by the checks selected in the control.
  • Specific Sensitive Data Check: suppresses the instances of sensitive data detected by the checks selected in the control.
  • Specific Vulnerability: suppresses the vulnerabilities added to the control.
  • Vulnerability Severity: suppresses the vulnerabilities that match any of the selected severities. If you select a specific severity, all severities lower than it are selected automatically in the control.

There is also a checkbox to suppress vulnerabilities that have a known vendor fix.
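The following Go example is added here to make the scope and control semantics described above concrete: scope terms are ANDed, a value matches any repository property that contains it, values with embedded spaces are rejected, a selected severity covers every lower severity, and sensitive data patterns are Go regular expressions. It is a constructed model with assumed type and function names, not the product's own code.

```go
package main

import (
	"regexp"
	"strings"
)

// Constructed model of the suppression semantics this page describes; assumed
// names, not the product's own code.
type ScopeTerm struct{ Property, Value string } // term on the Repository resource type
type Repo map[string]string                    // property -> value, e.g. "Branch": "main"

type Rule struct {
	Scope       []ScopeTerm
	MaxSeverity string           // "" = severity control not selected
	Patterns    []*regexp.Regexp // Sensitive Data Pattern control (Go regexes)
}

// Selecting a severity also selects every lower one, so a rank comparison suffices.
var severityRank = map[string]int{"Low": 1, "Medium": 2, "High": 3}

// InScope ANDs all terms. A term matches when the property value contains the
// entered text, so a partial value covers every matching repository; a value
// with an embedded space is not allowed and therefore never matches.
func InScope(r Rule, repo Repo) bool {
	for _, t := range r.Scope {
		if strings.Contains(t.Value, " ") || !strings.Contains(repo[t.Property], t.Value) {
			return false
		}
	}
	return true
}

// Suppressed hides a finding only when the repository is in scope and at least
// one control (severity threshold or a sensitive-data pattern) matches it.
func Suppressed(r Rule, repo Repo, sev, finding string) bool {
	if !InScope(r, repo) {
		return false
	}
	if severityRank[sev] > 0 && severityRank[sev] <= severityRank[r.MaxSeverity] {
		return true
	}
	for _, p := range r.Patterns {
		if p.MatchString(finding) {
			return true
		}
	}
	return false
}
```

An empty scope matches every repository, which corresponds to applying a rule to all repositories.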

Create a new suppression rule

  1. At the top right of the Suppression Rules page, click Create Suppression Rule. The New Suppression Rule page appears.
  2. Enter a name for the rule. Uppercase and lowercase letters, digits, dashes, and underscores are allowed.
  3. Enter a reason for the rule.
  4. (Optional) Select the "Disable rule" checkbox and enter the number of days after which the suppression rule is disabled automatically. If you do not select this checkbox, the suppression rule is disabled automatically after one day.
  5. To add scope, select a resource type, property, and value, and click Add. You can add multiple scope terms as required. For more information, refer to the Scope section above.
  6. In the Controls section, click controls in the list on the left pane to include them in the suppression rule. For more information, refer to the Controls section above.
  7. Click Save.