TABLE OF CONTENTS

Overview

ou can create a suppression rule on any check to acknowledge the security issues automatically as and when they are detected and allow you to continue building the application. You may create a suppression rule for many reasons. For example, you may create a suppression rule to acknowledge all the misconfigurations that were detected after applying a specific check and fix all the under-development codes to create safe artifacts.


The following security issues can be suppressed by a suppression rule automatically as configured in the rule:

  • Vulnerabilities, sensitive data, IaC misconfigurations, and SAST checks detected in the code repositories
  • Pipeline misconfigurations detected in the build pipelines

  • Suspicious behavior findings detected in the build pipelines


To create suppression rules, navigate to the Suppression Rules page from the left menu. From this page, you can create suppression rules on the checks, which can be applied to:

  • All the repositories
  • A specific repository
  • A specific branch in a repository
  • A specific "Organization" in the repository
  • A specific provider such as GitHub, Azure
  • A specific topic which categorizes the repositories


You can also suppress each of the following security issues manually in different Aqua UI pages:

  • Vulnerabilities, sensitive data, SAST checks, and IaC misconfigurations in the respective code repository and Risks page
  • Pipeline misconfigurations in the respective build pipeline page, associated code repository page, and Risks page
  • Suspicious behavior findings in the respective build pipeline page


Suppression rules list view

When you navigate to the Suppression Rules page, you can see the suppression rules which were already. The following details are displayed for each suppression rule:

  • Name: of the suppression rule
  • Scope properties: defined in the suppression rule. For more information, refer to the Scope section below.
  • Reason: to create the rule (if added)
  • Updated by: the user who updated rule the last time
  • Updated: last updated date and time
  • Enabled toggle: to enable or disable any suppression rule from the list view



Suppression rule components

A suppression rule consists of:

  • Scope: defines which assets should be part of the suppression rule. This allows you to select resource type, property, and value
  • Controls: define the type of findings the rule will exclude in displaying the security issues and allow you to continue building the application



Scope

Scope defines which assets should be part of the suppression rule. You can optionally configure a suppression rule with a scope (for that rule only).


For example: A rule can be created to suppress a misconfiguration detected in a specific code repository after applying the selected check.


The scope definition includes the following components:

  • One or more terms. Each term consists of a resource type, a property, and its value.
  • The available resource types and properties in each resource type are explained in the Specific Scope Definition below.
  • Values cannot contain embedded spaces. If you do not know the exact value name, you can enter a few letters in the value so that all the values that match the combination of letters are added to the scope.
  • The operator AND is applied between multiple scope terms.


To define scope criteria when configuring a suppression rule:

  1. In the "Scope" section, define a scope term by using the drop-down lists, and the text boxes to enter the related value(s). Refer to the Specific Scope Definition below for all the available resource types and properties.
  2. Click Add to add multiple scope terms.


When you add each scope term, it will be added to the box shown under the scope selection. You can add multiple scope terms; operator AND will be applied between them by default. You can also see the complete scope definition in the syntax view by clicking the </> icon in the box shown under the scope selection.



Specific scope definition

The scope of a suppression rule can include the following properties against the resource type:

  • Resource type: Repository
  • Property: Branch, Name, Organization, Provider Type, Topic


If you select "Branch" for property in the scope definition, you should enter either the branch name or glob pattern in the value field whereas if you select any property other than "Branch", you can select property value from the drop-down menu.


Controls

You can include the following controls in a suppression rule:


ControlDescription
Dependency Name

 Suppresses the security issues detected in the selected dependencies in this control. You should enter the exact dependency name or specific keywords to see all the dependencies matching the text with different versions in the dropdown menu. The dependencies which are displayed in the dropdown menu were used in one of the code repositories added to Aqua. Select the required dependency with version that you want to add to the control.


Example: "graphql-relay@2.0.1"

Notes:
  • You can also add a dependency name without version as a keyword to the control to consider adding all the dependencies matching the text.
  • Make sure that you use proper casing (upper or lower case) of the letters in the keyword to add correct dependency to the control.
IaC Misconfigurations by ServiceSuppresses the IaC misconfigurations detected in the selected service of a specific provider (e.g. S3 in AWS). You can add multiple provider and service combinations to this control.
IaC Misconfigurations SeveritySuppresses the IaC misconfigurations that match with any of the selected severities. If you select a specific severity, other severities that are lower than the selected severity are selected automatically. For example, if you select "High" severity, "Low" and "Medium" severities are selected automatically in the control.
Pipeline Container ActivityAdd the image name patterns in this control by referring customized Golang regular expressions. This control suppresses the "images with run commands" included in the pipeline configurations which match with the pattern added in this control. Presence of these images with run commands will be considered for calculating the suspicious behavior findings.
Pipeline File Changes ActivitySelect the file change type: Added, Deleted, or Modified and enter file path pattern. This control suppresses these file changes observed in the code repository associated with the pipeline which will be considered for calculating the suspicious behavior findings.
Pipeline Misconfiguration SeveritySuppresses the misconfiguration detected in the pipelines that match with any of the selected severities. If you select a specific severity, other severities that are lower than the selected severity are selected automatically in the control.
Pipeline Network Call Port ActivityAdd the network call ports, e.g., 8080, 4646, 1313. This control suppresses the detected instances of the network call ports entered in this control which will be considered for calculating the suspicious behavior findings.
Pipeline Network Call URL ActivityAdd the network call URL or IP address patterns in this control by referring customized Golang regular expressions. This control suppresses the detected instances of the network call or IP address patterns added in this control which will be considered for calculating the suspicious behavior findings.
SAST SeveritySuppresses the instances of SAST security issues, severities of which match with any of the selected severities in this control. If you select a specific severity, other severities that are lower than the selected severity are selected automatically in the control.

Supported severities: Low, Medium, High, or Critical
Sensitive data PatternAdd the sensitive data patterns to this control by referring customized Golang regular expressions. On detecting the patterns added, those instances of sensitive data will be suppressed.
Sensitive Data SeveritySuppresses the instances of sensitive data that match with any of the selected severities. If you select a specific severity, other severities that are lower than the selected severity are selected automatically in the control.  
Specific IaC MisconfigurationSuppresses the specific IaC misconfigurations detected after performing the selected checks for a specific provider and service combination. You can select one or multiple checks for each provider and service combination (e.g. S3 in AWS). You can add multiple combinations of provider, service, and checks in the control.
Specific Pipeline Misconfiguration CheckSuppresses the misconfigurations detected after performing the selected checks in the control. 
Specific SAST CheckSuppresses the SAST security issues detected by the selected SAST checks in the control.

Example: Java : No null
Specific Sensitive Data Check

Suppresses the instances of sensitive data after performing the selected checks in the control.
Specific VulnerabilitySuppresses the vulnerabilities added in the control.
Suspicious Behavior in PipelinesYou can select one or multiple checks for suspicious behaviors in the pipelines.

Example: Crypto Mining Detected

This control suppresses the suspicious behavior findings detected by the selected checks.
Suspicious Behavior in Pipelines by SeveritySuppresses the suspicious behavior findings, severities of which match with any of the selected severities in this control. If you select a specific severity, other severities that are lower than the selected severity are selected automatically in the control.

Supported severities: Low, Medium, High, or Critical
Vulnerability SeveritySuppresses the vulnerabilities that match with any of the selected severities. If you select a specific severity, other severities that are lower than the selected severity are selected automatically in the control.

There is another checkbox to suppress the vulnerabilities with a known vendor fix. 



Create a new suppression rule

  1. At the top right of the Suppression Rules page, click Create Suppression Rule. New Suppression Rule page appears.
  2. Enter the name of the policy. Upper and lowercase letters, digits, dashes, and underscores are allowed.
  3. Enter a reason for the policy.
  4. (Optional) Select the "Disable rule" checkbox and define the number of days after which the suppression rule should be disabled automatically. If you do not select this checkbox, the suppression rule will be disabled in one day automatically.
  5. To add scope, select resource type, property, and value and click Add. You can add multiple scope terms as required. For more information, refer to the Scope section above.
  6. In the Controls section, click controls from the list on the left pane, to include them in the suppression rule. For more information, refer to the Controls section above.
  7. Click Save.