This feature is not yet Generally Available. Refer to this document only if the feature, Suppression Rules for image vulnerabilities, is enabled in your Aqua environment. If you would like to try it, contact Aqua Support to have the feature enabled.


The Images screen > Suppression Rules tab displays all the suppression rules created for image vulnerabilities. In this tab you can create a new suppression rule that suppresses specific vulnerabilities automatically as soon as they are detected in an image scan. The vulnerabilities eligible for suppression are determined by the criteria and scope set in the suppression rule. After you create suppression rules, you can disable or delete them to stop suppressing new image vulnerabilities that meet the suppression criteria and scope set in the rule.

Suppression applicability

When you create a suppression rule, vulnerabilities for suppression will be determined based on the following configurations:

  • Suppression Criteria: Vulnerabilities that meet the criteria set here will be suppressed
  • Suppression scope: Application scopes and Additional scope criteria define the vulnerabilities to which the suppression rule will be applied

If a vulnerability is suppressed by a rule, the same vulnerability detected in other images in the same repository will also be suppressed with the same expiration.

Suppression expiration

When you create a suppression rule for the image vulnerabilities, you can optionally set an expiration (between 1 and 999 days from the present time) for the suppressions. Suppression expiration can give image developers a "grace period" for providing a more durable solution for mitigating the risk of vulnerabilities.

Create a suppression rule

  1. Navigate to the Images page > Suppression Rules tab.

  2. At the top right side of the page, click Create Suppression Rule. The Create new vulnerability suppression dialog appears.

  3. Suppression Criteria: In the Suppression Criteria section, enable the required options and enter the values to set the criteria:

  • All vulnerabilities with CVSS score: Enable it if required and select the vulnerability score range between 1 and 10
  • All vulnerabilities with fix available: Enable it if required to filter the vulnerabilities which have a fix available from the software vendor
  • Specific vulnerability with CVE ID: Enable it if required. To add multiple CVE IDs, enter each CVE ID and press the Enter button
  • All vulnerabilities with severity: Enable it if required and select one or multiple severities from the dropdown menu

The AND operator is applied between the options selected above.

  4. Suppression Scope: To add application scopes and (optional) additional scope criteria: see Policy scope editing.

  5. Suppression Properties: Enter the following details for the suppression rule:

  • Suppression Rule Name
  • Reason

  6. Suppression period: Enable the checkbox and select the number of days that you want to apply the suppression rule.

  7. Click Create.

Other actions

In the Suppression Rules tab, you can perform the following actions on the suppression rules that were created earlier:

  • Disable: In the Enable/Disable column, you can disable any suppression rule. You can also disable multiple suppression rules by selecting the required suppression rules and clicking Disable at the top right side of the page. This action will stop suppressing any new vulnerabilities meeting the criteria set in the rules. Vulnerabilities suppressed earlier as per the disabled rule will continue to be suppressed until the expiration period.
  • Delete: Select the required suppression rules and click Delete at the top right side of the page. This action will stop suppressing any new vulnerabilities and delete the suppression rules and their configurations permanently. Vulnerabilities suppressed earlier as per the deleted rule will be unsuppressed.
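
The rule semantics described above (criteria combined with AND, suppressions inheriting the rule's period, and the different effects of Disable and Delete) can be traced with a small model. This is an added example, not Aqua code or an Aqua API: the `Rule` and `Suppressions` classes, field names, and scan data are hypothetical. It assumes the vulnerabilities are already within the rule's scope, that multiple CVE IDs or severities in one option match any of the listed values, and that a suppression is still active on its expiry date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Rule:  # hypothetical model of one suppression rule, not an Aqua object
    name: str
    cvss_range: Optional[tuple] = None  # inclusive (low, high) within 1..10
    fix_available: bool = False         # True = option enabled
    cve_ids: Optional[set] = None
    severities: Optional[set] = None
    period_days: Optional[int] = None   # 1..999, None = no expiration
    enabled: bool = True

    def matches(self, v: dict) -> bool:
        checks = []  # one entry per enabled option; options are ANDed
        if self.cvss_range:
            checks.append(self.cvss_range[0] <= v["cvss"] <= self.cvss_range[1])
        if self.fix_available:
            checks.append(v["fix"])
        if self.cve_ids:
            checks.append(v["cve"] in self.cve_ids)          # assumed: any listed ID
        if self.severities:
            checks.append(v["severity"] in self.severities)  # assumed: any selected
        return bool(checks) and all(checks)

class Suppressions:
    def __init__(self):
        self.active = {}  # cve -> (rule name, expiry date or None)

    def scan(self, rules, vulns, today):
        for v in vulns:
            for r in rules:
                if r.enabled and v["cve"] not in self.active and r.matches(v):
                    exp = today + timedelta(days=r.period_days) if r.period_days else None
                    self.active[v["cve"]] = (r.name, exp)  # suppression inherits the period

    def delete_rule(self, name):  # deleting a rule unsuppresses what it suppressed
        self.active = {c: s for c, s in self.active.items() if s[0] != name}

    def suppressed(self, today):
        return sorted(c for c, (_, e) in self.active.items() if e is None or today <= e)

# Constructed scan results; the CVE IDs are placeholders, not real identifiers.
SCAN_1 = [
    {"cve": "CVE-0000-0001", "cvss": 5.3, "severity": "medium", "fix": True},
    {"cve": "CVE-0000-0002", "cvss": 5.0, "severity": "medium", "fix": False},
    {"cve": "CVE-0000-0003", "cvss": 9.8, "severity": "critical", "fix": True},
]
SCAN_2 = SCAN_1 + [{"cve": "CVE-0000-0004", "cvss": 4.0, "severity": "low", "fix": True}]
```

Running a rule with a CVSS range, fix-available, and severity options over `SCAN_1` suppresses only the entry that satisfies all three; disabling the rule before scanning `SCAN_2` leaves the new matching entry unsuppressed while the earlier suppression persists until its expiry.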


  1. What is the relationship between suppressions and suppression rules?
    • Suppressions provide the ability to accept risk and specify a grace period for developers to fix the security risks uncovered by Aqua.
    • Suppression Rules allow automatic suppression of vulnerabilities that match the specified criteria within a specified scope 
    • For every image scan, the Suppression Rules will be compared, and any matching CVEs will automatically be suppressed and reflected as part of the image compliance
  2. What is the difference between suppressions and acknowledgments?
    • "Suppressions" is simply a new term for "Acknowledgments," with no difference in meaning or functionality.
    • This will allow Aqua to have consistent nomenclature across the Aqua portfolio
  3. What is the expiration in suppression rules used for?
    • Any suppressions that are triggered automatically via the rules will inherit the expiration period
    • This enables you to set a grace period at the rule level for all matching vulnerability suppressions
    • The expiration does NOT apply to the rule itself
  4. When does the Suppression Rule expire?
    • Today you cannot set an expiration to apply to the Rule
    • There is a capability to temporarily disable a Rule or permanently delete it