Suppressions & Exceptions
Suppressions and exceptions are controlled mechanisms to reduce noise while preserving accountability.
Suppressions
A suppression prevents an issue (or rule match) from appearing repeatedly when acting on it is not meaningful.
Use suppressions when:
- The same finding is repeatedly surfaced but cannot be addressed (e.g., test fixtures, non-production paths).
- The finding is a known and documented exception.
Recommended best practices:
- Always add a reason and owner.
- Prefer time-bound suppressions where possible (review every X days).
- Use suppressions sparingly—overuse hides real regressions.
Exceptions
An exception is an explicit policy decision that a finding is allowed under defined conditions. Use exceptions when:
- A team needs time to remediate and wants documented approval.
- A dependency/config must be used with compensating controls.
Recommended best practices:
- Record business justification.
- Track compensating controls (WAF, runtime policy, restricted network paths, monitoring, etc.).
- Add a review/expiry date.
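The rules in both sections above (owner and reason on every entry, a review/expiry date, compensating controls on exceptions) can be enforced mechanically when the scanner applies its waivers. The following is an added example, not code from the original page or from any particular tool; the record format, field names and finding ids are assumptions constructed for illustration. Expired or malformed entries are not honoured, so the finding resurfaces instead of staying hidden.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed record format for this example (the page defines none): one entry per
# waived finding with the owner, reason and review date the page asks for.
@dataclass
class Waiver:
    kind: str                     # "suppression" or "exception"
    finding_id: str               # rule id or finding fingerprint being waived
    owner: str                    # who is accountable for re-reviewing it
    reason: str                   # justification (business or technical)
    expires: Optional[date]       # review/expiry date; None is rejected
    compensating_controls: List[str] = field(default_factory=list)

def validate(w: Waiver) -> List[str]:
    """Policy problems with a waiver record; an empty list means it is acceptable."""
    problems = []
    if not w.owner.strip():
        problems.append("owner is required")
    if not w.reason.strip():
        problems.append("reason is required")
    if w.expires is None:
        problems.append("a review/expiry date is required")
    if w.kind == "exception" and not w.compensating_controls:
        problems.append("an exception must list compensating controls")
    return problems

def apply_waivers(findings: List[str], waivers: List[Waiver],
                  today: date) -> Tuple[List[str], Dict[str, str]]:
    """Return (findings still reported, {finding_id: why its waiver was ignored}).
    Only a well-formed, unexpired waiver removes a finding from the report."""
    by_id = {w.finding_id: w for w in waivers}
    report, ignored = [], {}
    for fid in findings:
        w = by_id.get(fid)
        if w is not None and not validate(w) and today <= w.expires:
            continue                      # valid and in date: finding is waived
        if w is not None:                 # malformed or expired: say why, then report
            ignored[fid] = "; ".join(validate(w)) or f"expired {w.expires.isoformat()} (owner {w.owner})"
        report.append(fid)
    return report, ignored

# Constructed sample: good suppression, good exception, expired suppression,
# exception missing owner and controls, and a finding with no waiver at all.
SAMPLE_FINDINGS = ["SEC-001", "SEC-002", "SEC-003", "SEC-004", "SEC-005"]
SAMPLE_WAIVERS = [
    Waiver("suppression", "SEC-001", "appsec", "test fixture only", date(2030, 1, 1)),
    Waiver("exception", "SEC-002", "payments", "fix scheduled", date(2030, 1, 1), ["WAF rule", "monitoring"]),
    Waiver("suppression", "SEC-003", "platform", "non-production path", date(2024, 1, 1)),
    Waiver("exception", "SEC-004", "", "vendor config", date(2030, 1, 1)),
]

def run_sample(today_iso: str) -> Tuple[List[str], Dict[str, str]]:
    return apply_waivers(SAMPLE_FINDINGS, SAMPLE_WAIVERS, date.fromisoformat(today_iso))
```

Running `run_sample("2025-06-01")` reports SEC-003 (expired), SEC-004 (no owner, no controls) and SEC-005 (never waived), while SEC-001 and SEC-002 stay quiet until their review dates.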