vulnlog suppress

Generates suppression files for SCA scanners. These files contain vulnerability identifiers that instruct the scanner to exclude the corresponding findings.

vulnlog suppress <file> [flags]

Flags

-o, --output <file>
    Output file path, or - to write to stdout. Requires a single reporter (either set --reporter, or the input must apply to only one reporter). Mutually exclusive with --output-dir.

--output-dir <dir>
    Output directory for the suppression files. Defaults to the current directory. Mutually exclusive with -o, --output.

--reporter <value>
    Filter on reporter.

--release <text>
    Filter on release, including all releases up to and including that release. A vulnerability whose resolution targets a release outside this range is treated as still unresolved and a suppression entry is emitted, so scanners running against the deployed release stay quiet until the fix actually ships.

--tag <text>
    Filter on tags. Use multiple times to filter on multiple tags.

-
    Use as the file argument to read from STDIN.

Examples

Create suppression files for all reporters
    vulnlog suppress full-example.vl.yaml
    Suppression file created at: /path/to/.snyk
    Suppression file created at: /path/to/.trivyignore.yaml

Create suppressions for releases up to and including 8.1.1 and reporter snyk
    vulnlog suppress full-example.vl.yaml --release 8.1.1 --reporter snyk
    Suppression file created at: /path/to/.snyk

Write a single reporter's suppression file under a custom name
    vulnlog suppress full-example.vl.yaml --reporter trivy -o .myTrivy
    Suppression file created at: /path/to/.myTrivy

Suppress a not-yet-shipped fix when scanning the currently deployed release
    vulnlog suppress vulnlog.yaml --release 8.0.0 --reporter trivy

The CVE is fixed on the dev branch and the resolution targets the next, unpublished release. Until that release ships, the scanner running against the deployed 8.0.0 image keeps flagging the CVE. Generating the suppression file with --release 8.0.0 includes the entry, so CI stays green. The vulnerability still appears as open in the HTML report under the same release. The report for the pending fix needs an empty suppress: { } block so the entry is eligible for suppression.

Read from STDIN and write to STDOUT
    vulnlog suppress --reporter trivy - -o - < full-example.vl.yaml > .myTrivy

-o (including -o - for stdout) requires a single reporter. Set --reporter to pick one, or use an input that only applies to one reporter. To write all applicable suppression files in one go, use --output-dir <dir> instead.

Output Examples

Generated Snyk suppression file
    ---
    ignore:
      SNYK-JAVA-TOOLSJACKSONCORE-15907550:
      - '*':
          reason: The affected `StreamReadConstraints` is not used in the application.

Generated Trivy suppression file
    ---
    vulnerabilities:
    - id: GHSA-2m67-wjpj-xhg9
      statement: The affected `StreamReadConstraints` is not used in the application.

Generated Cargo Audit suppression file
    [advisories]
    ignore = [
        "RUSTSEC-2024-0001",
        "RUSTSEC-2021-0073",
    ]
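The --release selection rule described under the flags and in the "not-yet-shipped fix" example, together with the Snyk and Trivy layouts shown above, as an added worked example (not vulnlog's own code): the record fields, the sample entries and the placeholder GHSA identifiers are constructed, and only the two identifiers taken from the output examples are real.

```python
# Added example, not vulnlog's own code. Models the --reporter/--release
# selection described above and renders the Snyk and Trivy formats shown
# under "Output Examples". Record layout and sample entries are constructed.
from __future__ import annotations
from dataclasses import dataclass

def version_key(v: str) -> tuple:
    """'8.1.1' -> (8, 1, 1): numeric compare, so 8.10.0 > 8.9.0 (no pre-release tags)."""
    return tuple(int(p) for p in v.split("."))

@dataclass(frozen=True)
class Vuln:
    vuln_id: str             # identifier the scanner reports (SNYK-..., GHSA-...)
    reporter: str            # scanner the identifier belongs to: "snyk" or "trivy"
    reason: str              # justification copied into the suppression file
    fixed_in: str | None     # release the resolution targets; None = no fix yet
    suppressible: bool       # True when the report carries a suppress: block

def select(vulns: list[Vuln], reporter: str | None, release: str | None) -> list[Vuln]:
    """Entries the scanner would still flag on `release`, so they need suppressing."""
    out = []
    for v in vulns:
        if not v.suppressible or (reporter and v.reporter != reporter):
            continue
        # Fix already shipped in or before the scanned release: nothing to suppress.
        if release and v.fixed_in and version_key(v.fixed_in) <= version_key(release):
            continue
        out.append(v)  # unresolved, or fixed only in a later release
    return out

def render_snyk(vulns: list[Vuln]) -> str:
    lines = ["---", "ignore:"]
    for v in vulns:
        lines += [f"  {v.vuln_id}:", "  - '*':", f"      reason: {v.reason}"]
    return "\n".join(lines) + "\n"

def render_trivy(vulns: list[Vuln]) -> str:
    lines = ["---", "vulnerabilities:"]
    for v in vulns:
        lines += [f"- id: {v.vuln_id}", f"  statement: {v.reason}"]
    return "\n".join(lines) + "\n"

REASON = "The affected `StreamReadConstraints` is not used in the application."
SAMPLE = [  # constructed entries; only the first two identifiers appear on the page
    Vuln("GHSA-2m67-wjpj-xhg9", "trivy", REASON, "8.1.0", True),
    Vuln("SNYK-JAVA-TOOLSJACKSONCORE-15907550", "snyk", REASON, "8.1.0", True),
    Vuln("GHSA-aaaa-bbbb-cccc", "trivy", "constructed, fix shipped in 8.0.0", "8.0.0", True),
    Vuln("GHSA-dddd-eeee-ffff", "trivy", "constructed, no fix yet", None, True),
    Vuln("GHSA-gggg-hhhh-iiii", "trivy", "constructed, no suppress block", None, False),
]
```

Running `select(SAMPLE, "trivy", "8.0.0")` keeps the entry whose fix targets 8.1.0 and the unresolved one, drops the fix that already shipped in 8.0.0, and never emits the report without a suppress: block.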