Suppress
Overview
After carefully reviewing a Policy and its impact on your organization's infrastructure security, you may decide to apply a Suppression.
Suppressions can be applied at various levels and from various points in Bridgecrew Cloud.
Suppression Levels
Suppression can be applied at various levels: for all cases (Disable Policy), for a specific Source, for a Specific Resource or by tag.
Disable Policy: This option suppresses a Policy in all cases (regardless of Source, Resource or Tag).
Resource: You can Suppress a Policy for a particular Resource. For example, you may choose to waive an encryption policy for a Resource used in development and which contains no sensitive data.
Source: You can Suppress a Policy for all Resources for a specific Source. For example, you may choose to waive a specific password hardening policy for one AWS account.
Tag: You can suppress a Policy for all Resources with a specific tag.
Note
Depending on where in Bridgecrew you set a Suppression, you may have an option to set an Expiration Date. After this date, the Suppression will no longer be in effect.
Where?
Suppressions can be set and managed from these pages:
- Incident page
- Projects page
- Policies page
- In code (Infrastructure-as-Code files)
Note
Regardless of where in Bridgecrew you initially set a Suppression, you can always inspect, modify or delete Suppressions from the Projects and Policies pages.
What Roles Can Apply Suppressions?
Only users with these roles can apply Suppressions:
- Owner
- Admin
- Member
- Developer
Note on Suppression by Developer
Developers can only Suppress by Resource, and only if Developer Suppression is enabled in Code Repository Settings.
Suppress on Incident Page
Suppress Incident by Resource
- Press an Incident and then Suppress.
- Select Suppress by Resource(s) and select one or more Resources.
- Add a comment and select Add Suppression.
Future scans will not create Incidents for the Suppressed resource(s) for this Policy.
Suppressed Resources appear in the Suppressed column on the Incident dashboard.
You can edit the comment or remove the Suppression.

Suppress Incident by Source
If you would like to Suppress a Policy (for all Resources) for one or more Source(s) (for example, an AWS account, a Google Cloud project or an Azure subscription):
- Select Suppress by Source(s).
- Select one or more Source(s).
- Select Add Suppression.

Suppressed Sources appear in the Suppressed column on the Incident dashboard.
You can edit the comment or remove the Suppression.

Suppress Incident by Tag
- Select an Incident and then Suppress.
- Select Suppress by Tags.
- Select or enter one or more key value-pairs.
- Select Add Suppression.

Notes
- Each time Bridgecrew Cloud performs a scan, it stores your tags (keys and values).
- The dropdown lists on the Suppress by Tags page show the stored key-value pairs.
- If you enter a new key-value pair, the Suppression of matching Resources will take place upon the next scan, and the new tag will be available in the dropdown lists.
Tag-based Suppressions appear in the Suppressed column on the Incident dashboard and can be edited or deleted.
Disable Policy (via Incident Page)
If you would like to Suppress a Policy (for all Resources across all Sources):
- Select Disable this Policy.
- Select Add Suppression.

Suppress on Projects Page
On the Projects page, select Suppress to open the Suppression dialog.
You can now choose to:
- Disable the Policy
- Suppress by Source
- Suppress by Resource
- Suppress by Tag
- Set an Expiration Date (optional)

Disable Policy
To disable this Policy across all sources and all resources:
- Select More Options.
- Select Disable.
- Enter a Justification.
- Select Save.

Suppress by Source
To Suppress by Source:
- Select More Options.
- Select Suppress by Sources.
- Choose Sources. The number of affected Resources will appear.
- Select Save.
Suppress by Resource
To Suppress by Resource:
- Select More Options.
- Enter Justification.
- Choose Resources.
- Select Save.
Suppress by Tag
To Suppress by Tag:
- Select Suppress by Tag.
- Enter Justification.
- Choose Tags. The number of affected Resources will appear.
- Select Save.
Calculate Number of Resources Affected
After selecting an option (Disable, Suppress by Source or Suppress by Resource), the number of affected Resources is displayed.

Set Expiration Date
For each type of Suppression, you have the option of setting an Expiration Date. After the Expiration date, the Suppression will no longer apply.
This Expiration Date can be edited later.
If no Expiration Date is set, the Suppression will be applied in all applicable cases, ongoing, unless it is later modified.

Save
Files with Suppressions applied appear collapsed, with SUPPRESS highlighted.
Expand the file to inspect and modify the Suppression.

Inspect and Modify Suppression
Open a collapsed file to see Suppression details or modify Suppression Settings.

Suppress on Policies Page
On the Policies page, you can view any Suppressions associated with a Policy.

Note
Details will appear for Suppressions applied to specific Resources, but not for Resources that are suppressed due to a higher-level Suppression (for example, by Tag).
You can add a Suppression for the Policy.

You can delete an existing Suppression.

Suppress in Code
You can suppress findings in Infrastructure-as-Code files by adding a commented annotation in your source code.
These In-Code Skips are applied if the Developer Suppressions setting is enabled in Code Repository Settings.

Terraform and CloudFormation
To skip a check on a given Terraform definition block or CloudFormation resource, add the following comment pattern inside that resource's scope:
bridgecrew:skip=<check_id>:<suppression_comment>
- <check_id>: the ID of the Bridgecrew check you want to suppress
- <suppression_comment>: comment to be included in the output (optional)
Example:
resource "aws_s3_bucket" "foo-bucket" {
  region = var.region
  #bridgecrew:skip=BC_AWS_S3_2:The bucket is a public static content host
  bucket        = local.bucket_name
  force_destroy = true
  acl           = "public-read"
}
Kubernetes
To suppress checks in Kubernetes manifests, annotations are used with the following format:
bridgecrew.io/skip#: <check_id>=<suppression_comment>
Example:
apiVersion: v1
kind: Pod
metadata:
  name: mypod
  annotations:
    bridgecrew.io/skip1: BC_K8S_20=I don't care about Privilege Escalation :-O
    bridgecrew.io/skip2: BC_K8S_14
    bridgecrew.io/skip3: BC_K8S_11=I have not set CPU limits as I want BestEffort QoS
spec:
  containers:
    - name: mypod
      image: <image>   # placeholder image, not part of the original example
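In-code skips are easy to add and easy to forget, so a reviewer will want an inventory of them. The following is an added example (not Bridgecrew's own tooling) that scans file text for both patterns described above, the Terraform/CloudFormation comment and the Kubernetes annotation, and flags skips that carry no justification comment; the two sample files are constructed from the examples on this page.

```python
import re
from typing import List, Tuple

# Terraform / CloudFormation pattern from this page (the comment part is optional):
#   #bridgecrew:skip=<check_id>:<suppression_comment>
TF_SKIP = re.compile(r"#\s*bridgecrew:skip=(?P<id>\w+)(?::(?P<comment>.*))?$")
# Kubernetes annotation pattern from this page (the comment part is optional):
#   bridgecrew.io/skip<n>: <check_id>=<suppression_comment>
K8S_SKIP = re.compile(r"^\s*bridgecrew\.io/skip\d+:\s*(?P<id>\w+)(?:=(?P<comment>.*))?$")

Skip = Tuple[int, str, str]  # (line number, check id, justification)


def find_skips(text: str) -> List[Skip]:
    """Return every in-code skip found in a file's text.
    Check ids are upper-cased so BC_K8S_20 and bc_k8S_20 compare equal."""
    skips: List[Skip] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = TF_SKIP.search(line) or K8S_SKIP.match(line)
        if m:
            skips.append((lineno, m.group("id").upper(), (m.group("comment") or "").strip()))
    return skips


def unjustified(skips: List[Skip]) -> List[Skip]:
    """Skips with no suppression comment: the ones a reviewer should ask about."""
    return [s for s in skips if not s[2]]


# Constructed sample files, modelled on the examples on this page.
TF_SAMPLE = """resource "aws_s3_bucket" "foo-bucket" {
  region = var.region
  #bridgecrew:skip=BC_AWS_S3_2:The bucket is a public static content host
  bucket = local.bucket_name
}
"""
K8S_SAMPLE = """apiVersion: v1
kind: Pod
metadata:
  name: mypod
  annotations:
    bridgecrew.io/skip1: BC_K8S_20=I don't care about Privilege Escalation
    bridgecrew.io/skip2: BC_K8S_14
"""

if __name__ == "__main__":
    for name, sample in (("main.tf", TF_SAMPLE), ("pod.yaml", K8S_SAMPLE)):
        for lineno, check_id, comment in find_skips(sample):
            print(f"{name}:{lineno}: {check_id} -> {comment or '(no justification)'}")
```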