Overview

After carefully reviewing the Policy referenced in an Incident and its impact on your organization's infrastructure security, you may decide to apply Suppression.

There are four levels of Suppression available on the Incidents page, from narrowest to broadest:

Resource: You can Suppress a Policy for a particular Resource. For example, you may choose to waive an encryption policy for a Resource that is used only in development and contains no sensitive data.

Source: You can Suppress a Policy for all Resources for a specific Source. For example, you may choose to waive a specific password hardening policy for one AWS account.

Tag: You can suppress a Policy for all Resources with a specific tag.

Policy: You may choose to completely waive a Policy for all Resources across all Sources.

📘

Note

See also Suppress in Code.

Suppress by Resource

  1. Select an Incident and then Suppress.
  2. Select Suppress by Resource(s) and select one or more Resources.
  3. Add a comment and select Add Suppression.

Future scans will not create Incidents for the Suppressed resource(s) for this Policy.

📘

Suppressed Resources appear in the Suppressed column on the Incident dashboard.
You can edit the comment or remove the Suppression.

Suppress by Source

If you would like to Suppress a Policy (for all Resources) for one or more Source(s) (e.g., an AWS account, a Google Cloud project or an Azure subscription):

  1. Select an Incident and then Suppress.
  2. Select Suppress by Source(s).
  3. Select one or more Source(s).
  4. Add a comment and select Add Suppression.

📘

Suppressed Sources appear in the Suppressed column on the Incident dashboard.
You can edit the comment or remove the Suppression.

Suppress by Tag

  1. Select an Incident and then Suppress.
  2. Select Suppress by Tags.
  3. Select or enter one or more key value-pairs.
  4. Add a comment and select Add Suppression.

📘

Notes

  1. Each time Bridgecrew Cloud performs a scan, it stores the tags (keys and values) found on your Resources.
  2. The dropdown lists on the Suppress by Tags page show the stored key-value pairs.
  3. If you enter a key-value pair that has not been seen yet, matching Resources are Suppressed from the next scan onward, and the new tag then becomes available in the dropdown lists.

Tag-based Suppressions appear in the Suppressed column on the Incident dashboard and can be edited or deleted.

Suppress Policy

If you would like to Suppress a Policy (for all Resources across all Sources):

  1. Select an Incident and then Suppress.
  2. Select Disable this Policy.
  3. Add a comment and select Add Suppression.

Suppress in Code

You can suppress findings in Infrastructure-as-Code files by adding a commented annotation in your source code.

Terraform and CloudFormation

To skip a check on a given Terraform definition block or CloudFormation resource, add a comment with the following pattern inside that resource's scope (between the braces of the Terraform block, or under the resource's key in the CloudFormation template). A skip comment placed outside the resource's scope is ignored.

bridgecrew:skip=<check_id>:<suppression_comment>

<check_id> the ID of the Bridgecrew check you want to suppress (e.g., BC_AWS_S3_2)
<suppression_comment> justification to be included in the scan output (optional, but recommended so that reviewers can see why the check was waived)

Example:

resource "aws_s3_bucket" "foo-bucket" {
  # Skip comment sits inside the block, so it applies to this bucket only.
  #bridgecrew:skip=BC_AWS_S3_2:The bucket is a public static content host
  bucket        = local.bucket_name
  force_destroy = true
  acl           = "public-read"
}

Kubernetes

To suppress checks in Kubernetes manifests, add annotations to the object's metadata with the following format. Annotation keys must be unique within an object, so replace # with a running number (skip1, skip2, ...) when suppressing more than one check:

bridgecrew.io/skip#: <check_id>=<suppression_comment>

Example:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
  annotations:
    bridgecrew.io/skip1: BC_K8S_20=I don't care about Privilege Escalation :-O
    bridgecrew.io/skip2: BC_K8S_14
    bridgecrew.io/skip3: BC_K8S_11=I have not set CPU limits as I want BestEffort QoS
spec:
  containers:
    # Placeholder container so the manifest is complete; image name is illustrative.
    - name: app
      image: example/app:1.0
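The two in-code forms above (the Terraform/CloudFormation comment and the Kubernetes annotation) are easy to scatter through a repository and then lose track of. The following script is an added example, not Bridgecrew's own tooling: it inventories every skip annotation in a Terraform file and a Kubernetes manifest, records which resource each one is scoped to, and flags suppressions that carry no justification. It also shows the scope caveat from the Terraform section: a skip comment outside a resource block is reported as unscoped. The sample inputs are constructed for the example, the brace counting and kind/name detection are deliberately simplified (no handling of braces inside strings or of `//` comments), and the script tracks scope only for Terraform blocks, not for CloudFormation resources.

```python
"""Audit in-code suppressions: list every bridgecrew:skip / bridgecrew.io/skip
annotation, the resource it applies to, and whether a justification was given.
Example code added for this page; not Bridgecrew's own tooling."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Terraform / CloudFormation comment form:  bridgecrew:skip=<check_id>:<comment>
TF_SKIP = re.compile(r"bridgecrew:skip=(?P<check_id>[A-Za-z0-9_]+)(?::(?P<comment>.*))?")
# Kubernetes annotation form:  bridgecrew.io/skip<N>: <check_id>=<comment>
K8S_SKIP = re.compile(r"bridgecrew\.io/skip\d*:\s*(?P<check_id>[A-Za-z0-9_]+)(?:=(?P<comment>.*))?")
TF_RESOURCE = re.compile(r'^\s*resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{')


@dataclass
class Suppression:
    check_id: str
    comment: Optional[str]   # None when no justification was written
    scope: str               # resource the skip applies to
    line: int


def _comment(raw: Optional[str]) -> Optional[str]:
    raw = (raw or "").strip()
    return raw or None


def parse_terraform(text: str) -> List[Suppression]:
    """Walk Terraform HCL, tracking which top-level resource block each line is in.
    Brace counting ignores '#' comments but not braces inside strings (simplification).
    A skip comment outside every resource block is reported as unscoped, because
    the scanner only honors comments placed inside the resource's scope."""
    found: List[Suppression] = []
    scope, depth = None, 0
    for n, line in enumerate(text.splitlines(), 1):
        m = TF_RESOURCE.match(line)
        if m and depth == 0:
            scope = f"{m['type']}.{m['name']}"
        s = TF_SKIP.search(line)
        if s:
            found.append(Suppression(s["check_id"], _comment(s["comment"]),
                                     scope or "<outside any resource>", n))
        code = line.split("#", 1)[0]          # do not count braces inside comments
        depth += code.count("{") - code.count("}")
        if depth == 0:
            scope = None
    return found


def parse_kubernetes(text: str) -> List[Suppression]:
    """Scan a (possibly multi-document) manifest. Scope is kind/metadata.name,
    taken as the first 'kind:' and first 'name:' in each document (simplification)."""
    found: List[Suppression] = []
    doc: List[Tuple[int, str]] = []

    def flush() -> None:
        kind = name = None
        for _, l in doc:
            s = l.strip()
            if kind is None and s.startswith("kind:"):
                kind = s[len("kind:"):].strip()
            if name is None and s.startswith("name:"):
                name = s[len("name:"):].strip()
        for n, l in doc:
            m = K8S_SKIP.search(l)
            if m:
                found.append(Suppression(m["check_id"], _comment(m["comment"]), f"{kind}/{name}", n))
        doc.clear()

    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() == "---":
            flush()
        else:
            doc.append((n, line))
    flush()
    return found


def unjustified(supps: List[Suppression]) -> List[Suppression]:
    """Suppressions with no comment: the ones a reviewer should push back on."""
    return [s for s in supps if s.comment is None]


# Constructed sample inputs (not real infrastructure). The second Terraform skip
# comment sits outside any block, so the scanner would not apply it.
TF_SAMPLE = '''resource "aws_s3_bucket" "foo-bucket" {
  bucket        = local.bucket_name
  #bridgecrew:skip=BC_AWS_S3_2:The bucket is a public static content host
  acl           = "public-read"
}

#bridgecrew:skip=BC_AWS_S3_2:outside the block, so the scanner will not apply it
resource "aws_s3_bucket" "logs" {
  bucket = "logs"
}
'''

K8S_SAMPLE = '''apiVersion: v1
kind: Pod
metadata:
  name: mypod
  annotations:
    bridgecrew.io/skip1: BC_K8S_20=Privilege escalation accepted for this debug pod
    bridgecrew.io/skip2: BC_K8S_14
spec:
  containers:
    - name: app
      image: example/app:1.0
'''

if __name__ == "__main__":
    for s in parse_terraform(TF_SAMPLE) + parse_kubernetes(K8S_SAMPLE):
        flag = "" if s.comment else "  <-- no justification"
        print(f"line {s.line:>3}  {s.scope:<26} {s.check_id:<12} {s.comment or ''}{flag}")
```

Run it over real files by reading them into `parse_terraform` / `parse_kubernetes`; anything returned by `unjustified` is a suppression that a code reviewer cannot evaluate, and an entry scoped to `<outside any resource>` is a skip comment that the scanner will silently ignore.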

Suppress in Code Reviews

You can suppress findings that arise during a code review in a pull request. To do so, perform the following steps:

  1. Click Details in the pull request screen, or find the code review run in the Bridgecrew platform.
  2. Click Suppress on the issue you'd like to suppress, and enter a justification. Click Suppress on the justification popup.
  3. Suppress and/or fix other issues in the review until you are satisfied.
  4. Click the Submit button at the top of the page.
  5. If you did not resolve every finding in the code review, you'll be prompted to ignore or suppress the remaining findings.
  6. Click Submit.
