Overview

After carefully reviewing a specific Policy referenced and its impact on your organization's infrastructure security, you may decide to apply Suppression.
Suppressions can be applied at various levels and from various points in Bridgecrew Cloud.

Suppression Levels

Suppression can be applied at various levels: for all cases (Disable Policy), for a specific Source, for a Specific Resource or by tag.

Disable Policy: This option suppresses a Policy in all cases (regardless of Source, Resource or Tag)

Resource: You can Suppress a Policy for a particular Resource. For example, you may choose to waive an encryption policy for a Resource used in development and which contains no sensitive data.

Source: You can Suppress a Policy for all Resources for a specific Source. For example, you may choose to waive a specific password hardening policy for one AWS account.

Tag: You can suppress a Policy for all Resources with a specific tag.

📘

Note

Depending on where in Bridgecrew you set a Suppression, you may have an option to set an Expiration Date. After this date, the Suppression will no longer be in effect.

Where?

Suppressions can be set and managed from these pages:

• Incidents
• Projects
• Policies
• In Code - see details below

📘

Note

Regardless of where in Bridgecrew you initially set a Suppression, you can always inspect, modify or delete Suppressions from the Projects and Policies pages.

What Roles Can Apply Suppressions?

Only users with these roles can apply Suppressions:

• Owner
• Admin
• Member
• Developer

📘

Note on Suppression by Developer

Developers can only Suppress by Resource, and only if Developer Suppression is enabled in Code Repository Settings.

Suppress on Incident Page

Suppress Incident by Resource

1. Press an Incident and then Suppress.

2. Select Suppress by Resource(s) and select one or more Resources.

3. Add a comment and select Add Suppression.

Future scans will not create Incidents for the Suppressed resource(s) for this Policy.

📘

Suppressed Resources appear in the Suppressed column on the Incident dashboard.
You can edit the comment or remove the Suppression.

Suppress Incident by Source

If you would like to Suppress a Policy (for all Resources) for one or more Source(s) (i.e., an AWS account, a Google Cloud project or an Azure subscription):

1. Select Suppress by Source(s).
2. Select one or more Source(s).
3. Select Add Suppression.

📘

Suppressed Sources appear in the Suppressed column on the Incident dashboard.
You can edit the comment or remove the Suppression.

Suppress Incident by Tag

1. Select an Incident and then Suppress.
2. Select Suppress by Tags.
3. Select or enter one or more key value-pairs.
4. Select Add Suppression

📘

Notes

1. Each time Bridgecrew cloud performs a scan it stores your tags (keys and values).
2. The dropdown lists on the Suppress by Tags page, show the stored key-value pairs.
3. If you enter a new key-value pair, the Suppression of matching Resources will take place upon the next scan, and the new tag will be available in the dropdown lists.

Tag-based Suppressions appear in the Suppressed column on the Incident dashboard and can be edited or deleted.

Disable Policy (via Incident Page)

If you would like to Suppress a Policy (for all Resources across all Sources):

1. Select Disable this Policy.
2. Select Add Suppression.

Suppress on Projects Page

On the Projects page, select Suppress to open the Suppression dialogue.
You can now choose to:

• Disable the Policy
• Suppress by Source
• Suppress by Resource
• Suppress by Tag
• Set an Expiration Date (optional)

Disable Policy

To disable this Policy across all sources and all resources:

1. Select More Options.

2. Select Disable.
3. Enter a Justification.
4. Select Save.

Suppress by Source

To Suppress by Source:

1. Select More Options.

2. Select Suppress by Sources.

3. Choose Sources.

The number of affected resources will appear.

4. Select Save.

Suppress by Resource

To Suppress by resource:

1. Select More Options.

2. Enter Justification.
3. Choose Resources.
4. Select Save.

Suppress by Tag

To Suppress by Tag:

1. Select Suppress by Tag.
2. Enter Justification.
3. Choose Tags.
   The number of affected resources will appear.

4. Select Save.

Calculate Number of Resources Affected

After selecting an option (Disable, Suppress by Source or Suppress by Resource), the number of affected Resources is displayed.

Set Expiration Date

For each type of Suppression, you have the option of setting an Expiration Date. After the Expiration date, the Suppression will no longer apply.
This Expiration Date can be edited later.
If no Expiration Date is set, the Suppression will be applied in all applicable cases, ongoing, unless it is later modified.

Save

Files with Suppressions applied, appear collapsed and with SUPPRESS highlighted.
Expand the file to inspect and modify the Suppression.

Inspect and Modify Suppression

Open a collapsed file to see Suppression details or modify Suppression Settings.

Suppress on Policies Page

On the Policies page, you can view any Suppressions associated with a Policy.

📘

Note

Details will appear for Suppressions applied to specific Resources, but not for Resources which are suppressed due to a higher level Suppression (for example, by Tag).

You can add a Suppression for the Policy.

You can delete an existing Suppression.

Suppress in Code

You can suppress findings in Infrastructure-as-Code files by adding a commented annotation in your source code.
These In-Code Skips will be applied if the parameter Developer Suppressions is enabled in Code Repository Settings.

Terraform and CloudFormation

To skip a check on a given Terraform definition block or CloudFormation resource, add the following comment pattern inside that resource's scope:

bridgecrew:skip=<check_id>:<suppression_comment>

<check_id> the ID of the Bridgecrew check you want to suppress
<suppression_comment> comment to be included in the output (optional)

Example:

resource "aws_s3_bucket" "foo-bucket" {
  region        = var.region
    #bridgecrew:skip=BC_AWS_S3_2:The bucket is a public static content host
  bucket        = local.bucket_name
  force_destroy = true
  acl           = "public-read"
}

Kubernetes

To suppress checks in Kubernetes manifests, annotations are used with the following format:

bridgecrew.io/skip#: <check_id>=<suppression_comment>

Example:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
  annotations:
    bridgecrew.io/skip1: bc_k8S_20=I don't care about Privilege Escalation :-O
    bridgecrew.io/skip2: bc_K8S_14
    bridgecrew.io/skip3: bc_K8S_11=I have not set CPU limits as I want BestEffort QoS
spec:
  containers:

}

]
}