How to set a vulnerability exclusion

The infrastructure as code scanner supports the following methods for declaring exclusions:

From the report page

In the security assessment section, find the desired vulnerability, open the Actions tab and click one of the options:

You can also exclude multiple policies at once:

  • by selecting them from the Violated policies section

  • or by excluding all the policies affecting a specific resource from the Resources Assessment section

From a .isaacignore file

Policy violations can be excluded locally with a .isaacignore file in the root folder of your project that lists the ID(s) of the policies to exclude.

Here's an example showing the contents of this exclusion file.

# No impact in our settings
ISA_C220

# Ignore the misconfiguration
ISA_C208

ISA_C1070
ISA_C198

Note: a comment placed before a policy ID is carried into the report as the reason for that exclusion.

Policy IDs can be found in the console report (generated by invoking the isaac scanner with the --report-console flag).

Set resource-specific exclusions

Resource-specific exclusions are also set in the .isaacignore file. Starting from a regular .isaacignore file like the one shown above, to exclude policy ISA_C208 only for a specific resource, add that resource's Resource ID anywhere in a comment preceding the policy ID:

# Ignore the misconfiguration for <resource name>@<relative path to configuration file>
ISA_C208

ISA_C1070
ISA_C198

The Resource ID is an identifier formed by the name of a resource, followed by @, followed by the relative path to the configuration file where it is defined. Meterian uses these IDs in the ISAAC analysis; you can find them in the JSON report or the console report (--report-console).

Alternatively, you can use a regular expression to target several resources at once, written in the form r'<your RegEx here>'. For example:

# Ignore the misconfiguration for r'aws_sns_topic.bucket_notifications@.*'
ISA_C208

ISA_C1070
ISA_C198

In this example the policy ISA_C208 is excluded for every aws_sns_topic.bucket_notifications resource within the project, whichever file it is defined in. Keep in mind that this is a regular expression, not a glob: the unescaped dot in aws_sns_topic.bucket_notifications matches any single character, so escape it (aws_sns_topic\.bucket_notifications) if the pattern must match only that literal resource name.
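The following is an added example, not code from Meterian or the ISAAC scanner: a small Python reader for the .isaacignore format described above (plain policy IDs, a literal <name>@<path> Resource ID in the preceding comment, or an r'<RegEx>' pattern) that answers, for a given finding, whether it would be excluded and with which comment as the reason. It is useful for auditing an exclusion file before committing it. The resource ID aws_s3_bucket.logs@main.tf and the findings list are constructed, the blank-line and comment-attachment handling is an assumption about the scanner's behaviour, and regex patterns are matched against the whole Resource ID (anchored), which is what the page's own @.* example implies.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the format the page describes. The literal Resource ID
# "aws_s3_bucket.logs@main.tf" is an invented placeholder, not a real finding.
SAMPLE_ISAACIGNORE = """\
# No impact in our settings
ISA_C220

# Ignore the misconfiguration for aws_s3_bucket.logs@main.tf
ISA_C208

# Ignore the misconfiguration for r'aws_sns_topic.bucket_notifications@.*'
ISA_C208

ISA_C1070
ISA_C198
"""

POLICY_ID_RE = re.compile(r"^ISA_C\d+$")
REGEX_FORM_RE = re.compile(r"\br'([^']*)'")            # r'<RegEx>' marker from the page
RESOURCE_ID_RE = re.compile(r"[A-Za-z0-9_.\-]+@\S+")   # <name>@<relative/path> form


@dataclass
class Exclusion:
    policy_id: str
    reason: Optional[str]                        # comment text carried into the report
    resource: Optional[str] = None               # literal Resource ID, if given
    resource_regex: Optional[re.Pattern] = None  # compiled r'...' pattern, if given

    def applies_to(self, policy_id: str, resource_id: str) -> bool:
        if policy_id != self.policy_id:
            return False
        if self.resource_regex is not None:
            # Anchored match (assumption): the page's example ends in '@.*',
            # which only makes sense if the whole Resource ID is matched.
            return self.resource_regex.fullmatch(resource_id) is not None
        if self.resource is not None:
            return resource_id == self.resource
        return True  # no resource qualifier: excluded for every resource


def parse_isaacignore(text: str) -> list[Exclusion]:
    """Parse .isaacignore text into Exclusion entries.

    Comments (# ...) attach to the next policy ID that follows them and never
    carry over to a later ID; blank lines are ignored (assumption). A comment
    containing r'<RegEx>' or a <name>@<path> token makes the exclusion
    resource-specific, as the page describes.
    """
    exclusions: list[Exclusion] = []
    pending: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            pending.append(line.lstrip("#").strip())
            continue
        if not POLICY_ID_RE.match(line):
            raise ValueError(f"line {lineno}: expected a policy ID, got {raw!r}")
        reason = " ".join(pending) or None
        regex = literal = None
        if reason:
            m = REGEX_FORM_RE.search(reason)
            if m:
                regex = re.compile(m.group(1))
            else:
                m = RESOURCE_ID_RE.search(reason)
                if m:
                    literal = m.group(0)
        exclusions.append(Exclusion(line, reason, literal, regex))
        pending = []
    return exclusions


def find_exclusion(exclusions: list[Exclusion], policy_id: str,
                   resource_id: str) -> Optional[Exclusion]:
    """Return the first exclusion covering this (policy, resource) finding, or None."""
    for ex in exclusions:
        if ex.applies_to(policy_id, resource_id):
            return ex
    return None


if __name__ == "__main__":
    rules = parse_isaacignore(SAMPLE_ISAACIGNORE)
    findings = [  # constructed (policy, Resource ID) pairs as a scanner would report them
        ("ISA_C220", "aws_s3_bucket.assets@main.tf"),
        ("ISA_C208", "aws_s3_bucket.logs@main.tf"),
        ("ISA_C208", "aws_sns_topic.bucket_notifications@modules/events/sns.tf"),
        ("ISA_C208", "aws_s3_bucket.assets@main.tf"),
    ]
    for policy, resource in findings:
        ex = find_exclusion(rules, policy, resource)
        status = f"excluded ({ex.reason})" if ex else "reported"
        print(f"{policy:10} {resource:55} {status}")
```

Running the script shows the fourth finding still reported: ISA_C208 is only excluded for the literal aws_s3_bucket.logs@main.tf resource and for Resource IDs matching the r'...' pattern. It also makes the regex caveat concrete: because the dot in aws_sns_topic.bucket_notifications is unescaped, a Resource ID such as aws_sns_topicXbucket_notifications@main.tf would be excluded too.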
