How to set a vulnerability exclusion

The infrastructure as code scanner supports the following methods for declaring exclusions:

From the report page

In the security assessment section, find the desired vulnerability, open the Actions tab and click one of the exclusion options.

You can also exclude multiple policies at once by:

  • Selecting them from the Violated policies section

  • Or by excluding all the policies affecting a specific resource from the Resources Assessment section

From a .isaacignore file

Policy violations can be excluded locally with a .isaacignore file in the root folder of your project that lists the policy ID(s) in question, one per line.

Here's an example showing the contents of this exclusion file.

# No impact in our settings
ISA_C220

# Ignore the misconfiguration
ISA_C208

ISA_C1070
ISA_C198

Note: a comment placed before a policy ID is included in the report alongside that exclusion.

Policy IDs can be found in the output of the console report (generated by running isaac scanner with the --report-console flag).
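As an added illustration (not the scanner's own code), the following Python parses a .isaacignore file like the one above and applies it to a list of findings, so you can see which exclusions are active and which comment each one carries. It assumes one policy ID per line, that "#" starts a comment, that a comment applies to the IDs following it until a blank line, and that policy IDs have the ISA_C<number> shape shown on this page; the findings list is constructed for the example.

```python
# Added example, not Isaac's own code. Assumptions: one policy ID per line,
# '#' starts a comment, a comment applies to the IDs that follow it until a
# blank line, and IDs look like ISA_C<number> (the shape shown on this page).
import re
from typing import Dict, List, Tuple

POLICY_ID = re.compile(r"^ISA_C\d+$")  # assumed policy ID shape

# Constructed sample: the .isaacignore contents from the page
SAMPLE_ISAACIGNORE = """\
# No impact in our settings
ISA_C220

# Ignore the misconfiguration
ISA_C208

ISA_C1070
ISA_C198
"""


def parse_isaacignore(text: str) -> Dict[str, str]:
    """Map each excluded policy ID to the comment preceding it ('' if none)."""
    exclusions: Dict[str, str] = {}
    reason = ""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            reason = ""  # a blank line ends the scope of the current comment
        elif line.startswith("#"):
            reason = line.lstrip("#").strip()
        elif POLICY_ID.match(line):
            exclusions[line] = reason
        else:
            # Refuse to silently ignore a malformed line: an unnoticed typo
            # would otherwise leave a finding reported (or, worse, hidden).
            raise ValueError(f".isaacignore line {lineno}: not a policy ID: {raw!r}")
    return exclusions


def apply_exclusions(findings: List[Tuple[str, str]], exclusions: Dict[str, str]):
    """Split (policy_id, resource) findings into kept and excluded-with-reason."""
    kept, excluded = [], []
    for policy_id, resource in findings:
        if policy_id in exclusions:
            excluded.append((policy_id, resource, exclusions[policy_id]))
        else:
            kept.append((policy_id, resource))
    return kept, excluded


# Constructed findings: (policy ID, affected resource)
SAMPLE_FINDINGS = [
    ("ISA_C220", "aws_s3_bucket.logs"),
    ("ISA_C999", "aws_s3_bucket.logs"),
    ("ISA_C198", "aws_instance.web"),
]
```

Running apply_exclusions(SAMPLE_FINDINGS, parse_isaacignore(SAMPLE_ISAACIGNORE)) keeps only the ISA_C999 finding and lists the two excluded ones with their comments, which is the information the report shows next to an exclusion.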
