How to set a vulnerability exclusion
The infrastructure-as-code scanner supports the following methods for declaring exclusions:
In the security assessment section, find the desired vulnerability, open the Actions tab and click one of the options:
You can also exclude multiple policies at once by:
Selecting the policies from the Violated policies section
Or by excluding all the policies affecting a specific resource from the Resources Assessment section
Policy violations can be excluded locally with a .isaacignore file in the root folder of your project containing the ID(s) in question.
Here's an example showing the contents of this exclusion file.
Note: a comment preceding a policy ID is carried through into the report.
Policy IDs can be found in the output of the console report (generated by invoking the isaac scanner with the flag --report-console).
Resource-specific exclusions can also be set via the .isaacignore file. Given the contents of a regular .isaacignore file like the one shown above, if you wanted to exclude policy ISA_C208 only for a specific resource, you can achieve that by adding the Resource ID anywhere in a comment preceding the policy ID.
The Resource ID is an identifier composed of the name of a resource + @ + the relative path to the configuration file where it is defined. Meterian uses these identifiers in the ISAAC analysis. You can find them for reference in the JSON report or in the console report (--report-console).
Alternatively, you can use a regular expression to target specific resources. This is done with a specific format: r'<your RegEx here>'. Here follows an example:
In this example the policy ISA_C208 will be excluded for every aws_sns_topic.bucket_notifications resource within the project.
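To make the three exclusion forms described above (global policy ID, Resource-ID-scoped, regex-scoped) concrete, here is an added example, not Meterian's own code, that evaluates a .isaacignore the way the text describes and lets you check which exclusions are global before committing the file. It assumes details the page does not state: comments start with '#', one policy ID per non-comment line, a scope is taken from the comment(s) directly before the ID, and a regex must match the whole Resource ID; the sample file contents are constructed.

```python
# Added example, not Meterian's own code: an evaluator for the .isaacignore rules
# described above, so a file can be checked before it is committed. Assumptions
# not stated on the page: comments start with '#', one policy ID per other line,
# a scope comes from the comment(s) directly before the ID, regex must fullmatch.
import re
RESOURCE_ID_RE = re.compile(r"[A-Za-z0-9_.-]+@[^\s']+")  # name@relative/path
REGEX_RE = re.compile(r"r'([^']*)'")                       # r'<your RegEx here>'

# Constructed sample file: ISA_C208 is from the page, everything else is made up.
SAMPLE_ISAACIGNORE = r"""
# accepted risk: logging is handled centrally
ISA_C101
# aws_s3_bucket.logs@infra/storage.tf
ISA_C208
# r'aws_sns_topic\.bucket_notifications@.*'
ISA_C208
"""

def parse_isaacignore(text):
    """Return (policy_id, scope); scope: None=global, ('id', rid), ('regex', pat)."""
    rules, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            pending.append(line[1:].strip())   # remember comments until an ID
            continue
        scope = None
        for comment in pending:
            if m := REGEX_RE.search(comment):           # r'...' wins if present
                scope = ("regex", re.compile(m.group(1)))
                break
            if m := RESOURCE_ID_RE.search(comment):     # plain Resource ID
                scope = ("id", m.group(0))
                break
        rules.append((line, scope))
        pending = []                                    # comments are consumed
    return rules

def is_excluded(rules, policy_id, resource_id):
    """True if any rule suppresses policy_id for the given Resource ID."""
    for pid, scope in rules:
        if pid != policy_id:
            continue
        if scope is None or (scope[0] == "id" and scope[1] == resource_id):
            return True
        if scope[0] == "regex" and scope[1].fullmatch(resource_id):
            return True
    return False

def global_exclusions(rules):
    """Policy IDs silenced for every resource: the ones to review first."""
    return sorted({pid for pid, scope in rules if scope is None})
```

Running global_exclusions over a real file is the quick way to spot an exclusion that was meant to be scoped to one resource but silences the policy project-wide.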