Ignores

After running a scan, you can choose to ignore some of its results, whether because they are known issues or because they should be addressed later. Either way, you take control of your own risk by explicitly ignoring findings.

There are 3 main ways to perform ignores:

  • Glob ignores - skip the matching files completely; their contents are never processed
  • Rule ignores - skip processing file contents with regard to the specified rules
  • Match ignores - ignore actual matches by file name, matched content, rule, and more
Why more than one way to ignore?
Match ignores will work most of the time. If you don't want to scan a large model file because it's a waste, you can use a glob ignore to skip it completely.

Glob Ignores

You might want the same experience as working with a .gitignore file: ignoring an entire folder, a glob over part of the file tree, or a specific file, regardless of which scan is run.

A good example is a Tensorflow model that weighs gigabytes, where you can be reasonably certain there are no security issues to find.

To ignore using this technique, add a special .ignore file to your repo and set its content much like a regular .gitignore:

tf-models/*

When using Spectral Scan, these files will not be considered at all when Spectral compiles its execution plan.

Rule Ignores

There might be a case where you want to ignore a specific rule, and under that rule, ignore a specific set of files.

For example, you want to ignore all credit cards showing up under a "test" folder. In that case, you specify the PCI rule and, under it, a file pattern such as tests/.*. Note that this pattern is a regular expression, not a glob: a regular expression is a bit more costly to evaluate than a glob, but much more powerful and expressive.

An example for how to ignore a specific file under a particular rule can be found here: ignores.yaml

Match Ignores

Lastly, you have the option of ignoring matches. This is the most powerful ignore feature: you can specify the actual finding text to ignore, such as test keys, demo keys, and more.

Ignoring matches after they were found is called "match_ignores" in Spectral. Example: .spectral/spectral.yaml

Adding ignores is done by editing your main spectral configuration file (spectral.yaml), like below:

.spectral/spectral.yaml

match_ignores:
  ignores:
    - match_text: MYSQL_ROOT_PASSWORD
    - rule_id: <rule id, regex>
      rule_name: <rule name, regex>
      match_text: <match text, regex>
      path: <path, regex>
      match_fingerprint: b76fe610abe3bdaa92d4002dc0516dfa21c2dbf520373c6203469d0dee369888

You can specify a list of ignores, and each ignore can have the following fields:

  • rule_id - the id of the rule that produced the finding (regular expression)
  • rule_name - the name of the rule that produced the finding (regular expression)
  • match_text - the text that was matched (regular expression)
  • path - the path of the file containing the match (regular expression)
  • match_fingerprint - a fingerprint of the matched text, for cases where the text itself must not be written into the configuration (see Fingerprinting below)

Fingerprinting

When you want to ignore a secret or another piece of confidential text, it doesn't make sense to spell it out verbatim in an ignore, because you would be duplicating the secret into your configuration. For this case, Spectral uses a cryptographically secure digest as a fingerprint. To fingerprint your piece of text, you can use Spectral itself:

$ spectral fingerprint --text AKIAXXXXXXXXXXXXXXXX
b76fe610abe3bdaa92d4002dc0516dfa21c2dbf520373c6203469d0dee369888

Then you can safely add this fingerprint to your ignore rule, which will ignore the content behind the fingerprint without the secret itself ever appearing in the configuration.
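To make the match-ignore fields and the fingerprint mechanism concrete, here is an added example (not Spectral's own code) of how such ignores can be evaluated against scan findings. It assumes that all regex fields set in one ignore entry must match for the entry to apply, that entries are combined with OR, that regexes are searched (not anchored), and that a fingerprint is the hex SHA-256 digest of the matched text; the findings and ignores below are constructed sample data.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scan result, carrying the fields an ignore entry can filter on."""
    rule_id: str
    rule_name: str
    path: str
    match_text: str


def fingerprint(text: str) -> str:
    # Assumption: the fingerprint is the hex SHA-256 digest of the matched text.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


REGEX_FIELDS = ("rule_id", "rule_name", "match_text", "path")


def ignore_applies(ignore: dict, finding: Finding) -> bool:
    """True if every field set in this ignore entry matches the finding.
    An entry that sets no fields matches nothing, so a stray empty entry
    cannot silently suppress the whole scan."""
    if not ignore:
        return False
    for field in REGEX_FIELDS:
        pattern = ignore.get(field)
        if pattern is not None and not re.search(pattern, getattr(finding, field)):
            return False
    expected_fp = ignore.get("match_fingerprint")
    if expected_fp is not None and expected_fp != fingerprint(finding.match_text):
        return False
    return True


def apply_match_ignores(findings, ignores):
    """Drop every finding that at least one ignore entry applies to."""
    return [f for f in findings if not any(ignore_applies(i, f) for i in ignores)]


# Constructed sample findings and ignore entries (not real secrets).
SAMPLE_FINDINGS = [
    Finding("ENV001", "Hardcoded password in env", "docker-compose.yaml", "MYSQL_ROOT_PASSWORD"),
    Finding("AWS001", "AWS access key", "tests/fixtures/creds.txt", "AKIACONSTRUCTEDSAMPLE"),
    Finding("AWS001", "AWS access key", "src/deploy.py", "AKIACONSTRUCTEDSAMPLE"),
    Finding("PCI001", "Credit card number", "tests/cards.csv", "4111111111111111"),
]
SAMPLE_IGNORES = [
    {"match_text": "MYSQL_ROOT_PASSWORD"},                                  # ignore by matched text
    {"rule_id": "PCI", "path": r"^tests/.*"},                                # PCI findings under tests/ only
    {"match_fingerprint": fingerprint("AKIACONSTRUCTEDSAMPLE"), "path": r"^tests/"},  # secret never stored
]
```

Running apply_match_ignores(SAMPLE_FINDINGS, SAMPLE_IGNORES) leaves only the key in src/deploy.py, because the fingerprint ignore is scoped to tests/ by its path field.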