You can run a scan, and choose to ignore results, possibly because they're known issues, or should be addressed later, in either way -- you want to take control of your risk yourself and explicitly ignore findings.
There are 3 main ways to perform ignores:
- Glob ignores - don't process the files, skip completely
- Rule ignores - don't process file contents with regard to specified rules, skip
- Match ignores - ignore actual matches by file name, content, rule, and more
You might want the same experience as working with a
.gitignore file, ignoring an entire folder, a glob of a file structure or a specific file, regardless of any scan.
A good example might be a Tensorflow model, which weighs gigabytes, and you have reasonable certainty there couldn't be any security issues there (a fairly reasonable assumption).
To ignore using this technique, add a special
.ignore file to your repo, and set its content much like a regular
When using Spectral Scan, these files will not be considered at all, when Spectral is compiling its execution plan.
There might be a case where you want to ignore a specific rule, and under that rule, ignore a specific set of files.
For example, you want to ignore all credit cards showing under a "test" folder. In that case, you want to specify the
PCI rule and under it specify a file glob such as
tests/.*. In this case we use a regular expression which is a bit more costly than a glob but much more powerful and expressive.
An example for how to ignore a specific file under a particular rule can be found here: ignores.yaml
Lastly, you have the option of ignoring matches. This ignore feature is the most powerful, and you're able to specify actual finding text to ignore such as test keys, demo keys, and more.
Ignoring matches after they were found, is called "match_ignores" in Spectral. Example: .spectral/spectral.yaml
Adding ignores is done by editing your main spectral configuration file (
spectral.yaml), like below:
You can specify a list of ignores, and each ignore can have the following fields:
When you want to ignore a secret, or a piece of confidential text, it doesn't make sense to specify it verbatim as an ignore because you'd be duplicating the secret. For this case, we use a cryptographically secure digest fingerprinting. To fingerprint your piece of text, you can use Spectral itself:
Then, you can safely add this fingerprint to your ignore rule, which will ignore the content behind the fingerprint.