Suppressing issues in Snyk

Anna Debenham

Ignoring security issues shouldn’t be the default action, but it is sometimes necessary. Snyk only validates vulnerabilities that exist in dependent components, so it has a relatively low false-positive rate (which should reduce the need to ignore), but there are still reasons why you may wish to suppress an issue – for example, if an issue doesn’t currently have a fix, you might want to snooze it until it does. Some issues are irrelevant for certain projects (e.g. a DoS attack for an internal service). Other times, an issue has a path that makes it non-exploitable.

Ignoring is a feature that’s been supported in the CLI since day one via the .snyk policy file. You’ll see this any time you run snyk wizard on a project and a vulnerability is found. Ignoring the vulnerability adds a record to the .snyk file with the path and given reason (if one was provided).

'npm:moment:20170905':
  - moment:
      reason: The reason given
      expires: '2017-12-29T16:10:16.946Z'

Now that we integrate with Heroku, where a policy file is not editable at runtime, it became more pressing for us to make this feature available in our UI as well.

We could have implemented this as a simple checkbox that removes the issue from view entirely, like it never happened. It would certainly make ignoring issues quick and easy. Instead, we want to encourage more responsible behaviour by making it work more like a snooze button. You can select why you want to ignore the issue, and how long you want to ignore it for. Checking “Ignore this issue until fix is available” (which is checked by default if there is currently no remediation) will resurface the vulnerability as soon as we have a fix for it, and you can optionally give additional details on why you’re ignoring the issue.


This mirrors what’s always been possible in our CLI, but we were also able to add a bit more. When you ignore an issue in our UI, it will show who ignored it, and allow you to edit or unignore it.


Since suppressing vulnerabilities carries a level of risk, we’ve added an option that lets you make this feature available to admins only. If you have access to our Reports feature, you’ll also be able to see an overview of how many issues in your organisation’s projects are ignored, along with an option to filter these so you can drill down into each one. If the issue was ignored in our UI, we include a credit for additional accountability, so you can see who initiated it.

Ignored issues will always be available to view (and edit) via the issue filter on your project, and you can continue to initiate them via the .snyk policy file. If you use our API, ignore information is also included there.
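Because ignores can still be written straight into the .snyk policy file, it helps to review that file for entries with no reason or no near-term expiry. The script below is an added example, not Snyk's own code: it assumes records sit under a top-level ignore: key in the layout shown earlier, uses a minimal line parser rather than a full YAML parser, and the 90-day limit and the 'npm:example:20180101' records are invented for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the .snyk layout; the 'npm:example:20180101' records are invented.
SAMPLE_POLICY = """\
ignore:
  'npm:moment:20170905':
    - moment:
        reason: The reason given
        expires: '2017-12-29T16:10:16.946Z'
  'npm:example:20180101':
    - web > example:
        expires: '2030-01-01T00:00:00.000Z'
    - api > example:
        reason: Internal service only
patch: {}
"""

def parse_ignores(text):
    """Collect ignore records with a minimal line parser (not a full YAML parser)."""
    records, vuln, in_ignore = [], None, False
    for line in text.splitlines():
        if line and not line[0].isspace():             # a top-level key starts or ends the section
            in_ignore = line.strip() == "ignore:"
        elif not in_ignore:
            continue
        elif m := re.match(r"^ {2}(\S.*?):\s*$", line):        # vulnerability id
            vuln = m.group(1).strip("'\"")
        elif m := re.match(r"^\s+- (.+?):\s*$", line):         # dependency path
            records.append({"id": vuln, "path": m.group(1)})
        elif (m := re.match(r"^\s+(reason|expires):\s*(.*)$", line)) and records:
            records[-1][m.group(1)] = m.group(2).strip().strip("'\"")
    return records

def audit(records, now, max_days=90):
    """Return (id, path, problem) for ignores lacking a reason or a near-term expiry."""
    findings = []
    for r in records:
        where = (r["id"], r["path"])
        if not r.get("reason"):
            findings.append(where + ("no reason given",))
        if not r.get("expires"):
            findings.append(where + ("no expiry set",))
            continue
        expires = datetime.fromisoformat(r["expires"].replace("Z", "+00:00"))
        if expires <= now:
            findings.append(where + ("expired, remove stale entry",))
        elif expires - now > timedelta(days=max_days):
            findings.append(where + (f"expires more than {max_days} days out",))
    return findings
```

Pass a timezone-aware now, for example datetime.now(timezone.utc), and fail the build when audit() returns anything.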

It’s a great feature that we’re excited to be able to offer, but please use it in moderation!
