Suppressing issues in Snyk
Ignoring security issues shouldn’t be the default action, but it is sometimes necessary. Snyk only validates vulnerabilities that exist in dependent components, so it has a relatively low false-positive rate (which should reduce the need to ignore), but there are still reasons why you may wish to suppress an issue – for example, if an issue doesn’t currently have a fix, you might want to snooze it until it does. Some issues are irrelevant for certain projects (e.g. a DOS attack for an internal service). Other times, an issue has a path that makes it non-exploitable.
Ignoring is a feature that’s been supported in the CLI since day one via the .snyk policy file. You’ll see this any time you run
snyk wizard on a project and a vulnerability is found. Ignoring the vulnerability adds a record to the .snyk file with the path and given reason (if one was provided).
'npm:moment:20170905': moment: reason: The reason given expires: '2017-12-29T16:10:16.946Z'
Now that we integrate with Heroku, where a policy file is not editable at runtime, it became more pressing for us to make this feature available in our UI as well.
We could have implemented this as a simple checkbox that removes the issue from view entirely, like it never happened. It would certainly make ignoring issues quick and easy. Instead, we want to encourage more responsible behaviour by making it work more like a snooze button. You can select why you want to ignore the issue, and how long you want to ignore it for. Checking “Ignore this issue until fix is available” (which is checked by default if there is currently no remediation) will resurface the vulnerability as soon as we have a fix for it, and you can optionally give additional details on why you’re ignoring the issue.
This mirrors what’s always been possible in our CLI, but we were also able to add a bit more. When you ignore an issue in our UI, it will show who ignored it, and allow you to edit or unignore it.
Since suppressing vulnerabilities carries a level of risk, we’ve added an option that lets you make this feature available to admins only. If you have access to our Reports feature, you’ll also be able to see an overview of how many issues in your organisation’s projects are ignored, along with an option to filter these so you can drill down into each one. If the issue was ignored in our UI, we include a credit for additional accountability, so you can see who initiated it.
Ignored issues will always be available to view (and edit) via the issue filter on your project, and you can continue to initiate them via the .snyk policy file. If you use our API, ignore information is also included there.
It’s a great feature that we’re excited to be able to offer, but please use it in moderation!