Ignoring Issues

Ignoring issues

Ignoring security issues shouldn’t be the default action, but it is sometimes necessary. The best practice is to fix or patch vulnerabilities, or to remove the vulnerable dependency, but there may still be reasons why you would want to suppress an issue – for example, if an issue doesn’t currently have a fix, you might want to snooze it until it does.

Some issues are irrelevant for certain projects (e.g. a DDOS attack for an internal service). Other times, an issue has a path that makes it non-exploitable. In these scenarios Snyk would still recommend fixing the issue where possible, as just because the vulnerability is not exploitable today via the current code paths, it does not mean it will not be in the future if the code changes.

Issues can be ignored and viewed via the UI using the issue filter on your project, via the Snyk APIs and via the cli.

Ignoring issues in the CLI

Suppressing issues is possible via the CLI. For node.js projects you can use snyk wizard, which will give you the option of ignoring the vulnerability for a period of 30 days. If you want to ignore another supported language or if you want to specify a different duration, you can use the snyk ignore command.

 snyk ignore --id='brace-expansion@1.1.6' --expiry='2018-04-01' --reason='testing'

When using snyk wizard or snyk ignore the .snyk policy file is updated with the path and given reason (if one was provided). Here’s an example:

  - moment:
    reason: The reason given
    expires: '2017-12-29T16:10:16.946Z'

More about ignoring issues in the CLI.

Ignoring issues in the UI

Each issue card has an ignore button that opens up a dialog where you can select why you want to ignore the issue, as well as how long you want to ignore it for.

Checking “Ignore this issue until fix is available” (which is checked by default if there is currently no remediation) will resurface the vulnerability as soon as we have a fix for it, and you can optionally give additional details on why you’re ignoring the issue.

Ignore dialog

Note: an issue is ignored until ANY of the conditions happen - either the ignore period expires, OR the vuln becomes fixable

When you ignore an issue in our UI, it will show who ignored it, and allow you to edit or unignore it.

Ignore preview

Additional ignore settings

Since suppressing vulnerabilities carries a level of risk, there is a setting which allows you to decide whether this feature is available to admins only. To set this, go to your organisation settings, and select “Admin only” in the “Ignores” section. You can also choose to set the “more details” field to be a compulsory field when an issue is being ignored, requiring the user to enter a reason for each ignore.

Ignores in reports

If you have access to our Reports feature, you will also be able to see an overview of how many issues in your organisation’s projects are ignored, along with an option to filter these so you can drill down into each one. If the issue was ignored in our UI, we include a credit for additional accountability, so you can see who initiated it.