Vulnlog Suppression
The Vulnlog CLI reads the Vulnlog YAML file and generates suppression files (also called ignore files) for SCA scanners.
Not every reported finding actually affects the project: false positives and findings the project has already mitigated are common. Suppression files tell the scanner to stop flagging them. Vulnlog generates one suppression file per scanner, so only the findings that were reviewed are silenced.
Supported Reporters
Cargo Audit
Vulnlog supports the Cargo Audit TOML suppression file format.
```toml
[advisories]
ignore = [
    "RUSTSEC-2024-0001",
    "RUSTSEC-2021-0073",
]
```
Snyk
Vulnlog supports the Snyk Open Source suppression file format.
```yaml
---
ignore:
  SNYK-JAVA-TOOLSJACKSONCORE-15907550:
    - '*':
        reason: The affected `StreamReadConstraints` is not used in the application.
```
Trivy
Vulnlog supports the Trivy YAML suppression file format.
```yaml
---
vulnerabilities:
  - id: GHSA-2m67-wjpj-xhg9
    statement: The affected `StreamReadConstraints` is not used in the application.
```
Generic
Some scanners (such as Semgrep) have no suppression-file mechanism. Others (such as OWASP Dependency Check) do, but Vulnlog does not yet emit their format. For both cases Vulnlog writes a generic JSON file that teams can wire into their own tool chain.
You can also request this format for any reporter with `--format generic`, which is useful when you prefer to post-process suppressions in scripts or other tooling rather than use the native format.
```json
{
  "vulnerabilities" : [ {
    "id" : "CVE-2024-5535",
    "statement" : "Vulnerable OpenSSL is present in the container base image but the affected NPN/ALPN negotiation code path is never invoked by our application.\n"
  }, {
    "id" : "CVE-2021-002",
    "statement" : "Demo project does not utilize some-dependency and therefore is not affected.\n"
  } ]
}
```
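As an added example of the post-processing the generic format is meant for (this is not Vulnlog's own code), the script below reads a generic JSON suppression file, converts it into the cargo-audit TOML and Trivy YAML layouts shown above, and filters a scanner report so that suppressed findings are reported together with their reviewed statement. The generic input and the scanner report are constructed inline; only the ids that appear on this page are used, plus one clearly marked placeholder.

```python
import json

# Constructed sample in the generic format shown above; ids are the page's, statements are illustrative.
GENERIC_JSON = """{
  "vulnerabilities": [
    {"id": "CVE-2024-5535", "statement": "Affected code path never invoked.\\n"},
    {"id": "RUSTSEC-2024-0001", "statement": "Mitigated by input validation.\\n"}
  ]
}"""

def load_suppressions(text):
    """Return {id: statement}; Vulnlog statements carry a trailing newline, stripped here."""
    data = json.loads(text)
    return {v["id"]: v["statement"].strip() for v in data["vulnerabilities"]}

def to_cargo_audit_toml(suppressions, prefix="RUSTSEC-"):
    """Emit the [advisories] ignore list; cargo-audit only knows RUSTSEC ids, so others are dropped."""
    ids = [i for i in suppressions if i.startswith(prefix)]
    lines = ["[advisories]", "ignore = ["] + [f'    "{i}",' for i in ids] + ["]", ""]
    return "\n".join(lines)

def to_trivy_yaml(suppressions):
    """Emit the .trivyignore.yaml layout; statements are JSON-quoted, which is valid YAML."""
    lines = ["---", "vulnerabilities:"]
    for vid, statement in suppressions.items():
        lines.append(f"  - id: {vid}")
        lines.append(f"    statement: {json.dumps(statement)}")
    return "\n".join(lines) + "\n"

def filter_findings(findings, suppressions):
    """Split scanner findings into (still_open, suppressed), keeping the reviewed reason."""
    still_open, suppressed = [], []
    for finding in findings:
        reason = suppressions.get(finding["id"])
        if reason is None:
            still_open.append(finding)
        else:
            suppressed.append((finding["id"], reason))
    return still_open, suppressed

if __name__ == "__main__":
    sup = load_suppressions(GENERIC_JSON)
    print(to_cargo_audit_toml(sup))
    print(to_trivy_yaml(sup))
    # Constructed scanner output; CVE-0000-0000 is a placeholder id, not a real advisory.
    report = [{"id": "CVE-2024-5535", "pkg": "openssl"}, {"id": "CVE-0000-0000", "pkg": "zlib"}]
    print(filter_findings(report, sup))
```

Keeping the statement next to each suppressed id is the point of the generic format: a reviewer can see why a finding was silenced without opening the Vulnlog file.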