Vulnlog Suppression

The Vulnlog CLI reads the Vulnlog YAML file and generates suppression files (also called ignore files) for SCA scanners.

Not every reported finding actually affects the project — false positives and findings already mitigated by the project are common. Suppression files tell the scanner to stop flagging them. Vulnlog generates one suppression file per scanner so only the reviewed findings are silenced.

Figure: Vulnlog workflow. SCA scanners report findings, the engineer documents the verdict in vulnlog.yaml, and the Vulnlog CLI generates one ignore file per scanner, which feeds back into the scanners.

Supported Reporters

Cargo Audit

Vulnlog supports the Cargo Audit TOML suppression file format.

Cargo Audit TOML-based suppression file example.
[advisories]
ignore = [
    "RUSTSEC-2024-0001",
    "RUSTSEC-2021-0073",
]

Snyk

Vulnlog supports the Snyk Open Source suppression file format.

Snyk YAML-based suppression file example.
---
ignore:
  SNYK-JAVA-TOOLSJACKSONCORE-15907550:
  - '*':
      reason: The affected `StreamReadConstraints` is not used in the application.

Trivy

Vulnlog supports the Trivy YAML suppression file format.

Trivy YAML-based suppression file example.
---
vulnerabilities:
- id: GHSA-2m67-wjpj-xhg9
  statement: The affected `StreamReadConstraints` is not used in the application.

Generic

Some scanners (such as Semgrep) have no suppression-file mechanism. Others (such as OWASP Dependency Check) do, but Vulnlog does not yet emit their format. In both cases Vulnlog writes a generic JSON file that teams can wire into their own toolchain.

You can also request this format for any reporter with --format generic, which is useful when you prefer to post-process suppressions in scripts or other tooling rather than use the native format.

Generic JSON-based suppression file example.
{
  "vulnerabilities" : [ {
    "id" : "CVE-2024-5535",
    "statement" : "Vulnerable OpenSSL is present in the container base image but the affected NPN/ALPN negotiation code path is never invoked by our application.\n"
  }, {
    "id" : "CVE-2021-002",
    "statement" : "Demo project does not utilize some-dependency and therefore is not affected.\n"
  } ]
}
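The following added example (not Vulnlog's own code) shows the generation step the formats above imply: from a constructed list of reviewed findings, only entries with a suppressing verdict and a written statement are emitted, in the native format for cargo-audit, Snyk and Trivy, and as the generic JSON fallback for any scanner without a writer or when the generic format is requested. The input structure is an assumption for illustration, not the vulnlog.yaml schema, which this page does not show.

```python
import json

# Constructed sample of reviewed findings. This is NOT the vulnlog.yaml schema (not shown on
# the page); each entry carries the id as the target scanner reports it, the reviewer's
# statement, and whether the verdict suppresses the finding.
REVIEWED = [
    {"id": "RUSTSEC-2024-0001", "statement": "Affected API is never called.", "suppress": True},
    {"id": "GHSA-2m67-wjpj-xhg9",
     "statement": "The affected `StreamReadConstraints` is not used in the application.",
     "suppress": True},
    {"id": "CVE-2024-5535", "statement": "Still under investigation.", "suppress": False},
]


def suppressed(findings):
    """Silence only findings with a suppressing verdict and a justification; the rest keep surfacing."""
    return [f for f in findings if f["suppress"] and f["statement"].strip()]


def cargo_audit_toml(findings):
    # cargo-audit: [advisories] ignore = [...] list of advisory ids
    ids = "".join(f'    "{f["id"]}",\n' for f in suppressed(findings))
    return f"[advisories]\nignore = [\n{ids}]\n"


def snyk_yaml(findings):
    # Snyk: ignore -> id -> ['*' -> reason]; statements are JSON-quoted, which is valid YAML
    out = "---\nignore:\n"
    for f in suppressed(findings):
        out += f"  {f['id']}:\n  - '*':\n      reason: {json.dumps(f['statement'])}\n"
    return out


def trivy_yaml(findings):
    # Trivy: vulnerabilities -> list of {id, statement}
    body = "".join(f"- id: {f['id']}\n  statement: {json.dumps(f['statement'])}\n"
                   for f in suppressed(findings))
    return "---\nvulnerabilities:\n" + body


def generic_json(findings):
    # Generic fallback: the same id/statement pairs as JSON for custom tooling
    return json.dumps({"vulnerabilities": [{"id": f["id"], "statement": f["statement"]}
                                           for f in suppressed(findings)]}, indent=2)


WRITERS = {"cargo-audit": cargo_audit_toml, "snyk": snyk_yaml, "trivy": trivy_yaml}


def suppression_file(scanner, findings, fmt=None):
    """Native format when a writer exists; generic JSON when none does or fmt='generic' is asked for."""
    if fmt == "generic" or scanner not in WRITERS:
        return generic_json(findings)
    return WRITERS[scanner](findings)
```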