
Suppressing findings

Not every finding is a bug. When a flagged finding is deliberate — a genuinely public API, a deny-policy you meant to write — you can dismiss it. CDK Insights keeps the suppression reason in the report, so reviewers see why it was acknowledged rather than finding it silently missing.

Suppressing vs. filtering. Suppression hides a finding you've reviewed and accepted. To control which rules run in the first place, use rule filtering instead.

ignoreRules — by rule ID

Suppress a rule everywhere it fires. Use the object form to record why, so the report can show the justification.

{
  "ignoreRules": [
    {
      "id": "api-gateway-method-auth-missing",
      "reason": "Public status API — intentionally unauthenticated"
    }
  ]
}

Supports trailing-* wildcards (e.g. "s3-*"). A plain string ("api-gateway-method-auth-missing") also works when you don't need a reason.

ignorePaths — by construct path

Suppress every finding at or under a construct path. Best when one specific resource is reviewed-and-intentional and you want it fully exempt.

{
  "ignorePaths": [
    "MyStack/PublicApi/*"
  ]
}

Matches the CDK construct path (the same path shown in findings). Trailing-* wildcards supported. This is location-based, so it dismisses all rules on that construct, not just one.

Validations.acknowledge() — inline in CDK

The most surgical option: dismiss one rule on one construct subtree, recorded next to the code it concerns, and honoured at synth time too.

import { Validations } from 'aws-cdk-lib';

// publicApi is the construct whose subtree you are exempting (e.g. your RestApi);
// the rule ID carries the cdk-insights:: prefix so the plugin knows which scanner it belongs to.
Validations.of(publicApi).acknowledge({
  id: 'cdk-insights::api-gateway-method-auth-missing',
  reason: 'Public status API — intentionally unauthenticated',
});

Prefix the rule ID with cdk-insights::. Requires aws-cdk-lib ≥ 2.252. Works for both cdk-insights scan and the synth-time Validations plugin.

Use the internal rule ID, not the SARIF ID

Suppression matches the internal kebab-case rule ID — e.g. s3-bucket-public-access. This is the ID shown in --output json and on every rule page. The ID surfaced in SARIF / GitHub code scanning is a different display form (CDK-CRITICAL-…) — putting that in ignoreRules silently matches nothing.
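The two config keys above (ignoreRules with trailing-* wildcards, ignorePaths matching at or under a construct path) and the SARIF-ID pitfall in this section are easy to get wrong in a way that fails silently. The following is an added example, not CDK Insights' own code: a small TypeScript lint-and-apply routine that reads the same JSON shape, flags entries that would match nothing (SARIF display IDs, non-kebab-case IDs) or carry no reason, and then shows which constructed findings each entry would suppress. The matching semantics are an assumption drawn from the page's description, and the sample config and findings are constructed for the example.

```typescript
// Added example (not cdk-insights source). Matching rules assumed from the docs:
//   ignoreRules: exact match, or prefix match when the pattern ends in "*".
//   ignorePaths: the construct itself and everything beneath it; trailing "*" is a prefix match.

interface IgnoreRuleEntry { id: string; reason?: string; }

interface SuppressionConfig {
  ignoreRules?: Array<string | IgnoreRuleEntry>;
  ignorePaths?: string[];
}

interface Finding { ruleId: string; constructPath: string; }
interface Suppressed { finding: Finding; reason: string; }

// Internal rule IDs are kebab-case, optionally ending in a "*" wildcard (e.g. "s3-*").
const INTERNAL_RULE_ID = /^[a-z0-9]+(-[a-z0-9]+)*(-?\*)?$/;
// SARIF / code-scanning display IDs (CDK-CRITICAL-...) never match an internal rule ID.
const SARIF_DISPLAY_ID = /^CDK-[A-Z]+-/;

function normalizeRule(entry: string | IgnoreRuleEntry): IgnoreRuleEntry {
  return typeof entry === 'string' ? { id: entry } : entry;
}

function ruleMatches(pattern: string, ruleId: string): boolean {
  if (pattern.endsWith('*')) return ruleId.startsWith(pattern.slice(0, -1));
  return pattern === ruleId;
}

function pathMatches(pattern: string, constructPath: string): boolean {
  // "MyStack/PublicApi/*" and "MyStack/PublicApi" both mean: that construct and anything under it.
  const base = pattern.endsWith('/*') ? pattern.slice(0, -2) : pattern;
  if (base.endsWith('*')) return constructPath.startsWith(base.slice(0, -1));
  return constructPath === base || constructPath.startsWith(base + '/');
}

// Problems a reviewer wants to know about before trusting the suppression file.
function lintSuppressions(config: SuppressionConfig): string[] {
  const problems: string[] = [];
  for (const entry of (config.ignoreRules ?? []).map(normalizeRule)) {
    if (SARIF_DISPLAY_ID.test(entry.id)) {
      problems.push(`ignoreRules "${entry.id}" is a SARIF display ID; use the internal kebab-case rule ID`);
    } else if (!INTERNAL_RULE_ID.test(entry.id)) {
      problems.push(`ignoreRules "${entry.id}" is not a kebab-case rule ID`);
    }
    if (!entry.reason) problems.push(`ignoreRules "${entry.id}" has no reason recorded`);
  }
  return problems;
}

// Splits findings into kept and suppressed, keeping the justification next to each suppressed one.
function applySuppressions(config: SuppressionConfig, findings: Finding[]): { kept: Finding[]; suppressed: Suppressed[] } {
  const rules = (config.ignoreRules ?? []).map(normalizeRule);
  const paths = config.ignorePaths ?? [];
  const kept: Finding[] = [];
  const suppressed: Suppressed[] = [];
  for (const finding of findings) {
    const rule = rules.find((r) => ruleMatches(r.id, finding.ruleId));
    if (rule) { suppressed.push({ finding, reason: rule.reason ?? 'no reason recorded' }); continue; }
    const path = paths.find((p) => pathMatches(p, finding.constructPath));
    if (path) { suppressed.push({ finding, reason: `ignorePaths ${path}` }); continue; }
    kept.push(finding);
  }
  return { kept, suppressed };
}

// Constructed sample config: one correct entry, one SARIF-style ID (placeholder value) that matches nothing.
const sampleConfig: SuppressionConfig = {
  ignoreRules: [
    { id: 'api-gateway-method-auth-missing', reason: 'Public status API, intentionally unauthenticated' },
    'CDK-CRITICAL-EXAMPLE',
  ],
  ignorePaths: ['MyStack/PublicApi/*'],
};

// Constructed sample findings in the shape the scanner reports (rule ID + construct path).
const sampleFindings: Finding[] = [
  { ruleId: 'api-gateway-method-auth-missing', constructPath: 'MyStack/PublicApi/Default/GET/Resource' },
  { ruleId: 's3-bucket-public-access', constructPath: 'MyStack/PublicApi/Assets/Resource' },
  { ruleId: 's3-bucket-public-access', constructPath: 'MyStack/DataBucket/Resource' },
];

console.log(lintSuppressions(sampleConfig));
console.log(applySuppressions(sampleConfig, sampleFindings));
```

Run against the sample config, the lint reports the SARIF-style entry twice (wrong ID form, no reason) and the apply step suppresses two of the three findings: the first by rule ID with its recorded reason, the second by path, while the DataBucket finding is kept. Running a check like this in CI before the scan catches a suppression that would otherwise vanish into a false "clean" report.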

Find the rule you want to suppress

Every rule has a page with its exact ID and a ready-to-paste suppression snippet.