Suppressions
Suppress known findings that are accepted risks. Suppressions are defined in .cloud-audit.yml and tracked in version control.
```yaml
suppressions:
  - check_id: aws-vpc-001
    resource_id: vpc-abc123
    reason: "Legacy VPC, migration planned for Q3"
    accepted_by: "jane@example.com"
    expires: "2026-09-30"
```
Fields
| Field | Required | Description |
|---|---|---|
| `check_id` | Yes | Check ID to suppress (e.g., aws-vpc-001) |
| `resource_id` | Yes | Specific resource to suppress |
| `reason` | Yes | Why this finding is accepted |
| `accepted_by` | No | Who approved the suppression |
| `expires` | No | Expiry date (YYYY-MM-DD). Finding reappears after this date |
How It Works
Suppressed findings are filtered from the results AFTER the scan completes. The scan still runs all checks; suppressions only affect the output. The suppressed count is shown in the scan summary.
Suppressions match on the combination of check_id and resource_id. A check_id alone does not suppress all findings for that check; you must specify the resource.