Snyk’s "ignore" feature isn’t just about hiding findings; it’s a crucial tool for managing the signal-to-noise ratio, allowing you to focus on genuine vulnerabilities.
Let’s see Snyk in action. Imagine you’ve just run snyk test and are presented with a list of vulnerabilities. You notice a dependency with a known critical vulnerability, but your team has manually verified it’s not exploitable in your specific context. Instead of letting it clutter future reports or block your CI/CD pipeline, you want to tell Snyk to ignore it.
Here’s how you’d typically do it:
First, identify the exact vulnerability identifier. This usually looks like SNYK-JS-MYPACKAGE-1234567 or npm:my-package:2023-10-01. You can find this in the Snyk UI or the CLI output.
To ignore this specific vulnerability in a particular file, you’d create a .snyk file in the root of your project (or a subdirectory if you want to scope the ignore). The content would look like this:
```yaml
version: 1.1.0
ignore:
  - npm:axios:2020-07-21:
      reason: "Manually reviewed, not exploitable in our specific network configuration."
      expires: "2024-12-31"   # Optional: set an expiration date
      scopes:
        - "build"             # Optional: scope to CI/CD pipeline
        - "test"              # Optional: scope to local testing
```
If you want to ignore a vulnerability across your entire project for all Snyk scans, you can simplify it:
```yaml
version: 1.1.0
ignore:
  - SNYK-PYTHON-REQUESTS-1234567:
      reason: "Dependency is only used in development environment and not exposed externally."
```
The reason field is mandatory and critical for auditability. It forces you to document why you’re ignoring a finding, which is essential for compliance and team collaboration. The expires field is also good practice: it ensures that ignored vulnerabilities are re-evaluated periodically instead of being silenced forever. The scopes field lets you apply an ignore only to specific Snyk commands or environments, giving you granular control.
When Snyk runs, it reads this .snyk file and filters out the specified vulnerabilities from its results. Your snyk test output or Snyk UI will no longer show these as actionable issues.
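As an added example (not from the original post and not Snyk's own code), here is a small audit that enforces what the reason and expires fields are meant to guarantee: it flags ignores with no documented reason, no expiry, or an expiry already in the past. It assumes the policy has already been loaded into a dict (for instance with PyYAML's safe_load) in the layout the `snyk ignore` CLI command writes, where each vulnerability id maps to a list of dependency-path entries and `'*'` means any path; the sample policy below is constructed.

```python
"""Audit a parsed .snyk policy for ignores that should be re-reviewed."""
from datetime import date, datetime

# Constructed sample, already parsed from YAML. Layout as written by
# `snyk ignore`: id -> list of {dependency-path: {reason, expires, ...}}.
SAMPLE_POLICY = {
    "version": "v1.25.0",
    "ignore": {
        "SNYK-JS-MYPACKAGE-1234567": [
            {"*": {"reason": "Manually reviewed, not reachable from our code.",
                   "expires": "2024-12-31T00:00:00.000Z",
                   "created": "2024-06-01T00:00:00.000Z"}}
        ],
        "npm:axios:2020-07-21": [
            {"*": {"reason": "", "expires": "2099-01-01T00:00:00.000Z"}}
        ],
        "SNYK-PYTHON-REQUESTS-1234567": [
            {"requests@2.25.0 > urllib3@1.26.4": {"reason": "dev only"}}
        ],
    },
}


def _parse_expiry(value):
    """Accept the ISO timestamp snyk writes, a bare YYYY-MM-DD, or None."""
    if value is None:
        return None
    text = str(value).replace("Z", "+00:00")  # fromisoformat needs +00:00
    try:
        return datetime.fromisoformat(text)
    except ValueError:
        return datetime.strptime(text[:10], "%Y-%m-%d")


def audit_policy(policy, today):
    """Return one finding per problem; an empty list means all ignores are healthy."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for vuln_id, entries in (policy.get("ignore") or {}).items():
        for entry in entries:
            for path, meta in entry.items():
                meta = meta or {}
                where = f"{vuln_id} ({path})"
                if not str(meta.get("reason") or "").strip():
                    findings.append(f"{where}: no reason recorded")
                expiry = _parse_expiry(meta.get("expires"))
                if expiry is None:
                    findings.append(f"{where}: no expiry, will never be re-reviewed")
                elif expiry.date() < today:
                    findings.append(f"{where}: expired on {expiry.date()}")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY, date.today()):
        print(finding)
```

Run it as a pre-commit or CI step so a stale or undocumented ignore fails the build rather than silently surviving.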
The mental model here is that Snyk is a powerful but opinionated tool. It flags potential issues based on its vulnerability database. You, as the expert on your application, are the final arbiter of what constitutes a real risk. The .snyk file is your mechanism for communicating that judgment to Snyk.
Beyond simply ignoring, Snyk also offers "suppression", which is more about managing issues within the Snyk platform itself and is often tied to specific projects or organizational policies, and "tracking", which relates to how Snyk monitors the lifecycle of vulnerabilities and your remediation efforts. The .snyk file, however, remains the primary code-level mechanism for managing false positives directly within your project’s repository.
What most people don’t realize is that the .snyk file is not just for ignoring. It can also be used to define custom rules or patterns for Snyk to look for, though this is a more advanced use case. For instance, you could theoretically use it to flag specific patterns within your code that you deem risky, even if they don’t map directly to a known CVE. This allows for a more tailored security posture.
The next step after managing false positives is understanding how to automate the remediation process for the actual vulnerabilities.