Consistent Ignores for Snyk Code CLI

Release status

Snyk Code Consistent Ignores is in Early Access and available only with Enterprise plans. For more information, see plans and pricing.

To make sure Snyk Code Consistent Ignores Early Access meets your needs and requirements, review the Known limitations and FAQ sections.

Ignores are taken into account in the Snyk CLI when snyk code test is run.

Minimum version required

You must have at least Snyk CLI v1.1295.3 installed for Snyk Code Consistent Ignores. See Install or update the Snyk CLI.

Set up the Organization

To take ignores into account, specify the Organization where the ignores reside.

Group-level policies also cascade down to all Organizations. See How to select the Organization to use in the CLI.

Snyk CLI default ignore behavior

The CLI display output hides ignored results by default when you run snyk code test. It displays only unignored results and a summary table with the total number of issues (open and ignored).

View ignores in Snyk CLI

After running snyk code test, the CLI will display a hint about using the --include-ignores parameter to show ignored results.

Running snyk code test --include-ignores will display ignored results with their metadata below the open results.

Ignores in Snyk CLI

View JSON output

You can find the ignore metadata in the suppressions module of the SARIF output. Run snyk code test --json or snyk code test --sarif to view this output.

Access the finding identifier in JSON and SARIF output

The finding identifier is included in the JSON and SARIF output of Snyk CLI. To view it, run snyk code test --json and navigate to runs.results[n].fingerprints.snyk/assets/finding/v1 in the JSON output. See How Snyk Code identifies and tracks issues.

You can use this identifier to create new ignores using API calls.
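The following added example (not part of the Snyk documentation or Snyk's own code) reads SARIF text as produced by snyk code test --sarif, separates open results from ignored ones, and collects the finding identifier and ignore justification for each, which is useful for logging what was ignored in a run. It assumes that a result with a non-empty suppressions array is an ignored result; the sample input, rule IDs, and identifiers are constructed placeholders.

```python
import json

# Fingerprint key named on this page for the finding identifier.
FINGERPRINT_KEY = "snyk/assets/finding/v1"

# Constructed sample shaped like SARIF 2.1.0; every value is a placeholder,
# not real Snyk output.
SAMPLE_SARIF = json.dumps({
    "runs": [{
        "results": [
            {"ruleId": "example/HardcodedSecret", "level": "error",
             "fingerprints": {FINGERPRINT_KEY: "00000000-0000-0000-0000-000000000001"},
             "suppressions": [{"justification": "Test fixture, not a live credential"}]},
            {"ruleId": "example/SqlInjection", "level": "error",
             "fingerprints": {FINGERPRINT_KEY: "00000000-0000-0000-0000-000000000002"}},
        ]
    }]
})


def split_results(sarif_text):
    """Return (open_results, ignored_results) as lists of summary dicts.

    Assumption: a non-empty "suppressions" array marks a result as ignored.
    """
    doc = json.loads(sarif_text)
    open_results, ignored_results = [], []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            suppressions = res.get("suppressions") or []
            entry = {
                "rule": res.get("ruleId"),
                "level": res.get("level"),
                # None when the result carries no finding identifier.
                "finding_id": (res.get("fingerprints") or {}).get(FINGERPRINT_KEY),
                "justifications": [s.get("justification") for s in suppressions],
            }
            (ignored_results if suppressions else open_results).append(entry)
    return open_results, ignored_results


if __name__ == "__main__":
    open_results, ignored_results = split_results(SAMPLE_SARIF)
    print(f"open: {len(open_results)}, ignored: {len(ignored_results)}")
    for r in ignored_results:
        print(f"IGNORED {r['rule']} {r['finding_id']} {r['justifications']}")
```

To use it on a real scan, pass the saved CLI output to split_results in place of SAMPLE_SARIF.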

Ignores in CI/CD pipelines

As ignores are taken into account in Snyk CLI, the same applies when Snyk CLI is integrated into CI/CD pipelines. For example, if a pipeline uses the command snyk code test --severity-threshold=high and there are no unignored high-severity results, Snyk CLI will exit with a 0 (success) status code and the build will succeed.

The following example shows how Snyk Code detected high-severity hardcoded secrets, causing a GitHub Action workflow to fail with the exit code 1.

High-severity hardcoded secrets detected, causing GitHub Action workflow to fail with exit code 1

In a scenario with ignores applied through Group Policies, Snyk Code has successfully completed the scan, resulting in zero open issues, with the exit code 0.

High severity issues ignored causing GitHub Action workflow to succeed with exit code 0
