Suppression rules

Suppression rules are how you tell CredWatch "any future match of pattern X at location Y should be auto-suppressed". They prevent the same noisy finding from re-appearing scan after scan.

When to reach for a rule instead of just suppressing one finding:

  • Repository-wide pattern — "ignore all matches in vendor/"
  • Test fixtures — "ignore the test_keys directory in the integration tests repo"
  • Documentation — "ignore everything under docs/examples/"
  • A specific pattern in a specific location — combine repo + path + pattern

How rules match

A rule has three optional filters:

| Filter    | Type     | Example             | Matches                                          |
|-----------|----------|---------------------|--------------------------------------------------|
| Repo glob | glob     | acme/web-frontend   | Exact repo name; supports * and ? wildcards      |
| Path glob | glob     | test/fixtures/**    | File path within the repo; supports ** recursion |
| Pattern   | dropdown | OpenAI              | Only matches this specific pattern               |

A finding is suppressed if it matches every filter that's set on the rule. A filter left unfilled means "any value".

Examples:

  • Repo only: acme/sandbox → suppress everything in that repo.
  • Path only: **/*.example → suppress every .example file across all repos.
  • Pattern only: OpenAI → suppress every OpenAI key match everywhere (not recommended, very broad).
  • Repo + path + pattern: acme/web + tests/** + Stripe → suppress only Stripe matches in that test directory in that repo.

Glob syntax follows Python's fnmatch: * matches any sequence of non-/ chars, ** matches any sequence including /, ? matches a single char.
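As an added illustration (not CredWatch's own code), the matching semantics described above as a small Python matcher: an unset filter means "any value", `*` stops at `/`, `**` spans `/`. Treating a `**/` prefix as "zero or more directories", so that `**/*.example` also covers a top-level `settings.example`, is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Glob tokens and their regex equivalents, per the page:
# '**' spans '/', '*' stops at '/', '?' is a single character.
# '**/' matching zero directories is an assumption, not stated on the page.
_TOKENS = {"**/": "(?:.*/)?", "**": ".*", "*": "[^/]*", "?": "."}


def glob_to_regex(glob: str) -> str:
    """Translate a repo/path glob into an anchored regular expression."""
    parts = [_TOKENS.get(t, re.escape(t))
             for t in re.findall(r"\*\*/|\*\*|\*|\?|.", glob)]
    return "^" + "".join(parts) + "$"


@dataclass(frozen=True)
class Rule:
    repo: Optional[str] = None     # repo glob, e.g. "acme/*"; None = any repo
    path: Optional[str] = None     # path glob, e.g. "tests/**"; None = any path
    pattern: Optional[str] = None  # detector name, e.g. "Stripe"; None = any


@dataclass(frozen=True)
class Finding:
    repo: str
    path: str
    pattern: str


def rule_matches(rule: Rule, f: Finding) -> bool:
    """Suppress only when every filter that is set matches; unset means any."""
    checks = [
        (rule.repo, lambda: re.match(glob_to_regex(rule.repo), f.repo)),
        (rule.path, lambda: re.match(glob_to_regex(rule.path), f.path)),
        (rule.pattern, lambda: rule.pattern == f.pattern),
    ]
    return all(ok() for value, ok in checks if value is not None)


def apply_rules(rules, findings):
    """Return the findings no rule suppresses (what a scan would store as active)."""
    return [f for f in findings if not any(rule_matches(r, f) for r in rules)]
```

Note that `Rule()` with no filters set matches every finding, which is why a rule should always carry at least one filter.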

Create a rule

  1. Go to Suppression rules → Create rule.
  2. Fill in any combination of repo / path / pattern.
  3. Click Save.

On save, two things happen:

  • Every matching active finding is immediately marked suppressed.
  • Every future scan run checks this rule and skips matching findings before they're stored as active.

Edit or delete a rule

From the rules list:

  • Edit — change any filter; the next scan picks up the change. Already-suppressed findings stay suppressed.
  • Delete — removes the rule. Previously-suppressed findings stay suppressed (you can manually un-suppress from each finding's detail page if you want them back as active).

When not to use a rule

  • You only have one or two noisy findings — just suppress them individually.
  • The pattern is consistently wrong — that's a false-positive in the detection logic, not a suppression case. Mark them false_positive and email us with the pattern + a sample of the mis-matched text; we'll improve the regex.
  • You want to ignore an entire repo — better to disable the repo's toggle on GitHub → Repositories so it's never scanned at all. Saves quota too.

Auditing

Every rule creation, edit, and deletion is logged to your account's audit log (visible to admins under Team → Audit log). The log records who created the rule and when.