HashiCorp Cloud Platform
Write global ignore rules
Vault Radar ignore rules allow you to ignore certain events based on a set of rules. You can create ignore rules for a path, file, or secret type. A rule can apply across all data sources or only to specific data sources.
All ignore rules support regular expressions (regex). This allows you to add a regex that matches several kinds of events in a single ignore rule.
Ignore rule behavior
When you add an ignore rule, Vault Radar still generates an event when it finds sensitive data during a scan. Any event that matches an ignore rule will have:
- Severity set to INFO.
- An Ignore rule flag added.
- State set to Not important.
Set global ignore rules
Select Settings/Global Ignore Rules.
Enter the Ignore rules as YAML and update.
The updated ignore rules do not affect the existing events but will reflect on events from future scans. The next time you run a reconciliation scan, on-demand scan, PR webhook scan, or similar, the events will change based on the updated ignore rules.
Types of global ignore rules you can write:
Path ignore rules
Path-based ignore rules allow you to ignore entire paths, such as a directory used for documentation, or specific files within a resource.
Example path ignore rule
Ignore all files in a directory.
- paths:
    - docs/*
Ignore specific files in a directory.
- paths:
    - docs/index.mdx
Secret ignore rules
Secret ignore rules allow you to ignore specific secret values used in a data source, such as an example password used in documentation or in help text within the application.
Example secret ignore rule
- secret_values:
    - WorstPasswordEver
Secret type ignore rules
Secret type ignore rules allow you to ignore events from built-in event rules (secret types) that are expected in a data source.
You enter the secret type value in all lower case. For a full list of all event types, refer to the Event rules in the Settings section of the HCP Portal.
Note
Event types in the HCP Portal are in the format "Platform type of secret". When used in a global ignore rule, convert the name to all lower case and replace any spaces with underscores (_).
Example secret type ignore rule
- secret_types:
    - aws_access_key_id
Resource ignore rules
Resource ignore rules allow you to configure one or more ignore rules on a specific resource, such as a repository, instead of on all resources. They are useful for repositories that generate a high volume of unimportant alerts when you do not want to ignore the same events on other repositories.
Example resource ignore rule
- repo_url: https://example.com/directory/(subdirectoryA|subdirectoryB)
  rules:
    - secret_types:
        - aws_access_key_id