Appearance
Ignore Rules
VaultGuard provides two mechanisms to suppress findings: a .vaultguard.ignore file for persistent rules managed outside source code, and inline comments placed directly in your source files.
.vaultguard.ignore File
The ignore file uses TOML format and lives in your project root.
Create a Template
sh
vaultguard ignore initThis creates .vaultguard.ignore with a commented-out example rule.
Add a Rule
sh
vaultguard ignore add --file src/config.js --line 42 --reason "Test data, not a real secret"The --line flag is optional. Without it, the rule suppresses all findings in the specified file.
Suppress all findings in a file:
sh
vaultguard ignore add --file test/fixtures/secrets.txt --reason "Test fixtures"List Rules
sh
vaultguard ignore listOutput:
Ignore rules:
1. src/config.js:42 - Test data, not a real secret
2. test/fixtures/secrets.txt - Test fixturesFile Format
The .vaultguard.ignore file is TOML with a [[rules]] array:
toml
[[rules]]
file = "src/config.js"
line = 42
reason = "Test data, not a real secret"
[[rules]]
file = "test/fixtures/secrets.txt"
reason = "Test fixtures, not real credentials"
[[rules]]
file = "docs/examples/aws-setup.md"
reason = "Documentation example with placeholder keys"Each rule has:
| Field | Required | Description |
|---|---|---|
file | Yes | File path relative to project root. Matches if the finding's path ends with this value. |
line | No | Specific line number. If omitted, all findings in the file are suppressed. |
reason | Yes | Human-readable explanation for the suppression. |
File path matching is suffix-based
The file field matches against the end of the finding's file path. config.js will match src/config.js, lib/config.js, and any other path ending in config.js. Use a more specific path like src/config.js to target a single file.
Inline Suppression
As of core v0.6.0, you can suppress findings directly in source code with inline comments.
Suppress All Finding Types
Add a vaultguard-ignore comment on the same line as the finding, or on the line immediately above it:
python
API_KEY = "AKIAIOSFODNN7EXAMPLE" # vaultguard-ignorepython
# vaultguard-ignore
API_KEY = "AKIAIOSFODNN7EXAMPLE"Scoped Suppression
Suppress only a specific finding type by appending the type name:
python
API_KEY = "AKIAIOSFODNN7EXAMPLE" # vaultguard-ignore:secretValid scopes: secret, cve, misconfig, quality, integrity.
Prefer scoped suppression
Using vaultguard-ignore:secret instead of a bare vaultguard-ignore ensures that other finding types (like misconfigurations) on the same line are still reported. Scoped suppression is safer and more intentional.
Comment Styles
Inline suppression works with standard comment markers:
| Style | Languages |
|---|---|
// | Rust, Go, JavaScript, TypeScript, Java, C, C++ |
# | Python, Ruby, Shell, YAML, TOML |
-- | SQL, Lua, Haskell |
Examples:
javascript
const key = "sk_live_example"; // vaultguard-ignore:secretyaml
debug: true # vaultguard-ignore:misconfigsql
-- vaultguard-ignore
INSERT INTO users (password) VALUES ('test123');Viewing Suppressed Findings
Inline-suppressed findings are hidden by default. Use --show-suppressed to include them in scan output:
sh
vaultguard scan --show-suppressedThe scan summary shows suppressed counts regardless of this flag.
Choosing Between Mechanisms
| Approach | Best For |
|---|---|
.vaultguard.ignore file | Bulk suppression, test fixtures, generated files, rules managed by security teams |
| Inline comments | Developer-owned exceptions, one-off suppressions with context visible in code review |
Both mechanisms stack. A finding suppressed by either method will not appear in default scan output.
Ignore rules vs. baselines
Ignore rules are permanent, targeted exceptions. Baselines are a point-in-time snapshot of all findings for "adopt now, fix later" workflows. See Baselines for when to use each approach.