Suppressing SCA Findings
If an advisory is known to be unexploitable in your application, or if you have a vendored dependency that cannot be updated right now, you can suppress specific SCA findings using an ignore file.
Always provide a reason when suppressing a finding. This makes it easier to review and audit suppressed vulnerabilities later.
Ignore File Location
By default, SAFE looks for .safe/sca_ignore.json in the same directory as your lock file. For most projects, this means committing the file at .safe/sca_ignore.json alongside your existing .safe/config.json.
To use a different path, pass --ignore-file:
```shell
safe sca --ignore-file /path/to/sca_ignore.json
```
File Format
The ignore file is a JSON object with two optional keys:
```json
{
  "ignored_dependencies": [
    {
      "package": "package_a",
      "advisory_ids": ["*"],
      "reason": "Not reachable in our deployment"
    },
    {
      "package": "package_b",
      "advisory_ids": ["GHSA-xxxx-xxxx-xxxx"],
      "reason": "Mitigated by..."
    }
  ],
  "ignored_non_hex_packages": [
    "my_internal_lib",
    "my_path_dep"
  ]
}
```
ignored_dependencies
An array of objects, each suppressing one or more advisories for a specific package.
| Field | Type | Required | Description |
|---|---|---|---|
| package | string | Yes | The package name as it appears in the lock file |
| advisory_ids | array of strings | Yes | Advisory IDs to suppress, or `["*"]` to suppress all advisories for the package |
| reason | string | No | A human-readable justification for the suppression |
Suppress all advisories for a package:
```json
{
  "package": "hackney",
  "advisory_ids": ["*"],
  "reason": "Vendored version, scheduled for upgrade in Q3"
}
```
Suppress a specific advisory only:
```json
{
  "package": "oidcc",
  "advisory_ids": ["GHSA-c74n-32xx-b3a5"],
  "reason": "We do not use the affected code path"
}
```
Suppress multiple specific advisories for the same package:
```json
{
  "package": "some_package",
  "advisory_ids": ["GHSA-xxxx-xxxx-0001", "GHSA-xxxx-xxxx-0002"],
  "reason": "Both issues are mitigated by our configuration"
}
```
ignored_non_hex_packages
An array of package names for which the non-Hex dependency warning is suppressed. By default, any dependency sourced from Git, a local path, or another non-Hex source triggers a warning, because such a package cannot be checked against the advisory database.
```json
{
  "ignored_non_hex_packages": [
    "my_internal_lib",
    "my_fork_of_some_lib"
  ]
}
```
Use this when you have internal or forked dependencies that you actively manage and do not need to scan.
Output When Findings Are Suppressed
Suppressed advisories are not shown in the vulnerability list. A summary line is printed at the end of the scan:
```text
Ignored: 2 advisory(ies) for: hackney, oidcc (see .safe/sca_ignore.json)
```
Packages listed in ignored_non_hex_packages are excluded from the non-Hex dependency warning entirely.
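The following is an added example, not part of SAFE itself: a small Python script that validates an ignore file against the field rules in the table above (treating a missing reason as a problem, in line with the advice to always give one), applies the rules to a constructed list of findings, and reproduces the summary line shown above. The `validate_ignore_file`, `apply_ignores` and `summary_line` functions and the sample advisory IDs are assumptions of this example.

```python
import json

# Constructed sample ignore file, following the documented format.
IGNORE_FILE = """{
  "ignored_dependencies": [
    {"package": "hackney", "advisory_ids": ["*"], "reason": "Vendored version, scheduled for upgrade in Q3"},
    {"package": "oidcc", "advisory_ids": ["GHSA-c74n-32xx-b3a5"], "reason": "We do not use the affected code path"}
  ],
  "ignored_non_hex_packages": ["my_internal_lib"]
}"""

# Constructed findings as a scanner might report them: (package, advisory_id).
FINDINGS = [
    ("hackney", "GHSA-xxxx-xxxx-0001"),
    ("oidcc", "GHSA-c74n-32xx-b3a5"),
    ("oidcc", "GHSA-xxxx-xxxx-0003"),
]

def validate_ignore_file(text):
    """Return a list of problems with the ignore file (empty when it is clean)."""
    data = json.loads(text)
    problems = []
    for i, entry in enumerate(data.get("ignored_dependencies", [])):
        if not isinstance(entry.get("package"), str) or not entry["package"]:
            problems.append(f"entry {i}: 'package' must be a non-empty string")
        ids = entry.get("advisory_ids")
        if not isinstance(ids, list) or not ids or not all(isinstance(a, str) for a in ids):
            problems.append(f"entry {i}: 'advisory_ids' must be a non-empty array of strings")
        if not str(entry.get("reason") or "").strip():  # policy of this example: a reason is mandatory
            problems.append(f"entry {i}: no reason given for suppressing {entry.get('package')}")
    for name in data.get("ignored_non_hex_packages", []):
        if not isinstance(name, str):
            problems.append(f"ignored_non_hex_packages: {name!r} is not a string")
    return problems

def apply_ignores(text, findings):
    """Split findings into (reported, suppressed); a "*" entry suppresses every advisory for that package."""
    data = json.loads(text)
    rules = {}
    for e in data.get("ignored_dependencies", []):
        rules.setdefault(e["package"], set()).update(e["advisory_ids"])
    reported, suppressed = [], []
    for package, advisory in findings:
        ids = rules.get(package, set())
        (suppressed if "*" in ids or advisory in ids else reported).append((package, advisory))
    return reported, suppressed

def summary_line(suppressed, path=".safe/sca_ignore.json"):
    """Build the end-of-scan summary in the format shown above."""
    packages = sorted({p for p, _ in suppressed})
    return f"Ignored: {len(suppressed)} advisory(ies) for: {', '.join(packages)} (see {path})"
```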
Full Example
```json
{
  "ignored_dependencies": [
    {
      "package": "hackney",
      "advisory_ids": ["*"],
      "reason": "Transitional dependency; scheduled for removal in next release"
    },
    {
      "package": "oidcc",
      "advisory_ids": ["GHSA-c74n-32xx-b3a5"],
      "reason": "The affected endpoint is not exposed in our deployment"
    }
  ],
  "ignored_non_hex_packages": [
    "my_internal_analytics",
    "legacy_adapter"
  ]
}
```