HashiCorp Developer AI Private beta now available Sign up today
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

Write global ignore rules

Vault Radar ignore rules allow you to ignore certain events based on a set of rules. You can create ignore rules for a path, file, or secret type. Rules can be applied across all data sources, or specific data sources.

All ignore rules support regular expressions (regex). This allows you add regex to match multiple types of events in a single ignore rule.

Ignore rule behavior

When a ignore rule is added, Vault Radar will still generate an event when sensitive data is found during a scan. Any event that matches an ignore rule will have:

  1. Severity set to INFO.
  2. An Ignore rule flag added.
  3. State set to Not important.

Vault Radar UI showing an event that matches an ignore rule

Set global ignore rules

  1. Select Settings/Global Ignore Rules.

  2. Enter the Ignore rules as YAML and update.

    Global Ignore Rules

    Types of global ignore rules you can write:

The updated ignore rules do not impact the existing events but will reflect on events from future scans. The next time you run a reconciliation scan, on-demand scan, PR webhook scan, or similar, the events will change based on the updated ignore rules.

Path ignore rules

Path based ignore rules allow you to ignore entire paths, such as directory used for documentation, or specific files within a resource.

Example path ignore rule

Ignore all files in a directory.

- paths:
  - docs/*

Ignore specific files in a directory.

- paths:
  - docs/index.mdx

Secret ignore rules

Secret ignore rules allow you ignore specific secret values that may be used in a data source, such as a example password used in documentation or as help within the application.

Example secret ignore rule

- secret_values:
  - WorstPasswordEver

Secret type ignore rules

Secret type ignore rules allow you to ignore built-in event rules that may be expected in a data source.

The secret type value must be entered in all lower case. For a full list of all event types, refer to the Event rules in the Settings section of the HCP Portal.

Note

Event types in the HCP Portal in the format of "Platform type of secret". When used for a global ignore rule, convert to all lower case and replace any spaces with underscores ( _).

Example secret type ignore rule

- secret_types:
  - aws_access_key_id

Resource ignore rules

Resource ignore rules allow you to configure one or more ignore rules on a specific resource such as a repository, instead of all resources. You could configure ignore rules on honey pot repositories or documentation repositories that may generate a high level of unimportant alerts, but do not want to ignore those events on other repositories.

Example resource ignore rule

- repo_url: https://example.com/directory/(subdirectoryA|subdirectoryB)
  rules:
    - secret_types:
      - aws_access_key_id