scanning
Suppressions
Real repos have intentional secrets in fixtures, dependencies you cannot upgrade yet, and detector self-references. Suppressions let you silence a known finding without turning off the rule everywhere — checked in as a .repoguardignore file your whole team can review in a PR.
Severities
Every finding carries one of four severities. They drive ordering, the risk score, and the SARIF level on export.
Directly exploitable or a live credential: a hardcoded secret, an injection sink reachable from user input, a public principal on a cloud policy.
Serious weakness that needs prompt attention but usually needs a condition to exploit — a known-vulnerable dependency, a dangerous misconfiguration.
Real hygiene or hardening issue worth fixing; lower blast radius or harder to reach. (Detector inputs that say “moderate” are normalized to medium.)
Informational or best-practice nudge. Anything unrecognized is treated as low rather than dropped.
The likelyTestFixture flag
A finding in a path that looks like test or example code — tests/, __tests__/, fixtures/, mocks/, examples/, samples/, testdata/, cypress/, e2e/, or a *.test.* / *.spec.* / *_test.go file — is tagged likelyTestFixture. It is not hidden: it is de-prioritized in the risk score and downgraded to note level in SARIF, so a dummy key in a fixture never blocks a merge gate but is still visible if you go looking. To remove it from the list entirely, suppress it.
.repoguardignore — where and how
Put a .repoguardignore file at the root of your repository. It is fetched best-effort at scan time, does not count against the file cap, and a missing or malformed file never fails the scan. One suppression per line; blank lines and lines starting with # are ignored.
# pathGlob [rule=glob] [reason="text"] [expires=YYYY-MM-DD] # Comments start with #
The first token (up to the first space, tab, or [) is the path glob. Everything after it is optional modifiers in square brackets. Path matching uses glob semantics (* within a segment, ** across segments, dotfiles included), so * on its own matches every path.
Modifiers
[rule=glob]— restrict the suppression to matching rule ids. Globs work here too, so[rule=secret/*]covers every secret pattern. Omit it and the suppression silences every finding under the path.[reason="text"]— a note for whoever reads the file later. Quote it if it contains spaces.[expires=YYYY-MM-DD]— an expiry date (valid through the end of that day, UTC). Forces stale suppressions to be revisited (see below). An invalid date is ignored.
Rule ids
The rulemodifier matches against the finding's rule id. The shapes:
secret/<patternId> e.g. secret/aws-access-key entropy/<id> high-entropy string findings git-history/<patternId> secret found in commit history code/<ruleId> SAST findings (also matches code/<cwe>, e.g. code/cwe-89) iac/<ruleId> IaC findings (also matches iac/<category>) sensitive-file/<kind> committed sensitive files dependency/<package> vulnerable dependency (also dependency/<ghsa>) license/<package> license/compliance findings
For dependency and license findings, the path is matched against every manifest in that ecosystem, so package.json [rule=dependency/lodash] also covers a transitive hit recorded against the lockfile.
Examples (each tested against the real parser)
Every line below was run through TriageRook's actual suppression parser and matcher while writing this page.
Silence one secret rule in one file:
src/config.ts [rule=secret/aws-access-key]
Silence everything under a directory (no rule modifier):
tests/** [reason="intentional fixtures"]
Accept one dependency CVE anywhere it appears, with a deadline to re-check:
package.json [rule=dependency/postcss] [reason="upstream Next ships old postcss"] [expires=2026-08-01]
Wildcard a whole rule family for a detector self-reference:
lib/secret-patterns.ts [rule=secret/*] [reason="detector's own pattern library"]
Suppress a SAST finding by its CWE alias:
src/db.ts [rule=code/cwe-89] [reason="parameterized elsewhere"]
How a match is chosen
A finding is suppressed when its path matches a suppression's path glob and — if a rulemodifier is present — its rule id matches too. When several lines could apply, the most specific wins: a line with a rule modifier and a literal (non-glob) path outranks a broad * line, with file order as the tiebreaker.
When a suppression expires
Expired ≠ silently ignored
Once an expires date has passed, the suppression still applies (the finding stays out of your main list), but it is flagged as expired and the scan surfaces an “expired suppressions” banner. The point is to force a deliberate decision — renew it or remove it — rather than letting a one-time exception quietly hide a finding forever.
Known limitation
Because the path glob ends at the first [, a path that itself contains a glob character class — like tests/file[123].js— is cut at the bracket and the rest is misread as a modifier. Avoid character classes in the path glob; a plain * / ** covers almost every real case.
A suppression not matching when you expect it to? Paste the line and the finding's rule id into an issue.