# Suppression

codescan supports two suppression mechanisms: inline comments in source files and `[[suppress]]` entries in the `codescan.toml` config file.
## Inline Suppression

Inline suppressions are language-agnostic: the scanner looks for the directive in raw comment text regardless of the comment syntax (`//`, `#`, `--`, `/* */`, `<!-- -->`, etc.).
### Suppress the Next Line

Place the directive on the line before the finding:

```python
# codescan:ignore-next-line SECRET001
password = "hunter2"
```

```javascript
// codescan:ignore-next-line:SECRET001
const password = "hunter2";
```

Both the space-separated form (`codescan:ignore-next-line SECRET001`) and the colon-separated form (`codescan:ignore-next-line:SECRET001`) are accepted. The colon form works well for languages where the comment would otherwise end at a space.
### Suppress the Same Line

```python
password = os.getenv("DB_PASS", "fallback")  # codescan:ignore SECRET001
```

```javascript
const url = "http://internal.corp"; // codescan:ignore:INFRA004
```

### Suppress Multiple Rules

Separate rule ids with commas (no spaces):

```python
result = hashlib.md5(token).hexdigest()  # codescan:ignore CRYPTO001,ENTROPY001
```

### Suppress All Rules on a Line

Omit the rule list to suppress every rule on that line:

```python
secret = "..."  # codescan:ignore
```

### Block Suppression
```python
# codescan:ignore-start SECRET001,SECRET002
TEST_PASSWORD = "test123"
TEST_API_KEY = "sk-test-aaabbbccc"
# codescan:ignore-end
```

Block suppression applies from `ignore-start` (exclusive) through `ignore-end` (exclusive): the lines between the two directives are suppressed, while the start and end lines themselves are not.
### Annotate with a Reason

You can add a `reason:` annotation for documentation purposes. It is parsed but does not affect suppression logic:

```javascript
// codescan:ignore-next-line:SECRET001 reason:test-fixture
const password = "test_only";
```

### Language Examples
All comment styles work:

```sql
-- codescan:ignore-next-line:INFRA001
INSERT INTO config VALUES ('db_host', '192.168.1.10');
```

```sh
# codescan:ignore-next-line CRYPTO001
openssl dgst -md5 file.bin
```

```html
<!-- codescan:ignore SECRET001 -->
<input type="hidden" value="...">
```

```rust
/* codescan:ignore EXPLOIT001 */
let query = format!("SELECT * FROM users WHERE id = {}", id);
```

## Config-File Suppression
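To make the inline directive grammar concrete, here is an added example (not codescan's own code) that parses the four directive kinds described above, in both the space- and colon-separated forms, and answers "is rule X suppressed on line N?". It assumes rule ids are upper-case identifiers such as `SECRET001`, ignores a trailing `reason:` annotation exactly as the docs say the tool does, and applies the exclusive start/end semantics of block suppression. The sample source is constructed for the example.

```python
import re

# Added example, not codescan's own implementation.
# Rule ids are assumed to be upper-case identifiers (SECRET001, CRYPTO001, ...).
ALL = "*"  # sentinel meaning "every rule is suppressed on this line"

# codescan:<kind>[ |:]RULE1,RULE2 ...   (a trailing "reason:..." is ignored)
_DIRECTIVE = re.compile(
    r"codescan:(ignore-next-line|ignore-start|ignore-end|ignore)"
    r"(?:[ :]([A-Z][A-Z0-9_]*(?:,[A-Z][A-Z0-9_]*)*))?"
)


def _rules_of(match):
    raw = match.group(2)
    return set(raw.split(",")) if raw else {ALL}


def parse_inline_suppressions(source):
    """Return {line_no: set_of_rule_ids} (1-based) for every suppressed line.

    A set containing ALL means every rule is suppressed on that line.
    """
    suppressed = {}
    open_blocks = []  # stack of rule sets opened by ignore-start

    def mark(line_no, rules):
        suppressed.setdefault(line_no, set()).update(rules)

    for line_no, text in enumerate(source.splitlines(), start=1):
        directives = list(_DIRECTIVE.finditer(text))
        # 1. ignore-end closes the innermost block *before* this line is
        #    considered, so the end line itself stays unsuppressed.
        for m in directives:
            if m.group(1) == "ignore-end" and open_blocks:
                open_blocks.pop()
        # 2. Lines strictly inside an open block inherit its rule set.
        for rules in open_blocks:
            mark(line_no, rules)
        # 3. Same-line, next-line and block-start directives on this line.
        for m in directives:
            kind = m.group(1)
            if kind == "ignore":
                mark(line_no, _rules_of(m))
            elif kind == "ignore-next-line":
                mark(line_no + 1, _rules_of(m))
            elif kind == "ignore-start":
                open_blocks.append(_rules_of(m))  # takes effect from the next line
    return suppressed


def is_suppressed(suppressions, line_no, rule_id):
    rules = suppressions.get(line_no, set())
    return ALL in rules or rule_id in rules


# Constructed sample source exercising every directive form.
SAMPLE_SOURCE = """\
password = "hunter2"  # codescan:ignore SECRET001
# codescan:ignore-next-line:CRYPTO001 reason:test-fixture
digest = hashlib.md5(token).hexdigest()
# codescan:ignore-start SECRET001,SECRET002
TEST_PASSWORD = "test123"
TEST_API_KEY = "sk-test-aaabbbccc"
# codescan:ignore-end
secret = "..."  # codescan:ignore
other = os.getenv("OTHER")
"""

if __name__ == "__main__":
    for line_no, rules in sorted(parse_inline_suppressions(SAMPLE_SOURCE).items()):
        print(line_no, sorted(rules))
```

Running the module prints one entry per suppressed line: line 1 (SECRET001 only), line 3 (the next-line directive), lines 5 and 6 (inside the block, but not lines 4 and 7) and line 8 (all rules). Because the regex anchors on `codescan:` rather than on any particular comment opener, the same parser handles `#`, `//`, `--`, `/* */` and `<!-- -->` comments.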
Config-file suppressions are defined as `[[suppress]]` entries in `codescan.toml`. They are more powerful than inline suppressions and are useful for whole-file, directory-wide, or category-level suppression.

### By Exact File Path

```toml
[[suppress]]
file = "src/tests/fixtures/db_seed.sql"
rules = ["SECRET001", "INFRA001"]
reason = "Test fixture data"
```

The `file` field accepts both exact relative paths and path suffixes (e.g. `"src/auth.py"` matches `.../src/auth.py`).
### By Glob Pattern

```toml
[[suppress]]
glob = "**/*.test.ts"
categories = ["SECRET"]
reason = "Unit tests may use dummy credentials"
```

### By Line Number
```toml
[[suppress]]
file = "config/defaults.py"
line = 42
rules = ["SECRET001"]
reason = "Default placeholder only, overridden at runtime"
```

### By Category
```toml
[[suppress]]
glob = "legacy/**"
categories = ["CRYPTO", "EXPLOIT"]
```

### By Severity Ceiling
Suppress findings up to and including the specified severity:

```toml
[[suppress]]
glob = "docs/**"
max_severity = "warning"
reason = "Documentation examples are illustrative only"
```

### Suppress All Rules
Use `rules = ["*"]` or omit `rules` to suppress every rule:

```toml
[[suppress]]
file = "generated/schema.pb.go"
rules = ["*"]
reason = "Auto-generated file"
```

### Combining Conditions
All specified conditions must match (AND logic). If both `rules` and `categories` are provided, a finding matches if it satisfies either of them:

```toml
[[suppress]]
glob = "src/internal/**"
rules = ["SECRET001"]
categories = ["INFRA"]
```

The entry above suppresses a finding in `src/internal/` if it is `SECRET001` or if it belongs to the `INFRA` category.

## Viewing Suppressed Findings
Suppressed findings are hidden by default. To see them:

```sh
codescan --show-suppressed .
```

Or set `show_suppressed = true` in `codescan.toml`. Suppressed findings are shown with a `= suppressed: <reason>` annotation.
## Exit Code Behavior

Suppressed findings do not count toward the `--fail-on` exit code. Only active (non-suppressed) findings cause a non-zero exit.
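The following added example (not codescan's own implementation) models the config-file matching rules from this page end to end: `file` as exact path or suffix, `glob` with `**`, `line`, `max_severity`, the `rules`/`categories` OR inside the overall AND, the `--show-suppressed` annotation, and the exit-code rule that only active findings count. The `[[suppress]]` entries are the ones shown above, written as the plain dicts `tomllib.load` would return for the `suppress` key. The severity ordering (`info < warning < error`), the `Finding` record, and the reading of `--fail-on` as "at or above this severity" are assumptions of the example, as is the glob dialect.

```python
import re
from dataclasses import dataclass

# Added example, not codescan's own code. SEVERITY_ORDER is an assumed
# low-to-high ordering; the page only names "warning".
SEVERITY_ORDER = ["info", "warning", "error"]


@dataclass(frozen=True)
class Finding:          # assumed shape of a scanner finding
    path: str           # relative to the scanned root
    line: int
    rule: str           # e.g. "SECRET001"
    category: str       # e.g. "SECRET"
    severity: str


# The [[suppress]] entries from this page, as tomllib would return them.
SUPPRESS = [
    {"file": "src/tests/fixtures/db_seed.sql", "rules": ["SECRET001", "INFRA001"],
     "reason": "Test fixture data"},
    {"glob": "**/*.test.ts", "categories": ["SECRET"],
     "reason": "Unit tests may use dummy credentials"},
    {"file": "config/defaults.py", "line": 42, "rules": ["SECRET001"],
     "reason": "Default placeholder only, overridden at runtime"},
    {"glob": "docs/**", "max_severity": "warning",
     "reason": "Documentation examples are illustrative only"},
    {"file": "generated/schema.pb.go", "rules": ["*"], "reason": "Auto-generated file"},
    {"glob": "src/internal/**", "rules": ["SECRET001"], "categories": ["INFRA"]},
]


def _glob_to_regex(pattern):
    """Assumed glob dialect: ** spans directories, * and ? stay within one segment."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?"); i += 3
        elif pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("".join(out))


def _path_matches(path, file_field):
    # Exact relative path, or a suffix on a path-segment boundary
    # ("src/auth.py" matches ".../src/auth.py" but not "xsrc/auth.py").
    return path == file_field or path.endswith("/" + file_field)


def entry_matches(entry, f):
    """Location and severity conditions are ANDed; rules/categories are ORed."""
    if "file" in entry and not _path_matches(f.path, entry["file"]):
        return False
    if "glob" in entry and not _glob_to_regex(entry["glob"]).fullmatch(f.path):
        return False
    if "line" in entry and f.line != entry["line"]:
        return False
    if "max_severity" in entry and (
        SEVERITY_ORDER.index(f.severity) > SEVERITY_ORDER.index(entry["max_severity"])
    ):
        return False
    rules, cats = entry.get("rules"), entry.get("categories")
    if rules is None and cats is None:
        return True  # no rule filter: every rule is suppressed
    rule_hit = rules is not None and ("*" in rules or f.rule in rules)
    cat_hit = cats is not None and f.category in cats
    return rule_hit or cat_hit


def find_suppression(f, entries=SUPPRESS):
    """First matching [[suppress]] entry, or None when the finding is active."""
    return next((e for e in entries if entry_matches(e, f)), None)


def render(f, entries=SUPPRESS):
    """--show-suppressed style line: active findings plain, suppressed ones annotated."""
    base = f"{f.path}:{f.line} {f.rule} [{f.severity}]"
    entry = find_suppression(f, entries)
    return base if entry is None else f"{base} = suppressed: {entry.get('reason', '')}"


def exit_code(findings, fail_on="warning", entries=SUPPRESS):
    """Non-zero only if an *active* finding is at or above fail_on (assumed semantics)."""
    threshold = SEVERITY_ORDER.index(fail_on)
    for f in findings:
        if find_suppression(f, entries) is None and SEVERITY_ORDER.index(f.severity) >= threshold:
            return 1
    return 0
```

Two details worth noting in practice: `_path_matches` only accepts a suffix that begins at a path separator, so a `file` entry cannot accidentally cover a differently named file with the same ending, and `entry_matches` checks every location condition before looking at `rules`/`categories`, which is what makes the AND-outside, OR-inside semantics of "Combining Conditions" fall out naturally.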