# .snyk Ignore Policy Standards
## Rule
Every ignored vulnerability in .snyk MUST include: reason, expiration date (max 90 days), and compensating controls. Permanent ignores are prohibited.
## Format
```yaml
# .snyk
version: v1.25.0
ignore:
  SNYK-JS-PACKAGE-1234567:
    - '*':
        reason: '<clear justification>'
        expires: 2026-06-01T00:00:00.000Z
        created: 2026-03-11T00:00:00.000Z
```
## Examples
### Good
```yaml
ignore:
  SNYK-JS-MINIMIST-2429795:
    - '*':
        reason: 'Transitive dependency via dev-only tool. Not reachable in production builds. Compensated by input validation middleware.'
        expires: 2026-06-01T00:00:00.000Z
        created: 2026-03-11T00:00:00.000Z
```
### Bad
```yaml
ignore:
  SNYK-JS-MINIMIST-2429795:
    - '*':
        reason: 'not important'
        # No expiration (permanent ignore)
```
## CLI Usage
```bash
# Ignore with reason and expiry (correct)
snyk ignore --id=SNYK-JS-MINIMIST-2429795 \
  --reason="Dev dependency, not in production" \
  --expiry=2026-06-01

# Bad: no reason or expiry
snyk ignore --id=SNYK-JS-MINIMIST-2429795
```
## Review Process
1. .snyk file changes require security team approval in PR review
2. Monthly audit: check for expired entries, re-evaluate active ignores
3. When a fix becomes available, remove the ignore and upgrade
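
One way to automate the monthly audit in step 2, as an added example that is not part of this standard or of Snyk's tooling: a stdlib-only check that flags entries with no reason, no expiry, an expiry more than 90 days out, or an expiry that has already passed. It assumes `SNYK-*` issue ids and one path per issue, reads fields with a line scan instead of a YAML library, and runs on a constructed sample with placeholder ids; `parse_ignores`, `parse_ts` and `audit` are hypothetical names.

```python
import re
from datetime import datetime, timedelta
MAX_IGNORE_DAYS = 90  # limit stated in the Rule section
ISSUE_RE = re.compile(r"^\s*(SNYK-[A-Za-z0-9-]+):\s*$")  # assumes SNYK-* ids
FIELD_RE = re.compile(r"^\s*(reason|expires|created):\s*(.*?)\s*$")
SAMPLE = """\
ignore:
  SNYK-JS-EXAMPLE-0000001:
    - '*':
        reason: 'Dev-only transitive dependency, not reachable in production.'
        expires: 2026-06-01T00:00:00.000Z
        created: 2026-03-11T00:00:00.000Z
  SNYK-JS-EXAMPLE-0000002:
    - '*':
        reason: 'not important'
  SNYK-JS-EXAMPLE-0000003:
    - '*':
        reason: 'Fix pending upstream. Input validation covers the affected path.'
        expires: 2026-12-31T00:00:00.000Z
"""  # constructed sample with placeholder issue ids

def parse_ignores(text):
    """Line scan of the ignore block: {issue_id: {field: value}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if m := ISSUE_RE.match(line):
            current = entries.setdefault(m.group(1), {})
        elif current is not None and (m := FIELD_RE.match(line)):
            current[m.group(1)] = m.group(2).strip("'\"")
    return entries

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit(text, now):
    """Return (issue_id, problem) pairs for entries that break the policy."""
    findings = []
    for issue, f in parse_ignores(text).items():
        if not f.get("reason"):
            findings.append((issue, "missing reason"))
        if not f.get("expires"):
            findings.append((issue, "no expiry"))
            continue
        expires = parse_ts(f["expires"])
        start = parse_ts(f["created"]) if f.get("created") else now  # window start
        if expires - start > timedelta(days=MAX_IGNORE_DAYS):
            findings.append((issue, "expiry over 90 days"))
        if expires <= now:
            findings.append((issue, "expired"))
    return findings
```

Call `audit(text, now)` with the contents of `.snyk` and a timezone-aware `now`; a non-empty result can fail the audit job or a PR check.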
## Anti-Patterns
- Ignoring vulnerabilities from the CLI without --reason
- Expiration dates more than 90 days out
- Copying .snyk files between projects without re-evaluation
- One developer approving their own ignore entries