~/.codegate/config.json (global) or <scan-target>/.codegate.json (project override). List-type suppression keys are merged across both files.
suppress_findings — suppress by finding ID or fingerprint
suppress_findings is an array of finding IDs or fingerprints. Any finding whose finding_id matches an entry in this list is marked as suppressed and excluded from exit code calculation. Use codegate scan . --format json to retrieve them.

Entries from the global config and project config are merged and de-duplicated.

suppression_rules — structured suppression by criteria
suppression_rules is an array of rule match objects. A finding is suppressed when it matches all specified fields in a rule. Fields that are omitted are not evaluated (AND semantics over the fields that are present; omitted fields are ignored).

Fields
| Field | Type | Description |
|---|---|---|
| rule_id | string | Exact rule ID to match (e.g., ENV_OVERRIDE) |
| file_path | string | Glob pattern matched against the finding's file path |
| location | string | File path with optional line and column: path/to/file:line:column |
| severity | string | Exact severity to match: critical, high, medium, low, info |
| category | string | Exact category string to match |
| cwe | string | Exact CWE identifier to match (e.g., CWE-78) |
| fingerprint | string | Exact fingerprint to match |
file_path supports glob patterns with * (single path segment) and ** (any number of segments). location matches the finding's file path exactly (no glob). Line and column are optional — if provided, they must match the finding's reported location.

Examples
Suppress all findings for a specific rule in a specific file:

rules — per-rule policy (disable, ignore, config)
The rules object lets you configure policy for individual rules by rule ID. Each entry supports three fields:

| Field | Type | Description |
|---|---|---|
| disable | boolean | When true, all findings from this rule are suppressed |
| ignore | string[] | List of file:line:column locations to ignore for this rule |
| config | object | Rule-specific configuration values |
ignore entries use the same file:line:column format as suppression_rules.location. Line and column are optional.

Example
Disable a rule globally and ignore specific locations for another:

rules entries from the global config and project config are merged. For each rule ID, scalar fields (disable) take the project value over the global value. ignore arrays are merged and de-duplicated. config objects are shallow-merged, with project values overriding global values.

rule_pack_paths — load extra rule packs
rule_pack_paths is an array of paths to additional JSON rule pack files, or directories containing JSON rule pack files. CodeGate loads these after the built-in rules.

allowed_rules — keep only specific rule IDs
allowed_rules is an array of rule IDs. After all rule packs are loaded, only rules whose IDs appear in this list remain active. An empty array (the default) means all loaded rules are active. allowed_rules is evaluated before skip_rules.

skip_rules — drop specific rule IDs
skip_rules is an array of rule IDs to drop after all rule packs are loaded. It is applied after allowed_rules. skip_rules is a permanent drop for the lifetime of the scan. Use suppression_rules or rules.disable instead if you want to suppress specific findings rather than removing the rule entirely.

Order of evaluation
When a scan completes, CodeGate applies suppression in the following order:

1. rules[rule_id].disable — rule fully disabled, all its findings suppressed.
2. rules[rule_id].ignore — specific file/line locations suppressed for that rule.
3. suppression_rules — structured criteria matching (AND semantics).
4. suppress_findings — finding ID or fingerprint exact match.
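The matching and ordering semantics above, modelled in Python as an added example (this is not CodeGate's own code). The shape of a finding dictionary (keys such as line and column), the config dictionary shape, and the sample rule IDs and fingerprint are assumptions chosen for illustration:

```python
import re

# Added example, not CodeGate's own code; finding/config dictionary shapes are assumptions.

def glob_to_regex(pattern):
    """'**' spans any number of path segments, '*' stays within one segment."""
    parts = re.split(r"(\*\*/|\*\*|\*)", pattern)
    table = {"**/": "(?:[^/]+/)*", "**": ".*", "*": "[^/]*"}
    return re.compile("^" + "".join(table.get(p, re.escape(p)) for p in parts) + "$")

def location_matches(loc, finding):
    """'path[:line[:column]]': path is exact (no glob); line/column checked only if present."""
    path, *nums = loc.split(":")
    want = [path] + [int(n) for n in nums]
    have = [finding["file_path"], finding["line"], finding["column"]][: len(want)]
    return want == have

def rule_matches(rule, finding):
    """AND semantics: every field present in the rule must match; omitted fields are ignored."""
    for field, value in rule.items():
        if field == "file_path":
            ok = glob_to_regex(value).match(finding["file_path"]) is not None
        elif field == "location":
            ok = location_matches(value, finding)
        else:  # rule_id, severity, category, cwe, fingerprint: exact match
            ok = finding.get(field) == value
        if not ok:
            return False
    return True

def suppression_reason(cfg, finding):
    """Return the key that suppressed the finding, in the documented order, or None."""
    per_rule = cfg.get("rules", {}).get(finding["rule_id"], {})
    if per_rule.get("disable"):
        return "rules.disable"
    if any(location_matches(loc, finding) for loc in per_rule.get("ignore", [])):
        return "rules.ignore"
    if any(rule_matches(r, finding) for r in cfg.get("suppression_rules", [])):
        return "suppression_rules"
    ids = set(cfg.get("suppress_findings", []))
    if finding["finding_id"] in ids or finding["fingerprint"] in ids:
        return "suppress_findings"
    return None

SAMPLE_CONFIG = {  # constructed values, not real CodeGate output
    "rules": {"DEBUG_FLAG": {"disable": True}, "ENV_OVERRIDE": {"ignore": ["src/app.py:12"]}},
    "suppression_rules": [{"rule_id": "ENV_OVERRIDE", "file_path": "tests/**/*.py"}],
    "suppress_findings": ["fp-deadbeef"]}
```

A finding that matches more than one key is reported under the first key in the documented order, which is useful when debugging why a finding disappeared from the exit code calculation.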
codegate run launches.