ignore

Use the ignore command to add findings to the ignore file.

Use the ignore command to add findings or vulnerability IDs to the ignore file, which is used to dismiss findings during scans. This allows developers to request exceptions directly in their pull requests and provides teams with the option to manage exceptions directly in the source code.

Note
You must enable ignore file support in Settings > SYSTEM SETTINGS > Developer Workflows for ignore files to be processed during scans.

The syntax of the endorctl ignore command is:

endorctl ignore [--finding-uuid <uuid> | --vuln-id <vuln-id>] [-i] [flags]

You must provide --finding-uuid, --vuln-id, or --interactive. If you provide a finding UUID, you must also provide --namespace.

The more fields you provide, the more specific the ignore entry is. For example, if you only provide the finding name and there are multiple findings with the same name in the same repository version, the ignore entry is applied to all of them.

The command endorctl ignore uses the following flags and environment variables:

| Flag | Environment Variable | Type | Description |
| --- | --- | --- | --- |
| comments | ENDOR_IGNORE_COMMENTS | string | Optional comments to add to the ignore entry. |
| expiration-date | ENDOR_IGNORE_EXPIRATION_DATE | string | Stop ignoring the finding on this date (format: YYYY-MM-DD). |
| expire-if-fix-available | ENDOR_IGNORE_EXPIRE_IF_FIX_AVAILABLE | boolean | Stop ignoring the finding if a fix becomes available. |
| finding-uuid | ENDOR_IGNORE_FINDING_UUID | comma-separated string | UUID of finding to ignore. |
| interactive | ENDOR_IGNORE_INTERACTIVE | boolean | Enter finding and/or ignore entry details interactively. |
| path | ENDOR_IGNORE_PATH | string | Path to the repository or file to add the ignore entry to (default .endorignore.yaml). |
| prefix | ENDOR_IGNORE_PREFIX | string | Override the default prefix for the ignore entry ID (default endorignore-, or project name if added by finding UUID). |
| reason | ENDOR_IGNORE_REASON | string | Reason for ignoring the finding. Valid values: false-positive, risk-accepted, in-triage, resolved, other (default risk-accepted). |
| username | ENDOR_IGNORE_USERNAME | string | Override the username associated with the ignore entry. |
| vuln-id | ENDOR_IGNORE_VULN_ID | comma-separated string | Vulnerability ID to ignore, such as CVE or GHSA identifiers. |

Ignore a specific finding based on the UUID and enter details such as reason and expiration-date interactively:

endorctl ignore --finding-uuid $FINDING_UUID --namespace $NAMESPACE -i

Ignore entry based on finding UUID and interactive input

Here the user entered the reason, expiration date, and comments interactively. The rest was automatically populated based on the finding UUID. The default prefix is the finding project name.

 version: 1.0.0
 ignore:
   - id: endorlabs/app-java-demo-1
     username: bob@corp.com@google
     update_time: 2026-02-09 22:35:04 UTC
     finding_name: Unmaintained Dependency org.webjars.bowergithub.webcomponents:shadycss@1.9.1
     parent_name: mvn://com.endor.webapp:endor-java-webapp-demo@4.0-SNAPSHOT
     dependency_name: mvn://org.webjars.bowergithub.webcomponents:shadycss@1.9.1
     extra_key: mvn://org.webjars.bowergithub.webcomponents:shadycss@1.9.1
     reason: other
     expiration_date: 2026-03-01
     comments: Will change to a better dependency in a separate commit

Enter all details about which findings to ignore interactively, without the UUID:

endorctl ignore -i

Ignore entry based on interactive input only

Here the user entered the finding name, reason, expiration date, and comments interactively. The default prefix is endorignore-.

 version: 1.0.0
 ignore:
   - id: endorignore-1
     username: bob@corp.com@google
     update_time: 2026-02-09 22:36:01 UTC
     finding_name: Unmaintained Dependency org.webjars.bowergithub.webcomponents:shadycss@1.9.1
     reason: other
     expiration_date: 2026-03-01
     comments: Will change to a better dependency in a separate commit

Use the command in a script to ignore findings based on UUID with a custom prefix:

# Quote each value so that comments or paths containing spaces stay a single argument.
endorctl ignore \
  --path="$PATH_TO_IGNORE_FILE" \
  --prefix="$CUSTOM_PREFIX" \
  --namespace="$NAMESPACE" \
  --finding-uuid="$FINDING_UUID" \
  --username="$USERNAME" \
  --reason="$REASON" \
  --comments="$COMMENTS" \
  --expiration-date="$EXPIRATION_DATE" \
  --expire-if-fix-available="$EXPIRE_IF_FIX_AVAILABLE"
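
Because ignore entries live in the repository and arrive through pull requests, a reviewer or CI job can check them before merge. The following added example (not part of endorctl or the original page) audits entries in the ignore file layout shown above against a hypothetical team policy: a documented reason, a comment, and an expiration date that is set, not yet reached, and at most max_days away. The names parse_entries and audit, the policy itself, and the sample values are assumptions.

```python
from datetime import date
# --reason values from the flag table; SAMPLE below is constructed for illustration.
VALID_REASONS = {"false-positive", "risk-accepted", "in-triage", "resolved", "other"}
SAMPLE = """\
version: 1.0.0
ignore:
  - id: endorignore-1
    finding_name: Unmaintained Dependency example:lib-a@1.0.0
    reason: other
    expiration_date: 2026-03-01
    comments: Will change to a better dependency in a separate commit
  - id: endorignore-2
    reason: wontfix
  - id: endorignore-3
    reason: risk-accepted
    expiration_date: 2025-12-31
    comments: Accepted until the next upgrade
"""

def parse_entries(text):
    """Parse the flat `ignore:` list layout shown above (assumed) into dicts."""
    entries = []
    for line in map(str.strip, text.partition("ignore:")[2].splitlines()):
        if line.startswith("- "):  # a new list item starts a new entry
            entries.append({})
            line = line[2:]
        key, sep, value = line.partition(":")  # split on the first colon only
        if entries and sep:
            entries[-1][key.strip()] = value.strip()
    return entries

def audit(entries, today, max_days=90):
    """Return (id, problem) pairs under a hypothetical review policy."""
    problems = []
    for e in entries:
        eid = e.get("id", "<no id>")
        if e.get("reason") not in VALID_REASONS:
            problems.append((eid, "reason is not a documented value"))
        if not e.get("comments"):
            problems.append((eid, "no comments justifying the exception"))
        try:
            left = (date.fromisoformat(e.get("expiration_date", "")) - today).days
        except ValueError:
            problems.append((eid, "missing or malformed expiration_date"))
            continue
        if left <= 0:  # the entry stops applying on the expiration date itself
            problems.append((eid, "expired; remove the stale entry"))
        elif left > max_days:
            problems.append((eid, f"expires more than {max_days} days out"))
    return problems
```

A CI job would read the file at the configured path, call audit with date.today(), and fail the check when the returned list is not empty.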