
# Exception policy templates

> Learn about the predefined exception policy templates and how to customize them.

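export const YamlTable = ({children, data: propData, content}) => {
  // YamlTable renders a YAML-like list of "Key: value" entries as an HTML table.
  //
  // Props:
  //   data     - rows to render; when truthy it is used as-is and nothing is parsed.
  //   content  - string to parse when `data` is not given.
  //   children - fallback source; its text is extracted and parsed.
  // Columns are the keys of the first row. Returns null before the component has
  // mounted and when there are no rows.
  //
  // Cell values support a small inline syntax: [label](href), `code`, **bold**,
  // *italic*, <br>, <p>, -note-, -warning-, and the whole-cell badge tokens
  // -yes-, -no-, -limited-/-partial-, -na-/-none- and -na2-.
  //
  // NOTE(review): useState, useEffect and useMemo are not imported in this file;
  // they are assumed to be provided by the MDX runtime. Confirm.
  //
  // One "Key: value" line. The key must start with a letter and be at least two characters long.
  const KV_RE = /^([A-Za-z][A-Za-z0-9_()/#\s-]+?):\s*(.+)$/;
  // Inline markup, tried in this order: link, code span, bold, italic.
  const INLINE_MD_RE = /(\[([^\]]+)\]\(([^)]+)\))|(`([^`]+)`)|(\*\*([^*]+)\*\*)|(\*([^*]+)\*)/g;
  // Badge tokens; each must be the entire cell value (case-insensitive).
  const YES_RE = /^-yes-$/i;
  const NO_RE = /^-no-$/i;
  const LIMITED_RE = /^-(limited|partial)-$/i;
  const NA_RE = /^-(na|none)-$/i;
  const NA2_RE = /^-na2-$/i;
  // Line-break tags and the -note- / -warning- labels that may appear inside plain text.
  const SIMPLE_TAG_RE = /(<br\s*\/?>)|(<p\s*\/?>)|(-note-)|(-warning-)/gi;
  // Link targets are limited to these schemes. Scheme-less (relative, anchor,
  // protocol-relative) targets are always allowed. Extend the set if the docs
  // need another scheme.
  const SAFE_LINK_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);
  const URL_SCHEME_RE = /^([A-Za-z][A-Za-z0-9+.-]*):/;
  const URL_IGNORED_CHARS_RE = /[\u0000-\u0020\u007f]/g;
  // Returns true when `href` has no scheme or an allow-listed one. Cell text can
  // arrive through the `data`/`content` props, so a script-bearing scheme such as
  // `javascript:` must never reach an <a href>.
  const isSafeHref = href => {
    // Browsers skip ASCII whitespace and control characters while parsing a
    // scheme, so strip them before looking at it.
    const compact = href.replace(URL_IGNORED_CHARS_RE, '');
    const scheme = URL_SCHEME_RE.exec(compact);
    return !scheme || SAFE_LINK_SCHEMES.has(scheme[1].toLowerCase());
  };
  // Parses one trimmed line into {key, value}; returns null when it is not a "Key: value" line.
  const tryParseKV = trimmed => {
    const m = KV_RE.exec(trimmed);
    return m ? {
      key: m[1],
      value: m[2].trim()
    } : null;
  };
  // Records a column name the first time it is seen, preserving first-seen order.
  const registerKey = (key, seenKeys, orderedKeys) => {
    if (!seenKeys.has(key)) {
      orderedKeys.push(key);
      seenKeys.add(key);
    }
  };
  // Appends the entry to `entries` unless it has no keys.
  const flushEntry = (currentEntry, entries) => {
    if (Object.keys(currentEntry).length > 0) entries.push(currentEntry);
  };
  // Parser for the "- Key: value" form: a line starting with "- " opens a new
  // entry, and following non-blank "Key: value" lines add fields to it.
  const parseDashPrefixed = (lines, entries, orderedKeys, seenKeys) => {
    let currentEntry = {};
    let inEntry = false;
    for (const line of lines) {
      const trimmed = line.trim();
      if (trimmed.startsWith('- ')) {
        // flushEntry (not a bare push) so a "- " line that carried no
        // "Key: value" pair does not become an empty table row.
        if (inEntry) flushEntry(currentEntry, entries);
        currentEntry = {};
        inEntry = true;
        const kv = tryParseKV(trimmed.substring(2).trim());
        if (kv) {
          registerKey(kv.key, seenKeys, orderedKeys);
          currentEntry[kv.key] = kv.value;
        }
      } else if (inEntry && trimmed !== '') {
        const kv = tryParseKV(trimmed);
        if (kv) {
          registerKey(kv.key, seenKeys, orderedKeys);
          currentEntry[kv.key] = kv.value;
        }
      }
    }
    flushEntry(currentEntry, entries);
  };
  // Parser for the form without "- " markers: a blank line, or an unindented
  // "Key: value" line while an entry is open, starts a new entry.
  const parseBlankSeparated = (lines, entries, orderedKeys, seenKeys) => {
    let currentEntry = {};
    let inEntry = false;
    for (const line of lines) {
      const trimmed = line.trim();
      if (trimmed === '') {
        if (inEntry) {
          flushEntry(currentEntry, entries);
          currentEntry = {};
          inEntry = false;
        }
        continue;
      }
      const kv = tryParseKV(trimmed);
      if (!kv) continue;
      const isNewEntry = !line.startsWith(' ') && !line.startsWith('\t');
      if (isNewEntry && inEntry && Object.keys(currentEntry).length > 0) {
        entries.push(currentEntry);
        currentEntry = {};
      }
      registerKey(kv.key, seenKeys, orderedKeys);
      currentEntry[kv.key] = kv.value;
      inEntry = true;
    }
    flushEntry(currentEntry, entries);
  };
  // Gives every entry the same keys in the same order, filling gaps with ''.
  const normalizeEntries = (entries, orderedKeys) => entries.map(entry => {
    const filled = {};
    for (const key of orderedKeys) {
      // Own-property check: a column named e.g. "constructor" that this entry
      // lacks must not resolve to the inherited Object.prototype member.
      const own = Object.prototype.hasOwnProperty.call(entry, key);
      filled[key] = own ? entry[key] || '' : '';
    }
    return filled;
  });
  // Parses the whole content string into normalized rows. The dash-prefixed
  // parser is used when any line starts with "- ", otherwise the blank-separated one.
  const parseYamlTableContent = contentStr => {
    if (!contentStr) return [];
    const entries = [];
    const orderedKeys = [];
    const seenKeys = new Set();
    const lines = contentStr.split('\n');
    if (lines.some(line => line.trim().startsWith('- '))) {
      parseDashPrefixed(lines, entries, orderedKeys, seenKeys);
    } else {
      parseBlankSeparated(lines, entries, orderedKeys, seenKeys);
    }
    return normalizeEntries(entries, orderedKeys);
  };
  // Converts inline markup in a cell string into React nodes. Text is inserted
  // as React children (never as raw HTML). Returns the input unchanged when it is empty.
  const processText = text => {
    if (!text) return text;
    const parts = [];
    let keyIndex = 0;
    let lastIndex = 0;
    let match;
    // /g regexes keep state in lastIndex; reset it as expandSimpleTags does.
    INLINE_MD_RE.lastIndex = 0;
    while ((match = INLINE_MD_RE.exec(text)) !== null) {
      if (match.index > lastIndex) parts.push(text.slice(lastIndex, match.index));
      if (match[1]) {
        if (isSafeHref(match[3])) {
          parts.push(<a key={keyIndex++} href={match[3]}>{match[2]}</a>);
        } else {
          // Disallowed scheme: keep the label as plain text and drop the target.
          parts.push(match[2]);
        }
      } else if (match[4]) {
        parts.push(<code key={keyIndex++}>{match[5]}</code>);
      } else if (match[6]) {
        parts.push(<strong key={keyIndex++}>{match[7]}</strong>);
      } else if (match[8]) {
        parts.push(<em key={keyIndex++}>{match[9]}</em>);
      }
      lastIndex = match.index + match[0].length;
    }
    if (lastIndex < text.length) parts.push(text.slice(lastIndex));
    if (parts.length === 0) return text;
    // Shared counter so elements created by expandSimpleTags continue the key sequence.
    const keyRef = {
      current: keyIndex
    };
    return expandHtmlTags(parts, keyRef);
  };
  // Renders a badge when the whole cell is a badge token; otherwise falls back
  // to processText. Non-string values are returned untouched.
  const processBadges = text => {
    if (!text || typeof text !== 'string') return text;
    if (YES_RE.test(text)) return <span className="yt-badge-yes" role="img" aria-label="Supported" title="Supported">✓</span>;
    if (NO_RE.test(text)) return <span className="yt-badge-no" role="img" aria-label="Not supported" title="Not supported">✗</span>;
    if (LIMITED_RE.test(text)) return <span className="yt-badge-limited" role="img" aria-label="Partially supported" title="Partially supported">◐</span>;
    if (NA_RE.test(text) || NA2_RE.test(text)) return <span className="yt-sr-only" title="Not applicable">Not applicable</span>;
    return processText(text);
  };
  // CSS class for "not applicable" cells; undefined for every other cell.
  const cellClassName = text => {
    if (!text || typeof text !== 'string') return undefined;
    if (NA_RE.test(text)) return 'yt-cell-na';
    if (NA2_RE.test(text)) return 'yt-cell-na2';
    return undefined;
  };
  // Replaces <br>, <p>, -note- and -warning- inside a plain string with React
  // nodes; <p> becomes two line breaks. keyRef.current is advanced for each element created.
  const expandSimpleTags = (str, keyRef) => {
    const result = [];
    let last = 0;
    SIMPLE_TAG_RE.lastIndex = 0;
    let m;
    while ((m = SIMPLE_TAG_RE.exec(str)) !== null) {
      if (m.index > last) result.push(str.slice(last, m.index));
      if (m[1]) {
        result.push(<br key={keyRef.current++} />);
      } else if (m[2]) {
        result.push(<br key={keyRef.current++} />, <br key={keyRef.current++} />);
      } else if (m[3]) {
        result.push(<span key={keyRef.current++} className="yt-badge-note" style={{
          fontWeight: 600
        }}>Note: </span>);
      } else if (m[4]) {
        result.push(<span key={keyRef.current++} className="yt-badge-warning" style={{
          fontWeight: 600
        }}>Warning: </span>);
      }
      last = m.index + m[0].length;
    }
    if (last < str.length) result.push(str.slice(last));
    return result;
  };
  // Applies expandSimpleTags to the string chunks and passes elements through unchanged.
  const expandHtmlTags = (chunks, keyRef) => {
    const out = [];
    for (const chunk of chunks) {
      if (typeof chunk === 'string') {
        out.push(...expandSimpleTags(chunk, keyRef));
      } else {
        out.push(chunk);
      }
    }
    return out;
  };
  // Flattens a React child (string, number, array or element) to its text
  // content; null, undefined and booleans contribute nothing.
  const extractText = node => {
    if (node === null || node === undefined) return '';
    if (typeof node === 'string') return node;
    if (typeof node === 'number') return String(node);
    if (typeof node === 'boolean') return '';
    if (Array.isArray(node)) return node.map(extractText).join('');
    if (node && typeof node === 'object' && node.type) {
      const props = node.props || ({});
      if (typeof props.children === 'string') return props.children;
      if (props.children) return extractText(props.children);
      return '';
    }
    return String(node || '');
  };
  // Nothing is rendered until this effect has run once after mount.
  // NOTE(review): presumably this keeps the table client-only to avoid a hydration mismatch. Confirm.
  const [mounted, setMounted] = useState(false);
  useEffect(() => {
    setMounted(true);
  }, []);
  // Row source priority: data prop, then content prop, then children.
  const data = useMemo(() => {
    if (propData) return propData;
    if (content && typeof content === 'string') return parseYamlTableContent(content);
    if (!children) return [];
    if (typeof children === 'string') return parseYamlTableContent(children);
    const childrenArray = Array.isArray(children) ? children : [children];
    return parseYamlTableContent(childrenArray.map(extractText).join('').trim());
  }, [children, propData, content]);
  // Column names come from the first row only.
  const columns = useMemo(() => {
    if (!data || data.length === 0) return [];
    const firstRow = data[0];
    if (!firstRow || typeof firstRow !== 'object') return [];
    return Object.keys(firstRow);
  }, [data]);
  if (!mounted) return null;
  if (!data || data.length === 0) return null;
  const rowKey = row => columns.map(c => row[c] || '').join('|');
  // The index prefix keeps React keys unique when two rows hold identical cell values.
  return <table>
      <thead>
        <tr>
          {columns.map(col => <th key={col}>{col.replaceAll('_', ' ')}</th>)}
        </tr>
      </thead>
      <tbody>
        {data.map((row, index) => <tr key={`${index}:${rowKey(row)}`}>
            {columns.map(col => <td key={col} className={cellClassName(row[col])}>{processBadges(row[col])}</td>)}
          </tr>)}
      </tbody>
    </table>;
};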

Endor Labs provides the following exception policy templates that you can use to quickly create exception policies. Each exception policy template provides parameters to help you customize the conditions under which an exception is applied.

The following template categories are available:

* [Container](#container)
* [SCA](#sca)
* [Vulnerabilities](#vulnerabilities)
* [Secrets](#secrets)
* [Malware](#malware)
* [SAST](#sast)

## Container

Use these templates to define exceptions for findings related to container images, including vulnerabilities in base images, installed packages, and container configurations.

### Common

Define exceptions for common use cases such as:

* Exclude a specific finding, for a specific package, for a specific dependency.
* Exclude all findings for a specific dependency.
* Exclude all findings for a specific package.
* Exclude all vulnerabilities that do not have a patch available.

The following table describes the parameters.

<YamlTable>
  {`


    - Parameter: Vulnerability ID
    Description: The vulnerability identifier. For example, \`CVE-2024-3727\` or \`GHSA-qh2h-chj9-jffq\` (case insensitive).
    - Parameter: Finding Name
    Description: Match full or partial finding name.
    - Parameter: Dependency Name
    Description: Match full or partial dependency name.
    - Parameter: Package Name
    Description: Match full or partial package name. Do not specify a package version if you want the exception to apply to multiple versions of the package.
    - Parameter: Fix Availability
    Description: Select **Fix Not Available** to apply the exception if a patch is not available for the dependency.


    `}
</YamlTable>

### Custom (Advanced)

Define exceptions based on custom criteria that are less common for findings. For example, you can exclude all findings generated based on approximate scans for a specific ecosystem.

The following table describes the parameters.

<YamlTable>
  {`


    - Parameter: Vulnerability ID
    Description: The vulnerability identifier. For example, \`CVE-2024-3727\` or \`GHSA-qh2h-chj9-jffq\` (case insensitive).
    - Parameter: Finding Name
    Description: Match full or partial finding name.
    - Parameter: Dependency Name
    Description: Match full or partial dependency name.
    - Parameter: Package Name
    Description: Match full or partial package name. Do not specify a package version here if you want the exception to apply to multiple versions of the package.
    - Parameter: Fix Availability
    Description: Select **Fix Not Available** to apply the exception if a patch is not available for the dependency.
    - Parameter: Category
    Description: Match finding category.
    - Parameter: Type
    Description: Match finding type.
    - Parameter: Severity
    Description: Match finding severity.
    - Parameter: Relationship
    Description: Select **Direct Dependency** to only match findings for direct dependencies, or **Transitive Dependency** to only match findings for transitive dependencies.
    - Parameter: Dependency Reachability
    Description: Match findings based on the reachability of the vulnerable dependency. Select **Unreachable Dependency** to match findings where the vulnerable dependency is not reachable, **Reachable Dependency** to match findings where the vulnerable dependency is reachable, and **Potentially Reachable Dependency** to match findings where the vulnerable dependency is potentially reachable. You can choose any combination of these options. Be aware that the more options you select, the more exceptions you will create. This might result in the exclusion of important findings.
    - Parameter: Function Reachability
    Description: Match findings based on the reachability of the vulnerable function. Select **Unreachable Function** to match findings where the vulnerable function is not reachable, **Reachable Function** to match findings where the vulnerable function is reachable, and **Potentially Reachable Function** to match findings where the vulnerable function is potentially reachable. Be aware that the more options you select, the more exceptions you will create. This might result in the exclusion of important findings.
    - Parameter: Ecosystem
    Description: Match finding ecosystem.
    - Parameter: Custom Tag
    Description: Apply exceptions to findings with this meta tag, set by the policy that generated the finding or with the \`--finding-tags\` CLI option. These tags are different and separate from the system defined finding tags.
    - Parameter: File Path
    Description: Only match findings for dependencies or files that match this glob style file pattern. For example, \`src/golang/**\`.
    - Parameter: Dependency Scope
    Description: Match findings based on the scope of the dependency. Select **Normal** to match findings generated for dependencies essential for the primary operation of the application, and used in a production environment. Select **Test** to match findings for dependencies required for testing purposes, such as testing frameworks and libraries not used in a production environment. You can choose either option or both.
    - Parameter: Approximate Dependency
    Description: Select **Yes** to match findings that have been generated based on approximate scans.
    - Parameter: Phantom Dependency
    Description: Select **Yes** to match findings for phantom dependencies. Matches all finding types unless specified otherwise.


    `}
</YamlTable>

### Vulnerabilities

Define exceptions for vulnerability findings.

<YamlTable>
  {`


    - Parameter: Vulnerability ID
    Description: The vulnerability identifier. For example, \`CVE-2024-3727\` or \`GHSA-qh2h-chj9-jffq\` (case insensitive).
    - Parameter: Fix Availability
    Description: Select **Fix Not Available** to apply the exception if a patch is not available for the dependency.
    - Parameter: Severity
    Description: Match finding severity.
    - Parameter: Relationship
    Description: Select **Direct Dependency** to only match findings for direct dependencies, or **Transitive Dependency** to only match findings for transitive dependencies.
    - Parameter: Dependency Scope
    Description: Match findings based on the scope of the dependency. Select **Normal** to match findings generated for dependencies essential for the primary operation of the application, and used in a production environment. Select **Test** to match findings for dependencies required for testing purposes, such as testing frameworks and libraries not used in a production environment. You can choose either option or both.
    - Parameter: Approximate Dependency
    Description: Select **Yes** to match findings that have been generated based on approximate scans.


    `}
</YamlTable>

## SCA

Use these templates to define exceptions for Software Composition Analysis (SCA) findings, including vulnerabilities, outdated dependencies, unmaintained packages, license risks, and other issues in your open-source dependencies.

### Common

Define exceptions for common use cases such as:

* Exclude a specific finding, for a specific package, for a specific dependency.
* Exclude all findings for a specific dependency.
* Exclude all findings for a specific package.
* Exclude all vulnerabilities that do not have a patch available.

The following table describes the parameters.

<YamlTable>
  {`


    - Parameter: Vulnerability ID
    Description: The vulnerability identifier. For example, \`CVE-2024-3727\` or \`GHSA-qh2h-chj9-jffq\` (case insensitive).
    - Parameter: Finding Name
    Description: Match full or partial finding name.
    - Parameter: Dependency Name
    Description: Match full or partial dependency name.
    - Parameter: Package Name
    Description: Match full or partial package name. Do not specify a package version if you want the exception to apply to multiple versions of the package.
    - Parameter: Fix Availability
    Description: Select **Fix Not Available** to apply the exception if a patch is not available for the dependency.


    `}
</YamlTable>

### Custom (Advanced)

Define exceptions based on custom criteria that are less common for findings. For example, you can exclude all findings generated based on approximate scans for a specific ecosystem.

The following table describes the parameters.

<YamlTable>
  {`


    - Parameter: Vulnerability ID
    Description: The vulnerability identifier. For example, \`CVE-2024-3727\` or \`GHSA-qh2h-chj9-jffq\` (case insensitive).
    - Parameter: Finding Name
    Description: Match full or partial finding name.
    - Parameter: Dependency Name
    Description: Match full or partial dependency name.
    - Parameter: Package Name
    Description: Match full or partial package name. Do not specify a package version here if you want the exception to apply to multiple versions of the package.
    - Parameter: Fix Availability
    Description: Select **Fix Not Available** to apply the exception if a patch is not available for the dependency.
    - Parameter: Category
    Description: Match finding category.
    - Parameter: Type
    Description: Match finding type.
    - Parameter: Severity
    Description: Match finding severity.
    - Parameter: Relationship
    Description: Select **Direct Dependency** to only match findings for direct dependencies, or **Transitive Dependency** to only match findings for transitive dependencies.
    - Parameter: Dependency Reachability
    Description: Match findings based on the reachability of the vulnerable dependency. Select **Unreachable Dependency** to match findings where the vulnerable dependency is not reachable, **Reachable Dependency** to match findings where the vulnerable dependency is reachable, and **Potentially Reachable Dependency** to match findings where the vulnerable dependency is potentially reachable. You can choose any combination of these options. Be aware that the more options you select, the more exceptions you will create. This might result in the exclusion of important findings.
    - Parameter: Function Reachability
    Description: Match findings based on the reachability of the vulnerable function. Select **Unreachable Function** to match findings where the vulnerable function is not reachable, **Reachable Function** to match findings where the vulnerable function is reachable, and **Potentially Reachable Function** to match findings where the vulnerable function is potentially reachable. Be aware that the more options you select, the more exceptions you will create. This might result in the exclusion of important findings.
    - Parameter: Ecosystem
    Description: Match finding ecosystem.
    - Parameter: Custom Tag
    Description: Apply exceptions to findings with this meta tag, set by the policy that generated the finding or with the \`--finding-tags\` CLI option. These tags are different and separate from the system defined finding tags.
    - Parameter: File Path
    Description: Only match findings for dependencies or files that match this glob style file pattern. For example, \`src/golang/**\`.
    - Parameter: Dependency Scope
    Description: Match findings based on the scope of the dependency. Select **Normal** to match findings generated for dependencies essential for the primary operation of the application, and used in a production environment. Select **Test** to match findings for dependencies required for testing purposes, such as testing frameworks and libraries not used in a production environment. You can choose either option or both.
    - Parameter: Approximate Dependency
    Description: Select **Yes** to match findings that have been generated based on approximate scans.
    - Parameter: Phantom Dependency
    Description: Select **Yes** to match findings for phantom dependencies. Matches all finding types unless specified otherwise.


    `}
</YamlTable>

### Vulnerabilities

Define exceptions for vulnerability findings.

<YamlTable>
  {`


    - Parameter: Vulnerability ID
    Description: The vulnerability identifier. For example, \`CVE-2024-3727\` or \`GHSA-qh2h-chj9-jffq\` (case insensitive).
    - Parameter: Fix Availability
    Description: Select **Fix Not Available** to apply the exception if a patch is not available for the dependency.
    - Parameter: Severity
    Description: Match finding severity.
    - Parameter: Relationship
    Description: Select **Direct Dependency** to only match findings for direct dependencies, or **Transitive Dependency** to only match findings for transitive dependencies.
    - Parameter: Dependency Scope
    Description: Match findings based on the scope of the dependency. Select **Normal** to match findings generated for dependencies essential for the primary operation of the application, and used in a production environment. Select **Test** to match findings for dependencies required for testing purposes, such as testing frameworks and libraries not used in a production environment. You can choose either option or both.
    - Parameter: Approximate Dependency
    Description: Select **Yes** to match findings that have been generated based on approximate scans.


    `}
</YamlTable>

### Malware

Define exceptions for malware findings.

<YamlTable>
  {`


    - Parameter: Malware ID
    Description: The malware identifier. For example, \`MAL-2025-2422\` or \`GHSA-pfwm-66hm-9h5r\` or \`SNYK-JS-TFJSLAYERS-9406475\` (case insensitive).
    - Parameter: Status
    Description: Select the status of the malware finding, such as **Malware** for confirmed malware, **Telemetry** if the package is not always malicious but may expose environment details, or **Unhealthy** if the package appears broken or non-functional.
    - Parameter: Ecosystem
    Description: Match finding ecosystem.
    - Parameter: Dependency Name
    Description: Match full or partial dependency name.
    - Parameter: Dependency Scope
    Description: Match findings based on the scope of the dependency. Select **Normal** to match findings generated for dependencies essential for the primary operation of the application, and used in a production environment. Select **Test** to match findings for dependencies required for testing purposes, such as testing frameworks and libraries not used in a production environment. You can choose either option or both.
    - Parameter: Exclude Approximate
    Description: Select **Yes** to match findings that are generated based on approximate scans.


    `}
</YamlTable>

## Secrets

Define exceptions for secrets findings.

<YamlTable>
  {`


    - Parameter: Validation Status
    Description: Select secret validation status: **Valid**, **Invalid**, or **Unable to Validate**.
    - Parameter: Custom Tag
    Description: Only match findings with this custom tag, set by the policy that generated the finding or with the \`--finding-tags\` CLI option. These tags are different and separate from the system defined finding tags.
    - Parameter: File Path
    Description: Only match findings for files that match this glob style file pattern. For example, \`src/golang/**\`.


    `}
</YamlTable>

## Malware

Define exceptions for malware findings.

<YamlTable>
  {`


    - Parameter: Malware ID
    Description: The malware identifier. For example, \`MAL-2025-2422\` or \`GHSA-pfwm-66hm-9h5r\` or \`SNYK-JS-TFJSLAYERS-9406475\` (case insensitive).
    - Parameter: Status
    Description: Select the status of the malware finding, such as **Malware** for confirmed malware, **Telemetry** if the package is not always malicious but may expose environment details, or **Unhealthy** if the package appears broken or non-functional.
    - Parameter: Ecosystem
    Description: Match finding ecosystem.
    - Parameter: Dependency Name
    Description: Match full or partial dependency name.
    - Parameter: Dependency Scope
    Description: Match findings based on the scope of the dependency. Select **Normal** to match findings generated for dependencies essential for the primary operation of the application, and used in a production environment. Select **Test** to match findings for dependencies required for testing purposes, such as testing frameworks and libraries not used in a production environment. You can choose either option or both.
    - Parameter: Exclude Approximate
    Description: Select **Yes** to match findings that are generated based on approximate scans.


    `}
</YamlTable>

## SAST

Define exceptions for SAST findings.

<YamlTable>
  {`


    - Parameter: Rule Name
    Description: Full name of the rule. For example, \`Insecure cookie-based authentication\` (case insensitive).
    - Parameter: SAST Tag
    Description: Only match findings with this SAST tag. For example, \`A02:2021\` or \`OWASP-Top-10\` (case insensitive).
    - Parameter: Custom Tag
    Description: Only match findings with this meta tag, set by the policy that generated the finding or with the \`--finding-tags\` CLI option. These tags are different and separate from the system defined finding tags.
    - Parameter: CWE
    Description: Only match findings with this CWE. For example, \`CWE-123\` or \`CWE-456\` (case insensitive).
    - Parameter: File Scope
    Description: Only match findings with this file scope. For example, \`Normal\` or \`Test\`.
    - Parameter: File Path
    Description: Only match findings for files that match this glob style file pattern. For example, \`src/golang/**\`.


    `}
</YamlTable>

## Vulnerabilities

Use these templates to define exceptions for vulnerability findings, including CVEs, security advisories, and known exploits in your dependencies.

### Common

Define exceptions for common use cases such as:

* Exclude a specific finding, for a specific package, for a specific dependency.
* Exclude all findings for a specific dependency.
* Exclude all findings for a specific package.
* Exclude all vulnerabilities that do not have a patch available.

The following table describes the parameters.

<YamlTable>
  {`


    - Parameter: Vulnerability ID
    Description: The vulnerability identifier. For example, \`CVE-2024-3727\` or \`GHSA-qh2h-chj9-jffq\` (case insensitive).
    - Parameter: Finding Name
    Description: Match full or partial finding name.
    - Parameter: Dependency Name
    Description: Match full or partial dependency name.
    - Parameter: Package Name
    Description: Match full or partial package name. Do not specify a package version if you want the exception to apply to multiple versions of the package.
    - Parameter: Fix Availability
    Description: Select **Fix Not Available** to apply the exception if a patch is not available for the dependency.


    `}
</YamlTable>

### Custom (Advanced)

Define exceptions based on custom criteria that are less common for findings. For example, you can exclude all findings generated based on approximate scans for a specific ecosystem.

The following table describes the parameters.

<YamlTable>
  {`


    - Parameter: Vulnerability ID
    Description: The vulnerability identifier. For example, \`CVE-2024-3727\` or \`GHSA-qh2h-chj9-jffq\` (case insensitive).
    - Parameter: Finding Name
    Description: Match full or partial finding name.
    - Parameter: Dependency Name
    Description: Match full or partial dependency name.
    - Parameter: Package Name
    Description: Match full or partial package name. Do not specify a package version here if you want the exception to apply to multiple versions of the package.
    - Parameter: Fix Availability
    Description: Select **Fix Not Available** to apply the exception if a patch is not available for the dependency.
    - Parameter: Category
    Description: Match finding category.
    - Parameter: Type
    Description: Match finding type.
    - Parameter: Severity
    Description: Match finding severity.
    - Parameter: Relationship
    Description: Select **Direct Dependency** to only match findings for direct dependencies, or **Transitive Dependency** to only match findings for transitive dependencies.
    - Parameter: Dependency Reachability
    Description: Match findings based on the reachability of the vulnerable dependency. Select **Unreachable Dependency** to match findings where the vulnerable dependency is not reachable, **Reachable Dependency** to match findings where the vulnerable dependency is reachable, and **Potentially Reachable Dependency** to match findings where the vulnerable dependency is potentially reachable. You can choose any combination of these options. Be aware that the more options you select, the more exceptions you will create. This might result in the exclusion of important findings.
    - Parameter: Function Reachability
    Description: Match findings based on the reachability of the vulnerable function. Select **Unreachable Function** to match findings where the vulnerable function is not reachable, **Reachable Function** to match findings where the vulnerable function is reachable, and **Potentially Reachable Function** to match findings where the vulnerable function is potentially reachable. Be aware that the more options you select, the more exceptions you will create. This might result in the exclusion of important findings.
    - Parameter: Ecosystem
    Description: Match finding ecosystem.
    - Parameter: Custom Tag
    Description: Apply exceptions to findings with this meta tag, set by the policy that generated the finding or with the \`--finding-tags\` CLI option. These tags are different and separate from the system defined finding tags.
    - Parameter: File Path
    Description: Only match findings for dependencies or files that match this glob style file pattern. For example, \`src/golang/**\`.
    - Parameter: Dependency Scope
    Description: Match findings based on the scope of the dependency. Select **Normal** to match findings generated for dependencies essential for the primary operation of the application, and used in a production environment. Select **Test** to match findings for dependencies required for testing purposes, such as testing frameworks and libraries not used in a production environment. You can choose either option or both.
    - Parameter: Approximate Dependency
    Description: Select **Yes** to match findings that have been generated based on approximate scans.
    - Parameter: Phantom Dependency
    Description: Select **Yes** to match findings for phantom dependencies. Matches all finding types unless specified otherwise.


    `}
</YamlTable>

### Vulnerabilities

Define exceptions for vulnerability findings.

<YamlTable>
  {`


    - Parameter: Vulnerability ID
    Description: The vulnerability identifier. For example, \`CVE-2024-3727\` or \`GHSA-qh2h-chj9-jffq\` (case insensitive).
    - Parameter: Fix Availability
    Description: Select **Fix Not Available** to apply the exception if a patch is not available for the dependency.
    - Parameter: Severity
    Description: Match finding severity.
    - Parameter: Relationship
    Description: Select **Direct Dependency** to only match findings for direct dependencies, or **Transitive Dependency** to only match findings for transitive dependencies.
    - Parameter: Dependency Scope
    Description: Match findings based on the scope of the dependency. Select **Normal** to match findings generated for dependencies essential for the primary operation of the application, and used in a production environment. Select **Test** to match findings for dependencies required for testing purposes, such as testing frameworks and libraries not used in a production environment. You can choose either option or both.
    - Parameter: Approximate Dependency
    Description: Select **Yes** to match findings that have been generated based on approximate scans.


    `}
</YamlTable>
