Exclusions: cutting noise without creating gaps
How to exclude noisy assets safely, and what to document so the exclusions survive audit.
Updated · exclusions · noise
There are good reasons to exclude an asset from scanning: it's managed by a third party, it's ephemeral, it's out of compliance scope, or a scan causes genuine operational pain. There are also bad reasons, most of which reduce to “the findings are annoying.”
Anatomy of a good exclusion
Every exclusion should have:
- A scope (single asset, pattern, or tag).
- A reason, in plain English.
- An owner who can be asked “is this still valid?”
- An expiry date. Ninety days is a reasonable default.
Patterns to watch for
- Exclusions as bug suppressions: if you're excluding to silence a specific finding type, fix the rule, not the scope.
- Exclusions without expiry: they become forever. Set a review cadence.
- Exclusions that affect compliance scope: get a sign-off in writing and file it with your compliance evidence.