Overview
Your development team can directly suppress code findings identified by Mend Code Security Checks as false positives right within your GitHub repository. This eliminates the need to switch contexts to the Mend AppSec Platform, enabling developers to work uninterrupted within their familiar workflow. Suppressing false-positive findings directly from your repository ensures that your Pull Requests (PRs) do not get blocked unnecessarily.
Note: For more about suppressing findings within the Mend AppSec Platform, please refer to our Triage your Code Security Findings documentation.
Getting it done
Enabling the Suppression Feature in Your Repository
To enable and manage suppression directly from your GitHub repository, introduce the findingSuppressions parameter within the scanSettingsSAST section of your .whitesource file:
  "scanSettingsSAST": {
    "findingSuppressions": "enabled"
  }
Available options for the findingSuppressions parameter:
- enabled (default) - Suppressions are available through the repository and are applied immediately once selected.
- requireApproval - If this option is selected, a Developer can mark Security Findings for Suppression and wait for an Approver to Approve / Reject the action (to learn more about this option, navigate to our Suppression Requests for SAST in SCMs documentation).
- disabled - Suppressions are not available through the repository scans.
Scope: The main use case for suppressions from the repo is on Pull Requests because this is where a false positive could really be a blocker for a developer.
In addition, suppressions are also supported from the Code Security Report Issue and from GitHub issues created for individual findings.
Configuring the Available Suppression Reasons
By default, developers can suppress findings using two reasons: false positive and acceptable risk. Security managers can control exactly which suppression reasons are offered to developers in the repository flow by adding the optional suppressionReasons array to the scanSettingsSAST section of the .whitesource file:
  "scanSettingsSAST": {
    "findingSuppressions": "enabled",
    "suppressionReasons": ["false-positive", "acceptable-risk", "temporarily-ignore", "other"]
  }
Accepted values for the suppressionReasons array:
- false-positive
- acceptable-risk
- temporarily-ignore
- other
Notes:
- When the field is set, only the reasons listed in the array are presented as available options in the GitHub suppression flow, both in the inline comment instructions and in the /mend code suppress command.
- When the array is empty ([]), the default reasons are used: false-positive and acceptable-risk.
- This setting controls which reasons are presented in the GitHub flow; it does not block manually typed commands. If a developer manually types a /mend code suppress command with a reason that is not in the configured array, the command is still processed. This setting also affects only the GitHub repository flow; it does not change the suppression reason options available in the Mend AppSec Platform UI.
Suppress Findings From a Check Run
When a GitHub check run identifies a code security issue, Mend automatically creates inline comments on the PR, highlighting the specific finding directly in the new code at the identified line.
To suppress a finding, reply to the inline comment with the suppression command and one of the supported reasons:
- To suppress as a false positive, comment on the GitHub issue with the provided syntax. You can also add an additional comment that will be saved as a "User comment" on the feedback comment.
  In this example: /mend code suppress false-positive 1e5e745e-ff85-401a-a5e8-6e1195c8b056 Optional Comment
- To suppress as an acceptable risk, comment on the GitHub issue with the provided syntax. You can also add an additional comment that will be saved as a "User comment" on the feedback comment.
  In this example: /mend code suppress acceptable-risk 1e5e745e-ff85-401a-a5e8-6e1195c8b056 Optional Comment
Once commented with the appropriate reason, and depending on the findingSuppressions parameter setting, the finding will either be suppressed immediately in the Mend AppSec Platform or submitted there as a suppression request awaiting approval.
Once the suppression is applied or the request is approved, the finding is removed from the Mend Code Security Check, and if it was the only finding, the check run will pass successfully.
Suppress Findings From a Code Security Finding
When a GitHub check run completes, and an issue per finding is configured, Mend automatically creates a GitHub Issue for each code finding.
To suppress a finding, expand the corresponding section of the GitHub Issue. It contains two comment options with the possible suppression reasons. Comment on the GitHub Issue using the provided syntax; you may add an extra comment that is saved as a "User comment" on the feedback comment. Because the Issue already identifies the finding, no finding ID is needed in the command.
- /mend code suppress false-positive Optional comment
- /mend code suppress acceptable-risk Optional comment
Once commented with the appropriate reason, and depending on the findingSuppressions parameter setting, the finding will either be suppressed immediately in the Mend AppSec Platform or submitted there as a suppression request awaiting approval.
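The following is an added example, not Mend's own code, that ties together the two parts above: it reads the scanSettingsSAST section of a .whitesource file to work out which findingSuppressions mode and reason list the GitHub flow will use, and it parses /mend code suppress comments (with the finding ID used on check-run inline comments, or without it as on per-finding Issues). Because Mend still processes a manually typed reason that is outside the configured array, the parser flags such commands so a review or audit job can surface them. It assumes that an absent findingSuppressions key falls back to the page's stated default (enabled); the sample config and comments are constructed.

```python
import json
import re
from typing import Optional

# Values documented for the .whitesource scanSettingsSAST section.
VALID_MODES = {"enabled", "requireApproval", "disabled"}
VALID_REASONS = {"false-positive", "acceptable-risk", "temporarily-ignore", "other"}
DEFAULT_REASONS = ["false-positive", "acceptable-risk"]

# Command shape: reason, optional finding ID (present on check-run inline
# comments, absent on per-finding GitHub Issues), optional user comment.
UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
SUPPRESS_RE = re.compile(
    r"^/mend code suppress\s+(?P<reason>\S+)"
    rf"(?:\s+(?P<finding>{UUID}))?(?:\s+(?P<comment>.+))?$"
)


def effective_suppression_settings(whitesource_json: str) -> dict:
    """Return the mode and reason list the GitHub flow will offer, rejecting
    values the documentation does not list. Assumption: a missing
    findingSuppressions key behaves like the documented default, enabled."""
    sast = json.loads(whitesource_json).get("scanSettingsSAST", {})
    mode = sast.get("findingSuppressions", "enabled")
    if mode not in VALID_MODES:
        raise ValueError(f"unknown findingSuppressions value: {mode!r}")
    reasons = sast.get("suppressionReasons") or DEFAULT_REASONS  # [] -> defaults
    if not isinstance(reasons, list):
        raise ValueError("suppressionReasons must be an array")
    unknown = set(reasons) - VALID_REASONS
    if unknown:
        raise ValueError(f"unknown suppressionReasons: {sorted(unknown)}")
    return {"mode": mode, "reasons": list(reasons)}


def parse_suppress_command(comment_body: str, allowed_reasons) -> Optional[dict]:
    """Parse one PR or Issue comment; None if it is not a suppress command.
    'listed' is False when the reason is outside the configured array: Mend
    still processes such a command, so an audit job should surface it."""
    m = SUPPRESS_RE.match(comment_body.strip())
    if not m:
        return None
    return {
        "reason": m["reason"],
        "finding_id": m["finding"],
        "comment": m["comment"],
        "listed": m["reason"] in set(allowed_reasons),
    }
```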
Re-running Checks after Suppression
Suppressing a finding does not automatically trigger a re-scan or update of the existing GitHub check run. Due to the potential duration of scans, developers may prefer to suppress multiple findings before re-scanning.
To manually trigger a re-scan:
- Click the Re-run button on the relevant GitHub check run.
- A status of "In Progress" will appear temporarily.
- After completion, the results of the check run will reflect the updated status, removing all suppressed findings.
Note: A built-in 5-minute delay prevents excessive re-running of scans. If an immediate update is necessary, you can trigger a scan quickly by committing a trivial code change, such as modifying whitespace or adding a comment.
Suppression Visibility after Merging a PR
After merging the PR and scanning the base branch, all suppressed findings become visible in the Mend AppSec Platform with a suppressed status. The suppression details, including the reason and the GitHub username of the developer who performed the suppression, are clearly displayed for audit and tracking purposes.