Skip to main content
Skip table of contents

Suppression Requests for SAST in SCMs

Note: This feature is currently limited and disabled by default. It will become available gradually over the course of October-November 2025.

Overview

With Mend’s suppression feature, developers can suppress false positives or non-actionable security findings directly from their code repositories, without switching into the Mend AppSec platform.

The Approval Workflow extends this capability: suppression requests can optionally require review and approval by security team members or designated approvers, ensuring controlled governance.

Getting it done

Enabling the Suppression Feature in Your Repository

To enable and manage suppression directly from your repository, introduce the findingSuppressions parameter within the scanSettingsSAST section of your .whitesource file:

CODE 
"scanSettingsSAST": {
  "findingSuppressions": "requireApproval"
}

Available options for the findingSuppressions parameter:

  • requireApproval - If this option is selected, a Developer can mark Security Findings for Suppressions and wait for an Approver to Approve / Reject the action.

image-20251013-091524.png

The Request Suppression section appears when “requireApproval” is specified for the Findings Suppressions parameter.

  • enabled (default) - Suppressions are available through the repository and are applied immediately once selected.

image-20251013-091622.png

Once enabled, you will have the option to suppress findings without the approval process.

Please note that after updating the settings, you’ll need to rerun the scan for the changes to take effect. You can do this by selecting the checkbox in the Issues tab to manually trigger a scan or by adding a new commit to an existing feature branch.

  • disabled - Suppressions are not available through the repository scans.

Scope: The main use case for suppressions from the repo is on Pull Requests because this is where a false positive could really be a blocker for a developer.

In addition, suppressions are also supported from the Code Security Report Issue and from GitHub issues created for individual findings.

Once a suppression request is submitted, you’ll see an indication of the pending request for the security person within your organization who’s responsible for reviewing suppression requests:

image-20251014-133449.png

Mend Platform Approval/Rejection Process

After the suppression request is submitted through the repo, it will be visible in the Mend Platform for the security persona via the Suppression Request screen within a specific Application/Project:

image-20251013-104549.png

To approve or reject a suppression request, you can either select a specific suppression request and then click Approve Suppression or Reject Suppression, or click on the relevant finding and choose whether to approve or reject the request. After making your choice, confirm by approving or rejecting the suppression request.

image-20251014-134531.png

Approve/Reject via the bulk option

image-20251014-140034.png

Approve/Reject via the side panel of a specific finding

  • If approved, the code finding will have the “Suppressed” status within the Mend Platform and will disappear from the Mend Code Security Check.

  • If rejected, the code finding will have the “Unreviewed” status and will remain as an active finding detected. The indication for the rejection will be visible through the Mend Code Security Check in the repo integration, with a comment on the reason.

    image-20251014-135910.png

Reference

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close