Skip to main content
Use the ignore command to add findings or vulnerability IDs to the ignore file, which is used to dismiss findings during scans. This allows developers to request exceptions directly in their pull requests and provides teams with the option to manage exceptions directly in the source code.
You must enable ignore file support in Settings > SYSTEM SETTINGS > Developer Workflows for ignore files to be processed during scans.

Usage

The syntax of the endorctl ignore command is: 
endorctl ignore [--finding-uuid <uuid> | --vuln-id <vuln-id>] [-i] [flags]
You must provide --finding-uuid, --vuln-id, or --interactive. If you provide a finding UUID, you must also provide --namespace. The more fields you provide, the more specific the ignore entry is. For example, if you only provide the finding name and there are multiple findings with the same name in the same repository version, the ignore entry is applied to all of them.

Options

The command endorctl ignore uses the following flags and environment variables:

Examples

Ignore a finding based on UUID

Ignore a specific finding based on the UUID and enter details such as reason and expiration-date interactively: 
endorctl ignore --finding-uuid $FINDING_UUID --namespace $NAMESPACE -i
Ignore finding UUID interactive

Ignore entry based on finding UUID and interactive input

Here the user entered the reason, expiration date, and comments interactively. The rest was automatically populated based on the finding UUID. The default prefix is the finding project name. 
 version: 1.0.0
 ignore:
   - id: endorlabs/app-java-demo-1
     username: bob@corp.com@google
     update_time: 2026-02-09 22:35:04 UTC
     finding_name: Unmaintained Dependency org.webjars.bowergithub.webcomponents:shadycss@1.9.1
     parent_name: mvn://com.endor.webapp:endor-java-webapp-demo@4.0-SNAPSHOT
     dependency_name: mvn://org.webjars.bowergithub.webcomponents:shadycss@1.9.1
     extra_key: mvn://org.webjars.bowergithub.webcomponents:shadycss@1.9.1
     reason: other
     expiration_date: 2026-03-01
     comments: Will change to a better dependency in a separate commit

Enter all details interactively

Enter all details about which findings to ignore interactively, without the UUID: 
endorctl ignore -i
Ignore interactive

Ignore entry based on interactive input only

Here the user entered the finding name, reason, expiration date, and comments interactively. The default prefix is endorignore-. 
 version: 1.0.0
 ignore:
   - id: endorignore-1
     username: bob@corp.com@google
     update_time: 2026-02-09 22:36:01 UTC
     finding_name: Unmaintained Dependency org.webjars.bowergithub.webcomponents:shadycss@1.9.1
     reason: other
     expiration_date: 2026-03-01
     comments: Will change to a better dependency in a separate commit

Automation

Use command in a script to ignore findings based on UUID with a custom prefix: 
endorctl ignore \
  --path=$PATH_TO_IGNORE_FILE \
  --prefix=$CUSTOM_PREFIX \
  --namespace=$NAMESPACE \
  --finding-uuid=$FINDING_UUID \
  --username=$USERNAME \
  --reason=$REASON \
  --comments=$COMMENTS \
  --expiration-date=$EXPIRATON_DATE \
  --expire-if-fix-available=$EXPIRE_IF_FIX_AVAILABLE