Inline Suppression

Two mechanisms suppress individual findings without disabling the underlying rule for the whole project: inline novygl comments in source, or fingerprints in .vygl.yml. Either way, the suppressed finding still appears in the dashboard with status ignored so the audit trail is preserved.

Add a comment on the same line as the finding to suppress it.

# Suppress a specific rule on this line
password = "test123" # novygl: secrets.generic.password-assignment
# Suppress all Vygl findings on this line
api_key = "AKIAIOSFODNN7EXAMPLE" # novygl

The form is # novygl: <rule-id> (specific) or # novygl (all rules on this line). Works with every comment style:

secrets.aws.access-key-id
-- novygl: secrets.generic.connection-string
<!-- novygl: sast.javascript.unescaped-html -->

The rule ID matches the one shown in the finding detail view.
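An audit check for the comment forms above, as an added example that is not Vygl's own code: it lists bare novygl markers, which suppress every rule on the line, so a reviewer can ask for a specific rule ID. The marker regex and its comment openers, the function names and the sample files are assumptions built from the lines shown on this page.

```python
import re

# Assumption: grammar inferred from the forms shown on this page, i.e. a
# comment opener, the word "novygl", and an optional ": <rule-id>".
# This is not Vygl's own parser.
MARKER = re.compile(
    r"(?:#|//|--|<!--|/\*)\s*novygl\b"
    r"(?:\s*:\s*(?P<rule>\w+(?:[.-]\w+)*))?"
)

def find_suppressions(path, text):
    """Return (path, line_no, rule_id) per marker; rule_id is None for a bare novygl."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = MARKER.search(line)
        if m:
            hits.append((path, line_no, m.group("rule")))
    return hits

def blanket_suppressions(files):
    """Markers without a rule ID hide every rule on the line; list them for review."""
    return [hit
            for path, text in files.items()
            for hit in find_suppressions(path, text)
            if hit[2] is None]

# Constructed sample files, reusing the example lines from this page.
SAMPLE = {
    "tests/fixtures.py": (
        'password = "test123" # novygl: secrets.generic.password-assignment\n'
        'api_key = "AKIAIOSFODNN7EXAMPLE" # novygl\n'
    ),
    "db/seed.sql": "SELECT 1; -- novygl: secrets.generic.connection-string\n",
    "web/index.html": "<div></div> <!-- novygl: sast.javascript.unescaped-html -->\n",
}

if __name__ == "__main__":
    for path, line_no, _ in blanket_suppressions(SAMPLE):
        print(f"{path}:{line_no}: bare novygl suppresses all rules; name the rule ID")
```

The match is purely textual, so a marker that appears inside a string literal is reported too; treat the output as a review list rather than a hard gate.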

For findings where you can’t (or shouldn’t) modify the source, pin the fingerprint in .vygl.yml:

ignore:
  fingerprints:
    - "abc123def456..." # Known false positive — see VYGL-789 for context

Copy the fingerprint from the finding detail view in the dashboard. Fingerprints are stable: they’re computed from rule, file, line, and a normalized snippet — they survive code reformatting and unrelated edits to surrounding code.

  • Inline comment — when the suppression should travel with the code (e.g. test fixtures with deliberately-insecure values, documented hardcoded examples in tutorials).
  • Fingerprint ignore — when modifying the source isn’t appropriate (e.g. vendored code, generated files), or when you want suppressions reviewed via a config-only change to .vygl.yml.