Baseline & Suppressions

Hardpoint’s baseline system lets you suppress known-safe findings to reduce noise and focus on real issues.

Configuration File

Create `.hardpoint/baseline.yaml` in your project or home directory:

```yaml
suppressions:
  - id: AI-001
    reason: Intentional override for testing

  - id: SHELL-002
    pattern: "homebrew"
    reason: Official Homebrew installer

  - id: SECRET-001
    file: "tests/*.env"
    reason: Test fixtures with fake credentials
```

Suppression Fields

| Field | Required | Description |
|---|---|---|
| `id` | Yes | Finding ID to suppress (e.g., `AI-001`) |
| `reason` | Yes | Why this finding is suppressed |
| `file` | No | Glob pattern for specific files |
| `pattern` | No | Regex to match in line content |
| `expires` | No | Expiration date (ISO 8601) |

Matching Rules

By Finding ID Only

Suppresses all findings with this ID, in every file:

```yaml
suppressions:
  - id: NET-001
    reason: Development server intentionally exposed
```

By File Pattern

Only suppresses findings in files matching the glob:

```yaml
suppressions:
  - id: SECRET-001
    file: "tests/**/*.env"
    reason: Test fixtures
```

Glob patterns supported:

- `*` - Match any characters except `/`
- `**` - Match any characters including `/`
- `?` - Match a single character

By Content Pattern

Only suppresses findings whose line content matches the regex:

```yaml
suppressions:
  - id: SHELL-002
    pattern: "brew\\.sh|homebrew"
    reason: Official package manager
```

With Expiration

Temporary suppressions:

```yaml
suppressions:
  - id: AI-002
    reason: Temporary during migration
    expires: 2025-03-01T00:00:00Z
```

Expired suppressions are automatically ignored.
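The matching rules in this section, as an added illustrative Python reimplementation (example code, not Hardpoint's own matcher): the sample baseline, scan times and finding records are constructed, and treating every field a rule sets as AND-combined with the first live matching rule winning is an assumption about Hardpoint's behaviour.

```python
import re
from datetime import datetime, timezone

# Constructed sample baseline, equivalent to the YAML in the matching-rule sections above.
SUPPRESSIONS = [
    {"id": "NET-001", "reason": "Development server intentionally exposed"},
    {"id": "SECRET-001", "file": "tests/**/*.env", "reason": "Test fixtures"},
    {"id": "SHELL-002", "pattern": r"brew\.sh|homebrew", "reason": "Official package manager"},
    {"id": "AI-002", "reason": "Temporary during migration", "expires": "2025-03-01T00:00:00Z"},
]
# Constructed scan times, one before and one after the AI-002 expiry.
BEFORE_EXPIRY = datetime(2025, 1, 15, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2025, 4, 1, tzinfo=timezone.utc)

# Glob syntax from the page: ** crosses '/', while * and ? stay within one path component.
GLOB_TOKENS = {"**/": "(?:.*/)?", "**": ".*", "*": "[^/]*", "?": "[^/]"}


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a `file:` glob into an anchored regex over the full relative path."""
    parts = re.split(r"(\*\*/|\*\*|\*|\?)", pattern)  # odd indices are glob tokens
    return re.compile("^" + "".join(GLOB_TOKENS.get(p) or re.escape(p) for p in parts) + "$")


def is_expired(rule: dict, now: datetime) -> bool:
    """Rules whose `expires` timestamp has passed are ignored entirely."""
    expires = rule.get("expires")
    return bool(expires) and datetime.fromisoformat(expires.replace("Z", "+00:00")) <= now


def is_suppressed(finding: dict, rules: list, now: datetime) -> bool:
    """A live rule applies when its id matches and every optional field it sets matches too
    (AND semantics is an assumption of this example, not documented Hardpoint behaviour)."""
    for rule in rules:
        if rule["id"] != finding["id"] or is_expired(rule, now):
            continue
        if "file" in rule and not glob_to_regex(rule["file"]).match(finding["file"]):
            continue
        if "pattern" in rule and not re.search(rule["pattern"], finding["line"]):
            continue
        return True
    return False
```

A finding is a dict with `id`, `file` (path relative to the scan root) and `line` (the matched line's content); the expiry comparison uses an explicit `now` so the same baseline can be evaluated at different times.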

Examples

Suppress Test Fixtures

```yaml
suppressions:
  - id: AI-001
    file: "testdata/**"
    reason: Test fixtures for scanner validation

  - id: SECRET-001
    file: "tests/**"
    reason: Fake credentials for testing
```

Suppress Known-Safe Patterns

```yaml
suppressions:
  - id: SHELL-002
    pattern: "nvm\\.sh|rvm|homebrew"
    reason: Official version managers and package managers
```

Suppress During Investigation

```yaml
suppressions:
  - id: GIT-001
    file: ".git/hooks/pre-commit"
    reason: Investigating - ticket #1234
    expires: 2025-02-01T00:00:00Z
```

CLI Commands

Hardpoint provides CLI commands to manage baselines:

```bash
# List all suppressions
hardpoint baseline list

# Add a new suppression
hardpoint baseline add AI-001 --reason "Known safe pattern"

# Remove expired suppressions
hardpoint baseline prune

# Preview what would be removed
hardpoint baseline prune --dry-run
```

See the `baseline` command for full documentation.

Viewing Active Suppressions

When running with `--verbose`, Hardpoint shows suppression statistics:

```bash
hardpoint scan --verbose
```

Output includes:

```
Suppressed 3 findings via baseline
```

Best Practices

  1. Always include a reason - Future you will thank present you
  2. Use specific patterns - Avoid overly broad suppressions
  3. Set expiration dates - For temporary suppressions
  4. Review periodically - Remove stale suppressions
  5. Keep in version control - Track changes to suppressions
> [!CAUTION]
> Be careful not to suppress real security issues. Only suppress findings you have verified are false positives or accepted risks.