Ignore Rules

JFrog Security Documentation

JFrog Xray
Content Type
User Guide


This feature is available with Artifactory version 7.10.5 and above.

This feature requires you to have the Manage Watches role. For more information, see Users and Groups.Introduction to Users and Groups

Some of the feature enhancements introduced in Xray version 3.13.0 require Artifactory version 7.12.0 and above. For more information, see Xray Release Notes 3.13.0.Xray Release Notes

In some cases, when violations are detected, as security or legal personnel, you would like to accept or whitelist some of these violations. This could be for different reasons, such as:

  • Although the security vulnerability is real, you have ways to protect against it (such as a WAF configuration).

  • The conditions needed for this vulnerability to happen are not met in the specific case.

  • As an organization, you are aware of the violation, but you would still like to release the product.

  • The violation is not a showstopper, and you would like to deal with it in future versions.

  • The violation is a false positive.

  • The violation is valid, but you need more time to deal with it. Time based ignore enables you to silence the violation for a period of time. Once that period expires, the Ignore Rule will be deleted automatically, and if the violation occurs again it will not be ignored moving forward.

In such cases, the ignore violations feature, enables you to have granular control on the violations that should be ignored. Xray allows you to define the scope of the ignore rule on the vulnerability, component, artifact, watch level, and more. Thus, giving you the flexibility and control needed to apply the ignore rule.

The following procedures are supported when Ignoring violations: