Skip to main content

Create and Manage Vulnerability Exceptions

Add Vulnerability Exceptions

Add exceptions in two different ways:

  1. To add your exceptions on the Vulnerability Exceptions page (Vulnerabilities > Exceptions), click + Add exception at the top-right of the page.

  2. Use the Container Vulnerability (Vulnerabilities > Containers) and Host Vulnerability (Vulnerabilities > Hosts) pages to create contextual exceptions. For example, when you click on a CVE ID (when Group by CVE is active) in the Vulnerabilities List, then click Add exception, the contextual exception is automatically filled with the resource scope and vulnerability criteria based on the details of the vulnerability selected.

Define an exception by providing the Resource scope, Vulnerability Criteria, and Context. Click Save (or Cancel) once you have completed all of these fields.

info

Wildcards are not supported when defining scope or criteria for vulnerability exceptions.

Scope and criteria entries are case-sensitive.

Resource scope

Define which resources will be affected by the exclusion. The types of resources change depending on whether the exception is for a Container or Host.

Click the + Add Criteria button to provide additional resource types to constrain the scope of the exception depending on your requirements. For example, after selecting the Container domain, restrict the exception to a tag in a specific registry by including both the Image Tag and Registry criteria.

Container

Select Container from the Domain list. This will alter the available resource types.

vuln-exceptions-resource-scope-container.png

You can enter multiple values for each resource type. A description of each type is provided in the table below:

Resource TypeDescriptionExample
Image IDEnter the sha256 hash that was generated for the container image.sha256:ex4ampl3
Image TagEnter the container image tag.7.6
RegistryEnter the container registry.index.docker.io
RepositoryEnter the container repository.ecr_standard_images
NamespaceEnter the namespace for the package distribution (for example, an operating system or language package).rhel:7

Host

Select Host from the Domain list. This will alter the available resource types.

vuln-exceptions-resource-scope-host.png

You can enter multiple values for each resource type. A description of each type is provided in the table below:

Resource TypeDescriptionExample
HostnameEnter the hostname for the machine.ip-10-10-10-10.us-west-1.compute.internal
External IPEnter the external IP address.101.102.103.104
Cluster nameEnter the cluster name for the group of hosts.PROD1
NamespaceEnter the namespace for the package distribution (for example, an operating system or language package).rhel:7

Vulnerability Criteria

Define the criteria of the vulnerability to be excluded. The criteria value changes depending on the type of criteria selected.

vuln-exceptions-vulnerability-criteria.png

Click the + Add Criteria button to constrain the scope of the exception depending on your requirements. For example, restrict the exception to a non-fixable CVE by including both the CVE and Fixable=False criteria.

Each criteria option is described in the table below:

Vulnerability CriteriaDescriptionExample
CVEEnter the vulnerability (CVE) ID that you want to constrain the exception to. You can provide multiple IDs.CVE-2021-2389
FixableSelect True or False to constrain the exception to a fixable or non-fixable vulnerability.N/A
PackageEnter the package name (for example, an operating system or language package). This can include a version number. You can provide multiple package names.commons-collections:commons-collections::3.2.1
SeveritySelect the severity of the vulnerability to constrain the exception to a Critical, High, Medium, Low, or Info vulnerability. You can provide multiple severity levels.N/A

Context

Define the context of the exception.

vuln-exceptions-context.png

ContextDescription
NameProvide a name for the exception. This will appear as the header for the exception when viewing the Exceptions list.
ReasonSelect a reason for the exception from the list defined in Use Cases. You can also choose Other and provide a Comment.
ExpiresSelect an expiry date for the exception or leave it as Never.
CommentEnter your own comments regarding the exception.

Edit Vulnerability Exceptions

All exceptions can be edited in the Vulnerabilities > Exceptions page once they have been created.

  1. Click to view an existing exception in the Exceptions list.

  2. Click the Edit icons policy-edit-title.png to edit each field respectively.

  3. Click Save (or Cancel) when done.

Delete Vulnerability Exceptions

Exceptions can be deleted in the Vulnerabilities > Exceptions page once they have been created.

  1. Click to view an existing exception in the Exceptions list.

  2. Click the Delete icon policy-delete-option.png to delete the exception.

Disable an exception

Disable an exception (rather than deleting it) by changing the Expires date to the current date with a time set in the past. Then click Apply and Save.

For example, if today's date is 29th September 2022 2:32 PM, set the expiry date to 29th September 2022 2PM (or earlier).

vuln-exceptions-vulnerability-criteria-expires-disable.png

Add Contextual Vulnerability Exceptions

Add contextual exceptions by clicking Add Exception when viewing any individual Host, Image, or CVE assessment. This can be done in both the Container and Host Vulnerability pages.

vuln-exceptions-contextual-exception-cve-assessment.png

After clicking Add Exception, the exception form is filled in with the details based on the assessment viewed.

vuln-exceptions-contextual-exception-cve-assessment-filled.png

Add any additional criteria and the Context to complete the exception, then click Save.

You can also create contextual exceptions on the vulnerabilities list when filtering by certain groups.

vuln-exceptions-contextual-exception-package-name-vulnerabilities-list.png

When do changes to Vulnerability Exceptions become active?

When a vulnerability exception is added, changed, or deleted, the following timings apply:

  1. Platform, Proxy, and Inline Scanner: Changes to exceptions are active 5 minutes after the change is made.
  2. Container Assessment: If an exception change affects an active image, it will be reflected in the next continuous assessment.
  3. Host Assessment: The next daily re-evaluation will apply the changes to assessments on the respective online hosts.

Limit to Number of Vulnerability Exceptions

The total number of vulnerability exceptions that can exist in an environment is 100 for hosts and 150 for containers. This only includes active exceptions (expired/disabled exceptions are not counted).

You can delete or disable exceptions to reduce the number below the limit if urgent.

Contact Lacework Support if you want to discuss raising your vulnerability exception limits.

Create a Vulnerability Exception Using Terraform

For organizations using Terraform to manage their environments, Lacework maintains the Terraform Provider for Lacework which enables configuration of Lacework Vulnerability Exceptions using automation.

If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read the Terraform for Lacework Overview to learn the basics on how to configure the provider, and more.

Configure Host Vulnerability Exceptions in Lacework
resource "lacework_vulnerability_exception_host" "example" {
name = "My Vuln Exception"
description = "This is a vulnerability host exception"
enabled = true
reason = "Accepted Risk"
vulnerability_criteria {
severities = ["critical"]
cves = ["cve-2021-11111", "cve-2021-22222"]
fixable = true
package {
name = "myPackage"
version = "1.0.0"
}
package {
name = "myOtherPackage"
version = "1.0.0"
}
}
resource_scope {
hostnames = ["host1", "host2"]
cluster_names = ["cluster1", "cluster2"]
namespaces = ["namespace1", "namespace2"]
}
}
Configure Container Vulnerability Exceptions in Lacework
resource "lacework_vulnerability_exception_container" "example" {
name = "My Vuln Exception"
description = "This is a vulnerability container exception"
enabled = true
reason = "Accepted Risk"
vulnerability_criteria {
severities = ["Critical", "High"]
cves = ["cve-2021-11111", "cve-2021-22222"]
fixable = true
package {
name = "myPackage"
version = "1.0.0"
}
package {
name = "myOtherPackage"
version = "1.0.0"
}
}
resource_scope {
image_ids = ["sha256:3b83d9104a4c4ccf76433756f14a2ad109e2aae15444b63339"]
image_tags = ["4.0", "1.0", "3.1", "5.0"]
namespaces = ["debian"]
registries = ["index.docker.io"]
repositories = ["lacework/lacework-cli"]
}
}

Additional information on the lacework_vulnerability_exception_host and lacework_vulnerability_exception_container resources can be found on the Terraform Registry.