Skip to content

Configuration

Allowlist workflow

Unblock a PR without weakening the policy: allow entries with reasons and expiry dates, suppressed-but-visible findings, and automatic escalation when an exception goes stale.

Sometimes you ship with a flagged package on purpose: the replacement is planned, the fork is in progress, or the risk is accepted. The allowlist makes that a reviewable, expiring decision instead of a disabled rule.

allow:
  - package: react-native-legacy-thing
    reason: "Replacement planned for Q4; tracked in TICKET-123"
    expires: 2027-01-31

One entry suppresses findings for one package. The PR goes green; the decision is in the diff, with a reason, reviewed like any other code change.

Suppressed, not silenced

Allowlisted findings still appear in every report, marked as allowed and carrying the reason:

  • Pretty output shows the finding with its allow-reason.
  • JSON keeps the finding with its suppression state.
  • SARIF attaches a suppressions entry with the justification, so code scanning shows it as accepted, not vanished.
  • Annotations downgrade to a notice — visible in the PR, never a red X.

Nothing disappears: the debt stays on the books, it just stops blocking merges.

Expiry escalates

expires (YYYY-MM-DD) is optional but recommended. Past that date the entry stops suppressing and the findings escalate to errors — a stale exception fails the build harder than no exception, because "we accepted this until January" is not "we accepted this forever". Renewing the date is deliberate: someone has to touch the YAML, and the reviewer gets to ask why.

The intended loop

  1. A PR adds a flagged package; the check fails with the finding and evidence link.
  2. The finding's message includes the exact allow entry to copy if the team decides to proceed.
  3. The author adds the entry — with a reason and an expiry — in the same PR.
  4. The check goes green; the finding remains visible in reports until the package is replaced or the entry expires.

False positives cost one YAML line too — and since every finding links its evidence, a wrong directory flag is easy to spot and worth reporting upstream while the allow entry unblocks you.