Suppressing false positives — .nucleus-ignore

Nucleus Verify blocks the verdict when it detects hardcoded secrets, command injection, code injection, unsafe deserialization, or critical IaC misconfigurations. If a match is a known false positive, add a .nucleus-ignore file to the repository root to suppress it.

Example

# .nucleus-ignore — lives at repository root

# ── Whole-rule suppression (everywhere) ────────────────────
# Suppress the hardcoded-secret rule for the entire repo
critical_operators_secrets

# ── File-scoped suppression ─────────────────────────────────
# Only suppress this rule inside `scripts/demo.py`
critical_operators_security scripts/demo.py

# ── Line-scoped suppression (most narrow) ──────────────────
# Suppress the exact file:line — use when the others are too broad
critical_operators_iac k8s/dev-pod.yaml:42

Syntax

Form                       Meaning
rule_id                    Suppress the rule everywhere in the repo
rule_id path/to/file       Suppress the rule only in that file
rule_id path/to/file:LN    Suppress the rule at that file and line
# anything                 Comment (ignored)
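To make the three scopes concrete, here is an added illustrative matcher (not Nucleus Verify's own implementation) that parses a .nucleus-ignore file and reports which entry, if any, silences a given finding. It assumes paths are compared exactly against repository-relative paths and that only whole-line comments exist, as the table above describes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Illustrative matcher for the .nucleus-ignore syntax in the table above
# (not Nucleus Verify's own code): each non-comment line is "rule_id",
# "rule_id path", or "rule_id path:LN"; lines starting with "#" are ignored.

@dataclass(frozen=True)
class Suppression:
    rule_id: str
    path: Optional[str] = None   # None -> applies to the whole repository
    line: Optional[int] = None   # None -> applies to the whole file

    def scope(self) -> str:
        """Which of the three forms this entry uses: repo, file, or line."""
        return "repo" if self.path is None else ("file" if self.line is None else "line")

def parse_nucleus_ignore(text: str) -> List[Suppression]:
    entries: List[Suppression] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stmt = raw.strip()
        if not stmt or stmt.startswith("#"):   # blank line or comment
            continue
        parts = stmt.split()
        if len(parts) > 2:
            raise ValueError(f".nucleus-ignore line {lineno}: too many fields: {raw!r}")
        rule_id = parts[0]
        path: Optional[str] = parts[1] if len(parts) == 2 else None
        line: Optional[int] = None
        if path is not None:
            m = re.fullmatch(r"(.+):(\d+)", path)   # trailing ":LN" narrows to one line
            if m:
                path, line = m.group(1), int(m.group(2))
        entries.append(Suppression(rule_id, path, line))
    return entries

def matching_suppression(entries: List[Suppression], rule_id: str,
                         path: str, line: int) -> Optional[Suppression]:
    """Return the first entry that silences finding (rule_id, path, line), else None.

    Paths are compared exactly, relative to the repository root (assumption)."""
    for s in entries:
        if s.rule_id != rule_id:
            continue
        if s.path is None:                 # blanket: whole repo
            return s
        if s.path == path and (s.line is None or s.line == line):
            return s
    return None
```

Because the matcher returns the entry that fired rather than a bare boolean, the same function can be used to audit which suppressions are broader than necessary (for example, listing every finding silenced by a "repo"-scoped entry).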

Available rule IDs

When to use it

Legitimate reasons to suppress include: demo / example code that intentionally shows an insecure pattern, training material with labelled vulnerabilities, tooling that wraps a dangerous call but has its own guardrail, third-party vendored code pending an upstream fix.

Rule of thumb: prefer the narrowest form. Use line-scoped over file-scoped, and file-scoped over blanket. Every suppression is an implicit acknowledgement of the risk.

Where the matches come from

Suppressions apply to the three critical-severity operator rules that run in gate_s (the Structural Integrity gate). They do not silence Semgrep, Bandit, Gitleaks, OSV-Scanner, or CodeQL — those run in gate_scanners and have their own ignore syntax inside each tool.
