Vulnerability Exclusions
You can exclude a specific vulnerability (CVE, threat, or secret) that appears in a specific package. If you set the vulnerability as not important or relevant, CloudGuard ignores it. Such a vulnerability has the Excluded from Findings indication on the asset pages, and CloudGuard rules do not take it into account.
The vulnerability exclusions are applied to the raw data in the package before running an assessment and obtaining findings. Therefore, these exclusions affect findings, toxic combinations, notifications, and more.
To exclude only findings related to vulnerabilities, see Configuring CloudGuard Exclusions.

- Navigate to Workloads > Vulnerabilities > Vulnerability Exclusions.
- Click Add in the top left.
- In the Create new exclusion window, enter a name for the exclusion. This parameter is mandatory.
- Select Include in Assessment if you want CloudGuard to create a finding related to the vulnerability even though it is ignored. This option affects only findings; for toxic combinations, risk score, etc., the vulnerability remains ignored.
- Select the scope of the exclusion application. For Environments, select one or more environments to apply the exclusion. For Organizational Units, select one or more units.
- Select one of these options:
  - CVE - Enter these details:
    - CVE ID (mandatory)
    - Package name
    - Package version
  - Threat - Enter these details:
    - Category
    - Path (mandatory) - file path
  - Secret - Enter the file path (mandatory).
- Entity Name / Entity ID - Exclude vulnerabilities that correspond to specific entities. Enter the entity name or ID. You can enter one or more entity names. Start to type the entity name to see and select a matching option. You can include the wildcard '%' in the entity name to include a group of entities. For example, %s3% matches all entities with 's3' in their name.
- Enter your comment to distinguish between different exclusions. The comment is a mandatory parameter.
- Select the date range.
- Click Save.
You can also create a CVE exclusion from the CVE page. In the top right corner, click the menu icon, select Exclude, and enter the required parameters.
If CloudGuard finds the excluded CVE in one of the images, the Vulnerabilities page of the image shows the CVE with the Is Excluded indication. Click the CVE ID to open its page and learn more details. It also shows information on who excluded the CVE and when.
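Because exclusions are applied to the raw data before assessment, a broad entity wildcard or a long date range hides more than intended. The following review check is an added example, not CloudGuard code: the record layout, the entity list, the case-insensitive matching, and the `max_days` / `max_share` thresholds are assumptions made for illustration.

```python
import re
from datetime import date

# Constructed sample data: entity names and exclusion records are illustrative,
# not an export format defined by CloudGuard.
ENTITIES = ["prod-s3-logs", "s3-backup", "web-frontend", "payments-db"]

def wildcard_to_regex(pattern):
    """Translate an entity-name pattern in which '%' matches any run of characters."""
    parts = [re.escape(p) for p in pattern.split("%")]
    # Case-insensitive matching is an assumption of this example.
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

def matched_entities(pattern, entities):
    """Return the entity names that the wildcard pattern would cover."""
    rx = wildcard_to_regex(pattern)
    return [e for e in entities if rx.match(e)]

def review_exclusion(excl, entities, today, max_days=90, max_share=0.5):
    """Return review warnings for one exclusion record (thresholds are local policy)."""
    warnings = []
    for pattern in excl.get("entity_names", []):
        hits = matched_entities(pattern, entities)
        if not hits:
            warnings.append(f"{pattern!r} matches no entity")
        elif len(hits) / len(entities) > max_share:
            warnings.append(f"{pattern!r} matches {len(hits)} of {len(entities)} entities")
    start, end = excl["date_range"]
    if end < today:
        warnings.append("date range has expired")
    elif (end - start).days > max_days:
        warnings.append(f"date range spans {(end - start).days} days")
    return warnings

EXCLUSIONS = [
    {"name": "s3-false-positive", "entity_names": ["%s3%"],
     "comment": "Accepted until image rebuild",
     "date_range": (date(2024, 1, 1), date(2024, 2, 1))},
    {"name": "blanket", "entity_names": ["%"],
     "comment": "Temporary",
     "date_range": (date(2024, 1, 1), date(2025, 6, 1))},
]

if __name__ == "__main__":
    for excl in EXCLUSIONS:
        print(excl["name"], review_exclusion(excl, ENTITIES, today=date(2024, 1, 15)))
```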

- Navigate to Workloads > Vulnerabilities > Vulnerability Exclusions.
- Select an exclusion to edit and click Edit on the top bar.
- Modify the exclusion parameters and click Save.

- Navigate to Workloads > Vulnerabilities > Vulnerability Exclusions.
- Select an exclusion to delete and click Delete on the top bar.
- Click Confirm to confirm your choice.
CloudGuard rules start to take the CVE into account.
You can also delete a CVE exclusion from the CVE page. In the top right corner, click the menu icon, select Remove exclude, and click Confirm to confirm your choice.