Manage Exceptions
Exceptions suppress or override policy findings without modifying the underlying rule sets. Anchore Enterprise provides two distinct mechanisms — pick the one that matches the scope of the override you want.
When to Use Which
The two mechanisms differ in what they target and when they are evaluated.
| Mechanism | What it targets | Scope | When evaluated | Typical use |
|---|---|---|---|---|
| Allowlists | Individual findings — a specific CVE on a specific package, with optional expiry | Image and app-version — referenced by both image and SBOM mappings | After rules fire, before the final verdict | Accepting a known risk, suppressing a known false positive, granting a time-bounded exception |
| Allowed and denied image lists | Whole images, identified by name, image ID, or digest | Image only — image mappings | Before any mapping or rule logic runs | Unconditionally trusting a base image, blocking an image known to be unfit for production |
Both mechanisms record their action in the evaluation output, so a finding that was allowlisted or an image that was denied is still visible in the audit trail — the override is transparent, not silent.
How Exceptions Fit Into a Policy
Both allowlists and the allowed and denied image lists are stored inside the policy bundle, alongside rule sets and mappings. See Anatomy of a Policy Bundle for where each lives in the JSON structure.
Allowlists are referenced by mappings — when a mapping rule matches an artifact, it identifies which rule sets evaluate the artifact and which allowlists are applied to the resulting findings. The allowed and denied image lists are global to the bundle and are checked before any mapping is resolved.
The evaluation pipeline walks through the full order — including where each exception mechanism takes effect.
Last modified June 16, 2026