> For the complete documentation index, see [llms.txt](https://docs.balkan.id/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.balkan.id/compliance-controls-and-posture/suppressions-and-exceptions.md).

# Suppressions and exceptions

Suppressions and exceptions solve different problems, even though both reduce compliance noise.

Use a suppression to stop matching violations from surfacing at all.

Use an exception to acknowledge risk while keeping the violation visible.

This distinction matters because it changes both what appears in the posture dashboard and how criterion health is calculated.

For the admin workflows behind both rule types, see [Compliance controls](/compliance-controls-and-posture/compliance-controls.md). For the day-to-day triage flow, see [Compliance posture](/compliance-controls-and-posture/compliance-posture.md#add-an-inline-exception).

***

### Choose the right action

Use a **suppression** when the criterion should not apply to some or all of your environment.

Use an **exception** when the violation is real, but the risk is understood and accepted.

In short:

* suppressions hide,
* exceptions acknowledge,
* and only exceptions stay visible in posture.

### Suppressions

Suppressions stop matching violations from appearing in posture.

Admins manage suppressions in **Settings → Compliance → Suppressions**.

The full setup flow is covered in [Compliance controls](/compliance-controls-and-posture/compliance-controls.md#suppressions-tab).

Suppressions apply at the criterion level, and can be blanket or scoped.

#### Blanket suppressions

A blanket suppression hides every violation for one criterion.

Use this when the criterion does not apply.

A blanket-suppressed criterion shows as **Fully Suppressed**.

This is the broadest suppression type. It removes the criterion from active posture for all matching entities.

#### Scoped suppressions

A scoped suppression hides only matching entities.

Use this for targeted carve-outs.

Scoped suppressions use an entity filter. If you need a refresher on filter syntax and behavior, see [Filters](/getting-started/entitlement-data-discovery/filters.md) and [Working with filters](/getting-started/entitlement-data-discovery/working-with-filters.md).

This lets you exclude specific slices of your environment without hiding the criterion everywhere else.

For example, you might suppress a criterion for resources tagged `env=dev` while keeping production violations visible.

{% hint style="info" %}
Use scoped suppressions when you want to reduce noise without losing production signal.
{% endhint %}

<div data-with-frame="true"><figure><img src="/files/clk1q4iT1GaZq6tt6KWB" alt=""><figcaption></figcaption></figure></div>

***

### Exceptions

Exceptions acknowledge a violation without hiding it; excepted violations stay visible in [Compliance posture](/compliance-controls-and-posture/compliance-posture.md), but appear separately from active violations.

A fully excepted criterion (i.e., a framework criteria for which all violations have been marked as exception) shows as **Passing with Exceptions**.

Exceptions always require an entity filter — there is no concept blanket exception. They are meant to be used in a targeted manner.

This keeps accepted risk visible and reviewable, while preventing it from being treated the same way as unresolved active violations.

#### Global exceptions

Admins create rule-based exceptions in **Settings → Compliance → Exceptions**.

The admin workflow is covered in [Compliance controls](/compliance-controls-and-posture/compliance-controls.md#exceptions-tab).

Use these when the same exception applies repeatedly. Global exceptions are useful when a known condition affects many similar entities and should be handled consistently.

#### Inline exceptions

Admins and risk managers can add quick exceptions from the [violations table](/compliance-controls-and-posture/compliance-posture.md#violations-table). Use these when reviewing a specific violation.

Inline exceptions are useful when the right decision becomes clear during triage and does not require broader configuration work. Note that inline exceptions persist across compute runs until and unless removed.

<div data-with-frame="true"><figure><img src="/files/0o4EGQcb3bsBmeRBH9G1" alt=""><figcaption></figcaption></figure></div>

***

### When to use each

#### Use a suppression when

* The criterion does not apply to your environment.
* A compensating control makes the check irrelevant.
* You want to remove known noise from posture counts.

#### Use an exception when

* The violation is real.
* You accept the risk (for now).
* You still want an audit trail in posture.

***

### What changes in posture

#### After a suppression

* Matching violations disappear from the dashboard.
* Matching violations do not count as active.
* Blanket-suppressed criteria show **Fully Suppressed**.

#### After an exception

* Matching violations stay visible.
* Matching violations move to **Excepted Violations**.
* The exception reason appears on the **Excepted** badge tooltip.

This makes exceptions better for auditability and ongoing review, while suppressions are better for removing inapplicable or intentionally excluded checks.

Both suppressions and exceptions are logged with details of who created them, and when, and are retained in a read-only state with similar details on deletion. You can review these records from the [Suppressions tab](/compliance-controls-and-posture/compliance-controls.md#suppressions-tab) and [Exceptions tab](/compliance-controls-and-posture/compliance-controls.md#exceptions-tab).


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.balkan.id/compliance-controls-and-posture/suppressions-and-exceptions.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.