Skip to main content

Overview

The suppression system allows you to manage false positives in your AI security workflow. When RAXE detects a threat that you’ve verified as safe, you can suppress it to prevent future alerts.
Suppressions should be used sparingly. Before suppressing, verify it’s a true false positive and consider if the detection rule needs updating.

Configuration

Suppressions are configured in .raxe/suppressions.yaml: 
version: "1.0"

suppressions:
  - pattern: "pi-001"
    reason: "Known false positive in authentication flow"

  - pattern: "jb-*"
    reason: "Test suite uses jailbreak patterns"
    expires: "2027-06-01"

Required Fields

FieldDescription
patternRule ID or wildcard pattern (e.g., pi-001, pi-*)
reasonHuman-readable reason for suppression (required for audit)

Optional Fields

FieldDescription
expiresISO 8601 expiration date
actionOverride action: SUPPRESS, FLAG, or LOG
created_byWho created the suppression

Patterns

Patterns support wildcards with family prefixes: 
# Valid patterns
- pattern: "pi-001"       # Exact rule ID
- pattern: "pi-*"         # All prompt injection rules
- pattern: "jb-00*"       # Jailbreak rules starting with 00
- pattern: "*-injection"  # All injection-related rules
Bare wildcards (*) are not allowed. You must specify a family prefix like pi-* or jb-*.

Valid Family Prefixes

PrefixFamily
piPrompt Injection
jbJailbreak
piiPII Leakage
cmdCommand Injection
hcHarmful Content
encEncoding Attacks
ragRAG Attacks

Actions

Instead of fully suppressing a detection, you can override its action:
ActionBehavior
SUPPRESSRemove from results entirely (default)
FLAGKeep in results but mark for human review
LOGKeep in results for metrics/logging only
suppressions:
  - pattern: "hc-*"
    action: FLAG
    reason: "Harmful content requires human review"

SDK Usage

Inline Suppression

from raxe import Raxe

client = Raxe()

# Simple pattern suppression
result = client.scan(text, suppress=["pi-001", "jb-*"])

# With action override
result = client.scan(text, suppress=[
    {"pattern": "pi-001", "action": "FLAG", "reason": "Review required"}
])

Context Manager

# Suppress for multiple scans
with client.suppressed("pi-*", reason="Testing auth flow"):
    result1 = client.scan(text1)
    result2 = client.scan(text2)

CLI Usage

Scan with Suppression

# Single suppression
raxe scan "text" --suppress pi-001

# Multiple suppressions
raxe scan "text" --suppress pi-001 --suppress "jb-*"

# With action override
raxe scan "text" --suppress "pi-001:FLAG"

Manage Suppressions

# List all suppressions
raxe suppress list

# Add a suppression
raxe suppress add pi-001 --reason "Known false positive"

# Remove a suppression
raxe suppress remove pi-001

# View audit log
raxe suppress audit

Best Practices

Be Specific

Use exact rule IDs when possible. Avoid broad wildcards.

Set Expirations

Temporary suppressions should have expiration dates.

Document Reasons

Provide clear reasons for audit compliance.

Review Regularly

Schedule quarterly reviews of active suppressions.

Example: Good vs. Bad Reasons

# Bad - not actionable
- pattern: "pi-001"
  reason: "false positive"

# Good - explains context
- pattern: "pi-001"
  reason: "Auth flow uses 'ignore previous' in rate limit messages - verified safe"

Troubleshooting

Suppression Not Working

  1. Check pattern syntax: raxe suppress list
  2. Verify file location: ls -la .raxe/suppressions.yaml
  3. Check for expiration: Expired suppressions are automatically skipped

Invalid Pattern Error

Ensure patterns have valid family prefixes: 
Error: Wildcard patterns must have a valid family prefix.
Pattern: foo-*, Valid families: pi, jb, pii, cmd, hc, enc, rag

Missing Reason Error

All suppressions require a reason field: 
Error: suppressions[0]: Missing required field: reason
For broader enforcement rules across your deployment, see Policies.

What’s Next

Policies

Configure enforcement policies

Troubleshooting

Common issues and solutions