Create a file named osv-scanner.toml (the name the scanner looks for) at the root of the repository, in the format documented by OSV-Scanner
Add an '[[IgnoredVulns]]' entry for each vulnerability ID to suppress, giving the 'id' field, a 'reason' string for the audit trail, and optionally an 'ignoreUntil' date after which the scanner stops honouring the entry
To keep test fixtures or vendored code out of the scan, exclude those directories with .gitignore patterns, which the scanner honours on recursive scans (pass '--no-ignore' to disable that), or add '[[PackageOverrides]]' entries with 'ignore = true' to suppress findings for specific packages; the toml file itself carries no path patterns
Reference the config file explicitly with '--config osv-scanner.toml' when running osv-scanner so one file applies to every lockfile, or rely on auto-discovery, which only picks up an osv-scanner.toml sitting in the same directory as the lockfile being scanned
Commit the toml file to version control so the ignore list is auditable, reviewed in pull requests, and consistent across local runs and CI
Periodically review ignored vulnerability IDs and retire entries once the upstream fix has been adopted; entries whose 'ignoreUntil' date has passed should be removed rather than extended without a fresh reason
Known gotchas
OSV entries carry a primary ID from their home database (GO-, GHSA-, PYSEC-, RUSTSEC- and similar prefixes) plus aliases such as CVE IDs; put the ID exactly as the scanner prints it in 'id', not an alias, or the entry may not match the finding you meant to suppress
Ignored vulnerabilities are dropped from the output and, in current versions, from the count that drives the non-zero exit code, but this has varied between OSV-Scanner versions; run the scanner in the pipeline once after adding ignores and confirm the exit status is what the job expects
The toml config format may change between OSV-Scanner major versions; read the release notes when upgrading the scanner and re-run it against the committed config to confirm the file still parses and the entries still apply
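The audit script below is an added example, not code from OSV-Scanner or from the original page. It covers the procedure above end to end (a constructed osv-scanner.toml in the documented '[[IgnoredVulns]]' format, with 'reason' and 'ignoreUntil') and the first gotcha: it reads the toml alongside a scanner report and flags entries that name an alias instead of the reported OSV ID, entries whose 'ignoreUntil' has passed, entries with no reason, and entries for vulnerabilities the scanner no longer reports (candidates to retire). It assumes the layout of 'osv-scanner --format json' output (results[].packages[].vulnerabilities[] with 'id' and 'aliases'), a Python 3.11+ 'tomllib' (or the 'tomli' backport), and sample data that is constructed for the example: GO-2022-0968 is the ID used in the OSV-Scanner documentation's own config example, and the alias and GHSA values are placeholders.

```python
"""Audit an osv-scanner.toml ignore list against a scanner JSON report.

Added example, not part of OSV-Scanner. Assumes the documented config keys
([[IgnoredVulns]] with id, reason, ignoreUntil) and the shape of
`osv-scanner --format json` output (results[].packages[].vulnerabilities[]
carrying `id` and `aliases`). All sample data below is constructed.
"""
import datetime as dt
import json

try:
    import tomllib  # stdlib on Python 3.11+
except ModuleNotFoundError:  # older interpreters: pip install tomli
    import tomli as tomllib  # type: ignore

# Constructed osv-scanner.toml in the documented format.
SAMPLE_CONFIG = """
[[IgnoredVulns]]
id = "GO-2022-0968"
ignoreUntil = 2022-11-09
reason = "No SSH servers are connected to or hosted by this code"

[[IgnoredVulns]]
id = "CVE-2022-27191"
reason = "Same issue as GO-2022-0968, added under its CVE alias"

[[IgnoredVulns]]
id = "GHSA-aaaa-bbbb-cccc"
"""

# Constructed scanner report; ids, aliases and versions are sample values.
SAMPLE_REPORT = json.dumps({
    "results": [{
        "source": {"path": "go.mod", "type": "lockfile"},
        "packages": [{
            "package": {"name": "golang.org/x/crypto",
                        "version": "0.0.0-20220315", "ecosystem": "Go"},
            "vulnerabilities": [
                {"id": "GO-2022-0968", "aliases": ["CVE-2022-27191"]},
            ],
        }],
    }],
})


def load_ignores(config_text):
    """Parse the TOML and return the [[IgnoredVulns]] array (empty if absent)."""
    return tomllib.loads(config_text).get("IgnoredVulns", [])


def reported_vulns(report_text):
    """Map each reported OSV id to the set of aliases the scanner printed for it."""
    found = {}
    for result in json.loads(report_text).get("results", []):
        for pkg in result.get("packages", []):
            for vuln in pkg.get("vulnerabilities", []):
                found.setdefault(vuln["id"], set()).update(vuln.get("aliases", []))
    return found


def _as_date(value):
    """ignoreUntil may arrive as a TOML date, a datetime, or (mistakenly) a string."""
    if isinstance(value, dt.datetime):
        return value.date()
    if isinstance(value, dt.date):
        return value
    return dt.date.fromisoformat(str(value))


def audit(config_text, report_text, today=None):
    """Classify every ignore entry; each key lists the offending ids."""
    today = _as_date(today) if today else dt.date.today()
    found = reported_vulns(report_text)
    aliases = set().union(*found.values())
    out = {"missing_id": [], "no_reason": [], "expired": [], "alias_only": [], "stale": []}
    for position, entry in enumerate(load_ignores(config_text), 1):
        vid = entry.get("id")
        if not vid:
            out["missing_id"].append(position)  # entry number in the file
            continue
        if not entry.get("reason"):
            out["no_reason"].append(vid)
        until = entry.get("ignoreUntil")
        if until is not None and _as_date(until) < today:
            out["expired"].append(vid)
        if vid in found:
            continue
        # Present only as an alias: the entry names the CVE, but the scanner
        # reports its own OSV id, so the entry may not suppress the finding.
        (out["alias_only"] if vid in aliases else out["stale"]).append(vid)
    return out


if __name__ == "__main__":
    import sys
    problems = audit(SAMPLE_CONFIG, SAMPLE_REPORT, "2024-01-01")
    for kind, ids in problems.items():
        if ids:
            print(f"{kind}: {ids}")
    # Non-zero exit so a CI job can fail on a neglected ignore list.
    sys.exit(1 if any(problems.values()) else 0)
```

In a real pipeline, feed it the committed file and a fresh report, for example the output of 'osv-scanner --config osv-scanner.toml --format json -r .' saved to disk, and drop the sample constants; the alias check is deliberately conservative and only reports an entry as 'alias_only' when the scanner itself listed that alias for a finding it reported.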