⚠️ Select your experience
The steps depend on your interface version. Select a link to skip to the instructions for your version.
Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.
Instructions for the New Experience ⬇️
A finding represents a specific resource, configuration, or result that affects whether a test passes or fails. You can exclude findings when they do not apply to your organization or represent an approved exception. Excluding items ensures tests focus on issues that impact compliance while preserving visibility and audit context.
Example scenarios
If a security group allows public SSH for a documented business reason, you can exclude that finding while recording justification.
If a vulnerability test reports priorities that do not impact compliance, you can exclude those findings to focus remediation on relevant risks.
Personnel findings
If a test lists personnel as findings, you can't exclude or reinclude those individuals from the Monitoring page. Create these exclusions from the Personnel page instead, where you can manage personnel exclusions or mark them out of scope.
Exclude findings from a test
Open Monitoring and select a test.
Open the Findings tab.
Select one or more findings.
Select Exclude.
Enter a business rationale.
Select Submit.
You can select an individual finding to view additional details before excluding it.
Re-include excluded items
Open Monitoring and select a test.
Open the Exclusions tab.
Select one or more excluded items.
Select the Include
Confirm by selecting Reinclude.
Drata reapplies the item during the next test run.
Find tests with exclusions
To find tests that include exclusions:
Open Monitoring.
Apply the Has exclusions filter.
This filter shows all tests with one or more excluded findings.
Instructions for the Classic Experience ⬇️
Companies can exclude one or more items from a test when that test is not applicable to those items. The items are then excluded each time the test runs, and they always remain visible within the test on the Monitoring page. Managing exclusions in Drata ensures that only key vulnerabilities impacting compliance are addressed, while others are effectively streamlined.
BEFORE DIVING IN
Admins, Information Security Leads, and DevOps Engineers can set exclusions.
For those with Compliance as Code, you can exclude items or recommended changes for a test. Ensure that you have configured and connected your repository within Drata.
To verify that you have connected your GitHub repository, go to the Settings page and then Compliance as Code.
Exclude items from a test
Excluded items will no longer cause the test to fail. After excluding an item, you can run the test to view the changes that you made. You can also revert or re-include any exclusions made.
Navigate to the 'Monitoring' page.
Ensure you are on the Production tab, and select a failed test.
For Compliance as Code tests, select the Code or Pipeline tabs, and then select a failed test.
If you are excluding items from the Pipeline tab, select the Exclude findings button instead of the exclude icon (which is mentioned in the next steps).
Within the drawer, scroll down to the Last test result section and ensure you are on the Included tab. You can exclude all items, multiple items, or just one item.
Enter the reason for the exclusion, then submit.
Once you exclude an item, the item will be displayed in the Excluded tab. If there is not an Excluded tab, that means there are no exclusions.
For example, on this 'Public SSH Denied' test, a security group is listed that allows public SSH. There is a business reason for this allowance. To exclude an item, select the minus icon to the right of the item, and you'll be given a modal to provide a business rationale for the exclusion. Similarly, if a 'High vulnerabilities addressed' test lists certain priorities that aren't impactful for compliance, you can exclude those as needed, ensuring a clear rationale is always logged.
Re-include an exclusion
Navigate to the 'Monitoring' page.
Ensure you are on the Production tab, and select a failed test.
For those with Compliance as Code, select the Code tab, and then select a failed test.
Within the drawer, scroll down to the Last test result section and ensure you are on the Excluded tab. If there is not an Excluded tab, that means there are no exclusions.
Select the items you would like to include, and then select the addition icon.
You will see the modal showing the business rationale you previously provided for the exclusion. Select Reinclude to re-include that item.




