Add finding suppression system (v0.4.4)

Users can acknowledge known-benign findings in config.json Suppressions array. Pattern wildcards via -like. Count shown in summary box and CI JSON.

Made-with: Cursor

Author: TMHSDigital

AmIHacked.ps1

@@ -78,8 +78,9 @@ if ($script:NonInteractive) {
     $script:RedactMode = $Redact.IsPresent
 }
 $script:RedactMap = @{}
+$script:SuppressedCount = 0
 
-$script:Version = "0.4.3"
+$script:Version = "0.4.4"
 
 # ── Helpers (loaded first) ───────────────────────────────────────────────────
 
@@ -350,6 +351,7 @@ if ($script:NonInteractive) {
     Write-SummaryLine "CRITICAL  " "$critCount" "Red" $w
     Write-SummaryLine "WARNING   " "$warnCount" "Yellow" $w
     Write-SummaryLine "INFO      " "$infoCount" "DarkCyan" $w
+    Write-SummaryLine "Suppressed " "$($script:SuppressedCount)" "DarkGray" $w
     Write-Host "  |  $(' ' * ($w - 2))  |"
     Write-SummaryLine "Total     " "$totalCount findings" "White" $w
     Write-SummaryLine "Duration  " "$durationStr" "DarkGray" $w
@@ -378,6 +380,7 @@ if ($script:NonInteractive) {
     Write-SummaryLine "CRITICAL  " "$critCount" $(if ($critCount -gt 0) { "Red" } else { "Green" }) $w
     Write-SummaryLine "WARNING   " "$warnCount" $(if ($warnCount -gt 0) { "Yellow" } else { "Green" }) $w
     Write-SummaryLine "INFO      " "$infoCount" "DarkCyan" $w
+    Write-SummaryLine "Suppressed " "$($script:SuppressedCount)" "DarkGray" $w
     Write-Host "  ║$(' ' * $w)║" -ForegroundColor DarkCyan
     Write-SummaryLine "Total     " "$totalCount findings" "White" $w
     Write-SummaryLine "Duration  " "$durationStr" "DarkGray" $w
@@ -406,6 +409,7 @@ if ($script:NonInteractive) {
         critical   = $critCount
         warning    = $warnCount
         info       = $infoCount
+        suppressed = $script:SuppressedCount
         total      = $totalCount
         duration   = [math]::Round($duration.TotalSeconds, 1)
         reportPath = $reportFile

CHANGELOG.md

@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [0.4.4] - 2026-03-15
+
+### Added
+- **Finding suppression system** -- `Suppressions` array in config lets users acknowledge known-benign findings by title pattern (wildcard `-like` matching). Suppressed count appears in summary box and CI JSON output.
+
 ## [0.4.3] - 2026-03-15
 
 ### Added

CLAUDE.md

@@ -78,6 +78,7 @@ Copied from `config/config.example.json`. Controls:
 - Optional API keys: VirusTotal (`VirusTotalAPIKey`), AbuseIPDB (`AbuseIPDBKey`)
 - Suspicious parent→child process rules
 - Per-module tuning parameters
+- `Suppressions`: array of `{ pattern, reason }` objects. Findings whose Title matches a pattern (wildcard via `-like`) are silently dropped before storing or printing. A `$script:SuppressedCount` counter tracks how many were suppressed; the count appears in the summary box and CI JSON output (`suppressed` key).
 
 `config/config.json` is gitignored to keep API keys local.
 

README.md

@@ -12,7 +12,7 @@
 [![PowerShell 5.1+](https://img.shields.io/badge/PowerShell-5.1%2B-0d1117?style=for-the-badge&logo=powershell&logoColor=5391FE)](https://docs.microsoft.com/powershell/)
 [![Windows 10/11](https://img.shields.io/badge/Windows-10%20%2F%2011-0d1117?style=for-the-badge&logo=windows&logoColor=white)](https://www.microsoft.com/windows)
 [![License: MIT](https://img.shields.io/badge/License-MIT-0d1117?style=for-the-badge&logoColor=white)](LICENSE)
-[![Version](https://img.shields.io/badge/Version-0.4.3-FF6B6B?style=for-the-badge)](#changelog)
+[![Version](https://img.shields.io/badge/Version-0.4.4-FF6B6B?style=for-the-badge)](#changelog)
 
 [![Zero Dependencies](https://img.shields.io/badge/Dependencies-Zero-0d1117?style=flat-square&labelColor=0d1117)](#)
 [![MITRE ATT&CK](https://img.shields.io/badge/MITRE%20ATT%26CK-40%2B%20Techniques-ff3333?style=flat-square&labelColor=0d1117)](#mitre-attck-coverage)
@@ -241,6 +241,7 @@ Then edit `config/config.json` (gitignored — API keys stay local):
 | `SuspiciousParentChild` | `object[]` | Parent→Child process rules |
 | `SuspiciousTempExtensions` | `string[]` | Extensions flagged in temp directories |
 | `TrustedAppDirs` | `string[]` | App directory names to skip during temp-dir scanning |
+| `Suppressions` | `object[]` | Findings to silence permanently. Each entry has a `pattern` (wildcard, matched against Title) and optional `reason` |
 | `AccountMaxAgeDays` | `int` | Flag accounts created within N days |
 | `FileSystemMaxAgeDays` | `int` | Flag recently modified system executables |
 | `MaxEventLogEntries` | `int` | Max events to scan per log |

config/config.example.json

@@ -73,5 +73,9 @@
     ".microsoft.com", ".windowsupdate.com", ".akamaized.net",
     ".cloudfront.net", ".slack-msgs.com", ".googleapis.com",
     ".gstatic.com", ".steamcontent.com"
+  ],
+  "Suppressions": [
+    { "pattern": "New Listening Port: 6463", "reason": "Discord RPC — expected on this machine" },
+    { "pattern": "Unquoted Service Path*", "reason": "Vendor bug, not exploitable — no write access to intermediate paths" }
   ]
 }

lib/Helpers.ps1

@@ -174,6 +174,15 @@ function Add-Finding {
     $Remediation = Invoke-Redact $Remediation
     $Details     = Invoke-RedactObject $Details
 
+    if ($script:Config.Suppressions) {
+        foreach ($sup in $script:Config.Suppressions) {
+            if ($Title -like $sup.pattern) {
+                $script:SuppressedCount++
+                return
+            }
+        }
+    }
+
     $finding = [PSCustomObject]@{
         Severity    = $Severity
         Category    = $Category