Existing projects often accumulate 40 or more findings on their first Drako scan. Fixing everything before you can use Drako in CI is a barrier to adoption. The baseline lets you acknowledge known findings and focus enforcement on new issues introduced going forward.

The problem

When you first scan an existing project, you might see:
CRITICAL  3  │  HIGH  12  │  MEDIUM  18  │  LOW  9
You want to use --fail-on critical in CI, but the build would fail immediately because of pre-existing issues. The baseline solves this: save the current state once, and from then on CI only fails on findings that weren’t there before.

How baseline works

1. Save the current state

Run a scan with --baseline to record all current findings as the acknowledged baseline:
drako scan . --baseline
This creates .drako/.baseline.json in your project directory. The file stores SHA-256 fingerprints of each finding — no raw code snippets are stored, so secrets that appear in findings aren’t accidentally committed.
2. Commit the baseline file

Add the baseline file to version control so it’s shared across the team:
git add .drako/.baseline.json
git commit -m "Add Drako scan baseline"
The .drako/.last_scan.json cache file is automatically gitignored by Drako.
3. Run scans normally from now on

Subsequent scans automatically filter against the baseline and show only new findings:
drako scan .
Only findings that were not present when the baseline was saved will appear in the output.

Baseline commands

drako scan . --baseline     # Save current state as baseline
drako scan .                # Show only NEW findings (baseline active)
drako baseline show         # Display what's currently baselined
drako baseline reset        # Delete the baseline and start fresh
drako baseline show output:
Baseline v1 — created 2026-03-15T10:23:44+00:00
Drako version: 0.9.1
Total baselined findings: 42
  CRITICAL: 3
  HIGH: 12
  MEDIUM: 18
  LOW: 9

Behavior details

  • The governance score always reflects all findings — the score is your real posture, not a filtered view. Baselined findings still count against the score.
  • CI pass/fail is based on new findings only: --fail-on critical will not trigger on baselined CRITICAL findings, only on newly introduced ones.
  • SARIF output marks baselined findings as "baselineState": "unchanged" so GitHub Code Scanning shows them as pre-existing rather than new alerts.
  • The baseline file is team-shared — committing .drako/.baseline.json means all developers and CI pipelines see the same baseline state.

Fingerprinting

Baseline fingerprints are computed as SHA-256 hashes of the rule ID, normalized file path, and stripped code snippet. Line numbers are intentionally excluded — moving code within a file does not create a new finding. Only adding genuinely new violations does.
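The following is an added illustration of the fingerprinting and filtering described above, not Drako's own code: the exact field separator, path normalization and snippet stripping Drako uses are not documented here and are assumptions of this example. It shows that a finding that moves within a file keeps its fingerprint, that only fingerprints (no snippets) land in the baseline, and how the SARIF baselineState value is derived.

```python
import hashlib
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line: int
    snippet: str
    severity: str


def fingerprint(f: Finding) -> str:
    """SHA-256 over rule ID, normalized path and stripped snippet.
    The line number is deliberately excluded, so moving code within a
    file keeps the same fingerprint. The newline separator and the
    path normalization below are assumptions of this example."""
    norm_path = posixpath.normpath(f.path.replace("\\", "/"))
    material = "\n".join([f.rule_id, norm_path, f.snippet.strip()])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def save_baseline(findings: list[Finding]) -> dict:
    """Build the baseline document: fingerprints only, never raw snippets."""
    return {"version": 1, "fingerprints": sorted({fingerprint(f) for f in findings})}


def new_findings(findings: list[Finding], baseline: dict) -> list[Finding]:
    """Keep only findings whose fingerprint is absent from the baseline."""
    known = set(baseline["fingerprints"])
    return [f for f in findings if fingerprint(f) not in known]


def sarif_baseline_state(f: Finding, baseline: dict) -> str:
    """Value for a SARIF result's baselineState property."""
    return "unchanged" if fingerprint(f) in baseline["fingerprints"] else "new"


# Constructed sample data: a first scan, then a later scan in which the
# hardcoded-secret finding moved down 20 lines and one new finding appeared.
FIRST_SCAN = [
    Finding("secrets.hardcoded", "./src/config.py", 12, "  API_KEY = 'example-not-real'\n", "CRITICAL"),
    Finding("sql.injection", "src\\db.py", 40, "cur.execute(query + user_id)", "HIGH"),
]
LATER_SCAN = [
    Finding("secrets.hardcoded", "src/config.py", 32, "API_KEY = 'example-not-real'", "CRITICAL"),
    Finding("sql.injection", "src/db.py", 41, "cur.execute(query + user_id)", "HIGH"),
    Finding("crypto.weak-hash", "src/auth.py", 7, "hashlib.md5(pw)", "MEDIUM"),
]

if __name__ == "__main__":
    baseline = save_baseline(FIRST_SCAN)
    for f in new_findings(LATER_SCAN, baseline):
        print(f"NEW {f.severity} {f.rule_id} {f.path}:{f.line}")
```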
The baseline is a tool for incremental adoption, not a way to hide risk. The governance score always reflects your true posture, and auditors or security reviewers can see the full finding list with drako scan . --show-all. Do not use the baseline to suppress findings you intend to leave permanently unaddressed.
