The fangs allow command manages the allowlist — the set of rules that tell the Differ to ignore specific network destinations, filesystem paths, or TLS hostnames when computing deviations. Use it to suppress noise from known-good infrastructure (internal CIDRs, telemetry endpoints, temp directories) without promoting entire runs into the baseline. Rules can be scoped globally to all packages or narrowly to a single package name.

Subcommands

| Subcommand | Purpose |
| --- | --- |
| allow list | Show all allowlist entries, optionally filtered to one package |
| allow add | Create a new CIDR, path, or SNI suppression rule |
| allow remove <id_prefix> | Delete an entry by its ID prefix |

fangs allow list

Fetches every row from the allow_entries table and renders them in a table. When -package is supplied, only entries that are either global or scoped to that specific package are shown (the same filter the Differ itself applies).
fangs allow list [-package <package_name>]

Flags

-package (string)
Filter the output to entries that apply to the given package: global entries plus any entries with a matching package_name. When omitted, all entries across all scopes are returned.

Output columns

| Column | Description |
| --- | --- |
| ID | Short hex prefix of the 16-character entry ID |
| SCOPE | global or package |
| PACKAGE | Package name for package-scoped entries; for global entries |
| KIND | Rule type: cidr, path, or sni |
| VALUE | The rule value (truncated to 40 characters in table output) |
| NOTE | The operator-supplied free-form comment (truncated to 30 characters) |
| CREATED | RFC 3339 timestamp of when the entry was created |

Empty state

When no entries exist, allow list prints example commands instead of an empty table:
no allowlist entries.
  fangs allow add -kind cidr  -value 10.0.0.0/8 -note 'internal net'
  fangs allow add -kind sni   -value telemetry.internal -package my-pkg

fangs allow add

Creates a new allowlist entry and persists it to storage. The entry takes effect immediately — the next time the Differ analyzes a run for the relevant package, it will skip any events that match this rule.
fangs allow add -kind <KIND> -value <VALUE> [-package <package_name>] [-note <note>]

Flags

-kind (string, required)
The rule type. Accepted values:
  • cidr: suppresses net_new_destination deviations where the IP address falls within the given CIDR range. Validated with net.ParseCIDR.
  • path: suppresses fs_new_path_* deviations where the file path starts with the given prefix. Must begin with /.
  • sni: suppresses net_new_https_host deviations where the TLS SNI matches the given string. No structural validation is applied.

-value (string, required)
The rule value. Format depends on -kind:
  • cidr: a valid CIDR notation string, e.g. 10.0.0.0/8 or 192.168.1.0/24
  • path: an absolute path prefix starting with /, e.g. /tmp/npm-cache
  • sni: any string, e.g. telemetry.example.com

-package (string)
Scope the rule to a single package. When supplied, the entry has scope package and only suppresses deviations in runs of that package. When omitted, the entry is global and applies to runs of every package.

-note (string)
A free-form human-readable comment describing why this rule exists. Visible in allow list output. Recommended for audit trail purposes.

Validation rules

| Kind | Validation |
| --- | --- |
| cidr | Parsed with net.ParseCIDR; must be valid CIDR notation |
| path | Must begin with / |
| sni | No structural check; operator-supplied strings are accepted as-is |

ID format

Each entry is assigned an 8-byte cryptographically random ID encoded as a 16-character hex string, e.g. a3f2b19c44e8d701. This ID is generated at add time and never changes.

Examples

fangs allow add \
  -kind cidr \
  -value 10.0.0.0/8 \
  -note "RFC-1918 internal network"

fangs allow remove

Deletes an allowlist entry by its ID prefix. Uses the same git-style prefix resolution as baseline promote — supply enough characters to uniquely identify the entry.
fangs allow remove <id_prefix>

Arguments

id_prefix (string, required)
A prefix of the 16-character entry ID. FANGS resolves the prefix against the allow_entries table. Must uniquely match exactly one entry.

Error conditions

| Error | Cause |
| --- | --- |
| ErrAmbiguous | The prefix matches more than one entry; use a longer prefix |
| ErrNotFound | No entry matches the given prefix |

Examples

fangs allow remove a3f2b1

Removing an allowlist entry does not automatically re-flag past runs. It only affects future Differ executions. If you need to re-evaluate a previously analyzed run, re-trigger analysis for that run manually.
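
The ID format and the git-style prefix resolution described above, sketched in Go as an added example that is not FANGS's own code. ErrAmbiguous and ErrNotFound here are local stand-ins named after the errors in the table, NewID and Resolve are hypothetical names, the rejection of an empty prefix is an assumption, and every ID except the page's a3f2b19c44e8d701 is constructed.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Local stand-ins for the two documented errors (FANGS's definitions are not on this page).
var (
	ErrAmbiguous = errors.New("prefix matches more than one entry")
	ErrNotFound  = errors.New("no entry matches prefix")
)

// NewID reads 8 bytes from the OS CSPRNG and hex-encodes them to 16 characters.
func NewID() (string, error) {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Resolve returns the one ID that starts with prefix. An empty prefix never
// matches (assumption), so it cannot select the only entry in a one-row table.
func Resolve(ids []string, prefix string) (string, error) {
	match := ""
	for _, id := range ids {
		if prefix == "" || !strings.HasPrefix(id, prefix) {
			continue
		}
		if match != "" {
			return "", fmt.Errorf("%w: %q", ErrAmbiguous, prefix)
		}
		match = id
	}
	if match == "" {
		return "", fmt.Errorf("%w: %q", ErrNotFound, prefix)
	}
	return match, nil
}

func main() {
	ids := []string{"a3f2b19c44e8d701", "a3f2c000deadbeef", "0b7e5511c2d9aa10"}
	for _, p := range []string{"a3f2b1", "a3f2", "ffff"} {
		id, err := Resolve(ids, p)
		fmt.Printf("%-6s -> %q %v\n", p, id, err)
	}
}
```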

Scoping reference

Understanding scope is critical for keeping the allowlist precise.

Global scope

Created with no -package flag. Applies to every package FANGS monitors. Use for rules that are truly infrastructure-wide, such as internal RFC-1918 CIDRs or shared CDN prefixes.

Package scope

Created with -package <name>. Applies only to runs of that specific package. Use for rules that are expected for one package but would be suspicious in others, e.g. a package-specific telemetry SNI.

When in doubt, prefer package-scoped rules. A global rule that suppresses a suspicious value for one package silently hides the same value if it shows up in a completely different package’s run.
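
The per-kind validation from allow add and the global/package scoping above can be checked together in a short Go sketch. This is an added example, not FANGS's own code: Entry, Validate and Suppresses are hypothetical names, plain string-prefix matching for path and exact string comparison for sni are assumptions read from the wording on this page, and the sample values are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Entry is a hypothetical stand-in for one allowlist row; Package == "" means global scope.
type Entry struct{ Kind, Value, Package string }

// Validate applies the documented checks: cidr must parse, path must begin with "/".
func Validate(e Entry) error {
	switch e.Kind {
	case "cidr":
		_, _, err := net.ParseCIDR(e.Value)
		return err
	case "path":
		if !strings.HasPrefix(e.Value, "/") {
			return fmt.Errorf("path %q must begin with /", e.Value)
		}
	case "sni": // no structural check, accepted as-is
	default:
		return fmt.Errorf("unknown kind %q", e.Kind)
	}
	return nil
}

// Suppresses reports whether e hides an observed value of the given kind in a run of pkg.
func Suppresses(e Entry, pkg, kind, observed string) bool {
	if e.Kind != kind || (e.Package != "" && e.Package != pkg) {
		return false // wrong rule type, or scoped to a different package
	}
	switch kind {
	case "cidr":
		_, n, err := net.ParseCIDR(e.Value)
		ip := net.ParseIP(observed)
		return err == nil && ip != nil && n.Contains(ip)
	case "path":
		return strings.HasPrefix(observed, e.Value) // assumed: plain string prefix
	}
	return observed == e.Value // sni, assumed: exact string comparison
}

func main() {
	tmp := Entry{"path", "/tmp/npm-cache", ""}
	// A sibling directory sharing the prefix is suppressed too under this assumption.
	fmt.Println(Suppresses(tmp, "left-pad", "path", "/tmp/npm-cache-x/payload"))
	sni := Entry{"sni", "telemetry.internal", "my-pkg"}
	fmt.Println(Suppresses(sni, "other-pkg", "sni", "telemetry.internal"))
}
```

Under these assumptions a path value of /tmp/npm-cache also covers /tmp/npm-cache-x/, so ending the value with a slash keeps the rule to the intended directory.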
