# How should I reduce the number of Harden-Runner anomalous endpoint alerts?

After enabling Harden-Runner in audit mode, you may see many "New Endpoint" detections. Here's how to bring alert volume under control.

### Why You're Seeing Many Alerts

Harden-Runner builds a behavioral baseline for each job. An endpoint is flagged as "anomalous" when it did not appear in previous runs. Common causes:

* Baselines need several runs to capture the full range of endpoints
* CDNs rotate subdomains between runs
* Rare workflow triggers (releases, manual dispatch) hit endpoints not seen in regular CI
* Dependency updates introduce new network calls

### Strategy 1: Let Baselines Stabilize

Run workflows 5-10 times after enabling Harden-Runner before evaluating alert volume. Baselines improve with more observations.

### Strategy 2: Create Suppression Rules

When an endpoint is verified as legitimate, create a suppression rule to prevent recurring alerts.

1. Navigate to Harden-Runner → Detections
2. Select the anomalous endpoint alert
3. Click Create Suppression Rule
4. Confirm the endpoint and scope (job-level or org-wide)

See the [Suppression Rules](https://docs.stepsecurity.io/harden-runner/suppression-rules) documentation for full options, or follow this interactive demo to see how this works:

{% embed url="<https://app.storylane.io/share/5tfnt9qfpsqm>" %}

#### Use Wildcards for Dynamic Endpoints

For services that rotate subdomains, such as AWS or Azure CDNs, use wildcard patterns to prevent repetitive alerts.

Example: `*.amazonaws.com`

Configure these patterns directly within the suppression rule to ensure future variations are automatically covered.
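To see how baseline warm-up and a wildcard rule change alert volume, the following added sketch (not StepSecurity code) replays a constructed set of runs. It assumes glob-style matching and a baseline that simply accumulates every host seen so far; the host names, `RUNS`, and all function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Constructed sample: hosts contacted by one job across five consecutive runs.
RUNS = [
    ["github.com", "api.github.com", "registry.npmjs.org", "cache-a1.s3.amazonaws.com"],
    ["github.com", "api.github.com", "registry.npmjs.org", "cache-b7.s3.amazonaws.com"],
    ["github.com", "registry.npmjs.org", "objects.githubusercontent.com",
     "cache-c3.s3.amazonaws.com"],
    ["github.com", "api.github.com", "registry.npmjs.org", "cache-d9.s3.amazonaws.com"],
    ["github.com", "registry.npmjs.org", "cache-e2.s3.amazonaws.com",
     "telemetry.example.net"],
]


def covered(host, patterns):
    """True if any suppression pattern matches the host (assumed glob semantics)."""
    host = host.lower().rstrip(".")  # normalize case and a trailing root dot
    return any(fnmatchcase(host, p.lower()) for p in patterns)


def new_endpoints_per_run(runs, patterns=()):
    """Replay runs in order and return the hosts each run would alert on."""
    baseline, alerts = set(), []
    for run in runs:
        seen = set(run)
        alerts.append(sorted(h for h in seen - baseline if not covered(h, patterns)))
        baseline |= seen  # every observed host joins the baseline
    return alerts


def alert_counts(runs, patterns=()):
    """Number of new-endpoint alerts per run."""
    return [len(a) for a in new_endpoints_per_run(runs, patterns)]


def needs_review(runs, patterns=(), warmup=1):
    """Hosts still alerting after the warm-up runs: the review queue."""
    later = new_endpoints_per_run(runs, patterns)[warmup:]
    return sorted({h for run in later for h in run})


if __name__ == "__main__":
    print("no rule: ", alert_counts(RUNS))
    print("wildcard:", alert_counts(RUNS, ["*.amazonaws.com"]))
    print("review:  ", needs_review(RUNS, ["*.amazonaws.com"]))
```

Under these glob semantics `*.amazonaws.com` covers every host beneath that suffix, so choose the narrowest suffix that still absorbs the rotation.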

#### Establish a Review Cadence

Schedule a weekly 15-minute review of new alerts:

* If the endpoint is expected and verified as safe, create or refine a suppression rule
* If the endpoint is unexpected, investigate and correlate with recent workflow or dependency changes

### What Good Looks Like

Mature deployments typically see <5 new anomalous alerts per repo per week. Higher volume suggests baselines need more training runs.
