We're currently using wildcard certs for our external servers (DMZ). These are being scanned via our internal IP ranges (because we use the AWS pre-authed scanner), and in so doing they are failing the subject common name comparison check. This is because AWS by default generates ip-X-X-X-X.ec2.internal for all reverse DNS names, which in our case does not match our *.domain.com certificates.
I can see that we can flag these findings as exceptions for false positives, but I would like to ensure that the exception only applies if the wildcard is found (as opposed to all mismatched SCN certificates). Is there a good way to apply this exception dynamically based on the results of the test, or is it a manual, host-by-host, service-by-service exception task?
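One way to make the "only when a wildcard is involved" decision reproducible is to post-process exported findings rather than hand-pick hosts. The script below is an added example, not part of the original post and not a Tenable or AWS feature: it assumes a hypothetical finding record (scanned IP, the reverse DNS name the scanner compared, and the certificate's CN plus SAN names), implements the usual single-leftmost-label wildcard match, and flags a mismatch as an exception candidate only when the certificate actually carries a wildcard name and the compared name is the default EC2 reverse DNS form. The `ip-X-X-X-X.ec2.internal` shape comes from the post; the regional `<region>.compute.internal` variant in the regex is an assumption.

```python
import re
from dataclasses import dataclass

# Default AWS-generated reverse DNS for a private address. The ec2.internal form is from
# the post; the <region>.compute.internal alternative is an assumption added here.
EC2_RDNS = re.compile(r"^ip-\d{1,3}(-\d{1,3}){3}\.(ec2|[a-z0-9-]+\.compute)\.internal$")


@dataclass
class Finding:
    """Hypothetical export format: one SCN-mismatch finding per scanned host."""
    host: str                   # scanned IP (internal range)
    rdns: str                   # name the scanner compared against the certificate
    cert_names: tuple[str, ...]  # subject CN plus SAN dNSName entries from the server


def name_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate name against a hostname.

    A '*' is only honoured as the entire leftmost label (RFC 6125 style), so
    *.domain.com covers web01.domain.com but not app.api.domain.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # same label count, at least two labels after the wildcard, and identical tail
    return (
        len(p_labels) == len(h_labels)
        and len(p_labels) >= 3
        and p_labels[1:] == h_labels[1:]
    )


def classify(f: Finding) -> str:
    """Return 'match', 'wildcard-vs-ec2-rdns' (exception candidate) or 'mismatch'."""
    if any(name_matches(n, f.rdns) for n in f.cert_names):
        return "match"
    has_wildcard = any(n.startswith("*.") for n in f.cert_names)
    if has_wildcard and EC2_RDNS.match(f.rdns):
        # Wildcard cert checked against an AWS-generated reverse name: the
        # specific case the post wants to except, and nothing broader.
        return "wildcard-vs-ec2-rdns"
    return "mismatch"


def triage(findings: list[Finding]) -> dict[str, str]:
    """Map each scanned host to its classification."""
    return {f.host: classify(f) for f in findings}


# Constructed sample findings (not real scan output).
SAMPLE = [
    Finding("10.0.1.5", "ip-10-0-1-5.ec2.internal", ("*.domain.com",)),
    Finding("10.0.1.6", "ip-10-0-1-6.ec2.internal", ("old.domain.com",)),
    Finding("10.0.1.7", "web01.domain.com", ("*.domain.com",)),
    Finding("10.0.1.8", "ip-10-0-1-8.ec2.internal", ("*.domain.com", "ip-10-0-1-8.ec2.internal")),
    Finding("10.0.1.9", "app.api.domain.com", ("*.domain.com",)),
    Finding("172.31.0.1", "ip-172-31-0-1.eu-west-1.compute.internal", ("*.domain.com",)),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{host:<12} {verdict}")
```

Only the `wildcard-vs-ec2-rdns` hosts would be fed into whatever exception or recast mechanism you use; a non-wildcard certificate on an EC2 reverse name (10.0.1.6) and a wildcard that genuinely does not cover the name (10.0.1.9) stay as real findings.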