Update CLI Command Reference.md

docs/2.Basics/CLI Command Reference.md

@@ -54,7 +54,8 @@ nav_order: 2
 | `--baseline BASELINE`                                                                                                                                                                                                                                                                                                                                                      | Use a .checkov.baseline file to compare current results with a known baseline. Report will include only failed checks that are new with respect to the provided baseline                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
 | `--output-baseline-as-skipped`                                                                                                                                                                                                                                                                                                                                             | Output checks that are skipped due to baseline file presence                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
 | `--skip-cve-package SKIP_CVE_PACKAGE`                                                                                                                                                                                                                                                                                                                                      | Filter scan to run on all packages but a specific package identifier (deny list), You can specify this argument multiple times to skip multiple packages                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| `--policy-metadata-filter POLICY_METADATA_FILTER`                                                                                                                                                                                                                                                                                                                          | Comma separated key:value string to filter policies based on Prisma Cloud policy metadata. See https://prisma.pan.dev/api/cloud/cspm/policy#operation/get-policy-filters-and-options for information on allowed filters. Format: policy.label=test,cloud.type=aws                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
+| `--policy-metadata-filter POLICY_METADATA_FILTER`                                                                                                                                                                                                                                                                                                                          | Comma separated key:value string to filter policies based on Prisma Cloud policy metadata. See https://prisma.pan.dev/api/cloud/cspm/policy#operation/get-policy-filters-and-options for information on allowed filters. Format: policy.label=test,cloud.type=aws. [env var: CKV_POLICY_METADATA_FILTER]                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
+| `--policy-metadata-filter-exception POLICY_METADATA_FILTER_EXCEPTION`                                                                                                                                                                                                                                                                                                                          | Comma separated key:value string to exclude filtered policies based on Prisma Cloud policy metadata. When used with --policy-metadata-filter, the exceptions override any policies selected as a result of the --policy-metadata-filter flag. [env var: CKV_POLICY_METADATA_FILTER_EXCEPTION]                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
 | `--summary-position` {`top`, `bottom`}                                                                                                                                                                                                                                                                                                                                     | Choose whether the summary will be appended on top (before the checks results) or on bottom (after check results), default is on top.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
 | `--no-fail-on-crash                            `                                                                                                                                                                                                                                                                                                                           | Return exit code 0 instead of 2 which indicates a failure in the integration with the platform                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
 | `--enable-secret-scan-all-files CKV_SECRETS_SCAN_ENABLE_ALL`                                                                                                                                                                                                                                                                                                               | Enable secret scan to scan all type of file                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |