Accept vulnerabilities

Accept vulnerabilities permanently

In the second table of the Policies section, you will find a list of the types of vulnerabilities that your team has suggested for permanent acceptance. In front of each vulnerability type name, you will see whether that acceptance was approved, rejected or is pending. All those vulnerability types listed there as accepted will be ignored by Fluid Attacks' DevSecOps agent in its task of breaking the build. Therefore, you assume the risk that comes with their being allowed into production.

List Types Vulnerabilities

Submit a vulnerability type to accept

Role required: User, Vulnerability Manager or User Manager

To add a vulnerability type, you have to type its name in the bar, and if you want, you can add tags. After that, you can click on the plus symbol.

Adding a Types Vulnerabilities

After this the vulnerability type will appear in the table and its Status will be Submitted. Remember that any team member can make the approval request. On the other hand, you can approve or reject only if you are a User Manager.

Approve and reject acceptance requests

Role required: User Manager

You can accept a type of vulnerability by clicking the check mark button, which will change its status from Submitted to Approved. Conversely, by clicking the cross-mark button, the status will change to Rejected.

Actions approve or reject

Disable and resubmit acceptance policy

Role required: User Manager

You can also disable the acceptance policy for a type of vulnerability by clicking the prohibition sign.

Disable Acceptance For A Vulnerability

A pop-up window will appear asking for confirmation. By clicking on Confirm, this vulnerability’s status will automatically change to Inactive.

Disable Acceptance For A Vulnerability

There’s another button that has a right arrow symbol. This button is available when the status of the type of vulnerability is inactive.

Re-submit action

Clicking it will change the status to Submitted, and you can further decide whether or not the vulnerability will be accepted.

Button In Inactive Vulnerability

Add tags to classify vulnerabilities for acceptance

Role required: User, Vulnerability Manager or User Manager

You can add one or more tags under which you would like to classify the type of vulnerability. After clicking the add button, the tag(s) you chose will be applied automatically to all the vulnerabilities of that type.

Accept vulnerabilities temporarily

Role requirements for submitting, approving, rejecting, disabling and resubmitting types are the same as for permanent acceptance of vulnerabilities. See details above.

In this section, you can add all vulnerability types reported in an organization or individually select those that you want to apply the Temporarily Accepted treatment, having an approval process before applying such treatment. When specific rules are not defined in this policy (default behavior), requests for temporary approvals are automatically approved without requiring additional validations.

Below, we will explain how to apply this approval system.

As mentioned above, you can apply to all vulnerabilities reported in the organization by clicking on the Vulnerability type field in the All Vulnerability Types option.

All vulnerabilities

Note: Setting this option will apply the approval request to all reported types.

If you prefer to apply this setting individually, select the type for which you would like to request temporary treatment approval.

Individually type

Remember that you can add tags.

Now, when you have selected the type, you can click on the plus symbol. The request for approval of this type will be sent, and it will be in a Submitted status. Only a person with the User Manager role can approve or reject the request.

Submitted status

Once approved, the Status value will change to Approved. After that, when applying the Temporarily Accepted treatment, approval will be required prior to application.