Issue exemption workflow

Issue Exemption workflows in STO enable developers to request exemptions for specific security vulnerabilities when shipping software. If a security scanner in the pipeline detects a vulnerability and an OPA policy enforces blocking such vulnerabilities, the pipeline fails. In such cases, developers can submit exemption requests to the product security team for review. If approved, the pipeline can proceed despite the detected vulnerabilities. These workflows provide a controlled mechanism for managing security exceptions while ensuring visibility and oversight.

note

Security Testing Developers and Security Testing SecOps users can request exemptions, but only Security Testing SecOps users can approve them.

Users with roles Security Testing Developer and Security Testing SecOps can raise exemptions. An exemption request can be raised for a specific issue. Once submitted, the request can be processed by either approving, rejecting, or canceling it. Refer to Request Issue Exemption for details on raising an exemption request, and Manage Issue Exemption for handling exemption requests.

When exemptions are useful

Here are some reasons why your organization might want to exempt an issue:

  • Your organization is aware of this issue and is actively working on a fix. In the meantime, you want to exempt it from blocking the pipeline.
  • The issue is in compliance with your organization's acceptable use policies.
  • The security risk is low and remediation would require too much effort or expense.
  • The scanner detects an issue but it is, in fact, a false positive.
  • You need to exempt an issue so you can deploy a hotfix. In this case, you can request a temporary exemption that expires within your organization's SLA for fixing security issues.
  • There are currently no known fixes or remediation steps available for the detected vulnerability. You might want to enable Harness AI Development Assistant (AIDA™) to help you remediate your issues using AI.

What happens when an STO exemption gets approved

To see the list of pending exemptions, select Exemptions in the left menu. Each exemption corresponds to one vulnerability. If a scan detects a vulnerability with an active exemption, the pipeline proceeds even if the vulnerability matches the failure criteria for the step. Refer to Manage Issue Exemption to learn more about handling exemption requests.
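The decision described above, a finding that matches the step's failure criteria blocks the pipeline unless it carries an active exemption, is modelled below as an added Python example. It is not Harness code: the Finding and Exemption fields, the status names (pending, approved, rejected, cancelled), the expiry handling and the severity ranking are assumptions made for illustration, and the scan data is constructed. It also covers the two cases a reviewer should care about: an exemption that has expired (the temporary hotfix case) and one that is still pending, neither of which lets the finding through.

```python
"""Model of STO failure-criteria evaluation with issue exemptions.

Added illustration, not Harness code: the Finding/Exemption fields, the
status names and the severity ranking are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumed ordering so a finding can be compared against a step's failure threshold.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    issue_id: str   # scanner identifier for the issue (constructed values below)
    severity: str


@dataclass(frozen=True)
class Exemption:
    issue_id: str
    status: str                            # assumed: pending | approved | rejected | cancelled
    expires_at: Optional[datetime] = None  # None means the exemption does not expire


def is_active(ex: Exemption, now: datetime) -> bool:
    """Only an approved, unexpired exemption may let a failing finding through."""
    if ex.status != "approved":
        return False
    return ex.expires_at is None or ex.expires_at > now


def evaluate_step(findings, exemptions, fail_on_severity, now):
    """Apply the step's failure criteria, honouring active exemptions.

    Returns (should_fail, blocking_ids, exempted_ids). A finding at or above
    fail_on_severity fails the step unless it has an active exemption.
    """
    threshold = SEVERITY_RANK[fail_on_severity]
    active = {e.issue_id for e in exemptions if is_active(e, now)}
    blocking, exempted = [], []
    for f in findings:
        if SEVERITY_RANK[f.severity] < threshold:
            continue  # below the threshold: never blocks, so no exemption is needed
        (exempted if f.issue_id in active else blocking).append(f.issue_id)
    return (len(blocking) > 0, blocking, exempted)


# Constructed sample data (not real scan output).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    Finding("issue-1", "critical"),
    Finding("issue-2", "high"),
    Finding("issue-3", "low"),
    Finding("issue-4", "high"),
]
SAMPLE_EXEMPTIONS = [
    Exemption("issue-1", "approved", datetime(2025, 3, 1, tzinfo=timezone.utc)),   # active
    Exemption("issue-2", "approved", datetime(2024, 12, 1, tzinfo=timezone.utc)),  # expired
    Exemption("issue-4", "pending"),                                               # not yet approved
]


def run_sample():
    """Evaluate the constructed scan with a 'fail on high or above' step setting."""
    return evaluate_step(SAMPLE_FINDINGS, SAMPLE_EXEMPTIONS, "high", NOW)


if __name__ == "__main__":
    should_fail, blocking, exempted = run_sample()
    print("fail step:", should_fail, "blocking:", blocking, "exempted:", exempted)
```

With the sample data the step still fails: issue-1 is exempted, but issue-2's exemption expired before the scan ran and issue-4's request has not been approved, so both remain blocking. Renewing or approving those exemptions, or raising the step's threshold to critical, is what changes the outcome, which is why expiry dates on temporary exemptions should be tracked against the organization's remediation SLA.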