Manage issue exemption requests
When an issue exemption request is submitted, it goes through a defined lifecycle. The actions available on a request are approve, reject, and cancel. Users with the Security Testing SecOps role can approve or otherwise manage issue exemption requests.
The exemption lifecycle consists of the following stages:
- Pending: The request is newly created and awaits review. At this stage, a reviewer can approve, reject, or cancel the request.
- Approved: The request has been reviewed and accepted. The issue is exempt from further action, temporarily or permanently, according to the exemption details.
- Rejected: The request has been reviewed and denied. The issue remains active, and the pipeline continues to enforce OPA policies as if no exemption had been requested.
- Expired: The exemption period has elapsed, or the exemption has been invalidated. Once expired, the issue returns to its original active state unless a new exemption is requested.

Approve, reject, or cancel an STO exemption

To respond to an exemption request, open the issue exemption request from the Security Tests tab of the pipeline execution that raised it. If the requester has not shared a direct link to the issue, you can ask them for one, or follow the steps below to locate the exemption and respond to it.
This workflow requires Security Testing SecOps user permissions.
- Select Exemptions from the left navigation, then select Pending to view the pending exemption requests.
- Review the exemption request. The Exemption Details pane includes a high-level summary of the issue, links to relevant documentation, and a list of all locations in the scanned object where the issue was detected.
  Note: The Exemption Details pane is comprehensive, but it might not include all the information you need. You might want to research the issue further before you approve the request.
- Consider the Requested Duration of the exemption request. When you approve a request, the exemption remains active only for the specified time window, counted from the approval time (for example, 7 days from approval).
- It is good practice to define a baseline for every target. If the target does not have a baseline defined, you won't see any exemption details. Instead, you will see a link to define the target baseline.
- Select one of the following:
  - Approve: The request is approved. The issue will not block future pipeline executions for the requested duration (see Time Remaining in the Approved table).
  - Reject: The request moves to the Rejected table, where a Security Testing SecOps user can approve it later if appropriate.
  - Cancel: The request is cancelled and removed from the exemption list. If a user still wants an exemption for the issue, they must file a new request.
You can control whether users can approve or reject their own exemption requests by enabling or disabling the Users can approve their own exemptions option. Find this setting under Exemption settings on the Default settings page; it is available at the project, organization, and account levels.
Note: This setting is behind the feature flag STO_EXEMPTION_SETTING. Contact Harness Support to enable it.
Good practice: Review and update STO exemptions periodically
These workflows require Security Testing SecOps user permissions.
It is good practice for a Security Testing SecOps user in your organization to review all exemptions periodically and update the status of individual exemptions as needed.
To review all exemptions, select Security Testing Orchestration > Exemptions in the left menu. This page shows the high-level information for all pending, approved, rejected, and expired exemptions.
You can view the Time Remaining for approved exemptions and Requested Duration for pending, rejected, and expired exemptions.
SecOps users can do the following on this page:
- Reject pending and approved exemptions
- Approve pending and rejected exemptions
- Re-open expired exemptions
- Cancel (delete) pending, approved, rejected, or expired exemptions
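The lifecycle stages at the top of this page, the approval-time expiry window, the self-approval setting, and the SecOps review actions listed above together define a small state machine. The following Python model is an added example written for this page; it is not Harness code and does not call the Harness API. It assumes that actors carry a set of role names with "secops" standing for the Security Testing SecOps role, that re-opening an expired exemption returns it to Pending (the page does not say which state re-open lands in), and that cancelling deletes the record. The issue ID and timestamps in `demo()` are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional


class Status(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"
    EXPIRED = "expired"


# (action, current status) -> next status. Taken from the lifecycle and the
# "Review and update STO exemptions periodically" list; re-open -> Pending is
# an assumption. Cancel is handled separately because it removes the record.
TRANSITIONS = {
    ("approve", Status.PENDING): Status.APPROVED,
    ("approve", Status.REJECTED): Status.APPROVED,
    ("reject", Status.PENDING): Status.REJECTED,
    ("reject", Status.APPROVED): Status.REJECTED,
    ("reopen", Status.EXPIRED): Status.PENDING,
}


class TransitionError(Exception):
    pass


@dataclass
class Actor:
    name: str
    roles: frozenset  # assumed role model; "secops" = Security Testing SecOps


@dataclass
class Exemption:
    issue_id: str
    requester: str
    requested_duration: timedelta
    status: Status = Status.PENDING
    approved_at: Optional[datetime] = None

    def expires_at(self) -> Optional[datetime]:
        # The window starts at approval time, not at request time.
        return None if self.approved_at is None else self.approved_at + self.requested_duration


def transition(ex: Exemption, action: str, actor: Actor, now: datetime,
               allow_self_approval: bool = False) -> Exemption:
    """Apply approve/reject/reopen, enforcing the role and self-approval rules."""
    if "secops" not in actor.roles:
        raise TransitionError(f"{actor.name} lacks the Security Testing SecOps role")
    if action == "approve" and actor.name == ex.requester and not allow_self_approval:
        raise TransitionError("requester may not approve their own exemption")
    if (action, ex.status) not in TRANSITIONS:
        raise TransitionError(f"cannot {action} an exemption in state {ex.status.value}")
    ex.status = TRANSITIONS[(action, ex.status)]
    # Approval starts the clock; every other transition clears it.
    ex.approved_at = now if ex.status is Status.APPROVED else None
    return ex


def cancel(exemptions: List[Exemption], ex: Exemption, actor: Actor) -> None:
    """Cancel (delete) an exemption in any state; a new request must be filed later."""
    if "secops" not in actor.roles:
        raise TransitionError(f"{actor.name} lacks the Security Testing SecOps role")
    exemptions.remove(ex)


def refresh(ex: Exemption, now: datetime) -> Exemption:
    """Move an approved exemption to Expired once its window has elapsed."""
    exp = ex.expires_at()
    if ex.status is Status.APPROVED and exp is not None and now >= exp:
        ex.status = Status.EXPIRED
    return ex


def time_remaining(ex: Exemption, now: datetime) -> Optional[timedelta]:
    """Time Remaining for an approved exemption; None for any other state."""
    refresh(ex, now)
    return ex.expires_at() - now if ex.status is Status.APPROVED else None


def issue_blocks_pipeline(issue_id: str, exemptions: List[Exemption], now: datetime) -> bool:
    """An issue stops blocking only while it holds a currently approved exemption."""
    return not any(ex.issue_id == issue_id and refresh(ex, now).status is Status.APPROVED
                   for ex in exemptions)


def demo() -> tuple:
    """Constructed walk-through of one exemption over its lifecycle."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)          # constructed
    dev = Actor("dev", frozenset({"developer", "secops"}))    # SecOps, but the requester
    secops = Actor("sec", frozenset({"secops"}))
    ex = Exemption("issue-123", requester="dev", requested_duration=timedelta(days=7))
    pending_blocks = issue_blocks_pipeline("issue-123", [ex], t0)
    try:
        transition(ex, "approve", dev, t0)  # self-approval setting disabled
        self_approval = "allowed"
    except TransitionError:
        self_approval = "denied"
    transition(ex, "approve", secops, t0)
    day6_blocks = issue_blocks_pipeline("issue-123", [ex], t0 + timedelta(days=6))
    day8_blocks = issue_blocks_pipeline("issue-123", [ex], t0 + timedelta(days=8))
    after_expiry = ex.status.value
    reopened = transition(ex, "reopen", secops, t0 + timedelta(days=8)).status.value
    return pending_blocks, self_approval, day6_blocks, day8_blocks, after_expiry, reopened


if __name__ == "__main__":
    print(demo())
```

The point a practitioner wants from the model is `issue_blocks_pipeline`: a pending or rejected request never suppresses an issue, and an approved one suppresses it only until `approved_at + requested_duration`, after which the issue blocks again until someone re-opens or re-requests. Everything else is the bookkeeping that keeps that check honest.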