
Manual Severity Override


Harness STO automatically assigns a severity level to each issue based on a standardized scoring system such as CVSS. However, these severity levels do not always reflect your organization’s specific risk posture, business impact, or runtime environment.

Manual Severity Override enables you to adjust the severity of a security issue when the severity assigned by Harness STO does not align with your internal risk assessment. This allows you to prioritize vulnerabilities based on real-world context, such as asset criticality, exploit exposure, compensating controls, or production impact.

Severity overrides function as a contextual overlay on top of the original scan results. They do not modify the underlying scan data or CVSS scores; instead, they provide an organization-specific risk perspective while preserving scan integrity and traceability.

Severity overrides apply at the project scope and are reflected on the All Issues page and on the Vulnerabilities and Exemptions pages of scan results.

note

This feature is behind the feature flag STO_ISSUE_OVERRIDE. Contact Harness Support to enable the feature.

Override Severity from the Issues Page

You can manually override the severity only from the Issues page.

  1. Go to the Issues page from the left navigation and select the issue whose severity you want to override. Click Create Override.
  2. Select the new severity from the dropdown, add a comment explaining the reason for the severity change, and click Continue. Once applied, the updated severity is reflected immediately on the Issues and Exemptions pages. On the Vulnerabilities page, the overridden severity becomes visible after the next scan.
note
  • Manually overriding the severity changes how the issue is prioritized and reported across the project. The updated severity applies to all impacted targets and all associated occurrences of this issue.

  • The new severity will be applied from the next scan.

View Overridden Severity on Vulnerabilities Page

  • On the Vulnerabilities page, you can view the overridden severity, which is applied from the next scan. You can also add the Severity Overridden filter to view only the issues with an overridden severity.

Audit Trails

From the Audit Trails page, you can view who manually overrode a severity, when the override was made, which security issue was affected, and which severity it was changed to.