Workflow
Triaging Violations
When new violations appear, triage them quickly.
Triage Checklist
- Assess severity: Critical/High/Medium/Low?
- Check EPSS: Is it actively being exploited?
- Identify ownership: Who should fix this?
- Determine priority: When should this be fixed?
- Validate: Real vulnerability or false positive?
Triage Actions
- Assign
- Suppress
- Escalate
Assign to a team member who:
- Owns the affected code
- Has expertise in the vulnerability type
- Is working on related changes
Assigning Violations
How to Assign
Best Practices
- Assign based on code ownership
- Limit violations per person
- Use due dates for urgency
- Notify assignee via comment or Slack
- Balance security work with features
Fixing Violations
Fix Workflow
Example: Fixing SQL Injection
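The vulnerable/fixed pair below is an added example, not code from the page or its product: it uses Python's sqlite3 module against a constructed in-memory users table, and includes the check a reviewer would run before moving the violation to FIXED (the table, names and probe string are all assumed for the demonstration).

```python
import sqlite3

# Constructed sample data for the demonstration; not taken from any real system.
USERS = [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")]
# Constructed probe string used only to verify that the fix closes the hole.
PROBE = "x' OR '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def find_user_vulnerable(conn, username):
    # Vulnerable: untrusted input is concatenated into the SQL text, so the
    # input can change the query's structure instead of just its value.
    query = "SELECT id, username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_fixed(conn, username):
    # Fixed: a parameterised query keeps the SQL text constant; the driver
    # binds the value separately, so it can only ever be compared as a username.
    query = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def fix_verified(conn):
    # Check to run before marking the violation FIXED: the hardened query still
    # returns the same result for a real username and matches nothing for the probe.
    same_for_real_user = find_user_fixed(conn, "alice") == find_user_vulnerable(conn, "alice")
    probe_matches_nothing = find_user_fixed(conn, PROBE) == []
    return same_for_real_user and probe_matches_nothing


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, real user:", find_user_vulnerable(conn, "alice"))
    print("vulnerable, probe    :", find_user_vulnerable(conn, PROBE))  # every row leaks
    print("fixed, real user     :", find_user_fixed(conn, "alice"))
    print("fixed, probe         :", find_user_fixed(conn, PROBE))       # []
    print("fix verified:", fix_verified(conn))
```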
Vulnerable:
Suppressing Violations
Change a violation's status when it is not a real security issue or when the risk is accepted.
FALSE_POSITIVE Status
Use for violations that aren’t real security issues:
- Genuine false positives
- Test/mock code
- The framework already provides protection
- Not exploitable in context
ACCEPTED_RISK Status
Use when the vulnerability is real but the risk is accepted:
- Business decision to accept the risk
- Mitigated by compensating controls
- Fix would break critical functionality
- Temporary acceptance with fix deadline
Bulk Actions
Manage multiple violations at once:
- Bulk assign: Assign multiple violations to a team member
- Bulk suppress: Mark multiple false positives
- Bulk link: Link to Jira/GitHub issues
- Bulk export: Export violations for reporting
Violation Statuses
- OPEN: Active violation requiring action
- FIXED: Vulnerability has been fixed
- FALSE_POSITIVE: Not a real security issue
- ACCEPTED_RISK: Real vulnerability, risk accepted
Best Practices
- Triage violations within 24 hours
- Assign critical violations immediately
- Set realistic due dates
- Track violation metrics
- Review suppressions quarterly
- Don’t suppress to game metrics
