Managing Violations

​

Workflow

​

Triaging Violations

​

Triage Checklist

• Assess severity: Critical/High/Medium/Low?
• Check EPSS: Is it actively being exploited?
• Identify ownership: Who should fix this?
• Determine priority: When should this be fixed?
• Validate: Real vulnerability or false positive?

​

Triage Actions

​

Assigning Violations

​

How to Assign

​

Best Practices

• Assign based on code ownership
• Limit violations per person
• Use due dates for urgency
• Notify assignee via comment or Slack
• Balance security work with features

​

Fixing Violations

​

Fix Workflow

​

Example: Fixing SQL Injection

def get_user(user_id):
    query = f"SELECT * FROM users WHERE id = {user_id}"
    return db.execute(query)

def get_user(user_id):
    query = "SELECT * FROM users WHERE id = ?"
    return db.execute(query, (user_id,))

​

Suppressing Violations

​

FALSE_POSITIVE Status

• Genuine false positives
• Test/mock code
• Framework provides protection
• Not exploitable in context

​

ACCEPTED_RISK Status

• Business decision to accept risk
• Mitigated by compensating controls
• Fix would break critical functionality
• Temporary acceptance with fix deadline

​

Bulk Actions

• Bulk assign: Assign multiple violations to team member
• Bulk suppress: Mark multiple false positives
• Bulk link: Link to Jira/GitHub issues
• Bulk export: Export violations for reporting

​

Violation Statuses

• OPEN: Active violation requiring action
• FIXED: Vulnerability has been fixed
• FALSE_POSITIVE: Not a real security issue
• ACCEPTED_RISK: Real vulnerability, risk accepted

​

Best Practices

• Triage violations within 24 hours
• Assign critical violations immediately
• Set realistic due dates
• Track violation metrics
• Review suppressions quarterly
• Don’t suppress to game metrics

​

Next Steps