Security policy actions
You cannot stack multiple actions in the same rule. To apply more than one action to the same set of conditions, create a second rule block with the same conditions and give it a different action.
The following actions can currently be applied:
| Action | Definition |
|---|---|
| Change severity to… | Changes the severity of every issue that matches the conditions. The new severity can be Low, Medium, High or Critical. Issues with a changed severity: |
| Ignore current and future instances | Ignores all vulnerabilities that match the conditions. For example, ignore all issues that match a specific CVE, or ignore all issues that have no known exploits in projects whose "business criticality" attribute is "low". Once an ignore policy is applied, the ignore is re-applied every time the relevant Project is re-scanned, and the affected issues are marked as "ignored by Security Policy". When configuring the action, you can choose "won't fix" or "not vulnerable" as the ignore type and add a reason, which is shown alongside the ignore on the issue card. Policy-based ignores behave exactly like issues that are ignored manually: automatic PRs are not raised for them, and they are not included in the issue count in reporting. |
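The following is an added example, not code from the page or from the product it documents: a small Python model of how policy rules of this kind evaluate. It assumes a simplified issue record (CVE id, severity, whether a known exploit exists, the project's "business criticality" attribute) and encodes the two constraints the page states: each rule has one condition set and exactly one action, and an ignore marks the issue as "ignored by Security Policy" so it drops out of the open-issue count. The sample issues and the CVE identifiers in them are constructed placeholders.

```python
"""Toy model of security-policy rule evaluation (added illustration, not the product's code)."""
from dataclasses import dataclass, field
from typing import Callable, Optional

SEVERITIES = ("Low", "Medium", "High", "Critical")
IGNORE_TYPES = ("won't fix", "not vulnerable")


@dataclass
class Issue:
    id: str
    cve: Optional[str]
    severity: str
    known_exploit: bool
    project_criticality: str        # value of the project's "business criticality" attribute
    ignored: bool = False
    ignore_type: Optional[str] = None
    ignore_reason: Optional[str] = None
    ignored_by: Optional[str] = None


@dataclass
class Rule:
    name: str
    conditions: list                # callables Issue -> bool; every one must hold
    action: str                     # exactly one action per rule: "change_severity" or "ignore"
    params: dict = field(default_factory=dict)

    def __post_init__(self):
        # Validate the single action at construction time, so a mis-typed rule fails early.
        if self.action == "change_severity":
            if self.params.get("severity") not in SEVERITIES:
                raise ValueError(f"{self.name}: severity must be one of {SEVERITIES}")
        elif self.action == "ignore":
            if self.params.get("ignore_type", "won't fix") not in IGNORE_TYPES:
                raise ValueError(f"{self.name}: ignore type must be one of {IGNORE_TYPES}")
        else:
            raise ValueError(f"{self.name}: unknown action {self.action!r}")

    def matches(self, issue: Issue) -> bool:
        return all(cond(issue) for cond in self.conditions)

    def apply(self, issue: Issue) -> None:
        if self.action == "change_severity":
            issue.severity = self.params["severity"]
        else:
            issue.ignored = True
            issue.ignore_type = self.params.get("ignore_type", "won't fix")
            issue.ignore_reason = self.params.get("reason")
            issue.ignored_by = "Security Policy"   # how the issue is labelled after a policy ignore


def apply_policy(rules: list, issues: list) -> list:
    """Run every rule over every issue; in the product this happens on each re-scan."""
    for issue in issues:
        for rule in rules:
            if rule.matches(issue):
                rule.apply(issue)
    return issues


def open_issues(issues: list) -> list:
    """Issues that still count in reporting and are eligible for automatic PRs."""
    return [i for i in issues if not i.ignored]


def build_rules() -> list:
    # Placeholder CVE id, constructed for the example.
    return [
        Rule("ignore-specific-cve",
             [lambda i: i.cve == "CVE-0000-00000"],
             "ignore", {"ignore_type": "not vulnerable", "reason": "Vulnerable code path not reachable"}),
        Rule("ignore-no-exploit-low-criticality",
             [lambda i: not i.known_exploit, lambda i: i.project_criticality == "low"],
             "ignore", {"ignore_type": "won't fix", "reason": "No known exploit, low-criticality project"}),
        # A second action for the same conditions would need a second Rule with the same condition list.
        Rule("raise-exploited-in-critical-projects",
             [lambda i: i.known_exploit, lambda i: i.project_criticality == "high"],
             "change_severity", {"severity": "Critical"}),
    ]


def run_sample() -> dict:
    """Evaluate the rules over constructed sample issues and return results keyed by issue id."""
    issues = [
        Issue("ISS-1", "CVE-0000-00000", "High", False, "high"),
        Issue("ISS-2", "CVE-0000-00001", "Medium", False, "low"),
        Issue("ISS-3", "CVE-0000-00002", "Medium", True, "high"),
        Issue("ISS-4", None, "Low", True, "low"),
    ]
    apply_policy(build_rules(), issues)
    return {i.id: i for i in issues}


if __name__ == "__main__":
    for issue in run_sample().values():
        print(issue)
    print("open:", [i.id for i in open_issues(list(run_sample().values()))])
```

Running the block prints each issue after evaluation: ISS-1 and ISS-2 are ignored (with their ignore type, reason and the "Security Policy" label), ISS-3 is raised to Critical, and only ISS-3 and ISS-4 remain in the open-issue list.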