Kaspersky Container Security

Risk acceptance

You can accept risks found by the solution, subject to the following restrictions:

  • For vulnerabilities, configuration errors, and sensitive data, you can accept risks of any severity level.
  • For malware, you can accept risks only with the Medium, Low, and Negligible severity levels.

    You cannot accept malware risks with the High and Critical severity levels.

You can accept risk in the following sections:

  • In the Image scan results window, you can accept risks for all threat types (vulnerabilities, malware, misconfigurations, and sensitive data) detected by scanning a specific image.
  • In the Investigation → Vulnerabilities section, you can accept risks for any vulnerability detected by the solution. Risks are accepted in relation to all artifacts detected during scanning, including CI/CD objects.

To accept risks, risk management rights are required.

To accept a risk based on image scan results:

  1. In the image scan results window, open the tab with information about the required threat type.
  2. In the table, select a threat and click the Accept button in the Risk acceptance column.
  3. In the window that opens, specify the risk acceptance parameters:
    • Select the extent of risk acceptance:
      • For the selected image with the detected risk;
      • For all images in the repository containing the image with the detected security threat;
      • For all images in which this security threat has been or will be detected.
    • Specify the period after which this security threat must be considered again when determining the image security status.
    • Specify the reason for risk acceptance.
  4. Click the Accept button.

Depending on the selected scope, the accepted threat no longer affects the security status of this specific image, of the images in the repository, or of all images, for the specified number of days (or for an unlimited term).

An accepted risk can be viewed in the Policies → Risk acceptance section.

To accept the risk of a detected vulnerability:

  1. Click the vulnerability record ID in one of the following sections:
  2. In the sidebar that opens, go to the Risk acceptance tab.

    The Risk acceptance tab is available if you have rights to view accepted risks.

  3. Click the Add risk acceptance button.
  4. In the window that opens, specify the risk acceptance parameters:
    • Select the extent of risk acceptance:
      • for the selected artifact (image or CI/CD object)
      • for the repository containing the object with the detected vulnerability
      • for artifacts in which this vulnerability is currently detected
      • for all artifacts, including artifacts that the solution may find during subsequent scans.

      The risk is accepted regardless of the selected scope.

    • Specify a period from 1 to 999 days after which the risk acceptance for this vulnerability will be revoked. By default, the period is 30 days.
    • Specify the reason for risk acceptance.
  5. Click the Add button.

The accepted risk for the vulnerability is displayed on the Risk acceptance tab. It can also be viewed in the Policies → Accepted risks section.