Arnica Documentation
  • Introduction
  • Getting Started
    • ๐Ÿ”‘Sign Up
    • โ–ถ๏ธSCM Integrations
      • Azure DevOps
      • Bitbucket Cloud
      • Bitbucket Server & Datacenter
      • Github
        • GitHub Audit Logs
        • Github App Permissions
      • Gitlab
    • ๐Ÿ“คChatOps
      • Microsoft Teams
      • Slack
        • Adding Arnica to a New Channel
        • Interacting With the Arnica Slackbot
    • ๐ŸŽซTicket Management
      • ๐Ÿ›Jira Integration
      • ๐Ÿ“‹ADO Boards Integration
    • ๐Ÿง Artificial Intelligence
      • Azure OpenAI
      • OpenAI ChatGPT
    • ๐ŸจOn Premise Integrations
  • Inventory
    • ๐Ÿ’ผIdentities, Repositories & Organizations
    • ๐Ÿ“‡Software Bill of Materials (SBOM)
    • ๐Ÿฆ„Prioritization & Product Ownership
  • Hardcoded Secrets
    • ๐Ÿ•ต๏ธSecret Detection
    • โชRealtime Secret Mitigation
    • ๐Ÿฅ•Secrets Policy Settings
  • Code Risks
    • ๐ŸŽผStatic Application Security Testing (SAST)
      • Custom SAST Rules
    • ๐ŸงฉSoftware Composition Analysis (SCA)
    • ๐Ÿ”ก3rd Party Package Licenses
      • Override License Classifications
    • ๐Ÿคน3rd Party Package Reputation
      • Identifying Low Rep Packages
      • How to Find Alternative Packages
    • โ›…Infrastructure as Code Security
    • ๐Ÿค–Code Risk Policy Settings
      • Developer Feedback On Push
      • Require Review Before Dismissal
      • 0 New High Severity Vulnerabilities
      • Enforce Remediation SLA
    • ๐Ÿช„Code Risk Magic Links
    • ๐Ÿ“ฆCode Risk Language and Framework Support
  • Platform Operations
    • ๐ŸšชJoining an Existing Org
    • โŒDeleting a Tenant
    • ๐Ÿซ‚How do I invite members to my tenant?
      • New User Invitations
    • ๐Ÿ‘ฅUsers & Roles
    • ๐Ÿ”‡Deleting Integrations
    • โŒ›Scheduled Jobs
      • How often do Jobs run?
    • ๐Ÿ’ธBilling
  • Security
    • ๐ŸŽฎRole Based Access Control (RBAC)
    • ๐Ÿ›ก๏ธData Handling
    • ๐Ÿ›๏ธSSO Integration
      • Okta Integration
      • Entra ID Integration
Powered by GitBook
On this page
  • Summary
  • Configuring Dismissal Requirements

Was this helpful?

  1. Code Risks
  2. Code Risk Policy Settings

Require Review Before Dismissal

PreviousDeveloper Feedback On PushNext0 New High Severity Vulnerabilities

Last updated 8 months ago

Was this helpful?

Summary

Arnica's dismissal workflow provides developers with a seamless way to provide feedback when a risk alert cannot or should not be acted on. When an alert is sent to ChatOps, the notification will include two response options - "I'm on it" and "Dismiss". When a finding is dismissed by a developer, it is treated as closed. Any risk dismissed within a feature branch will be detected, but result in no additional alerts in pull request scanning. Once dismissed, risks will not appear in PR comments and will not impact status check outcomes. Arnica's "Dismissals Require Review" policy ensures that all risks go through a review process before they are considered dismissed.

Configuring Dismissal Requirements

Dismissals are mapped on the policy rule level, allowing dismissal requirements to be configured for any level of granularity. To require reviews for specific findings configure the following:

  1. Create a policy with the trigger set to "Code risk detected on push".

  2. Configure the conditions of the policy to match only the risks that you would like to require a review. This can include restrictions on specific finding types, specific severity levels, or any other condition available within Arnica. Ex: Critical findings only + all SCA risks can be resolved with version updates to the direct dependency.

  3. After setting conditions, add an action to the policy which includes an instant message through chat ops.

The configuration for requiring dismissals is visible as a checkbox directly within the Instant Message section of the policy.

Dismissals are available only within the Instant Message workflow. A chat-ops integration must be completed prior to configuring this rule.

๐Ÿค–