Arnica Documentation
Require Review Before Dismissal


Last updated 10 months ago


Summary

Arnica's dismissal workflow gives developers a direct way to provide feedback when a risk alert cannot or should not be acted on. When an alert is sent to ChatOps, the notification includes two response options: "I'm on it" and "Dismiss". A finding dismissed by a developer is treated as closed. A risk dismissed on a feature branch is still detected, but produces no additional alerts during pull request scanning: once dismissed, it no longer appears in PR comments and no longer affects status check outcomes. Because a dismissal therefore silences the finding for the rest of the workflow, Arnica's "Dismissals Require Review" policy ensures that every matching risk goes through a review process before it is considered dismissed.

Configuring Dismissal Requirements

Dismissal requirements are attached at the policy rule level, so they can be configured at any granularity. To require reviews for specific findings, configure the following:

  1. Create a policy with the trigger set to "Code risk detected on push".

  2. Configure the conditions of the policy so that they match only the risks for which you want to require a review. Conditions can restrict by finding type, severity level, or any other condition available within Arnica. For example: critical findings only, plus all SCA risks that can be resolved with a version update to the direct dependency.

  3. After setting the conditions, add an action to the policy that sends an instant message through ChatOps.

The configuration for requiring dismissals is visible as a checkbox directly within the Instant Message section of the policy.

Dismissals are available only within the Instant Message workflow, so a ChatOps integration must be completed before this rule can be configured.
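The policy semantics described above, as an added illustrative model (this is not Arnica's code or API): a finding moves through the two ChatOps responses, and a policy whose Instant Message action requires review keeps a dismissed finding visible to PR scanning until a reviewer approves it. The `Finding` and `Policy` classes, the state names, the finding categories and the two sample policies mirroring the page's example conditions are assumptions constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable


class State(Enum):
    OPEN = "open"
    ACKNOWLEDGED = "acknowledged"      # developer answered "I'm on it"
    PENDING_REVIEW = "pending_review"  # "Dismiss" clicked, reviewer has not decided yet
    DISMISSED = "dismissed"            # closed; hidden from PR comments and status checks


@dataclass
class Finding:
    # Constructed categories ("sast", "sca", "secret") and severity labels;
    # these are not Arnica's identifiers.
    finding_id: str
    kind: str
    severity: str
    fixable_by_direct_update: bool = False
    state: State = State.OPEN


@dataclass(frozen=True)
class Policy:
    """Hypothetical model of one "Code risk detected on push" policy whose
    Instant Message action has "Dismissals Require Review" ticked."""
    name: str
    condition: Callable[[Finding], bool]


# Constructed policies mirroring the page's example conditions:
# critical findings only, plus SCA risks fixable by updating the direct dependency.
POLICIES = (
    Policy("critical-only", lambda f: f.severity == "critical"),
    Policy("sca-direct-dep-fix", lambda f: f.kind == "sca" and f.fixable_by_direct_update),
)


def acknowledge(finding: Finding) -> Finding:
    """"I'm on it": the developer takes ownership; the finding stays open."""
    finding.state = State.ACKNOWLEDGED
    return finding


def dismiss(finding: Finding, policies: Iterable[Policy] = POLICIES) -> Finding:
    """"Dismiss": closes the finding immediately unless a review-requiring
    policy matches it, in which case it only enters the review queue."""
    if any(policy.condition(finding) for policy in policies):
        finding.state = State.PENDING_REVIEW
    else:
        finding.state = State.DISMISSED
    return finding


def review(finding: Finding, approved: bool) -> Finding:
    """Reviewer decision on a pending dismissal: approve closes it, reject reopens it."""
    if finding.state is not State.PENDING_REVIEW:
        raise ValueError(f"{finding.finding_id} is not awaiting review")
    finding.state = State.DISMISSED if approved else State.OPEN
    return finding


def pr_blocking(findings: Iterable[Finding]) -> list[str]:
    """IDs that still surface in PR comments and count against status checks:
    everything that has not reached DISMISSED."""
    return [f.finding_id for f in findings if f.state is not State.DISMISSED]


def demo() -> dict[str, str]:
    """Walk three constructed findings through the workflow and report final states."""
    sqli = Finding("F-1", "sast", "critical")
    outdated_dep = Finding("F-2", "sca", "low", fixable_by_direct_update=True)
    low_sast = Finding("F-3", "sast", "low")
    for finding in (sqli, outdated_dep, low_sast):
        dismiss(finding)
    # F-3 matches no review-requiring policy, so it is already closed.
    # The other two wait for a reviewer: one approved, one rejected.
    review(outdated_dep, approved=True)
    review(sqli, approved=False)
    return {f.finding_id: f.state.value for f in (sqli, outdated_dep, low_sast)}


if __name__ == "__main__":
    print(demo())
```

The check a defender cares about is `pr_blocking`: without the review requirement a developer's "Dismiss" removes a finding from every downstream gate, while with it the finding stays in `PENDING_REVIEW` and keeps blocking until someone else signs off.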
