Require Review Before Dismissal

Summary

Arnica's dismissal workflow provides developers with a seamless way to provide feedback when a risk alert cannot or should not be acted on. When an alert is sent to ChatOps, the notification will include two response options: "I'm on it" and "Dismiss". When a finding is dismissed by a developer, it is treated as closed. Any risk dismissed within a feature branch will be detected, but will result in no additional alerts in pull request scanning. Once dismissed, risks will not appear in pull request comments and will not impact status check outcomes. Arnica's "Dismissals Require Review" policy ensures that all risks go through a review process before they are considered dismissed.

Configuring Dismissal Requirements

Dismissals are mapped at the policy rule level, allowing dismissal requirements to be configured for any level of granularity. To require reviews for specific findings, configure the following:

  1. Create 2 policies with the triggers set to "Code risk detected on push" and "Code risk detected on pull request".

  2. Configure the conditions of each policy to match only the risks for which you would like to require a review. This can include restrictions on specific finding types, specific severity levels, or any other condition available within Arnica. Example: Critical findings only + all SCA risks that can be resolved with version updates to the direct dependency.

  3. After setting conditions, add an action to the policy that includes an instant message through ChatOps (Slack, Microsoft Teams, or as a comment in the pull request).

  4. Select the checkbox "Dismissals Require Review".

Configuring Dismissal Reviews

Dismissals are available within the Instant Message workflow, enabling reviewers to get a real-time notification when the developer requests a review and respond in a timely manner. A ChatOps integration with Slack or Microsoft Teams must be completed prior to configuring this rule.

  1. Create a policy with the trigger "User Dismissed Finding via ChatOps".

  2. Configure the conditions to match only the risks that need to be routed to specific people or channels.

  3. Add an action to "Send an Instant Message" and select "Add specific recipient".

Dismissal reviews can be routed dynamically based on different conditions and product mapping. For example, High and Critical severity findings can be routed to the security team for review, and Medium severity findings can be routed to product-mapped security champions. To do this, configure 2 rules: the first goes to security with an instant message that goes directly to the security channel, and the second rule sends an instant message with a product-mapped configuration.

PreviousDeveloper Feedback On PushNext0 New High Severity Vulnerabilities

Last updated

Was this helpful?