Require Review Before Dismissal

Summary

Arnica's dismissal workflow provides developers with a seamless way to provide feedback when a risk alert cannot or should not be acted on. When an alert is sent to ChatOps, the notification will include two response options - "I'm on it" and "Dismiss". When a finding is dismissed by a developer, it is treated as closed. Any risk dismissed within a feature branch will be detected, but result in no additional alerts in pull request scanning. Once dismissed, risks will not appear in PR comments and will not impact status check outcomes. Arnica's "Dismissals Require Review" policy ensures that all risks go through a review process before they are considered dismissed.

Configuring Dismissal Requirements

Dismissals are mapped on the policy rule level, allowing dismissal requirements to be configured for any level of granularity. To require reviews for specific findings configure the following:

  1. Create a policy with the trigger set to "Code risk detected on push".

  2. Configure the conditions of the policy to match only the risks that you would like to require a review. This can include restrictions on specific finding types, specific severity levels, or any other condition available within Arnica. Ex: Critical findings only + all SCA risks can be resolved with version updates to the direct dependency.

  3. After setting conditions, add an action to the policy which includes an instant message through chat ops.

The configuration for requiring dismissals is visible as a checkbox directly within the Instant Message section of the policy.

Dismissals are available only within the Instant Message workflow. A chat-ops integration must be completed prior to configuring this rule.

Last updated