Each vulnerability we alert you to can be given a review status. You can mark it as Unaffected or Vulnerable, or you can Snooze or Pause it. Every vulnerability starts with the default status Unexamined until you change it.
To set a review status:
- Go to your Repositories from the left side menu
- Click on a specific repository
- In the Repository view, click on a specific CVE
- In the Actions section, choose one of the available status choices:
Unaffected: mark the CVE as Unaffected to stop receiving alerts for it. This is a triage decision, not a fix: the vulnerable dependency is unchanged, so use it only when you have confirmed the vulnerability does not apply to you.
Vulnerable: flag the CVE as Vulnerable to keep it on your radar.
Pause rule triggering: wait before taking action and pause automation triggering. Two options are available, Snooze and Pause. Snooze silences the CVE for a period you choose (1 week, 1 month, etc.), after which it surfaces again. Pause silences the CVE until a new fix is available. Pause is only supported for the GitHub app.
Unexamined: the default status of every CVE until you choose another one.
Use Automation to set a review status
Our automation engine can remove manual work by setting review statuses for you. You can use automations to flag CVEs as Unaffected or Vulnerable. For example, you can create a rule that marks a vulnerability as Unaffected whenever a dependency contains a vulnerability with a low CVSS score (0.0-3.9). Keep in mind that a CVSS base score rates severity, not whether your code is actually exposed, so an automated Unaffected rule is a triage shortcut; review what it has suppressed from time to time rather than treating it as a confirmed assessment.
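To make the status model concrete, here is an added Python example (not the product's own code or API; the Finding class, the set_status, needs_attention and apply_rules functions, the rule set and the CVE identifiers are all hypothetical placeholders) that models the four review statuses plus Snooze and Pause, and runs an automation rule of the kind described above over a constructed list of findings. It goes slightly beyond the page: it also shows a snoozed finding surfacing again when its period ends, a paused finding surfacing when a fix appears, and rules touching only Unexamined findings so that a manual decision is never overwritten.

```python
"""Hypothetical triage model for the review statuses described above.

Added example only; it is not the product's code or API. Every name,
rule and identifier in this file is a constructed placeholder.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, List, Optional, Tuple

# The four review statuses plus the two "pause rule triggering" options.
STATUSES = {"unexamined", "unaffected", "vulnerable", "snoozed", "paused"}


@dataclass
class Finding:
    cve_id: str                         # placeholder id, not a real CVE
    cvss: float                         # CVSS base score, 0.0-10.0
    fix_available: bool = False         # used by the Pause option
    status: str = "unexamined"          # default until someone changes it
    snooze_until: Optional[date] = None # only meaningful when snoozed


def set_status(f: Finding, status: str, *, today: Optional[date] = None,
               snooze_for: Optional[timedelta] = None) -> Finding:
    """Manual review action: Unaffected / Vulnerable / Snooze / Pause."""
    today = today or date.today()
    if status not in STATUSES:
        raise ValueError(f"unknown status {status!r}")
    if status == "snoozed":
        if snooze_for is None:
            raise ValueError("snooze needs a duration, e.g. timedelta(weeks=1)")
        f.snooze_until = today + snooze_for   # resurfaces on this date
    else:
        f.snooze_until = None
    f.status = status
    return f


def needs_attention(f: Finding, today: Optional[date] = None) -> bool:
    """True when the finding should alert or trigger automation again.

    Snoozed findings come back once the period ends; paused findings come
    back as soon as a fix exists; Unaffected findings stay quiet.
    """
    today = today or date.today()
    if f.status == "snoozed":
        return f.snooze_until is not None and today >= f.snooze_until
    if f.status == "paused":
        return f.fix_available
    return f.status in ("unexamined", "vulnerable")


# Automation rules: (predicate, status to assign). Evaluated in order;
# the first match wins.
def low_cvss(f: Finding) -> bool:
    return 0.0 <= f.cvss <= 3.9          # the "CVSS low" band from the page


def critical_cvss(f: Finding) -> bool:
    return f.cvss >= 9.0                  # hypothetical second rule


RULES: List[Tuple[Callable[[Finding], bool], str]] = [
    (low_cvss, "unaffected"),
    (critical_cvss, "vulnerable"),
]


def apply_rules(findings: List[Finding], rules=RULES) -> List[Tuple[str, str]]:
    """Run the automation rules; returns (cve_id, new_status) for each change.

    Only Unexamined findings are touched, so a reviewer's manual decision
    (including Snooze/Pause) is never overwritten by automation.
    """
    changed = []
    for f in findings:
        if f.status != "unexamined":
            continue
        for predicate, status in rules:
            if predicate(f):
                set_status(f, status)
                changed.append((f.cve_id, status))
                break
    return changed


if __name__ == "__main__":
    # Constructed sample findings; the ids are placeholders, not real CVEs.
    sample = [
        Finding("CVE-0000-0001", 3.9),
        Finding("CVE-0000-0002", 5.0),
        Finding("CVE-0000-0003", 9.8),
        Finding("CVE-0000-0004", 1.0, status="vulnerable"),  # manual decision
    ]
    for cve_id, status in apply_rules(sample):
        print(f"{cve_id}: automation set {status}")
    for f in sample:
        print(f"{f.cve_id}: {f.status}, needs attention: {needs_attention(f)}")
```

Note the ordering choice: `apply_rules` skips anything that is not Unexamined, which is what you want if a human has already marked a CVE Vulnerable or snoozed it; an automation that re-marked those as Unaffected would silently undo a deliberate review.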