Status & Resolution
DevSecOps Bot supports resolution paths that reflect real-world engineering decisions and reduce operational noise.
Open (default)
Use when:
- The issue is valid and needs remediation.
Fixed / Resolved
Use when:
- A code/config/dependency change removes the finding.
- A new scan confirms the rule no longer triggers.
False Positive
Use False Positive when:
- The issue is not actually a real security/compliance problem in your codebase, despite being detected.
Examples:
- A scanner pattern matched a string that looks like a token but is not a secret.
- Static analysis flagged an injection risk, but the input is provably constant/sanitized and the finding is invalid in context.
Ignore (Acceptable Risk)
Use Ignore / Acceptable Risk when:
- The issue is real, but your organization accepts the risk due to business constraints, compensating controls, or low practical impact.
Examples:
- A vulnerable dependency is required temporarily, with mitigations in place.
- An IaC configuration violates a benchmark rule, but is constrained by platform requirements and reviewed.
Impact on compliance scoring
Issues marked as False Positive or Ignore / Acceptable Risk are excluded from compliance scoring and compliance readiness calculations. This ensures compliance scores reflect actionable and verified risk, not acknowledged exceptions.
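The following is an added example, not DevSecOps Bot's own code, showing how the four resolution paths above and the scoring exclusion can be modelled. The status names, the `resolve` checks (Fixed requires a rescan that no longer triggers the rule; False Positive and Ignore require a written justification) and the score formula `fixed / (open + fixed)` are assumptions made here for illustration; the page does not define the bot's actual formula. The sample findings are constructed, not from any real scan.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional


class Status(Enum):
    OPEN = "open"                      # default: valid, needs remediation
    FIXED = "fixed"                    # change applied and a rescan no longer triggers the rule
    FALSE_POSITIVE = "false_positive"  # not a real problem in this codebase
    IGNORED = "ignored"                # real, but accepted risk with compensating controls

# Only these two statuses are excluded from scoring; Fixed still counts as remediated.
EXCLUDED_FROM_SCORING = frozenset({Status.FALSE_POSITIVE, Status.IGNORED})


@dataclass
class Finding:
    finding_id: str
    rule: str
    status: Status = Status.OPEN
    justification: str = ""


def resolve(finding: Finding, new_status: Status, justification: str = "",
            rescan_still_triggers: Optional[bool] = None) -> Finding:
    """Apply a resolution path. The checks below are an assumed policy, not the bot's."""
    if new_status is Status.FIXED and rescan_still_triggers is not False:
        raise ValueError("Fixed requires a new scan confirming the rule no longer triggers")
    if new_status in EXCLUDED_FROM_SCORING and not justification.strip():
        raise ValueError(f"{new_status.value} requires a written justification")
    finding.status = new_status
    finding.justification = justification
    return finding


def compliance_score(findings: Iterable[Finding], exclude_exceptions: bool = True) -> float:
    """Share of scored findings that are remediated (assumed formula: fixed / (open + fixed)).

    With exclude_exceptions=True (the page's rule) False Positive and Ignore findings are
    dropped before counting, so acknowledged exceptions neither help nor hurt the score.
    """
    scored: List[Finding] = [
        f for f in findings
        if not (exclude_exceptions and f.status in EXCLUDED_FROM_SCORING)
    ]
    if not scored:
        return 1.0  # nothing left to score: fully compliant
    fixed = sum(1 for f in scored if f.status is Status.FIXED)
    return fixed / len(scored)


def actionable(findings: Iterable[Finding]) -> List[str]:
    """IDs that still need engineering work: only Open findings."""
    return [f.finding_id for f in findings if f.status is Status.OPEN]


def sample_findings() -> List[Finding]:
    """Constructed sample data covering all four resolution paths."""
    fs = [
        Finding("F-1", "secrets/token-pattern"),
        Finding("F-2", "deps/vulnerable-package"),
        Finding("F-3", "iac/benchmark-rule"),
        Finding("F-4", "sast/injection"),
    ]
    # Looks like a token but is a test fixture: False Positive.
    resolve(fs[0], Status.FALSE_POSITIVE, "Matched string is a test fixture, not a credential")
    # Vulnerable dependency needed until next release, mitigations in place: Ignore.
    resolve(fs[1], Status.IGNORED, "Required until next release; compensating controls reviewed")
    # Config change applied and the rescan is clean: Fixed.
    resolve(fs[2], Status.FIXED, rescan_still_triggers=False)
    # F-4 stays Open and is the only actionable item.
    return fs


if __name__ == "__main__":
    fs = sample_findings()
    print("score (exceptions excluded):", compliance_score(fs))                          # 0.5
    print("score (naive, all counted): ", compliance_score(fs, exclude_exceptions=False))  # 0.25
    print("actionable:", actionable(fs))                                                # ['F-4']
```

Running it shows why the exclusion matters: with the two exceptions counted as unremediated the score drops to 0.25 even though only one finding still needs work, while the page's rule yields 0.5 with exactly the one Open finding left on the actionable list.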