
Request Issue Exemption

Issue exemptions help unblock pipelines by allowing security teams to temporarily bypass specific security issues that would otherwise fail the build. To understand how exemptions fit into your security workflow, refer to the issue exemptions workflow.

You can create exemption requests either for the entire issue or for specific occurrences within an issue.

Reviewers can approve an exemption request at the requested scope or widen it to the Organization or Account level during review. For more details, refer to Manage Issue Exemptions. To view submitted requests, refer to View Issue Exemptions.

note

Support for exemptions at the Organization and Account level is controlled by the feature flag STO_GLOBAL_EXEMPTIONS. Contact Harness Support to enable it.

note

To create an exemption request, you need the Exemptions: View and Create/Edit permissions at the Project level, or the Security Testing Developer or Security Testing SecOps role. Refer to Permissions required for issue exemptions for more details.

Create Exemption Request for an Issue

To request an exemption for an entire issue, you can set the exemption scope at the Project, Pipeline, or Target level. To begin, navigate to the Security Tests tab.

  1. In the Security Tests tab, locate and select the specific issue for which you want to request an exemption. This action opens the Issue Details pane on the right.

  2. In the Issue Details pane, click Request Exemption.

Submit Exemption Request

Fill out the Request Exemption for Issue form with the following fields:

Where do you want this issue to be exempted?

Specify where the exemption should apply:

  • This Target: Exempts the issue only for the selected target. The issue remains reported in other targets or pipelines.
  • This Pipeline: Exempts the issue only in the current pipeline. The issue is still reported in other pipelines or projects.
  • This Project: Exempts the issue across all pipelines and targets within this project. Choose carefully, as the exemption applies broadly within the project.
info

Requests can only be created at the scopes listed above. A reviewer can approve and apply a request at the requested scope or at a higher scope (Organization or Account).

For how long?

Select the shortest practical time window for the exemption to limit the risk exposure.

Reason

Select one of the following reasons and provide relevant details:

  • Compensating controls: Your organization has controls (e.g., firewall, IPS) in place that reduce the risk posed by this issue.
  • Acceptable use: The flagged practice is acceptable based on internal security policies.
  • Acceptable risk: The risk is low, and remediation would require significant resources or impact functionality.
  • False positives: The scanner flagged a non-issue, as confirmed by a security assessor or internal review.
  • Fix unavailable: No known fix or remediation steps currently exist for the issue.
  • Other: Provide a detailed technical explanation for why the issue should be exempted.

Further Description

Add any technical context, mitigations, or supporting information that will help the reviewer understand why the exemption is justified.

URL Reference

Add a link to supporting documentation, source code, or any relevant resource that provides additional context.

After completing the form, click Create Request to submit the exemption request.

Once the exemption request is submitted:

  • Inform your Security Testing SecOps reviewer.
  • Ensure they have enough context and links to make a well-informed decision.

Create Exemption Request for Occurrences within Issue

To request an exemption for selected occurrences of an issue, the exemption scope can only be set to the Target level. To begin, navigate to the Security Tests tab.

  1. In the Security Tests tab, locate and select the specific issue for which you want to request an exemption. This action opens the Issue Details pane on the right.
  2. In the Issue Details pane, click the Occurrences tab.
  3. Select the occurrences for which you want to request the exemption.
  4. Review the selected occurrences and click the Request Occurrence Exemption button. This will open the Request Exemption dialog box.

Follow the steps in the Submit Exemption Request section to complete and send your request.

View Issue Exemptions

You can view all exemption requests from the Exemptions section in the left navigation, which is available in the Project, Organization, and Account views. Each view lists the exemption requests relevant to that level.

note

The exemption requests you see in the Organization and Account views are still subject to your project-level view permissions. Refer to Permissions for exemption requests to learn more.

In the Exemptions section, requests are grouped into tabs by status. Each request shows:

  • Severity: e.g., High
  • Issue: e.g., json5@2.2.0: Prototype Pollution
  • Scope: Requested exemption scope – Project, Pipeline, or Target
  • Reason: e.g., False Positive, Acceptable Use
  • Exemption Duration: e.g., Exempted for all time
  • Requested by: User who submitted the request
  • Actions: Based on your permissions and request status — Approve, Reject, Cancel, Reopen

The columns and actions specific to each status tab are:

  • Pending: Displays severity, issue, scope, reason, exemption duration, requested by, and action buttons such as Approve, Reject, or Cancel.
  • Approved: Shows Approved by, Time remaining, Approved at, Requested by, with actions to Reject or Cancel.
  • Rejected: Displays Requested by and Rejected by, with options to Reopen, Approve, or Cancel.
  • Expired: Displays Requested by, with options to Approve, Reopen, or Cancel.
tip

For details on exemption request statuses and actions, refer to Exemption Request Lifecycle. To learn how to manage requests, refer to Manage Issue Exemptions.
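To make the scope and lifecycle rules on this page concrete (a Target, Pipeline, or Project exemption suppresses only the occurrences inside that scope; an exemption stops applying once its window elapses), here is an illustrative Python model of how such rules gate scan findings. This is added example code, not Harness's implementation: the Context and Exemption field names, the ids (acct1, org1, proj1, pipe1, target1, and so on), the constructed issue "example-lib@1.0.0: Constructed Issue", and the assumption that only an Approved, unexpired request suppresses a finding are all assumptions made for the example.

```python
"""Illustrative model of how an approved issue exemption suppresses a finding.
Added example code, not Harness's implementation: field names, ids and the
matching rules below are assumptions that mirror the scope and lifecycle
rules described on this page."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Request scopes (Target, Pipeline, Project) plus the two scopes a reviewer
# may widen to (Organization, Account). Each exemption names exactly one level.
SCOPES = ("target", "pipeline", "project", "organization", "account")


@dataclass(frozen=True)
class Context:
    """Where a scanner reported an occurrence of an issue (hypothetical fields)."""
    account: str
    organization: str
    project: str
    pipeline: str
    target: str


@dataclass(frozen=True)
class Exemption:
    issue: str                       # issue title as shown in the Exemptions list
    scope: str                       # one of SCOPES
    scope_id: str                    # id of the target/pipeline/project/org/account
    status: str                      # Pending | Approved | Rejected | Expired
    expires_at: Optional[datetime]   # None models "Exempted for all time"

    def effective_status(self, now: datetime) -> str:
        """An approved exemption whose time window has elapsed behaves as Expired."""
        if (self.status == "Approved" and self.expires_at is not None
                and now >= self.expires_at):
            return "Expired"
        return self.status

    def covers(self, ctx: Context) -> bool:
        """True when the exemption's scope level matches the occurrence.
        A Pipeline-scoped exemption matches every target in that pipeline; a
        Project-scoped one matches every pipeline and target in the project."""
        if self.scope not in SCOPES:
            raise ValueError(f"unknown scope {self.scope!r}")
        return getattr(ctx, self.scope) == self.scope_id


def find_exemption(issue: str, ctx: Context, exemptions, now: datetime) -> Optional[Exemption]:
    """Return the first Approved, unexpired exemption covering this occurrence.
    Pending, Rejected and Expired requests never unblock a pipeline (assumption)."""
    for ex in exemptions:
        if ex.issue == issue and ex.effective_status(now) == "Approved" and ex.covers(ctx):
            return ex
    return None


def blocking_findings(findings, exemptions, now, fail_on=("Critical", "High")):
    """findings: iterable of (issue, severity, Context). Returns the findings that
    still fail the build: severity in fail_on and no active exemption covers them."""
    return [(issue, sev, ctx) for issue, sev, ctx in findings
            if sev in fail_on and find_exemption(issue, ctx, exemptions, now) is None]


# Constructed sample data (hypothetical ids) so the module runs stand-alone.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
CTX_A = Context("acct1", "org1", "proj1", "pipe1", "target1")
CTX_B = Context("acct1", "org1", "proj1", "pipe2", "target1")   # same target, other pipeline
CTX_C = Context("acct1", "org1", "proj2", "pipe3", "target7")   # other project
ISSUE = "json5@2.2.0: Prototype Pollution"
OTHER = "example-lib@1.0.0: Constructed Issue"

EXEMPTIONS = [
    # Approved for pipe1 only, with a 30-day window.
    Exemption(ISSUE, "pipeline", "pipe1", "Approved", NOW + timedelta(days=30)),
    # Requested at Project scope but not yet reviewed: does not unblock anything.
    Exemption(ISSUE, "project", "proj1", "Pending", None),
    # Approved at Project scope, but the window elapsed yesterday.
    Exemption(OTHER, "project", "proj1", "Approved", NOW - timedelta(days=1)),
]

FINDINGS = [
    (ISSUE, "High", CTX_A),
    (ISSUE, "High", CTX_B),
    (ISSUE, "High", CTX_C),
    (OTHER, "High", CTX_B),
]

if __name__ == "__main__":
    for issue, sev, ctx in blocking_findings(FINDINGS, EXEMPTIONS, NOW):
        print(f"BLOCKING {sev} {issue} in {ctx.project}/{ctx.pipeline}/{ctx.target}")
```

Running the module reports three blocking findings: only the occurrence in pipe1 is suppressed, because the Pipeline-scoped exemption does not reach pipe2 or proj2, the Project-scoped request is still Pending, and the other issue's exemption has expired. Approving the Project-scoped request would additionally cover pipe2 but still not proj2; only a reviewer widening the scope to Organization or Account would.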

Clicking on an exemption request opens the Exemption Details pane, which provides a detailed overview of the request along with available actions (based on your permissions).

This pane includes the following details:

  • Issue Details: Displays the issue title, severity, description, and scanner details.
  • Exemption Status and History: Shows the current status of the exemption (Pending, Approved, Rejected, or Expired) along with a history of events, such as when it was requested, approved, or rejected.
  • Occurrences: Lists all occurrences of the issue across the scans and targets where it was detected.
  • Targets Impacted: Displays all targets affected by the issue, where the exemption would apply if approved.
  • Response Actions: If you have the required permissions, you will see options to Approve, Reject, Cancel, or Reopen the request, depending on its current state.

Use this view to fully assess the impact of the issue before taking action on the request.

View exemptions at the Project level

  • Make sure you have the required permissions to view the requests.
  • In your Harness project, go to the left navigation and click Exemptions.

This page displays exemption requests from the selected project.

View exemptions at the Organization level

To view all exemption requests across projects in an organization:

  • Make sure you have the required permissions to view the requests.
  • In Harness, select the Organization from the top breadcrumb.
  • In the left navigation, click Exemptions.

This page displays exemption requests from all projects within the selected organization that you have access to.

View exemptions at the Account level

To view exemption requests across the entire account:

  • Make sure you have the required permissions to view the requests.
  • In Harness, select the Account from the top breadcrumb.
  • In the left navigation, click Exemptions.

This page displays exemption requests from all projects across the organizations you have access to.