Request Issue Exemption
Issue exemptions help unblock pipelines by allowing security teams to temporarily bypass specific security issues that would otherwise fail the build. To understand how exemptions fit into your security workflow, refer to the issue exemptions workflow.
You can submit issue exemption requests with the exemption scope set to Project, Pipeline, or Target. While requests can only be raised at these specific scopes, reviewers have the option to approve them at the requested scope or at a broader scope, such as Organization or Account, during the approval process. For more details, refer to Manage Issue Exemptions. To learn how to create a request, follow the steps in the sections below. To view submitted requests, see View Issue Exemptions.
Support for exemptions at the Organization and Account levels is controlled by the feature flag STO_GLOBAL_EXEMPTIONS. Contact Harness Support to enable it.

To create an exemption request, you must have the necessary permissions (Exemptions: View, Create/Edit) at the Project level, or have the Security Testing Developer or Security Testing SecOps role assigned. Refer to Permissions required for issue exemptions for more details.
Create Issue Exemptions
Navigate to the build execution
- From the left navigation, select Executions.
- Locate and click on the specific build execution containing the issue you want to exempt.
Identify the issue to exempt
- Within the build execution details, select the Security Tests tab.
- Find and click on the specific issue you want to exempt. This opens the Issue Details pane on the right.
Submit the exemption request
In the Issue Details pane, click Request Exemption.

Fill out the Request Exemption for Issue form with the following fields:

Where do you want this issue to be exempted?
Specify where the exemption should apply:
- This Target: Exempts the issue only for the selected target. The issue remains reported in other targets or pipelines.
- This Pipeline: Exempts the issue only in the current pipeline. The issue is still reported in other pipelines or projects.
- This Project: Exempts the issue across all pipelines and targets within this project. Choose carefully, as the exemption applies broadly within the project.
While requests can only be created with the scopes mentioned above, reviewers can approve and apply them at the requested scope or at a higher scope - Organization or Account.
For how long?
Select the shortest practical time window for the exemption to limit the risk exposure.
Reason
Select one of the following reasons and provide relevant details:
- Compensating controls: Your organization has controls (e.g., firewall, IPS) in place that reduce the risk posed by this issue.
- Acceptable use: The flagged practice is acceptable based on internal security policies.
- Acceptable risk: The risk is low, and remediation would require significant resources or impact functionality.
- False positives: The scanner flagged a non-issue. Confirmed by a security assessor or internal review.
- Fix unavailable: No known fix or remediation steps currently exist for the issue.
- Other: Provide a detailed technical explanation for why the issue should be exempted.
Further Description
Add any technical context, mitigations, or supporting information that will help the reviewer understand why the exemption is justified.
URL Reference
Add a link to supporting documentation, source code, or any relevant resource that provides additional context.
After completing the form, click Create Request to submit the exemption.
Notify reviewers
Once the exemption request is submitted:
- Inform your Security Testing SecOps reviewer.
- Ensure they have enough context and links to make a well-informed decision.
View Issue Exemptions
You can view all exemption requests from the Exemptions section in the left navigation. This section is accessible from your Project, Organization, and Account views. Each scope displays exemption requests relevant to that level:
- The Project-level Exemptions section shows requests submitted for that specific project.
- The Organization-level Exemptions section shows requests across all projects within the organization.
- The Account-level Exemptions section lists requests across projects from multiple organizations under the account.
The exemption request lists you see in the Organization and Account views are still subject to your project-level view permissions. Refer to Permissions for exemption requests to learn more.
In the Exemptions section, requests are grouped into tabs by status. Each request includes:
- Severity: e.g., High
- Issue: e.g., json5@2.2.0: Prototype Pollution
- Scope: Requested exemption scope – Project, Pipeline, or Target
- Reason: e.g., False Positive, Acceptable Use
- Exemption Duration: e.g., Exempted for all time
- Requested by: User who submitted the request
- Actions: Based on your permissions and request status — Approve, Reject, Cancel, Reopen

The following columns are specific to each status tab:
- Pending: Displays severity, issue, scope, reason, exemption duration, requested by, and action buttons such as Approve, Reject, or Cancel.
- Approved: Shows Approved by, Time remaining, Approved at, Requested by, with actions to Reject or Cancel.
- Rejected: Displays Requested by, Rejected by, and options to Reopen, or Approve and Cancel.
- Expired: Displays Requested by, with options to Approve, Reopen, or Cancel.
For details on exemption request statuses and actions, refer to Exemption Request Lifecycle. To learn how to manage requests, refer to Manage Issue Exemptions.
Clicking on an exemption request opens the Exemption Details pane, which provides a detailed overview of the request along with available actions (based on your permissions).

This pane includes the following details:
- Issue Details: Displays the issue title, severity, description, and scanner details.
- Exemption Status and History: Shows the current status of the exemption (e.g., Pending, Approved, Rejected, Expired) along with a history of events such as when it was requested, approved, or rejected, etc.
- Occurrences: Lists all occurrences of the issue across the different scans and targets where it was detected.
- Targets Impacted: Displays all targets affected by the issue and where the exemption would be applied if approved.
- Response Actions: If you have the required permissions, you will see options to Approve, Reject, Cancel, or Re-open the request, depending on its current state.
Use this view to fully assess the impact of the issue before taking action on the request.
View exemptions at the Project level
- Make sure you have the required permissions to view the requests.
- In your Harness project, go to the left navigation and click Exemptions.
This page displays exemption requests from the selected project.
View exemptions at the Organization level
To view all exemption requests across projects in an organization:
- Make sure you have the required permissions to view the requests.
- In Harness, select the Organization from the top breadcrumb.
- In the left navigation, click Exemptions.
This page displays exemption requests from all projects within the selected organization that you have access to.

View exemptions at the Account level
To view exemption requests across the entire account:
- Make sure you have the required permissions to view the requests.
- In Harness, select the Account from the top breadcrumb.
- In the left navigation, click Exemptions.
This page displays exemption requests from all projects across the organizations you have access to.
