Reference: Finding Governance#

This page documents the complete governance lifecycle for findings, including valid status transitions, rules, and audit trail behavior.

Governance Status Definitions#

Status	Code	Description
Open	`open`	Finding is new or awaiting triage. Default for all newly created findings.
In Progress	`in_progress`	Finding is under active investigation or remediation.
False Positive	`false_positive`	The finding was evaluated and determined not to be a real vulnerability.
Accepted Risk	`accepted_risk`	The finding is real, but the organization has decided to accept the risk. Requires an expiry date.
Resolved	`resolved`	The vulnerability has been remediated and verified.
Reopened	`reopened`	A previously resolved finding has reappeared in a subsequent scan.

Valid Transitions#

                ┌─────────────────────────────────────────────────┐
                │                                                 │
                ▼                                                 │
  ┌──────────────────┐                                           │
  │      open        │ ◄────────────────────────────┐            │
  └─┬──┬──┬──┬───────┘                              │            │
    │  │  │  │                                       │            │
    │  │  │  └──────► false_positive                  │            │
    │  │  │                                          │            │
    │  │  └─────────► accepted_risk ──── (expiry) ──►│            │
    │  │                                             │            │
    │  └────────────► in_progress ──┬─► resolved ────┘            │
    │                               │                             │
    └───────────────► resolved ─────┼─────────────────────────────┘
                                    │                (via reopened)
                                    └─► false_positive
                                    └─► accepted_risk

Transition Rules#

From	To	Rules
`open`	`in_progress`	Always allowed
`open`	`false_positive`	Always allowed; add a note explaining why
`open`	`accepted_risk`	Requires an expiry date
`open`	`resolved`	Always allowed
`in_progress`	`resolved`	Always allowed
`in_progress`	`false_positive`	Always allowed
`in_progress`	`accepted_risk`	Requires an expiry date
`in_progress`	`open`	Always allowed (revert to untriaged)
`resolved`	`reopened`	Triggered when the finding reappears in a new scan
`reopened`	`in_progress`	Always allowed
`reopened`	`resolved`	Always allowed
`reopened`	`false_positive`	Always allowed
`reopened`	`accepted_risk`	Requires an expiry date
`false_positive`	`open`	Always allowed (revert decision)
`accepted_risk`	`open`	Always allowed (revoke acceptance)

Special Rules#

Accepted risk requires an expiry date. You cannot accept risk indefinitely. The expiry date represents when the decision should be re-evaluated.
AI Review cannot directly set accepted_risk. The accept_risk_candidate suggestion from AI Review is blocked at the API layer. To accept risk, the analyst must use the standard governance endpoint and provide an expiry date.
Reopened is system-triggered. When drift detection identifies a finding as a regression (previously resolved, now reappeared), the governance status transitions to reopened automatically.

Audit Trail#

Every governance transition generates an immutable entry in the finding_governance_log:

Field	Description
`finding_id`	The finding that changed
`from_status`	Previous governance status
`to_status`	New governance status
`actor_user_id`	The user who made the change
`note`	Free-text explanation from the analyst
`created_at`	Timestamp of the transition

AI Review Audit#

When an AI Review suggestion is applied, additional audit records are created in ai_review_apply_logs:

Field	Description
`ai_review_id`	The review that produced the suggestion
`actor_user_id`	The analyst who applied or ignored the suggestion
`action`	What was done (`apply`, `ignore`, `bulk_apply`, `bulk_ignore`)
`payload_json`	Details of the action
`created_at`	Timestamp

Effect on Effective Severity#

Governance status adjustments impact the finding's effective severity and score:

Status	Impact on Effective Severity
`open`	No change — effective = technical
`in_progress`	No change
`false_positive`	Reduced to `info` level
`accepted_risk`	Reduced (degree depends on scoring engine)
`resolved`	Reduced to `info` level
`reopened`	No change — treated as an active finding

These adjustments ensure that dashboard metrics, trend charts, and risk snapshots reflect actual organizational risk, not just raw detection output.

Bulk Governance Actions#

Bulk actions apply the same transition to multiple findings at once:

Select findings via checkboxes.
Choose target status.
Provide a shared note.
Each finding gets its own finding_governance_log entry (not a single bulk record).

Bulk AI Review Actions#

AI Review supports bulk apply and bulk ignore:

Bulk apply: applies all selected AI suggestions as governance transitions.
Bulk ignore: dismisses all selected suggestions without making changes.
High-confidence suggestions (≥ 0.75, excluding accept_risk_candidate) are pre-selected by default.

Findings Reference: Statuses and Severities Workflow: Reviewing Findings

PreviousWorkflow: Running a Scan

NextReference: Integration Events