Provide a time-limited waiver for defect findings in the Merge Request for which an exception is provided


Problem to solve

Presently, if security defects are found in a feature branch, the associated Merge Request requires approvers to triage the findings and decide whether to accept the risk (i.e. provide an exception) or take some other action, such as creating an issue in the developer's backlog to fix the defect, or rejecting the change altogether. While the approvers (often the application security team) are making this decision, the pipeline cannot proceed.

Intended users

InfoSec / Application Security / DevSecOps personas who need to triage defects in a Merge Request.

Further details

InfoSec / Application Security / DevSecOps personas may wish to temporarily provide an exception for a defect finding so as not to be a "bottleneck" that blocks pipelines from proceeding, while also having a mechanism to review previously supplied exceptions after a period of time to ensure they are still appropriate.

Proposal

It could be beneficial to have an option to provide a "time-limited waiver": an exception is recorded so that the Merge Request can be merged and the pipeline proceeds, but after a defined period there is an automatic reminder to review the exception and confirm that it is still justified.
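The following is an added illustration of the proposed behaviour, written for this issue; it is not GitLab's implementation. It keys waivers on a stable finding fingerprint, caps waiver length per severity, produces a reminder shortly before expiry, and makes an expired waiver block the pipeline again until it is re-reviewed. The severity caps, the reminder lead time, the block-on-expiry choice and all identifiers are assumptions.

```python
"""Time-limited waivers for security findings on a merge request.

Illustrative code added to this issue; the record layout, policy values
and identifiers are assumptions, not GitLab's implementation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    fingerprint: str   # stable identity of the defect across pipeline runs
    severity: str      # "critical" | "high" | "medium" | "low"
    title: str


@dataclass
class Waiver:
    fingerprint: str
    approver: str
    justification: str
    granted_at: datetime
    expires_at: datetime


class WaiverRegistry:
    # Longest waiver allowed per severity, in days (assumed policy values).
    MAX_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

    def __init__(self, reminder_lead_days: int = 3, block_on_expiry: bool = True):
        self.reminder_lead = timedelta(days=reminder_lead_days)
        self.block_on_expiry = block_on_expiry
        self._waivers: Dict[str, Waiver] = {}

    def grant(self, finding: Finding, approver: str, justification: str,
              now: datetime, days: Optional[int] = None) -> Waiver:
        """Record a waiver; the requested length is capped by severity."""
        if not justification.strip():
            raise ValueError("a waiver requires a written justification")
        cap = self.MAX_DAYS[finding.severity]
        days = cap if days is None else min(days, cap)
        waiver = Waiver(finding.fingerprint, approver, justification,
                        now, now + timedelta(days=days))
        self._waivers[finding.fingerprint] = waiver
        return waiver

    def evaluate(self, findings: List[Finding],
                 now: datetime) -> Tuple[List[str], List[Tuple[str, str]]]:
        """Return (fingerprints that block the merge, reminders to review).

        A finding with no waiver blocks. An expired waiver raises an
        "expired" reminder and, if block_on_expiry is set, blocks again.
        A waiver inside the reminder lead window raises "expiring".
        """
        blocking: List[str] = []
        reminders: List[Tuple[str, str]] = []
        for f in findings:
            w = self._waivers.get(f.fingerprint)
            if w is None:
                blocking.append(f.fingerprint)
                continue
            if now >= w.expires_at:
                reminders.append((f.fingerprint, "expired"))
                if self.block_on_expiry:
                    blocking.append(f.fingerprint)
            elif now >= w.expires_at - self.reminder_lead:
                reminders.append((f.fingerprint, "expiring"))
        return blocking, reminders


def demo() -> dict:
    """Walk one waiver through grant, reminder and expiry (constructed data)."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    findings = [
        Finding("sast:abc", "high", "Hard-coded credential in test fixture"),
        Finding("deps:def", "medium", "Vulnerable transitive dependency"),
    ]
    reg = WaiverRegistry()
    # AppSec asks for 30 days; the "high" cap reduces it to 14.
    w = reg.grant(findings[0], "appsec-reviewer", "value is a test fixture", t0, days=30)
    return {
        "waiver_days": (w.expires_at - w.granted_at).days,
        "day0": reg.evaluate(findings, t0),
        "day12": reg.evaluate(findings, t0 + timedelta(days=12)),
        "day14": reg.evaluate(findings, t0 + timedelta(days=14)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The unwaived medium finding blocks throughout, which is the existing behaviour; the waived high finding lets the merge proceed for 14 days, triggers an "expiring" reminder from day 11, and on day 14 blocks again with an "expired" reminder so the exception has to be consciously renewed rather than silently outliving its justification.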
