Automatically dismiss Dependency Scanning and Container Scanning findings from user defined list
[[_TOC_]]

### :rotating_light: Closed as duplicate of https://gitlab.com/groups/gitlab-org/-/epics/10894+

### Problem to solve

Customers may have CVEs that are known to have little or no impact on their organization. To enable more efficient triage and remediation, customers would like to be able to curate a list of CVEs that should be automatically ignored.

### Proposal

Create a rules-based method of automatically dismissing Dependency Scanning (DS) and Container Scanning (CS) findings based on known CVEs. Users define a list of CVEs that is consulted after each scan when the Vulnerability report is populated. Matching vulnerabilities are displayed on the Vulnerability report in a `Dismissed` state, with a Dismissal Reason of `Acceptable Risk`.

### Scope

#### Beta

* Users can provide an `sca-ruleset.toml` file listing the CVEs that are to be set to a `Dismissed` state.
* Once the scan executes, results show in the Vulnerability report. Any CVE listed in `sca-ruleset.toml` shows as `Dismissed` with a Dismissal Reason of `Acceptable Risk` and a pre-defined comment that is included in the TOML file.

#### GA

* Beta work has concluded.
* Any identified bugs are fixed.
* Add the ability for users to specify a remote configuration file, much like the functionality available to SAST users ([documentation](https://docs.gitlab.com/user/application_security/sast/customize_rulesets/#specify-a-remote-configuration-file)).

### Related issues

_From original writing of this issue_

related: https://gitlab.com/gitlab-org/gitlab/-/issues/348620
related: https://gitlab.com/gitlab-org/gitlab/-/issues/239033
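The post-scan step the proposal describes, worked through as an added example (this is illustrative code, not GitLab's implementation). The issue does not define the layout of `sca-ruleset.toml`, so the schema used here (`[[dismiss]]` tables with `cve` and `comment` keys, plus a top-level `default_comment`) is an assumption, as are the sample CVE identifiers and findings, which are constructed. The example also shows two checks a reviewer of such a feature would want: CVE identifiers are normalised and validated before matching so that a typo or a CWE entry cannot silently suppress the wrong finding, and every dismissed finding records which rule dismissed it so the suppression remains auditable.

```python
"""Apply a CVE allow-list from a TOML ruleset to DS/CS findings (added example)."""
import re

try:
    import tomllib  # standard library on Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore  # same API on older interpreters

# Only well-formed CVE identifiers may be auto-dismissed.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed ruleset content; the [[dismiss]] schema is an assumption of this example.
SCA_RULESET_TOML = """
default_comment = "Accepted by AppSec: package not reachable in production images"

[[dismiss]]
cve = "cve-2020-00001"   # constructed id, lower-case on purpose to show normalisation

[[dismiss]]
cve = "CVE-2021-00002"   # constructed id
comment = "Constructed: vulnerable function is never called"
"""

# Constructed findings shaped like GitLab security report entries (identifiers have type/value).
FINDINGS = [
    {"id": "f1", "name": "pkg-a outdated", "identifiers": [{"type": "cve", "value": "CVE-2020-00001"}]},
    {"id": "f2", "name": "pkg-b outdated", "identifiers": [{"type": "cve", "value": "CVE-2021-00002"}]},
    {"id": "f3", "name": "pkg-c outdated", "identifiers": [{"type": "cve", "value": "CVE-2022-00003"}]},
    {"id": "f4", "name": "reflected xss", "identifiers": [{"type": "cwe", "value": "CWE-79"}]},
]


def load_ruleset(text):
    """Parse the TOML ruleset into {CVE_ID: dismissal comment}.

    Identifiers are upper-cased and stripped; anything that is not a CVE id is rejected
    rather than ignored, so a malformed rule fails the pipeline instead of doing nothing.
    """
    data = tomllib.loads(text)
    default = data.get("default_comment", "Auto-dismissed by sca-ruleset.toml")
    rules = {}
    for entry in data.get("dismiss", []):
        cve = str(entry.get("cve", "")).strip().upper()
        if not CVE_RE.match(cve):
            raise ValueError(f"invalid CVE identifier in ruleset: {entry.get('cve')!r}")
        rules[cve] = entry.get("comment", default)
    return rules


def ruleset_is_valid(text):
    """Convenience wrapper: True if the ruleset parses and every id is a CVE."""
    try:
        load_ruleset(text)
        return True
    except (ValueError, tomllib.TOMLDecodeError):
        return False


def apply_ruleset(findings, rules):
    """Return copies of the findings with matching CVEs set to Dismissed / Acceptable Risk.

    Only identifiers of type "cve" are compared, so a CWE or other identifier can never match.
    The matched rule is recorded on the finding to keep the suppression auditable.
    """
    out = []
    for finding in findings:
        result = dict(finding)
        cves = [
            ident["value"].strip().upper()
            for ident in finding.get("identifiers", [])
            if ident.get("type") == "cve"
        ]
        hit = next((c for c in cves if c in rules), None)
        if hit is not None:
            result["state"] = "Dismissed"
            result["dismissal_reason"] = "Acceptable Risk"
            result["dismissal_comment"] = rules[hit]
            result["dismissed_by_rule"] = hit
        else:
            result.setdefault("state", "Detected")
        out.append(result)
    return out


if __name__ == "__main__":
    for f in apply_ruleset(FINDINGS, load_ruleset(SCA_RULESET_TOML)):
        print(f["id"], f["state"], f.get("dismissal_comment", ""))
```

Running the module prints one line per finding; `f1` and `f2` come out `Dismissed` (the first with the default comment, the second with its own), while `f3` and the CWE-only `f4` stay `Detected`.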
epic