Triage security findings by transitioning them through workflow states that determine appropriate remediation actions. The triage process transforms raw security scanner outputs into prioritized, business-relevant guidance for development teams while maintaining appropriate approval workflows.
| You need Admin user role permissions or a custom role with triage findings permission to triage security findings. |
Access security findings for triage
Navigate to findings that require triage decisions in either the component or application security center.
For components:
- Select an organization.
- Select Components, then select a component.
- Select Security center.

For applications:
- Select an organization.
- Select Applications, then select an application.
- Select Security center.
Triage findings
By default, when a security scan detects an issue, a new finding is created in the security center with its status set to Unreviewed. From here, a user with the Admin role, or a custom role with the triage findings permission, should transition its status to Fix Required, at which point it is moved to the Fix Required tab.
During the triage process, a qualified security or DevOps SME is likely to uncover findings that either fall within your tolerance for risk or are false positives, neither of which requires remediation. In CloudBees Unify, a user with the correct permissions can transition the status of these findings to Risk Accepted if they have decided not to fix the issue, or to False Positive if they believe the security finding is incorrect. Transition all other findings to Fix Required.
Once a finding has been transitioned to Risk Accepted or False Positive, its status is not affected by new scans. Resolution is handled automatically: once a developer fixes all the associated findings, source code management platforms such as GitHub, Gerrit, or Bitbucket notify CloudBees Unify, which initiates a new scan. If the scan finds no violations, the finding is automatically marked as closed in your collaboration tool, and its status is updated to Resolved.
To triage findings:
- For the issue containing the asset you want to review, select to expand the issue.
- Select Triage.
- Select one of the following:
  - Fix Required: The finding needs to be fixed.
  - False Positive: The finding is incorrect, or not an actionable issue. Selecting False Positive immediately updates the status of the finding, and it appears in dashboards as a false positive finding. The user can transition the finding back for further triage. An organization owner can also reject the transition to False Positive, which reverts the status to Unreviewed.
    - For Justification, enter comments for the organization owner, explaining why the finding is a false positive.
  - Risk Accepted: The issue falls within your risk tolerance. Transition to Risk Accepted requires approval by an organization owner.
    - For Expiry date, select a date for the risk acceptance to expire. Defaults to 90 days.
    - For Justification, enter comments for the organization owner, explaining why the finding falls within risk tolerance.
- Select Triage Finding:
  - Fix Required findings are moved to the Fix Required tab.
  - False Positive and Risk Accepted findings are moved to the Awaiting Approval tab, to be reviewed by an organization owner.
Approve or deny transitions
Transition requests are approved by users with the Admin role, or another role with the necessary permissions. For further details, refer to Triage permissions.
To approve or deny a transition request:
- From the Security Center, select the Awaiting Approval tab.
- For the issue containing the asset you want to review, select to expand the issue.
- Select Review.
- Select either:
  - Approved
  - Denied
- For approved findings, enter an Expiry Date for the approval.
- Enter any review comments.
- Select Submit review:
  - Approved transitions change to the relevant status: false positives indefinitely, and risk accepted findings for the selected timeframe (90 days by default). For risk accepted findings, the SLA due date is replaced with the risk-acceptance expiry date. Once the expiry date passes and a scan completes, the finding reverts to Unreviewed, and the SLA due date reverts to the current SLA setting for the organization.
  - Denied transitions have their status changed:
    - Denied false positives to Unreviewed.
    - Denied risk accepted to Fix Required.
Triage permissions
The permissions below are required for different triage activities to ensure appropriate access control.
By default, only admins can triage findings, but custom user roles can be created to allow users more granular control of triage.
| Custom permissions assigned to a user belonging to an organization’s system-generated teams will not work. Instead, you must assign the user to a custom team. |
The following user role permissions affect triage:
| Role permission | Purpose |
|---|---|
| Review risk accepted request | Review a transition request for a risk accepted finding. |
| Review false positive request | Review a transition request for a false positive finding. |
| SLA configuration | Define the service-level agreement (SLA) for an organization. |
| Triage findings | Triage security findings: transition a finding to fix required, risk accepted, or false positive. |
| View findings by triage status | View security findings in the security center, grouped by triage status. |
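The finding lifecycle described on this page (triage, owner review, denial outcomes, risk-acceptance expiry replacing the SLA due date, and what a new scan may change), modelled as an added Python example using the permission names from the table above. This is not CloudBees Unify code or its API; the 30-day organization SLA, the dates and the justification text are constructed values.

```python
from datetime import date, timedelta
ORG_SLA_DAYS = 30   # assumed organization SLA setting (constructed value)

class Finding:
    def __init__(self, sla_due):   # status, pending request, expiry and SLA due date
        self.sla_due, self.status, self.requested, self.expiry = sla_due, "Unreviewed", "", None

def triage(f, target, perms, today, justification="", expiry=None):
    if "Triage findings" not in perms:
        raise PermissionError("Triage findings permission required")
    if target == "Fix Required":
        f.status = "Fix Required"          # moves straight to the Fix Required tab
    else:                                  # False Positive or Risk Accepted
        if not justification:              # the organization owner needs a reason
            raise ValueError("justification required")
        f.requested, f.status = target, "Awaiting Approval"
        if target == "Risk Accepted":      # expiry chosen at triage time, 90 days by default
            f.expiry = expiry or today + timedelta(days=90)
    return f.status

def review(f, approved, perms):
    needed = f"Review {f.requested.lower()} request"   # name from the permission table
    if f.status != "Awaiting Approval" or needed not in perms:
        raise PermissionError(f"{needed} permission required on a pending request")
    if approved and f.requested == "Risk Accepted":
        f.status, f.sla_due = "Risk Accepted", f.expiry   # SLA due date replaced by expiry
    elif approved:
        f.status = "False Positive"                        # holds indefinitely
    else:  # denied: false positive -> Unreviewed, risk accepted -> Fix Required
        f.status, f.expiry = ("Unreviewed" if f.requested == "False Positive" else "Fix Required"), None
    return f.status

def scan_completed(f, violation_found, today):
    # Risk Accepted / False Positive are untouched by scans until an expiry passes.
    if f.status == "Risk Accepted" and today > f.expiry:
        f.status, f.expiry = "Unreviewed", None
        f.sla_due = today + timedelta(days=ORG_SLA_DAYS)   # back to the org SLA
    elif f.status not in ("Risk Accepted", "False Positive") and not violation_found:
        f.status = "Resolved"
    return f.status

def walkthrough():
    perms = {"Triage findings", "Review risk accepted request"}
    t0 = date(2024, 1, 1)                  # constructed dates for the scenario
    f = Finding(sla_due=t0 + timedelta(days=ORG_SLA_DAYS))
    trail = [triage(f, "Risk Accepted", perms, t0, justification="internal-only service"),
             review(f, approved=True, perms=perms),
             scan_completed(f, True, t0 + timedelta(days=30)),    # day 30: still accepted
             scan_completed(f, True, t0 + timedelta(days=91))]    # day 91: expired, reverts
    return trail, f.sla_due.isoformat()
```

`walkthrough()` returns the status trail and the final SLA due date, showing the accepted finding falling back to Unreviewed with a fresh organization SLA once its expiry has passed and a scan completes.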