Finding overrides
that survive every scan cycle

Purpose. The scanner condition fired, manual review proved the issue does not actually reproduce in this environment, and the finding should not contribute to the active backlog or the next scan diff.

What the record carries. override_type is set to false_positive. original_severity is captured for the audit trail. new_severity stays null because the finding is being suppressed rather than re-rated. reason carries the verification rationale (which evidence was checked, why the scanner condition was misfired, what was tested manually).

Audit reading. Auditors reading PCI DSS 6.3.1, ISO 27001 Annex A 8.8, SOC 2 CC4.1, and NIST SP 800-53 RA-5 can read the suppression record as a documented decision rather than a missing finding. The trail names the actor, the timestamp, the reason, and the (workspace, finding, target) scope the suppression applies to.

Purpose. The vulnerability is real, the exposure is real, and the organisation has decided not to remediate inside the current SLA window for a defensible business reason (compensating control, deferred fix, cost-versus-residual, vendor dependency, risk transfer).

What the record carries. override_type is set to accepted_risk. original_severity is captured so the original scanner-emitted severity stays on the record. new_severity stays null because the severity is unchanged, only the disposition is. reason carries the acceptance rationale (which control compensates, who owns the residual risk, what triggers re-evaluation).

Audit reading. Auditors read accepted_risk as an exception in the risk register rather than as a missing finding. The trail names the actor, the timestamp, the rationale, and the scope. NIST SP 800-53 PM-9, ISO 27001 A.5.7, and SOC 2 CC9.1 read against this discipline as risk treatment evidence rather than as silent backlog drift.

Purpose. The finding is real, but the scanner-emitted severity does not match the workspace severity policy for the asset class, the exploitability context, or the environmental factors that the scanner does not see.

What the record carries. override_type is set to severity_override. original_severity captures the value the scanner emitted (the evidence). new_severity carries the workspace decision (the disposition). reason carries the rationale (why the workspace severity differs: environmental factor, compensating control, asset criticality, exploitability assessment). Both numbers stay on the record so the audit can read both and the reason between them.

Audit reading. Auditors read severity_override as a documented re-rating rather than a silent downgrade. The original-versus-overridden delta and the reason field together form the defensible record. The override travels with the finding through subsequent scan cycles via the (workspace, finding, target) match.

The UNIQUE(workspace_id, finding_id, target) constraint means the same finding on the same target cannot have two competing override records inside the workspace. Re-applying an override updates the existing record rather than creating a new one, so the audit trail never carries two contradictory decisions for the same scope.

The POST endpoint upserts on the unique tuple. Changing the rationale, the new_severity, or the override type updates the same row, refreshes updated_at, and leaves created_at and the original creator in place. Revisions are observable through updated_at rather than producing parallel records.

Because the override is keyed to the target, a workspace operating multiple environments (staging, production, customer-specific domains, distinct connected repositories) cannot accidentally suppress a finding everywhere by accepting it on one environment. Each environment carries its own override decision.

When a new scan completes against the same target, the scan-diff endpoint annotates each finding with the override status by looking up the (workspace, finding_id, target) tuple. The override travels with recurring detections without manual re-application.

List overrides for the workspace, optionally filtered by target. Returns the full override record (override_type, original_severity, new_severity, reason, created_by, timestamps) ordered by created_at descending. RBAC-gated through the initiate_scan permission.

Create or update an override. Requires finding_id, target, and override_type; optional original_severity, new_severity, reason. Upserts on the (workspace_id, finding_id, target) unique tuple so re-applying an override updates the existing row rather than forking it. Validates override_type against the three allowed values and returns 400 on anything else.

Remove an override by id, scoped to the requesting workspace. Removing the override means the next scan-diff comparison treats the finding as un-overridden again; the audit log retains the deletion event.

Compute the diff between two scan executions for the same target. Each finding in new_findings, fixed_findings, and unchanged_findings is annotated with its current override status from the (workspace, finding_id, target) lookup so the diff reads the disposition alongside the change.

A vulnerability management team runs weekly external scans against the production estate, reviews the new findings from each cycle, and confirms a handful as false positives caused by scanner heuristics that do not reflect the actual deployment. Each confirmed false positive is recorded with override_type false_positive, original_severity preserved, the reason field explaining what was verified manually, and the (workspace, finding, target) tuple. The next weekly scan annotates the recurring detection with the suppression so the team does not re-triage the same false positives every cycle.

An AppSec team running authenticated scans against an internal application has a known SQL injection in an admin-only endpoint protected by network segmentation and an internal-only WAF rule. The fix is scheduled for the next major release but cannot ship inside the current SLA window. The team records override_type accepted_risk with original_severity preserved as high, the reason field naming the compensating control, the named owner, and the review trigger. The exception register reads against the accepted_risk overrides for the workspace and surfaces them on the leadership dashboard alongside the open backlog.

A GRC team preparing for ISO 27001 surveillance and SOC 2 fieldwork needs to demonstrate that the vulnerability programme operates suppression and risk acceptance as controlled activities rather than silent exception drift. The list of overrides per workspace, with override_type, original_severity, new_severity, reason, created_by, created_at, and updated_at, exports through the activity log and feeds the auditor sample request directly. ISO 27001 Annex A.8.8, SOC 2 CC4.1, and PCI DSS 6.3.1 read against this evidence as a defensible discipline.

A security engineering team running code scanning on a connected repository receives a Semgrep finding rated medium for a hardcoded secret in a test fixture file that never ships to production. The team records override_type severity_override with original_severity medium, new_severity low, and the reason field explaining that the secret is fixture-only and not deployed. The override travels with subsequent code scans against the same connected repository so the recurring detection inherits the workspace severity rather than the scanner default.

A security operations team operates the same application across staging, production, and customer-specific tenant subdomains. A known vulnerability has been accepted on the staging environment because the data is synthetic and the fix is staged for the next deploy. Each environment carries its own override record because the (workspace, finding, target) tuple is enforced; the acceptance on staging.example.com does not silently cover production.example.com or customer-a.example.com.