In some cases, you would not want a particular vulnerability finding to appear in the output of a scan. Possible reasons include:
- the vulnerability is not applicable to a specific situation.
- the risk has been diverted or mitigated by other measures already implemented.
- the risk is in the process of being mitigated or remediated.
- there are other valid reasons why a specific risk is acceptable.
For these cases you can create a check exemption. This functionality can be accessed from the Masterdata part of the menu:
It can also be accessed from within a Scan overview:
Check exemption access for a specific vulnerability inside a Scan
or from within the check selection of a scan within a project:
Check exemption access for a specific check inside a scan within a Project
In the exemption configuration application, you can exclude checks for a specific period.
It is also possible to do so for different scopes like a specific scan, a specific project or for example, for all scans. In addition, you can document the reason why this check has been exempted, who approved it and provide references to other documentation.
Example of a newly created Exemption
After an exemption has been created for a specific check, the corresponding findings no longer show up in the Scan export and no longer contribute to the Risk score of the SAP system. You can still make them visible in the Scan overview, where they are shown in blue after selecting a special flag:
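The following is an added illustration of the exemption behaviour described above, written for this page and not taken from the scanning product's own code or data model. The field names (`check_id`, `scan_id`, `project_id`), the three scope kinds (`all`, `project`, `scan`), the validity window and the risk-score formula are all assumptions; they show how a scoped, time-limited exemption removes a finding from an export and from the risk score, while an expired exemption hides nothing.

```python
"""Hypothetical model of scoped, time-limited check exemptions.

Added example, not the product's own implementation: the Finding and
Exemption fields, the scope kinds and the risk-score formula are assumed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    check_id: str          # identifier of the check that produced the finding
    scan_id: str           # scan in which the finding was observed
    project_id: str        # project the scan belongs to
    severity: int          # assumed 1..10 weight used by the risk score


@dataclass(frozen=True)
class Exemption:
    check_id: str
    valid_from: date
    valid_to: date
    scope: str                        # "all" | "project" | "scan" (assumed)
    scope_id: Optional[str] = None    # project or scan id for narrowed scopes
    reason: str = ""                  # why the check is exempted
    approved_by: str = ""             # who approved the exemption
    references: tuple = ()            # links to supporting documentation

    def covers(self, finding: Finding, on: date) -> bool:
        """True if this exemption applies to the finding on the given date."""
        if finding.check_id != self.check_id:
            return False
        if not (self.valid_from <= on <= self.valid_to):
            return False   # expired or not-yet-active exemptions hide nothing
        if self.scope == "all":
            return True
        if self.scope == "project":
            return finding.project_id == self.scope_id
        if self.scope == "scan":
            return finding.scan_id == self.scope_id
        raise ValueError(f"unknown exemption scope: {self.scope!r}")


def split_findings(findings, exemptions, on):
    """Partition findings into (reported, exempted) as of the given date."""
    reported, exempted = [], []
    for f in findings:
        if any(e.covers(f, on) for e in exemptions):
            exempted.append(f)   # shown in blue only when the special flag is set
        else:
            reported.append(f)
    return reported, exempted


def risk_score(findings):
    """Assumed risk score: sum of severities of the findings still reported."""
    return sum(f.severity for f in findings)


def export_rows(findings, exemptions, on, show_exempted=False):
    """Rows an export would contain; exempted findings only when flagged."""
    reported, exempted = split_findings(findings, exemptions, on)
    rows = [(f.check_id, f.scan_id, "open") for f in reported]
    if show_exempted:
        rows += [(f.check_id, f.scan_id, "exempted") for f in exempted]
    return rows


# Constructed sample data (not real scan output)
SAMPLE_FINDINGS = [
    Finding("CHK-001", "scan-42", "proj-A", 8),
    Finding("CHK-002", "scan-42", "proj-A", 5),
    Finding("CHK-001", "scan-43", "proj-B", 8),
]
SAMPLE_EXEMPTIONS = [
    Exemption("CHK-001", date(2024, 1, 1), date(2024, 6, 30), scope="project",
              scope_id="proj-A", reason="Mitigated by network segmentation",
              approved_by="security-lead", references=("TICKET-123",)),
]
INSIDE_WINDOW = date(2024, 3, 1)     # exemption active
AFTER_EXPIRY = date(2024, 7, 15)     # exemption expired

if __name__ == "__main__":
    reported, exempted = split_findings(SAMPLE_FINDINGS, SAMPLE_EXEMPTIONS, INSIDE_WINDOW)
    print("risk score with exemption:", risk_score(reported))
    print("export (flag set):", export_rows(SAMPLE_FINDINGS, SAMPLE_EXEMPTIONS,
                                            INSIDE_WINDOW, show_exempted=True))
```

The scope check is deliberately narrow: a project-scoped exemption for CHK-001 hides the finding in proj-A but leaves the same check reported for proj-B, and once the validity window has passed the finding returns to the export and to the risk score without any further action.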
Check exemption displayed in Scan overview
Exemptions will also appear in the Scan comparison report:
Exemption shown in Scan comparison report