Design proposal: Dismiss vulnerability (API + GitOps docs)#45651
Draft
justinehg wants to merge 2 commits into
Conversation
Proposes new REST API surface for dismissing vulnerabilities, as part of the Product Designer design challenge. Changes to `docs/REST API/rest-api.md` in the `## Vulnerabilities` section:
- Adds `POST /api/v1/fleet/vulnerabilities/:cve/dismiss`
- Adds `POST /api/v1/fleet/vulnerabilities/:cve/restore`
- Adds `status` and `dismissed_by` query params to `List vulnerabilities`
- Adds `dismissed` / `dismissal` fields to `List` and `Get` response objects
- Updates section TOC

Companion to the API endpoints in the previous commit. Proposes the GitOps YAML schema for managing vulnerability dismissals as code. Changes to `docs/Configuration/yaml-files.md`:
- Adds new `## vulnerabilities` top-level section
- Documents `dismissed[]` list with `cve`, `reason`, `re_evaluate`, `scope` fields
- Documents `path:` / `paths:` support consistent with policies, reports, labels
- Notes GitOps conflict resolution (GitOps wins on next sync)
- Notes Premium gating for `mode: on_cvss_increase`
- Notes admin role requirement for `mode: never`
Proposes the documentation for a new dismiss vulnerability feature: a way for security engineers to hide evaluated CVEs from active reports while preserving the audit trail.
The full design lives in the companion Figma file. This PR captures only the API + GitOps surface.
Companion artifacts
Changes
- `docs/REST API/rest-api.md` — extends the existing `## Vulnerabilities` section:
  - `Dismiss vulnerability` endpoint (`POST /api/v1/fleet/vulnerabilities/:cve/dismiss`)
  - `Restore vulnerability` endpoint (`POST /api/v1/fleet/vulnerabilities/:cve/restore`)
  - `status` and `dismissed_by` query params to `List vulnerabilities`
  - `dismissed` and `dismissal` fields to `List` and `Get` response objects
- `docs/Configuration/yaml-files.md` — adds new top-level `## vulnerabilities` section:
  - `spec.vulnerabilities.dismissed[]` schema (mirrors the API one-to-one)
  - `mode: on_cvss_increase`
  - `mode: never`
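As an added illustration of the gating rules the GitOps commit describes (Premium for `mode: on_cvss_increase`, admin role for `mode: never`, `cve` and `reason` on every `dismissed[]` entry), here is a small validator for such entries. It is example code, not Fleet's implementation; it assumes `mode` is nested under `re_evaluate` and that the CVE id format and the `premium` / `role` inputs are the only gating signals.

```python
"""Validate proposed `spec.vulnerabilities.dismissed[]` entries.

Example code, not Fleet's own. Assumptions: `mode` lives under
`re_evaluate`, and licensing/role are passed in as `premium` / `role`.
"""
import re

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
ALLOWED_MODES = {"on_cvss_increase", "never"}  # modes named in the proposal
PREMIUM_MODES = {"on_cvss_increase"}           # proposal: Premium gating
ADMIN_MODES = {"never"}                        # proposal: admin role required


def validate_dismissal(entry: dict, *, premium: bool, role: str) -> list[str]:
    """Return the problems found in one entry; an empty list means accepted."""
    problems = []
    cve = str(entry.get("cve", ""))
    if not CVE_RE.match(cve):
        problems.append(f"cve: {cve!r} is not a CVE id")
    # `reason` is what keeps the audit trail meaningful, so it is mandatory.
    if not str(entry.get("reason", "")).strip():
        problems.append("reason: required")
    mode = (entry.get("re_evaluate") or {}).get("mode")
    if mode is not None:
        if mode not in ALLOWED_MODES:
            problems.append(f"re_evaluate.mode: unknown mode {mode!r}")
        elif mode in PREMIUM_MODES and not premium:
            problems.append(f"re_evaluate.mode: {mode!r} requires Fleet Premium")
        elif mode in ADMIN_MODES and role != "admin":
            problems.append(f"re_evaluate.mode: {mode!r} requires the admin role")
    return problems


def validate_spec(entries: list[dict], *, premium: bool, role: str) -> dict:
    """Validate a whole `dismissed[]` list; also flags a CVE listed twice."""
    report, seen = {}, set()
    for i, entry in enumerate(entries):
        problems = validate_dismissal(entry, premium=premium, role=role)
        cve = entry.get("cve")
        if cve in seen:
            problems.append(f"cve: {cve!r} is dismissed more than once")
        seen.add(cve)
        if problems:
            report[f"dismissed[{i}]"] = problems
    return report
```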