Vulnerability

Overview

This document outlines the process for appropriately handling vulnerabilities deemed acceptable to ignore temporarily, permanently, or until a fix is available. It ensures transparency and accountability while maintaining a robust security posture.
It helps ensure that vulnerabilities are properly assessed, and decisions to ignore them are made based on a thorough understanding of associated risks.

Best practice

The best practice is to fix or patch vulnerabilities or to remove the vulnerable dependency. However, if a reported vulnerability doesn't have a fix, or you have decided not to fix it, you can ignore it. When you ignore a vulnerability, ARMO Cloud does not consider it a violation.

Risk Acceptance for a Vulnerability

  1. In the vulnerabilities table for the selected image, click the Ignore button for one of the failed CVEs.

  2. On the Ignore rule dialog, type the reason you want to ignore that CVE, and click Save.

    👍

    If the CVE isn't fixable, you can ignore it until there is a fix available.

  3. You should see a confirmation message at the top of the screen, indicating the CVE was ignored successfully, and the state of the button changed to Unignore.

ℹ️

Future scans will not count ignored CVEs, and as a result, the number of reported vulnerabilities will decrease.

Revoke an accepted risk

  1. Click the Unignore button for a CVE that was previously ignored.
  2. Click the trash button.
  3. Confirm the deletion of the Ignore rule.
  4. You should see a confirmation message at the top of the screen, indicating the Ignore rule was deleted successfully, and the state of the button changed back to Ignore.
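The following is an added example, not ARMO Cloud code, that models the semantics of the two procedures above: an Ignore rule records a CVE and the stated reason, an ignore that is "until a fix is available" lapses automatically once the scanner reports a fixed version, ignored CVEs are left out of the violation count on later scans, and deleting the rule makes the CVE count again. The Finding and IgnoreRule types, the triage function and the CVE ids (CVE-EXAMPLE-000x) are constructed for the example and are not ARMO identifiers.

```python
"""Ignore-rule bookkeeping for scan findings (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    """One CVE reported against a container image by a scanner (constructed type)."""
    cve_id: str
    severity: str
    fixed_version: Optional[str] = None  # None: no fix published yet


@dataclass
class IgnoreRule:
    """An accepted risk; the reason is kept so the decision stays auditable."""
    cve_id: str
    reason: str
    until_fix_available: bool = False  # lapses automatically once a fix exists


class IgnoreRules:
    """Keeps one rule per CVE id, mirroring the Ignore/Unignore toggle in the UI."""

    def __init__(self) -> None:
        self._rules: Dict[str, IgnoreRule] = {}

    def ignore(self, cve_id: str, reason: str, until_fix_available: bool = False) -> IgnoreRule:
        # Refuse rules without a reason: an acceptance nobody can explain is not auditable.
        if not reason.strip():
            raise ValueError("an ignore rule must state a reason")
        rule = IgnoreRule(cve_id, reason.strip(), until_fix_available)
        self._rules[cve_id] = rule
        return rule

    def unignore(self, cve_id: str) -> bool:
        """Delete the rule (revoke the accepted risk); False if there was none."""
        return self._rules.pop(cve_id, None) is not None

    def applies_to(self, finding: Finding) -> bool:
        rule = self._rules.get(finding.cve_id)
        if rule is None:
            return False
        if rule.until_fix_available and finding.fixed_version is not None:
            return False  # a fix now exists, so the temporary acceptance no longer applies
        return True


def triage(findings: List[Finding], rules: IgnoreRules) -> Tuple[List[Finding], List[Finding]]:
    """Split one scan result into (counted violations, ignored findings)."""
    violations = [f for f in findings if not rules.applies_to(f)]
    ignored = [f for f in findings if rules.applies_to(f)]
    return violations, ignored


# Constructed sample scan of one image; the CVE ids are placeholders, not real advisories.
SCAN_BEFORE_FIX = [
    Finding("CVE-EXAMPLE-0001", "high"),  # no fix available yet
    Finding("CVE-EXAMPLE-0002", "medium", fixed_version="2.4.1"),
    Finding("CVE-EXAMPLE-0003", "low"),
]
# The same image rescanned after a fix for CVE-EXAMPLE-0001 is published.
SCAN_AFTER_FIX = [
    Finding("CVE-EXAMPLE-0001", "high", fixed_version="1.9.3"),
    Finding("CVE-EXAMPLE-0002", "medium", fixed_version="2.4.1"),
    Finding("CVE-EXAMPLE-0003", "low"),
]


def demo() -> Dict[str, int]:
    """Walk through ignore, rescan after a fix appears, and revoke; returns the counts."""
    rules = IgnoreRules()
    # Accept the unfixable CVE only until a fix exists, and the low one permanently.
    rules.ignore("CVE-EXAMPLE-0001", "no upstream fix; package not reachable at runtime",
                 until_fix_available=True)
    rules.ignore("CVE-EXAMPLE-0003", "accepted by security review, low impact")
    before = len(triage(SCAN_BEFORE_FIX, rules)[0])  # only 0002 is counted
    after = len(triage(SCAN_AFTER_FIX, rules)[0])    # 0001 counts again: a fix now exists
    rules.unignore("CVE-EXAMPLE-0003")               # revoke the accepted risk
    revoked = len(triage(SCAN_AFTER_FIX, rules)[0])  # all three are counted
    return {"before_fix": before, "after_fix": after, "after_revoke": revoked}


if __name__ == "__main__":
    print(demo())
```

The point worth keeping from the model: an "ignore until a fix is available" rule is evaluated against each new scan, so the CVE reappears in the count as soon as a fixed version is reported, while a permanent ignore only disappears when the rule itself is deleted.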