STO Allow Exemptions on target name of vulnerabilities
Granite Caterpillar
Ask / Scope
Currently, exemption support may not allow teams to scope exemptions based on the target name associated with vulnerabilities. The ask is to support exemptions at the target-name level so teams can create more precise and context-aware exemptions.
The scope includes allowing exemptions to be applied based on the vulnerability target name, such as a specific artifact, container image, service, dependency target, repository, or scanned component name.
The expected behavior is that if a vulnerability appears under a specific target name and that target has a valid exemption, the gating logic should recognize the exemption and not block the pipeline for that scoped case.
The exemption should remain narrow and should not unintentionally exempt the same vulnerability across unrelated targets.
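As an added illustration (not part of the original request or the product's own code), the following Python sketch shows the gating behaviour described above: an exemption suppresses a finding only for the target it names, while the same vulnerability on an unrelated target still blocks. The data model, field names, dates and sample findings are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# All identifiers, dates and sample records below are constructed for illustration.

@dataclass(frozen=True)
class Finding:
    vuln_id: str    # vulnerability identifier reported by the scanner
    target: str     # artifact, image, service or repository the scan ran against
    severity: str

@dataclass(frozen=True)
class Exemption:
    vuln_id: str
    target: Optional[str]   # None = unscoped (applies to every target)
    expires: date
    justification: str

def exemption_applies(ex: Exemption, f: Finding, today: date) -> bool:
    """True only if the exemption names the same vulnerability, has not
    expired, and is either unscoped or names exactly this finding's target."""
    if ex.vuln_id != f.vuln_id or today > ex.expires:
        return False
    return ex.target is None or ex.target == f.target

def gate(findings, exemptions, today, block_at=("CRITICAL", "HIGH")):
    """Return the findings that should block the pipeline: those at a blocking
    severity with no valid exemption covering their specific target."""
    return [
        f for f in findings
        if f.severity in block_at
        and not any(exemption_applies(e, f, today) for e in exemptions)
    ]

TODAY = date(2025, 1, 15)

FINDINGS = [
    Finding("CVE-0000-0001", "registry/payments-api:1.4", "HIGH"),
    Finding("CVE-0000-0001", "registry/checkout-web:2.0", "HIGH"),   # same vuln, other target
    Finding("CVE-0000-0002", "registry/payments-api:1.4", "CRITICAL"),
]

EXEMPTIONS = [
    # Narrow exemption: only the payments-api image is covered.
    Exemption("CVE-0000-0001", "registry/payments-api:1.4", date(2025, 3, 1), "code path unreachable"),
    # Expired exemption: must not suppress anything.
    Exemption("CVE-0000-0002", "registry/payments-api:1.4", date(2024, 12, 31), "awaiting vendor fix"),
]

if __name__ == "__main__":
    for f in gate(FINDINGS, EXEMPTIONS, TODAY):
        print(f"BLOCK {f.vuln_id} on {f.target}")
```

Run as written, only the checkout-web finding for the first vulnerability and the finding whose exemption has expired are reported as blocking.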
Affected users
Primary users are developers, application teams, security engineers, and platform teams managing vulnerabilities across multiple targets or deployable components.
This is especially relevant for teams with shared vulnerabilities that appear across multiple services, images, or components but require different exemption decisions depending on where they appear.
Impact
This enables more accurate exemption handling and avoids overly broad exemptions. Teams can exempt a vulnerability only where there is a valid business or technical justification, while still enforcing gates for the same vulnerability in other targets.
This reduces unnecessary deployment blockers while maintaining security control. It also improves exemption hygiene by encouraging narrow, well-scoped exceptions instead of broad bypasses.