STO Capture the audit trail on Exemptions in UDP scenarios
Granite Caterpillar
Ask / Scope
In UDP scenarios, exemptions may be created or used to bypass specific STO gating violations. The ask is to maintain a complete audit trail for exemption activity so that teams can understand who requested, approved, modified, used, or expired an exemption.
The audit trail should capture details such as:
Who created or requested the exemption
Who approved or rejected it
Date and time of each action
Reason or justification provided
Scope of the exemption
Associated pipeline, application, project, environment, or deployment
Vulnerability or policy that was exempted
Expiration date, if applicable
Any updates, revocations, or renewals
When the exemption was actually used in a UDP flow
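As an added example (not part of this request or of the product itself), one way to model the trail above: an append-only, hash-chained log of exemption lifecycle events, with a point-in-time check so that a UDP flow can only consume an exemption that is approved and neither revoked nor expired, and every use attempt is recorded either way. Class and field names are assumptions based on the list above.

```python
from dataclasses import dataclass, field, asdict
import hashlib
import json

@dataclass(frozen=True)
class ExemptionEvent:  # one lifecycle action; field names are assumed, not the product's
    exemption_id: str
    action: str            # requested | approved | rejected | modified | used | use_denied | revoked | expired
    actor: str             # who performed the action
    at: str                # when, as "YYYY-MM-DDTHH:MM:SS" UTC, so strings order chronologically
    reason: str = ""       # justification given
    scope: dict = field(default_factory=dict)  # pipeline, application, project, environment, deployment
    policy: str = ""       # vulnerability or policy being exempted
    expires_at: str = ""   # expiration in the same format, empty if none

class ExemptionAuditTrail:
    """Append-only trail: each entry commits to the previous entry's hash, so editing or deleting an earlier record makes verify() fail."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def _digest(self, prev, ev):
        return hashlib.sha256((prev + json.dumps(ev, sort_keys=True)).encode()).hexdigest()
    def record(self, event):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        ev = asdict(event)
        self.entries.append({"event": ev, "prev": prev, "hash": self._digest(prev, ev)})

    def verify(self):
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def is_active(self, exemption_id, when):  # latest decision as of `when` is an approval, not revoked/expired
        state, expires = None, ""
        for ev in (e["event"] for e in self.entries):
            if ev["exemption_id"] != exemption_id or ev["at"] > when:
                continue
            if ev["action"] in ("approved", "rejected", "revoked", "expired"):
                state = ev["action"]
            if ev["expires_at"]:
                expires = ev["expires_at"]
        return state == "approved" and (not expires or expires > when)
    def record_use(self, exemption_id, actor, when, scope):  # a gate bypass attempt in a UDP flow, logged either way
        ok = self.is_active(exemption_id, when)
        self.record(ExemptionEvent(exemption_id, "used" if ok else "use_denied", actor, when, scope=scope))
        return ok
```

Because `is_active` only considers events recorded at or before the queried time, the same trail answers both "may this run proceed now?" and the later audit question "was this exemption valid when that deployment used it?".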
Affected users
Primary users are security teams, compliance teams, audit teams, and platform owners who need traceability around exemptions.
Developers and release teams are also affected because they need confidence that exemptions are properly recorded and can be reviewed later.
Impact
This improves governance and accountability around exemption usage. It allows teams to prove why a gated issue was allowed to proceed and who approved it.
The impact is especially important for compliance reviews, internal audits, incident reviews, and reducing risk from undocumented or long-lived exemptions. It also helps prevent misuse of exemptions by making all exemption activity traceable.