Managing Findings
How to waive, ignore, and resolve security findings
Not every finding requires immediate action. SecurityChecks provides multiple ways to manage findings based on your workflow.
Finding States
| State | Meaning | When to Use |
|---|---|---|
| Open | Active issue needing attention | Default state for new findings |
| Resolved | Fixed in code | After you've addressed the issue |
| Waived | Acknowledged but not fixing | Accepted risk, false positive, or deferred |
| Ignored | Hidden from view | Not relevant to your codebase |
Resolving Findings
When you fix a security issue:
- Push the fix to your repository
- Run a new scan
- SecurityChecks automatically marks the finding as Resolved when the issue no longer appears
Or manually mark as resolved:
- Open the finding detail page
- Click the Mark as Resolved button
- The finding moves to your resolved list
Waiving Findings
For findings you've reviewed but won't fix immediately:
- Open the finding detail page
- Click Waive Finding
- Select a reason:
  - False positive - Not actually a vulnerability
  - Acceptable risk - We understand and accept this
  - Will fix later - Tracked elsewhere (add ticket link)
  - Not applicable - Out of scope for this codebase
- Optionally set an expiration (7, 30, or 90 days)
- Click Create Waiver
Waived findings:
- Don't count toward your open finding totals
- Reappear automatically when the waiver expires
- Are visible in your waived findings list
- Include an audit trail (who waived, when, and why)
Ignoring via Configuration
For patterns you want to ignore across all scans, add them to your .securitychecks.json:
```json
{
  "severity": {
    "ignore": [
      "GRAPHQL.INTROSPECTION.ENABLED"
    ]
  }
}
```
This is useful for:
- Invariants that don't apply to your architecture
- Development-only patterns you've intentionally enabled
- Organization-wide policy decisions
Best Practices
Do
- Document your reasoning - Future you will thank past you
- Set expiration dates - Revisit accepted risks periodically
- Use waivers for exceptions - Not as a way to ignore all findings
- Review waived findings monthly - Risks change over time
Don't
- Waive without investigation - Every P0 deserves a look
- Ignore entire categories - Each finding is context-specific
- Let waivers pile up - If you're waiving > 30%, something's wrong
Filtering Your View
On the Findings page, use filters to focus on what matters:
- Status: Open, Waived, Resolved, Ignored
- Severity: P0 (Critical), P1 (Important), P2 (Advisory)
- Project: Filter by specific repository
- Invariant: Group by checker type
CLI Baseline
For teams using CI/CD, you can baseline existing findings:
```
scheck baseline --update
```
This creates a baseline file that:
- Excludes existing findings from CI failures
- Fails only on new findings introduced in the PR
- Tracks baseline changes in version control
See CI/CD Integration for more details.
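The waiver expiry, configuration-ignore and baseline rules described above, modelled as a small CI gate. This is an added example, not SecurityChecks code: the finding, waiver and baseline field names are assumptions, and every invariant ID except GRAPHQL.INTROSPECTION.ENABLED is a constructed placeholder.

```python
from datetime import date, timedelta
# Constructed sample data. The real finding, waiver and baseline file schemas are
# not documented on this page, so every field name below is an assumption.
IGNORED_INVARIANTS = {"GRAPHQL.INTROSPECTION.ENABLED"}      # the "severity.ignore" list
FINDINGS = [  # "present": does the latest scan still report it?
    {"id": "f1", "invariant": "GRAPHQL.INTROSPECTION.ENABLED", "present": True},
    {"id": "f2", "invariant": "EXAMPLE.INVARIANT.A", "present": True},
    {"id": "f3", "invariant": "EXAMPLE.INVARIANT.B", "present": False},
    {"id": "f4", "invariant": "EXAMPLE.INVARIANT.C", "present": True},
    {"id": "f5", "invariant": "EXAMPLE.INVARIANT.D", "present": True},
]
WAIVERS = {  # audit trail: who waived, when, why, plus an optional expiry in days
    "f2": {"by": "alice", "reason": "Will fix later", "ticket": "TICKET-PLACEHOLDER",
           "created": date(2024, 1, 1), "days": 30},
    "f4": {"by": "bob", "reason": "Acceptable risk", "created": date(2024, 1, 1), "days": None},
}
BASELINE = {"f1", "f2", "f3"}  # ids recorded when `scheck baseline --update` last ran

def effective_state(finding, waivers, ignored, today):
    """Map a finding to Open / Resolved / Waived / Ignored as the page defines them."""
    if finding["invariant"] in ignored:
        return "Ignored"                  # configuration-level ignore wins
    if not finding["present"]:
        return "Resolved"                 # no longer reported by the latest scan
    waiver = waivers.get(finding["id"])
    if waiver is not None:
        expiry = None if waiver["days"] is None else waiver["created"] + timedelta(days=waiver["days"])
        if expiry is None or today < expiry:
            return "Waived"               # an expired waiver falls through to Open
    return "Open"

def summarize(findings, waivers, ignored, baseline, today_iso):
    """CI decision: fail only on Open findings not in the baseline; flag waiver overuse."""
    today = date.fromisoformat(today_iso)
    states = {f["id"]: effective_state(f, waivers, ignored, today) for f in findings}
    open_ids = {fid for fid, s in states.items() if s == "Open"}
    reviewed = [s for s in states.values() if s in ("Open", "Waived")]
    waived_ratio = reviewed.count("Waived") / len(reviewed) if reviewed else 0.0
    return {
        "states": states,
        "new_open": sorted(open_ids - baseline),     # these alone should fail the PR
        "fail_ci": bool(open_ids - baseline),
        "waived_ratio": waived_ratio,
        "too_many_waivers": waived_ratio > 0.30,     # the page's "> 30%" rule of thumb
    }

if __name__ == "__main__":
    for day in ("2024-01-15", "2024-02-15"):  # before and after f2's 30-day waiver expires
        print(day, summarize(FINDINGS, WAIVERS, IGNORED_INVARIANTS, BASELINE, day))
```

Note that f2 is in the baseline, so when its waiver expires it reappears as Open in the dashboard totals but does not fail CI; only the never-baselined f5 does.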