Manage Issue Exemption Requests
This document details how issue exemption requests can be reviewed and processed by security teams (reviewers). It walks through the complete lifecycle of an exemption request, the permissions required to take action, and how exemptions can be applied at different scopes: Project, Organization, or Account.
The reviewer's role must include Approve/Reject permissions for Exemptions at the appropriate scope, whether at the Project, Organization, or Account level. Refer to Required permissions for issue exemptions and ensure you have the required privileges at the required scopes.
Issue Exemption lifecycle
An Issue Exemption request in STO follows a defined lifecycle, with actions that can be taken at each stage. The actions available on an exemption request are Approve, Reject, Cancel, and Re-open (to re-open an expired or rejected request).
The lifecycle stages are as follows:
- Pending: The request is newly created and awaits review. At this stage, users can choose to approve, reject, or cancel the request.
- Approved: The request has been reviewed and accepted. The issue is temporarily or permanently exempt from further action based on the exemption details.
- Rejected: The request has been reviewed and denied. The issue remains active, and the pipeline may continue to block due to OPA policy enforcement failures.
- Expired: The exemption period has elapsed. Once expired, the issue returns to its original active state unless a new exemption is requested.
Expired and Rejected exemption requests with Organization or Account scope can only be moved to Approved by approving; those with Project, Pipeline, or Target scope can be moved to Pending by re-opening.
 
Users with the Security Testing AppSec role can approve or manage issue exemption requests. Refer to Required permissions for issue exemptions to learn more.
Approve, Reject, or Cancel an Exemption Request
Each exemption request is associated with a specific scope, either a Pipeline, Target, or Project. Reviewers can approve the exemption at the requested scope or at a broader level, such as Organization or Account, as long as they have the appropriate permissions. Refer to the Required permissions for issue exemptions for more details.
 
You can act on exemption requests from the Exemptions section, available at the Project, Organization, and Account levels. Reviewing from higher scopes (Organization or Account) provides a broader view, allowing you to manage exemptions across all organizations and projects within.
In the Exemptions section at the Organization or Account level, you can only see exemption requests from projects where you have View permissions. However, if you have Approve/Reject permissions at the Organization or Account level and you approve an exemption at that scope, it will be applied to all organizations and projects under it, even to those you don’t have access to.
Approve an Exemption Request
To approve an exemption request:
- Go to the Exemptions section from the left navigation.
- Select the Pending tab.
- Click the exemption request you want to act on. The Exemption Details pane opens on the right.
- Based on your permissions, you will see the actions available to you.
You can approve the exemption at the requested scope or a higher one:
- Approve for this target – Applies the exemption only to the specific target where the issue was found.
- Approve for this pipeline – Applies the exemption only to the specific pipeline where the issue was found.
- Approve for this project – Applies the exemption to all pipelines and targets in the current project.
- Approve for this organization – Applies the exemption across all projects in the organization (requires Approve/Reject permission at the Organization scope).
- Approve for this account – Applies the exemption across all organizations and projects in the account (requires Approve/Reject permission at the Account scope).
When you click on an Approve action, a window appears displaying details such as the Issue Title, Requested Scope, and an optional Comment field. You can review the request details, add a comment if needed, and click Submit to proceed.
Only the latest comment from an approval or rejection action is displayed in the exemption pane. Comments history is not shown. To view complete exemption details, refer to View Issue Exemptions documentation.
Always review the Exemption Details and consider the Requested Duration before approving. The exemption remains active only for the specified time window (e.g., 7 days from the approval date).
Users Can Approve Their Own Exemptions
You can control whether users are allowed to approve or reject their own exemption requests. This option is available under Exemption Settings on the Default Settings page at the Project, Organization, and Account levels. To configure this setting, you must have Admin-level permissions at the respective scope.
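The lifecycle, scope and permission rules above are easier to reason about as a small state machine. The following is an added illustration written for this page, not Harness code or its API: the class and function names (Scope, Status, Reviewer, Exemption, approve, reopen, is_suppressed), the rule that a permission held at a broader scope also covers narrower ones, and treating Target and Pipeline as peers in the scope ordering are all assumptions. What it does follow from the page is the set of allowed transitions (Pending to Approved or Rejected; Approved to Expired when the window elapses; Expired or Rejected Organization/Account exemptions re-approved directly, others re-opened to Pending), the requirement that an approval scope be at least the requested scope, the Approve/Reject permission check at the approval scope, and the self-approval setting.

```python
# Toy model of the exemption lifecycle and reviewer checks described on this page. Added
# illustration, not Harness code; names, permission inheritance and Target/Pipeline order are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Scope(Enum):
    TARGET = "target"
    PIPELINE = "pipeline"
    PROJECT = "project"
    ORGANIZATION = "organization"
    ACCOUNT = "account"


class Status(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"
    EXPIRED = "expired"


# Breadth ordering for "approve at the requested scope or a broader one".
# Target and Pipeline are treated as peers (assumption).
SCOPE_RANK = {Scope.TARGET: 0, Scope.PIPELINE: 0, Scope.PROJECT: 1,
              Scope.ORGANIZATION: 2, Scope.ACCOUNT: 3}
# Approve/Reject is granted at Project, Organization or Account level; target- and
# pipeline-scoped approvals fall under the Project permission.
PERMISSION_SCOPE = {Scope.TARGET: Scope.PROJECT, Scope.PIPELINE: Scope.PROJECT,
                    Scope.PROJECT: Scope.PROJECT, Scope.ORGANIZATION: Scope.ORGANIZATION,
                    Scope.ACCOUNT: Scope.ACCOUNT}

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time
DAY = timedelta(days=1)


class ExemptionError(Exception):
    pass


@dataclass
class Reviewer:
    user: str
    approve_reject_at: frozenset  # scopes at which the user holds Approve/Reject


@dataclass
class Exemption:
    issue_title: str
    requester: str
    requested_scope: Scope  # requests are raised at Target, Pipeline or Project scope
    duration: timedelta  # Requested Duration
    status: Status = Status.PENDING
    approved_scope: Optional[Scope] = None
    approved_at: Optional[datetime] = None
    comment: Optional[str] = None  # only the latest approve/reject comment is kept

    @property
    def scope(self) -> Scope:
        return self.approved_scope or self.requested_scope


def has_approve_reject(reviewer: Reviewer, at_scope: Scope) -> bool:
    # Assumption: permission held at a broader scope also covers narrower ones.
    needed = SCOPE_RANK[PERMISSION_SCOPE[at_scope]]
    return any(SCOPE_RANK[s] >= needed for s in reviewer.approve_reject_at)


def approve(ex: Exemption, reviewer: Reviewer, at_scope: Scope, now: datetime,
            allow_self_approval: bool = False, comment: Optional[str] = None) -> Exemption:
    """Pending -> Approved; Expired/Rejected Organization or Account exemptions may be re-approved directly."""
    reapprovable = (ex.status in (Status.EXPIRED, Status.REJECTED)
                    and SCOPE_RANK[ex.scope] >= SCOPE_RANK[Scope.ORGANIZATION])
    if ex.status != Status.PENDING and not reapprovable:
        raise ExemptionError(f"cannot approve from {ex.status.value}; re-open it first")
    if SCOPE_RANK[at_scope] < SCOPE_RANK[ex.requested_scope]:
        raise ExemptionError("approval scope must be at least the requested scope")
    if reviewer.user == ex.requester and not allow_self_approval:
        raise ExemptionError("self-approval is disabled in Exemption Settings")
    if not has_approve_reject(reviewer, at_scope):
        raise ExemptionError(f"{reviewer.user} lacks Approve/Reject for {at_scope.value} scope")
    ex.status, ex.approved_scope, ex.approved_at, ex.comment = Status.APPROVED, at_scope, now, comment
    return ex


def reopen(ex: Exemption) -> Exemption:
    """Expired/Rejected -> Pending, only for Target, Pipeline or Project scope."""
    if ex.status not in (Status.EXPIRED, Status.REJECTED):
        raise ExemptionError(f"cannot re-open from {ex.status.value}")
    if SCOPE_RANK[ex.scope] >= SCOPE_RANK[Scope.ORGANIZATION]:
        raise ExemptionError("Organization/Account exemptions are re-approved, not re-opened")
    ex.status, ex.approved_scope, ex.approved_at = Status.PENDING, None, None
    return ex


def is_suppressed(ex: Exemption, now: datetime) -> bool:
    """Approved -> Expired once the window elapses; only Approved suppresses the issue."""
    if ex.status == Status.APPROVED and now >= ex.approved_at + ex.duration:
        ex.status = Status.EXPIRED
    return ex.status == Status.APPROVED


if __name__ == "__main__":
    org_reviewer = Reviewer("org-reviewer", frozenset({Scope.ORGANIZATION}))
    ex = approve(Exemption("constructed finding", "dev", Scope.PIPELINE, 7 * DAY),
                 org_reviewer, Scope.ORGANIZATION, NOW, comment="risk accepted for 7 days")
    print(ex.status.value, is_suppressed(ex, NOW + 3 * DAY), is_suppressed(ex, NOW + 8 * DAY), ex.status.value)
```

The point of modelling it this way is that every reviewer action is gated in the same order the page describes: first the lifecycle state, then the requested-versus-approval scope, then the self-approval setting, and only then the Approve/Reject permission at the approval scope. An exemption suppresses an issue only while it is Approved and inside its Requested Duration; once it expires, the issue is active again and the only way back is re-approval (Organization/Account) or re-open plus a fresh review (Target/Pipeline/Project).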
Reject an Exemption Request
To reject an exemption request, you can either use the Reject action directly from the Exemptions section or click the request to open the Exemption Details pane, where you can review the request thoroughly before choosing to Reject it.
When you click on the Reject action, a window appears displaying details such as the Issue Title, Requested Scope, and an optional Comment field. You can review the request details, add a comment if needed, and click Submit to proceed.
Only the latest comment from an approval or rejection action is displayed in the exemption pane. Comments history is not shown. To view complete exemption details, refer to View Issue Exemptions documentation.
Once rejected, the request moves to the Rejected tab. The associated issue remains active and may continue to block pipelines due to OPA policy enforcement failures. For more information, see the Issue Exemption Lifecycle.
Cancel an Exemption Request
Clicking Cancel on an exemption request immediately removes it from the system. Once canceled, the request no longer appears in the Exemptions section. If the exemption is still needed, a new request must be created.
Best Practices
- A user with the Security Testing AppSec role should periodically review all exemptions and update their statuses as needed.
- Always define a baseline for every target. If a target doesn't have a baseline, exemption details won't be visible. Instead, you'll see a link prompting you to define the target's baseline.
- You can view the Time Remaining for approved exemptions and the Requested Duration for pending, rejected, and expired requests.