Current behavior:
Exemptions in STO expire only on the date explicitly set at grant time (or never, if granted permanently). When the underlying vulnerability is remediated, the exemption nevertheless remains in an "active" state until its configured expiration date, and it continues to appear as an active exemption in reporting, dashboards, and audit exports.
Impact:
  • Stale exemptions accumulate over time and pollute our risk reporting. It becomes difficult to answer "what risk are we currently accepting?" without manual reconciliation between active exemptions and current scan findings.
  • Audit and compliance reviews require manual correlation to prove each active exemption still corresponds to a real, present finding.
Requested behavior:
We would like STO to detect when an exempted issue no longer appears in the results of a scan that covers its target (so that a failed or narrowed scan is not mistaken for remediation) and then transition the exemption to a distinct terminal state (e.g., "Remediated / Inactive") that is clearly differentiated from "Expired" and "Rejected."
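For illustration, the reconciliation logic being requested, written as an added example that is not STO's own code or API. It assumes a hypothetical exemption record keyed by an issue identity and target, a hypothetical scan result listing the finding keys present for a target, and constructed sample data. An exemption is only moved to "Remediated" when its target was actually scanned and the finding is absent; an exemption whose target was not covered keeps its state (or expires on its date), and "Rejected" records are never touched.

```python
"""Reconcile active exemptions against current scan findings (constructed example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

ACTIVE, EXPIRED, REJECTED, REMEDIATED = "Active", "Expired", "Rejected", "Remediated"


@dataclass
class Exemption:
    # Hypothetical identity of the exempted finding, e.g. "<scanner>:<CVE or rule>:<target>".
    issue_key: str
    target: str                 # pipeline / artifact the finding was reported against
    granted: date
    expires: Optional[date]     # None means granted permanently
    status: str = ACTIVE
    status_changed: Optional[date] = None


@dataclass(frozen=True)
class ScanResult:
    """Findings from the latest *successful* scan of one target (assumed shape)."""
    target: str
    finding_keys: frozenset


def reconcile(exemptions, scans, today):
    """Transition exemptions in place; return a list of (issue_key, old_status, new_status).

    Only ACTIVE records are considered. A record becomes REMEDIATED when its target was
    covered by a scan and the finding is absent from it; remediation is checked before
    expiry so that a fixed issue is recorded as fixed, not merely as expired. A record
    whose target was not scanned cannot be judged remediated and only expires on its date.
    """
    covered = {s.target: s.finding_keys for s in scans}
    transitions = []
    for ex in exemptions:
        if ex.status != ACTIVE:
            continue
        findings = covered.get(ex.target)
        if findings is not None and ex.issue_key not in findings:
            new_status = REMEDIATED
        elif ex.expires is not None and today > ex.expires:
            new_status = EXPIRED
        else:
            continue
        transitions.append((ex.issue_key, ex.status, new_status))
        ex.status, ex.status_changed = new_status, today
    return transitions


def accepted_risk(exemptions):
    """Answer 'what risk are we currently accepting?': issue keys still ACTIVE."""
    return sorted(e.issue_key for e in exemptions if e.status == ACTIVE)


def sample_exemptions():
    """Constructed sample data; issue keys and targets are invented."""
    g = date(2024, 1, 10)
    return [
        Exemption("trivy:CVE-2023-0001:api", "api", g, date(2024, 7, 10)),  # fixed -> Remediated
        Exemption("trivy:CVE-2023-0002:api", "api", g, None),               # still present -> stays Active
        Exemption("trivy:CVE-2023-0003:web", "web", g, date(2024, 3, 1)),   # target not scanned, past date -> Expired
        Exemption("trivy:CVE-2023-0004:web", "web", g, None),               # target not scanned, permanent -> stays Active
        Exemption("trivy:CVE-2023-0005:api", "api", g, None, status=REJECTED),  # never touched
    ]


def sample_scans():
    # Only "api" was scanned; CVE-2023-0002 is still reported, CVE-2023-0001 is gone.
    return [ScanResult("api", frozenset({"trivy:CVE-2023-0002:api"}))]


def run_demo(today=date(2024, 5, 1)):
    exemptions = sample_exemptions()
    transitions = reconcile(exemptions, sample_scans(), today)
    return transitions, accepted_risk(exemptions)


if __name__ == "__main__":
    moved, accepted = run_demo()
    for key, old, new in moved:
        print(f"{key}: {old} -> {new}")
    print("currently accepted risk:", accepted)
```

Running the reconciliation on each scan completion (rather than only at expiry time) is what keeps the "active" set equal to the risk actually being accepted; the transition list is also the audit trail a reviewer would want, since each entry records when and why a record left the active state.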