Feature Request, Exemption auto request and grant
next fiscal quarter
Keppel green Thrush
As a security engineer, I seek to run SCA (software component analysis) scans as late in the CICD process as possible (shift right). However, I do not want to block releases at this point. What I DO want is for vulnerabilities discovered at this late stage to auto request an exemption, and for the exemption to be automatically granted, and for the duration of the exemption to be configurable to my organization's SLO for remediating security findings. The vulnerability severity needs to be configurable, but for our needs it's High and Critical.
Additionally, notification to myself, repo owners, security staff via email would be amazing.
Pritesh Chandaliya
next fiscal quarter
This is planned for Q1 (Feb - April 2026)