Exceptions
Use exceptions to acknowledge findings without letting them clutter your priorities.
Not every finding needs immediate action. Exceptions let you acknowledge a finding while preventing it from affecting risk scores or competing for attention with urgent issues. Use them to:
- Document a finding you've decided to accept
- Record a compensating control
- Flag a false positive
- Stop a check from running at all
By default, exceptions take effect the moment they're created, and a different team member approves or rejects them afterward as an audit step. The exact behavior is governed by three space-level settings described below.
Space-level exception settings
Each space has three settings that shape how exceptions behave. The defaults favor fast iteration; tightening them adds governance and review.
| Setting | Default | What changes when toggled |
|---|---|---|
| Immediately apply created exceptions | On | When off, new exceptions start in a pending state and don't apply until a team member with Editor or Owner access approves them. |
| Allow non-expiring exceptions | On | When off, every exception must have an expiration date. |
| Allow users to approve their own exceptions | Off | When on, the same user who creates an exception can also approve it. By default, a different team member must approve. |
The approval history gives you a clear audit trail regardless of which settings you choose.
The four exception types
| Exception type | What happens | When to use it |
|---|---|---|
| Risk Accepted | Check still runs; finding doesn't affect the score | You know about the risk and plan to fix it later. |
| Workaround | Check still runs; finding doesn't affect the score | A compensating control is in place that mitigates the finding. |
| False Positive | Check still runs; finding doesn't affect the score | The finding is inaccurate or doesn't apply in your environment. |
| Disable | Check does not run | The check is causing stability or performance problems and you want to skip it entirely. |
Where exceptions can be set
You can set exceptions at two levels.
Space-wide:
- Policy checks
- Vulnerabilities
- Vendor advisories
- Compliance framework controls
- Compliance framework control checks
On a single asset:
- Checks on an asset
- Vulnerabilities on an asset
- Vendor advisories on an asset
Manage exceptions
Each space has a centralized Exceptions page that lists every exception in the space, its status, and when it expires. Use it to approve or reject pending exceptions and to catch exceptions that are about to expire.

How exceptions affect scoring
Exceptions other than Disable keep the underlying check running, but the finding contributes 0 to risk scores. Disable prevents the check from running on the affected scope. To learn how this rolls into the Space Risk Score, read How the Space Risk Score Is Calculated.