[docs] replace old risk acceptance article and add calendar #14244
Merged
Commits (9 total; changes shown from 5 commits)
c5bf796 (dangoelz): Replace old risk acceptance article and add calendar
f680221 (paulOsinski): revert thulite changes and block renovate
ba5330f (paulOsinski): resize images
72bee45 (paulOsinski): update lock file
a8163a5 (paulOsinski): Merge branch 'bugfix' into calendar_risk_acceptance
77a460b (paulOsinski): change article directories
50067b0 (paulOsinski): content changes
dc2308c (paulOsinski): Merge branch 'calendar_risk_acceptance' of github.com:dangoelz/django…
9cacb73 (paulOsinski): update lock file again
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| --- | ||
| title: "Calendar" | ||
| description: "How to use the Calendar in DefectDojo Pro" | ||
| audience: pro | ||
| weight: 2 | ||
| --- | ||
|
|
||
| DefectDojo features a built-in Calendar so you can track all prior and active Engagements and Tests within your organization. Any time a User creates a new Engagement or Test and establishes the start and end dates, a corresponding entry will automatically be added to the Calendar. | ||
|
|
||
| ### Landing Page | ||
|
|
||
| The Calendar page includes filters at the top and a monthly calendar below. The filters can adjust which results appear in the calendar based on: | ||
| - Engagement and/or Test | ||
| - Start and End date | ||
| - Engagement Status (e.g., Completed, In Progress, On Hold, etc.) | ||
| - Engagement/Test Lead (i.e., to whom is the Engagement/Test assigned?) | ||
| - Engagement Type (e.g., Interactive or CI/CD) | ||
| - Test Type (e.g., Pen Test, Acunetix Scan, Tenable Scan, etc.) | ||
|
|
||
|  | ||
|
|
||
| Once filtered, results can be exported and shared as an ICS file. | ||
|
|
||
| Importantly, Calendar will only present Engagements and Tests to which the User viewing the calendar has access. It will not display Engagements and Tests that the User does not have permission to view. | ||
|
|
||
| ## Features | ||
|
|
||
| ### Monthly View | ||
|
|
||
| The monthly calendar will preview five entries on each day. Additional entries occurring on that day will be hidden from view unless the **"+ [X] events"** is clicked within the cell of any particular date. Once clicked, the calendar will shift from a monthly view to a daily view. | ||
|
|
||
| Clicking on an for a Test or Engagement will open a pop-up modal with additional information on that entry, including: | ||
| - Start and End Date | ||
| - Test or Engagement Type | ||
| - Lead | ||
| - Status | ||
| - Asset | ||
| - Engagement | ||
| - Test | ||
|
|
||
| From there, the Asset, Engagement, or Test can be accessed via hyperlink. | ||
|
|
||
| ### Daily View | ||
|
|
||
| In the daily view, all currently active Engagements and Tests will appear chronologically in descending order (i.e, a newly created Engagement or Test will be found at the bottom of that day’s entry). Engagements appear in blue, while Tests appear in Orange. | ||
|
|
||
| If set within the applicable Engagement/Test, the title of each entry in the daily calendar will include the following: | ||
| - Status | ||
| - Product | ||
| - Engagement | ||
| - Test | ||
| - Assignee | ||
|
|
||
| #### Arrows | ||
|
|
||
| The arrows on the left and right side of each entry indicate whether that particular Test or Engagement is present on the preceding and/or following day. | ||
|
|
||
| For example, a Test that was made on the same day on which it’s being viewed will not have arrows on the left because that Test didn’t exist the day before. Conversely, a Test that ends on the same day on which it’s being viewed will not have arrows on the right because the entry won’t exist on the following day. | ||
|
|
||
| For example, as the final Engagement in the screenshot below (**In Progress** Example Product A ▶ **Sample Engagement** (Unassigned)) is being viewed on the day it was created, and the Target End Date was set for the following day, no arrows are present on either the left or right side. | ||
|
|
||
|  |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| --- | ||
| title: "Calendar" | ||
| description: "Exploring the Calendar feature in DefectDojo Pro" | ||
| summary: "" | ||
| date: 2026-02-01T17:33:00+00:00 | ||
| lastmod: 2026-02-01T17:33:00+00:00 | ||
| draft: false | ||
| weight: 2 | ||
| seo: | ||
| title: "" | ||
| description: "" | ||
| canonical: "" | ||
| robots: "" | ||
| exclude_search: true | ||
| --- |
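Review bot: this index front matter sets `title: "Calendar"` and `weight: 2`, identical to the article in the previous hunk; if the directory contains only that one page, confirm the duplicate title does not render two "Calendar" entries in the navigation. Also, `exclude_search: true` together with every `seo` field left as `""` means this index page is neither searchable nor described for crawlers, which is fine for a pure section index but worth a comment so nobody later copies the block onto a content page.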
docs/content/triage_findings/findings_workflows/risk_acceptances.md (0 additions, 74 deletions): This file was deleted.
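Review bot: deleting docs/content/triage_findings/findings_workflows/risk_acceptances.md without a visible redirect will break any existing inbound links and bookmarks to the old path; add an alias or redirect from the old path to the new article, or confirm that no other page under docs/content links to it.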
docs/content/triage_findings/risk_acceptance/PRO__risk_acceptance.md (113 additions, 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,113 @@ | ||
| --- | ||
| title: "Risk Acceptances" | ||
| description: "Leveraging Risk Acceptances in DefectDojo Pro" | ||
| audience: pro | ||
| weight: 2 | ||
| --- | ||
|
|
||
| **Risk Acceptances** are a special status that can be applied to Findings using either **Full Risk Acceptance** objects or the **Simple Risk Acceptance** workflow to formally document and operationalize the decision to acknowledge a vulnerable Finding without immediately remediating it. | ||
|
|
||
| DefectDojo Pro includes enhanced Risk Acceptance capabilities to scale risk management decisions, including: | ||
| - **Cross-Product Risk Acceptances**: A single Risk Acceptance can be applied across multiple products, allowing you to bundle all instances of the same or similar Findings throughout your entire portfolio of Assets into a single Risk Acceptance object. | ||
| - **Bulk Management**: Filter and search for specific Findings of vulnerability IDs and apply Risk Acceptance to all results simultaneously regardless of the Asset they belong to. | ||
|
|
||
| ### Accessing Risk Accepted Findings | ||
|
|
||
| The sidebar features a section for Risk Acceptances that includes three subsections in its dropdown menu: | ||
| - **Risk Accepted Findings** | ||
| - This section includes a table of all Findings that have been risk accepted, whether through as a part of a Full Risk Acceptance object or using the Simple Risk Acceptance workflow. | ||
| - **All Risk Acceptances** | ||
| - This section includes a table of all Full Risk Acceptance objects, arranged in chronological order. | ||
| - **New Risk Acceptance** | ||
| - Clicking this option in the sidebar will start the workflow to create a Full Risk Acceptance object. | ||
|
|
||
|  | ||
|
|
||
| ## Creating Risk Acceptances | ||
|
|
||
| When a finding is Risk Accepted, the following will occur: | ||
| - The Finding’s status will no longer be “Active” but it will remain queryable, reportable, and auditable. | ||
| - The Finding’s status will be changed to “Risk Accepted.” | ||
| - The Finding will no longer be counted toward Metrics, but will still appear within the Test it originated from. | ||
|
|
||
| Findings can be Risk Accepted in one of two ways: They can either be added to Full Risk Acceptance objects, or by using the Simple Risk Acceptance workflow. | ||
|
|
||
| ### Full Risk Acceptances | ||
|
|
||
| A Full Risk Acceptance allows Users to accept the risk of multiple Findings while bundling them into a single object, regardless of the Asset, Engagement, or Test they originated from. | ||
|
|
||
| If organizational policy requires formal, documented risk acceptances, or Users wish to trigger certain actions once a Risk Acceptance expires, Full Risk Acceptance is the best choice, as they capture the internal decision-making process and can serve as a source of truth. | ||
|
|
||
| Each Full Risk Acceptance adds additional context to Risk Acceptance, such as: | ||
| - The name of the Risk Acceptance object. | ||
| - The owner of the Risk Acceptance object. | ||
| - The security recommendation and decision regarding how to handle the Finding(s). | ||
| - Any proof associated with the recommendation or decision. | ||
| - Details regarding the recommendation or decision. | ||
| - The User who accepts the risk associated with the decision. | ||
| - The expiration date. | ||
| - Whether the Finding’s status will return to “Active” upon expiration. | ||
| - Whether the SLA will restart upon expiration. | ||
|
|
||
| Expiration is unique to Full Risk Acceptance objects, and allows any Findings that have been Risk Accepted to be re-examined at an appropriate time. Once a Risk Acceptance expires, any Findings will be set to Active again. | ||
|
|
||
| If you don’t specify a date, the Default Risk Acceptance / Default Risk Acceptance Expiration days will be used from the System Settings page. | ||
|
|
||
| #### How to Complete a Full Risk Acceptance | ||
|
|
||
| A Full Risk Acceptance object can be made in three different ways: | ||
| - Using the **New Risk Acceptance** button in the sidebar. | ||
| - Using the **Add Risk Acceptance** button on an individual Finding. | ||
| - Clicking the **Risk Acceptance Actions** button that appears after selecting a Finding/multiple Findings from within a table. | ||
|
|
||
| ##### New Risk Acceptance (Sidebar) | ||
|
|
||
| Clicking New Risk Acceptance from the sidebar will open a page in which the User can establish the data and details associated with a new Full Risk Acceptance object. The second page will allow the User to filter and select the Findings to be added to that object. | ||
|
|
||
| ##### Add Risk Acceptance (Individual) | ||
|
|
||
| Having opened an individual Finding, click the gear icon in the top right corner of the view and select **Add Risk Acceptance**. From there, you will be able to either add the Finding to an existing Full Risk Acceptance object, or create a new object. | ||
|
|
||
|  | ||
|
|
||
| ##### Risk Acceptance Actions (Table) | ||
|
|
||
| Having selected a Finding/Findings from within a table, click the **Risk Acceptance Actions** button that appears at the top and select either **Add to New Risk Acceptance Object** or **Add to Existing Risk Acceptance Object** and fill out the required fields. | ||
|
|
||
| If the Risk Acceptance Actions button is unclickable, it’s likely because one of the selected Findings has already been added to a Full Risk Acceptance object, as the same Finding can’t be added to multiple objects. | ||
|
|
||
|  | ||
|
|
||
| ##### Editing Full Risk Acceptances | ||
|
|
||
| Once a Full Risk Acceptance object has been created, you can edit the details of the object, upload a file with proof of the Risk Acceptance, or delete the object entirely by clicking the gear icon in the top right of the object’s view. | ||
|
|
||
| Findings can also be added and removed from the object using the same menu. Alternatively, Findings can be removed from the object by clicking the ⋮ kebab menu next to an individual Finding, clicking **Bulk Update Actions**, and selecting **Unaccept Risk** from the Simple Risk Acceptance Status dropdown menu. | ||
|
|
||
| Finally, if you add any Findings to a Full Risk Acceptance object and then subsequently delete that object, the Findings within will have their status automatically reverted to “Active.” | ||
|
|
||
| ### Simple Risk Acceptances | ||
|
|
||
| Simple Risk Acceptances do not have any associated metadata or expiration date. They are most appropriate for when tracking risk-accepted Findings is still required for compliance, but there is no associated need for an object to track or to change the status of the affected Findings. | ||
|
|
||
| Simple Risk Acceptance is not enabled by default, but it can be toggled in the Optional Fields portion of the Asset’s settings after clicking the gear icon in the top right of the Asset view. | ||
|
|
||
|  | ||
|
|
||
| Once enabled, Simple Risk Acceptance can be run from the table of Findings within a Test view. | ||
|
|
||
| #### How to Complete a Simple Risk Acceptance | ||
|
|
||
| You can complete the Simple Risk Acceptance workflow from either the All Findings table (accessible from the sidebar) or from the table of Findings within a specific test. The workflow is identical between the two. | ||
|
|
||
| Select the Findings you wish to Risk Accept and click the **Bulk Update Actions** button that appears at the top of the table. From there, select **Accept Risk** from the Simple Risk Acceptance Status dropdown. Because the Findings have been Simple Risk Accepted, there is no associated Full Risk Acceptance object. The Findings that were Risk Accepted are accessible from the **Risk Accepted Findings** menu in the sidebar. | ||
|
|
||
|  | ||
|
|
||
| Conversely, if you wish to unaccept the risk for any Findings that had been previously Risk Accepted, select **Unaccept Risk**. If a Finding has been Simple Risk Accepted, the risk must be unaccepted prior to adding it to a Full Risk Acceptance object. | ||
|
|
||
| ### Risk Acceptance Best Practices | ||
|
|
||
| While it is possible to affect Findings within Full Risk Acceptance objects using Simple Risk Acceptance workflows (and vice versa), it is generally preferable to default to either process exclusively rather than leveraging both. | ||
|
|
||
| For example, if Full Risk Acceptance objects are the default approach, if a Finding is Simple Risk Accepted, it may cause confusion if there is no associated object that contains the affected Finding. Similarly, if Findings are typically Simple Risk Accepted, it may create similar confusion to then add some Findings to a Full Risk Acceptance object when there are no such objects for most other Findings. | ||
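Review bot: the Full Risk Acceptances section contradicts itself on expiration: the field list says the object records "Whether the Finding's status will return to 'Active' upon expiration", but the paragraph that follows states unconditionally that "Once a Risk Acceptance expires, any Findings will be set to Active again". Make the second statement conditional on that setting, and say what happens to the SLA when "restart upon expiration" is not selected. Smaller fixes in the same file: "Filter and search for specific Findings of vulnerability IDs" should be "by vulnerability ID"; "whether through as a part of a Full Risk Acceptance object" has a stray word; "the Default Risk Acceptance / Default Risk Acceptance Expiration days will be used from the System Settings page" should name the setting once, exactly as it appears in System Settings; and the Simple Risk Acceptances section says there is "no associated need for an object to track or to change the status of the affected Findings", while the Creating Risk Acceptances section says every risk-accepted Finding has its status changed to "Risk Accepted", so reword to say that Simple Risk Acceptance changes the status without creating a tracking object. Since the Editing section notes that deleting a Full Risk Acceptance object reverts all of its Findings to Active, the page should also state which roles can create, edit and delete these objects, as that is the control readers will be asked about in an audit.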
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| --- | ||
| title: "Risk Acceptance (Pro)" | ||
| description: "Risk Acceptances in DefectDojo Pro" | ||
| summary: "" | ||
| date: 2026-02-01T17:33:00+00:00 | ||
| lastmod: 2026-02-01T17:33:00+00:00 | ||
| draft: false | ||
| weight: 2 | ||
| seo: | ||
| title: "" | ||
| description: "" | ||
| canonical: "" | ||
| robots: "" | ||
| exclude_search: true | ||
| --- |
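Review bot: this index front matter titles the section "Risk Acceptance (Pro)" while the article in the previous hunk is titled "Risk Acceptances" and describes the sidebar entry as "Risk Acceptances"; use one form so the navigation label and the page heading match. As with the calendar index, `weight: 2` here duplicates the article's own `weight: 2`, so check the resulting ordering in the sidebar.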
Overall great job! I did notice a few of these sentences are a bit long and formal, which can make them harder to read for ESL audiences. I've made those changes already, just wanted to flag them.