Skip to main content

Statuses

These are the current workflow statuses for vulnerabilities.
StatusMeaning
OpenNew vulnerability, not yet reviewed
ConfirmedVerified as a real issue
Needs ReviewRequires human attention
In ProgressBeing worked on
In ReviewFix submitted, under review
ResolvedFinal state for remediated vulnerabilities. Resolution required
ClosedFinal state for Won’t Fix, False Positive, Duplicate, or other non-remediation outcomes. Resolution required

Status notes

  • When you move a vulnerability to Resolved or Closed, a resolution is required
  • Available transitions depend on the current status
  • A final vulnerability can be reopened manually only when Cysmiq still has an active location for it
  • If all locations are fixed, future redetection by a scan is the path that reopens the finding
  • Reopening a final status is tracked as a regression and shown in the vulnerability detail view

Resolutions

Resolutions describe the outcome when a vulnerability is marked Resolved or Closed.
ResolutionMeaning
FixedIssue was fixed
Won’t FixAccepted risk, will not fix
False PositiveNot a real issue
DuplicateSame as another vulnerability
Cannot ReproduceUnable to verify
DoneCompleted
RejectedSystem-only, set when analysis determines it is not a vulnerability

False positive workflow

Use this workflow when the development team confirms that a finding is invalid or does not represent an actionable vulnerability.
  1. Open the vulnerability detail view.
  2. In the Status and resolution sidebar control, choose Closed.
  3. Choose False Positive as the resolution.
  4. Add a comment with the decision context, such as the reviewer, evidence, or linked discussion.
  5. Save the status change.
For bulk cleanup, select findings in the vulnerability list, choose Change status / resolution, then apply Closed with False Positive. After the update, the vulnerability is tracked as Closed with resolution False Positive. The activity log records the transition and comment, filters can find the finding by status or resolution, and future redetection can reopen a final finding as a regression. Use Won’t Fix for real findings where the team accepts risk. Use vulnerability lifecycle resolution for finding validity decisions. Policy exceptions apply to policy violations such as SLA, package, manifest, or custom policy matches. API triage exposes this workflow as the Ignored state. That state maps to Closed with resolution False Positive.