Field	Description	Required
Type	Risk Acceptance, False Positive, Workaround, N/A	Yes
Justification	Reason for the mitigation	Yes
Expiration Date	When to review/expire (Risk Acceptance only)	No
Approved By	Who approved this mitigation	Yes
Evidence	Supporting documentation	No
Scope	This version only, or all versions	Yes

Managing Mitigations

Mitigation Status

Status	Meaning
Active	Mitigation is currently in effect
Expired	Past expiration date, needs review
Revoked	Manually cancelled
Superseded	Replaced by fix or new mitigation

Editing Mitigations

Click on a mitigation to view details
Click Edit
Update fields as needed
Click Save

Revoking Mitigations

Click on a mitigation
Click Revoke
Provide revocation reason
Mitigation becomes inactive

Bulk Mitigations

Apply mitigations to multiple vulnerabilities:

In Vulnerabilities tab, select multiple items
Click Bulk Actions → Add Mitigation
Fill in common mitigation details
Click Apply to Selected

Mitigation Policies

Create policies to auto-apply mitigations:

Policy Types

Policy	Description
CVE Exemptions	Specific CVEs always mitigated
Package Exemptions	Specific packages always mitigated
Severity Threshold	Auto-accept below severity level
Development Only	Auto-accept in dev environments

Creating a Policy

Go to Settings → Mitigation Policies
Click + New Policy
Configure policy rules
Set scope (organization or project)
Click Save

Expiration and Review

Setting Expiration

For risk acceptances, set an expiration date:

30 days - Short-term acceptance
90 days - Quarterly review cycle
180 days - Semi-annual review
365 days - Annual review
Custom - Specific date

Expiration Notifications

Safeguard.sh notifies you before expiration:

14 days before expiration
7 days before expiration
On expiration date

Reviewing Expired Mitigations

Go to Mitigations tab
Filter by Status: Expired
For each expired mitigation:
- Extend expiration if still valid
- Revoke if no longer applicable
- Upgrade to fix if available

Audit Trail

All mitigation actions are logged:

Event	Logged Information
Created	Who, when, justification
Modified	Who, when, changes
Approved	Approver, timestamp
Expired	Automatic expiration
Revoked	Who, when, reason

Viewing Audit Trail

Click on a mitigation
Click History tab
View all changes

Reporting

Mitigation Reports

Generate mitigation reports:

Go to Reports → Mitigations
Select date range and filters
Choose format (PDF, CSV, Excel)
Download report

Report Contents

Active mitigations summary
Expired mitigations requiring review
Mitigation by type breakdown
Approver summary
Expiration timeline

API Access

Manage mitigations via API:

# List mitigations for a project
curl -X GET https://api.safeguard.sh/v1/projects/{id}/mitigations \
  -H "Authorization: Bearer $API_KEY"

# Create a mitigation
curl -X POST https://api.safeguard.sh/v1/projects/{id}/mitigations \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "vulnerability_id": "CVE-2024-1234",
    "type": "risk_acceptance",
    "justification": "Not exploitable in our configuration",
    "expires_at": "2025-06-01T00:00:00Z"
  }'

Best Practices

Documentation

Provide detailed justifications
Reference external analysis if available
Include ticket/issue numbers
Document compensating controls

Review Process

Require approval for risk acceptances
Set appropriate expiration dates
Review expirations promptly
Re-evaluate when context changes

Organization

Use consistent mitigation categories
Define organizational policies
Train team on mitigation process
Regular mitigation audits

Integration with Gates

Mitigations affect security gate results:

Active mitigations exclude vulnerabilities from gate failures
Expired mitigations do not exclude vulnerabilities
Policy-based mitigations apply automatically

Mitigations

Mitigations

Overview

Accessing Mitigations

Mitigation Types

Risk Acceptance

False Positive

Workaround Applied

Not Applicable

Creating a Mitigation

From Vulnerabilities Tab

Mitigation Form