
Requested Waivers

The Requested Waivers tab on the Waivers dashboard provides a quick reference to all requests that have been made to waive policy violations. Users with permissions to waive policy violations (reviewer) for the organization or application can review each waiver request in detail and choose to apply or reject it.

Use the filter to retrieve Requested Waivers for a specific organization or application, repository, application category, policy type, expiration date, policy threat level, and the waiver reason.

Status of the Waiver Requests

The Status column indicates the status of the waiver request.

Approved status indicates that the waiver has been approved for the specified policy violation and it will appear in the Existing Waivers tab. An approved waiver request cannot be edited. In scenarios where a previously approved waiver request needs to be re-approved, possibly after expiration of the waiver or change in waiver scope, a new request will have to be created.

Requested status indicates that the decision to approve or reject the waiver by the reviewer is pending. The waiver requester can edit the waiver request and resubmit.

Rejected status indicates that the reviewer has rejected the waiver request. The waiver requester can review the rejected waiver request and resubmit the request.

The Date Requested column shows the date when the waiver request was most recently submitted.

Reviewing a Requested Waiver

Users with permissions to waive a policy violation for an organization or application can approve or reject a waiver request.

Click on the waiver request on the Requested Waivers page to review.

You can change the scope of the requested waiver, the component matching strategy, the expiration date of the requested waiver, and the reason for the requested waiver to meet the approval criteria and approve the waiver. The policy violation will appear as waived in subsequent evaluations and the waiver will appear on the Existing Waivers page.

If the requested waiver is not acceptable for the given policy, policy constraint, or condition, you can reject the waiver request. You can also reject the waiver request if you need more explanation from the requester. Click on the Reject Waiver Request button.

Enter the rejection reason and click on Send.

The reason for rejection will appear on the Waiver Request for the requester to make changes and resubmit.

Requesting a Waiver

Users who do not have permissions to waive policy violations (requesters) can create a new waiver request.

Notable Behavior Change

In versions before 192, your IQ instance must have the Waiver Request webhook event configured before you are able to submit waiver requests through the user interface. See Lifecycle Webhooks to learn more about configuring webhook events.

This webhook is not required in versions 192+.

  1. To create a new Waiver Request, select a specific violation for which you would like to request a waiver.

    1. You can do this from the Violations tab of the main dashboard.

    2. Or, navigate to Reports, select a specific application report, select a specific component, and go to the Policy Violations tab for that component.

  2. The Violation Details pop-over contains the details of the policy violation. Review the threat levels, constraints, vulnerability details and check if there are any applicable waivers. You can also review Similar Waivers, if they exist for the policy violation.

  3. Click on the Request Waiver button if you want to create a new waiver request.

  4. The Request Waiver page contains the waiver configuration details including the policy name, violating constraints and conditions.

  5. Select the scope for the requested waiver, the component match strategy, waiver expiration duration and a reason for requesting the waiver. Add additional comments for contextual information on the waiver request. You can add additional notes to the reviewer (approver) to justify your waiver request.

Rejected Waiver Request

Click on the rejected waiver request from the Requested Waivers dashboard to view the waiver request. At the top, the Request Waiver page displays the name of the user who rejected the request and the reason it was rejected.

You can update the waiver request to resolve the reason for rejection and resubmit the waiver request. The status for this waiver request will appear as Requested on the Requested Waivers page.