Risk Register - One View to See, Search, and Act on Risk
Risk Register centralizes findings from PR scans and DeepScans. It gives AppSec, DevSecOps, and engineering leaders a clear starting point to track, triage, and act on risk across the entire org.
Risk Register Features
- See all findings from all PRs and DeepScans together.
- Understand where risk is concentrated by repo, type, and severity.
- Prioritize work by Critical/High first, then drill into specifics.
- Dismiss findings with reasons and context so the same false positives do not keep coming back.
- Use filters to move from org-level insight to actionable lists in seconds:
  - Date ranges
  - Risk level (Critical, High, Medium, Low)
  - Agent (DeepScan, PR)
  - Status (Merged, Open, Closed)
Finding Dismissal
Risk Register supports Finding Dismissal so teams can formally close out incorrect findings and reduce repeat noise.
In the Risk Register, click Dismiss on a finding to:
- Select a reason for dismissal (for example: False Positive, Won't Fix)
- Add supporting context in a text box
When you dismiss a finding as False Positive:
- DryRun Security creates a fingerprint of that vulnerability.
- Future PR scans and DeepScans suppress the finding when the same fingerprint is detected, so it does not reappear as a new finding.
When you include context in the text box:
- That context is stored and used in future evaluations to further suppress similar false positive findings.
- This is useful for cases where a finding is safe because of your framework behavior, implementation pattern, or a design constraint that makes exploitation unrealistic.
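To make the dismissal mechanism concrete, here is an added illustration (not DryRun Security's code; the product's fingerprint algorithm is not documented on this page) of how a False Positive dismissal can be fingerprinted and used to suppress the same finding when it reappears in a later scan, even after the flagged code has shifted to a different line. The `Finding` fields, the hashing scheme, and the rule that only False Positive dismissals suppress are assumptions of the example.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One finding as a PR scan or DeepScan might report it (assumed shape)."""
    repo: str
    file: str
    line: int
    finding_type: str  # e.g. "SQL Injection"
    snippet: str       # the flagged source text


def fingerprint(f: Finding) -> str:
    """Assumed scheme (not DryRun Security's documented algorithm): hash the
    repo, file, finding type and whitespace-normalised snippet. The line
    number is left out so the fingerprint survives the code moving within
    the file; a real scheme would also have to tolerate file renames."""
    normalised = re.sub(r"\s+", " ", f.snippet).strip()
    material = "\x1f".join([f.repo, f.file, f.finding_type, normalised])
    return hashlib.sha256(material.encode()).hexdigest()


class DismissalStore:
    """Records dismissals by fingerprint and filters later scan results."""

    def __init__(self) -> None:
        self._by_fingerprint: dict[str, tuple[str, str]] = {}

    def dismiss(self, f: Finding, reason: str, context: str = "") -> str:
        fp = fingerprint(f)
        self._by_fingerprint[fp] = (reason, context)  # context kept for later review
        return fp

    def is_suppressed(self, f: Finding) -> bool:
        # Only a False Positive dismissal suppresses repeats (assumption: other
        # reasons such as Won't Fix are recorded but do not hide new detections).
        entry = self._by_fingerprint.get(fingerprint(f))
        return entry is not None and entry[0] == "False Positive"

    def triage(self, findings: list[Finding]) -> tuple[list[Finding], list[Finding]]:
        """Split a new scan into findings to surface and findings to suppress."""
        surfaced = [f for f in findings if not self.is_suppressed(f)]
        suppressed = [f for f in findings if self.is_suppressed(f)]
        return surfaced, suppressed
```

The stored context is only recorded here; using it to suppress similar (not identical) findings, as the page describes, would need a matching step beyond an exact fingerprint lookup.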
Dismissal from the PR workflow (GitHub and GitLab)
Developers can also mark findings as False Positive and add context from the developer comment workflow in GitHub and GitLab. When they do, DryRun Security treats the dismissal the same way as if it were done in the Risk Register UI. This lets AppSec and developers both contribute to tuning and cleanup without adding extra steps.
FAQs
How are severities determined?
We normalize outputs to Critical/High/Medium/Low. For PR scans, this aligns closely with Fail, Risky, and Info. These values are set in the Default or Custom Configs.
What is Finding Dismissal?
Finding Dismissal lets you dismiss a finding and record why, using a dismissal reason and optional supporting context. Dismissals help reduce noise by suppressing repeat and similar false positives in future scans.
What happens when I dismiss a finding as a False Positive?
DryRun Security fingerprints the vulnerability. If the same fingerprint is detected in a future PR scan, the system suppresses it so it does not produce a new finding for that vulnerability.
How is the context field used?
Context is stored with the dismissal and used in future scan evaluations to further suppress similar false positive findings, especially when the “why it’s safe” depends on framework behavior, code patterns, or architectural constraints.
Can developers dismiss findings too?
Yes. Developers can mark findings as False Positive from GitHub and GitLab comments. Those dismissals are treated the same as dismissals made in the Risk Register UI.
Which columns can I sort today?
Risk is sortable now. Type, File, Repo, Detected Date, Agent, and PR Status will be sortable in an upcoming release.
What filters are available?
Filter by Date range, Risk level, Agent (DeepScan, PR), and Status (Merged, Open, Closed).