
feat(scanner-tuning): add suppression lifecycle model and drift evidence gates (#2724)#2754

Closed

zeroknowledge0x wants to merge 3 commits into UnitOneAI:main from zeroknowledge0x:bounty/2724-REVIEW-scanner-tuning-add-suppression-


Conversation

@zeroknowledge0x


Closes #2724

Summary

Adds a Suppression Lifecycle Model and Drift Evidence Gates to the scanner-tuning skill, addressing two review gaps identified in #2724:

  1. Indefinite suppressions becoming hidden true positives after drift — skill now requires expiry dates, named owners, and auto-re-open triggers on all suppressions
  2. Compensating controls misclassified as false positives — FP Record and suppression dispositions now enforce the distinction between confirmed FP and compensated risk

Changes

Suppression Lifecycle Model (Step 2)

  • Risk Tiers table: Safe / Moderate / Risky / Dangerous with scope, evidence, owner, expiry, and re-open trigger requirements per tier
  • Safe Suppression Requirements template: mandatory fields including scope, disposition (FP vs compensated risk), evidence (rescan ID, package manager status, vendor advisory, compensating control ID), owner, expiry (never null), and auto-re-open triggers
  • Critical distinction note: confirmed FP ≠ compensated risk — enforced throughout

Drift Evidence Gates (Step 2)

  • Four drift gates: plugin update, asset exposure change, package change, compensating control removal
  • Drift Gate Check template with suppression age, expiry status, and per-gate verdicts (Keep / Re-evaluate / Reopen)

Output Format Updates

  • Suppression Inventory table: plugin/CVE, scope, disposition, owner, created, expires, age, re-open triggers, tier
  • Drift Gate Audit table: per-suppression drift check results
  • Metrics: orphaned count, expired count, indefinite count, compensated-risk-as-FP misclassification count

Disposition Enforcement

  • Updated FP Record disposition options: confirmed FP (lifecycle model applies) | compensated risk (document separately, NOT a false positive)
  • Added lifecycle note after Step 1 template
  • Added suppression lifecycle rules to Prompt Injection Safety section

Common Pitfalls

…nce gates

Addresses review feedback from UnitOneAI#2724:

- Add Suppression Risk Tiers (Safe/Moderate/Risky/Dangerous) to distinguish
  evidence-backed, time-bounded, owner-approved suppressions from blanket
  indefinite exclusions
- Add Safe Suppression Requirements with mandatory fields: named owner,
  expiry date, scope, evidence, and auto-reopen triggers
- Add Drift Evidence Gates (6 gates): suppression age, plugin update, asset
  exposure change, package change, compensating control status, quarterly review
- Add Suppression Inventory and Drift Gate Audit to Output Format sections
- Enforce critical distinction: compensated risk != confirmed false positive
- Update FP Validation Workflow disposition to require lifecycle compliance
- Update Prompt Injection Safety Notice with suppression lifecycle constraints
- Add pitfalls UnitOneAI#6 (indefinite suppressions) and UnitOneAI#7 (compensated risk as FP)

Closes UnitOneAI#2724
…cle model

- Remove duplicated 'Indefinite (no expiry)' and 'Compensated risk misclassified as FP' lines in output
- Suppression lifecycle model with risk tiers, drift gates, and evidence requirements
- Enforce FP vs compensated-risk disambiguation throughout
- Add drift evidence gates: plugin update, exposure change, package change, control removal
- Common pitfalls UnitOneAI#6 (indefinite suppressions) and UnitOneAI#7 (compensated-as-FP)

Closes UnitOneAI#2724
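The mandatory-field checks, drift gates and inventory metrics listed in the description, written out as an added example that is not part of this PR or of the scanner-tuning skill. Field names, gate names, the sample records and the verdict rules (a removed compensating control reopens a compensated-risk suppression, other in-scope drift demands a rescan) are my assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
SEVERITY = {"Keep": 0, "Re-evaluate": 1, "Reopen": 2}

@dataclass
class Suppression:            # one row of the Suppression Inventory (field names assumed)
    finding: str              # plugin ID or CVE being suppressed
    scope: str                # asset or asset group the suppression covers
    disposition: str          # "confirmed_fp" or "compensated_risk"
    evidence: dict            # rescan ID, vendor advisory, compensating control ID, ...
    owner: str | None         # named owner; None means orphaned
    expires: date | None      # must never be None
    reopen_triggers: tuple = ()   # drift event types that force Reopen

def lifecycle_violations(s: Suppression) -> list[str]:
    """Mandatory-field checks from the Safe Suppression Requirements."""
    v = ["orphaned"] if not s.owner else []
    if s.expires is None:
        v.append("indefinite")
    if s.disposition == "confirmed_fp" and "compensating_control" in s.evidence:
        v.append("compensated_risk_as_fp")  # a mitigated risk is not a false positive
    return v

def drift_gate_verdicts(s: Suppression, events: list[dict], today: date) -> dict:
    """Per-gate verdict (Keep / Re-evaluate / Reopen) for drift events in this scope."""
    verdicts = {"expiry": "Reopen" if s.expires and s.expires < today else "Keep"}
    for ev in (e for e in events if e["scope"] == s.scope):
        reopen = ev["type"] in s.reopen_triggers or (
            ev["type"] == "control_removed" and s.disposition == "compensated_risk")
        verdicts[ev["type"]] = "Reopen" if reopen else "Re-evaluate"
    return verdicts

def overall_verdict(verdicts: dict) -> str:
    return max(verdicts.values(), key=SEVERITY.__getitem__)

def inventory_metrics(suppressions: list[Suppression], today: date) -> dict:
    m = {"orphaned": 0, "expired": 0, "indefinite": 0, "compensated_risk_as_fp": 0}
    for s in suppressions:
        for v in lifecycle_violations(s):
            m[v] += 1
        m["expired"] += bool(s.expires and s.expires < today)
    return m

# Constructed sample data: one owned, time-bounded compensated-risk suppression and one blanket one.
TODAY = date(2026, 6, 18)
SAMPLE = [
    Suppression("plugin-A", "web-dmz", "compensated_risk", {"compensating_control": "waf-rule-7"},
                "alice", date(2026, 7, 10), ("exposure_change",)),
    Suppression("plugin-B", "db-internal", "confirmed_fp", {"compensating_control": "fw-acl-3"}, None, None),
]
EVENTS = [{"type": "control_removed", "scope": "web-dmz"}, {"type": "plugin_update", "scope": "db-internal"}]
```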
github-actions bot added the needs-approved-issue label (PR has no linked maintainer-approved issue) on Jun 18, 2026

@github-actions


Thanks for the submission! 🙏 SecuritySkills is now issue-first: contributions need a linked issue that a maintainer has marked approved before a PR is opened.

Please open an issue describing the skill, wait for the approved label, then reopen this PR with Closes #<issue> in the description. The PR template lists everything we'll look for (including an independently runnable reproduction).

github-actions bot closed this on Jun 18, 2026


Development

Successfully merging this pull request may close these issues.

[REVIEW] scanner-tuning: add suppression lifecycle and drift evidence gates
