Triage States & Lifecycle

Every finding has a status. Most transitions are explicit (a user marks something false-positive); one — auto_fixed — is applied by Vygl automatically when a previously-seen fingerprint disappears from a full scan of the default branch.

Statuses

Status	Meaning
open	New finding, not yet triaged. The default state when a finding first appears.
acknowledged	Triaged but not yet fixed — “we see it, working on it”.
fixed	Manually marked fixed (e.g. when the fix is in a separate fix-only branch).
false_positive	Rule fired incorrectly. The fix is to the rule, not the code.
ignored	Accepted risk or deliberate suppression — for example, an intentionally-insecure test fixture. Can have an expiry.
auto_fixed	Vygl detected that the issue disappeared from a clean default-branch scan.

Any status can transition to any other status — there’s no enforced workflow DAG. Common paths:

• open → acknowledged — “I see it, will fix later”
• open → false_positive — “Rule is wrong”
• open → ignored — “Accepted risk”
• acknowledged → fixed (or auto_fixed) — “Done”

Triaging a finding

From the finding detail page:

1. Click the Status dropdown.
2. Pick the new status.
3. Add a reason — required for non-open statuses.
4. Save.

Bulk triage works the same way from the Findings list — select multiple, use the bulk-action dropdown.

Snoozable ignore

ignored can be temporary. When marking ignored, optionally set an expiry:

• 7 days, 30 days, 90 days — common policy windows.
• Custom — any future date.
• Permanent — no expiry.

If the finding is re-detected after expiry, it automatically flips back to open and a system audit entry is recorded. This is the safest pattern for “we’ll deal with this in Q3” type findings — the suppression is temporary by construction.

What “fixed” really means

There are two paths to a fixed status:

• fixed — explicit, manual. Use when the fix is verifiable (e.g. you applied the suggested fix and re-scanned).

• auto_fixed — automatic. Vygl marks findings auto-fixed when:

  1. A scan completes with full_scan=true.
  2. The scan is on the project’s default branch.
  3. A previously-seen fingerprint isn’t present in the new scan.

  See Auto-Fix Reconciliation for the full rules.

Both statuses preserve triage history (comments, AI verdicts, prior status changes) — a fixed finding isn’t deleted.

Why bulk triage is capped at 500

To keep the API responsive and prevent accidental denial-of-service from over-broad selections, bulk triage operations are capped at 500 findings per request. For larger sweeps, narrow the filter and submit multiple requests, or script against the API.

Status changes are audited

Every status transition is logged to the audit log with actor, timestamp, prior status, new status, and reason. False-positive abuse (mass-marking findings FP to silence them) is trivially detectable — query the audit log for status changes by user.

Required scope

Status changes require an API key with the triage:write scope. The read scope can view findings but not modify state. See API Keys.