The grace period provides a buffer between the discovery of a vulnerability and the enforcement of blocking policies.
1. Select Vulnerabilities as the finding type.
2. Enable the Grace Period filter.
3. Enter the duration in days (1–365).
Calculation logic
Fix Date available: Expiry = Fix Date + Grace Period Days
No Fix Date: Expiry = Publish Date + Grace Period Days
Behavioral matrix
| Scenario | System behavior |
|---|---|
| Grace period active + Block action | The match is recorded, but the block is suspended. A note is added to the PR/CLI indicating the remaining days |
| Grace period expired + Block action | The block action executes normally |
| Grace period active + Create Issue | The issue is created immediately with a Grace Period status indicator |
| Multiple matching grace periods | The system enforces the policy with the closest (soonest) expiry date |
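The calculation logic and the behavioral matrix above, worked through in code. This is an added illustration, not the product's own implementation: the `Finding` fields, the `"block"`/`"create_issue"` action names and the rule that a grace period counts as active only on days strictly before the expiry date are assumptions made here, and the sample findings and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Finding:
    """One vulnerability finding; the two dates are the only inputs the calculation needs."""
    cve_id: str
    publish_date: date
    fix_date: Optional[date] = None  # None: no fix is available yet


def finding_from_iso(cve_id: str, publish: str, fix: Optional[str] = None) -> Finding:
    """Build a Finding from ISO-8601 date strings (how the constructed samples below are written)."""
    return Finding(cve_id, date.fromisoformat(publish),
                   date.fromisoformat(fix) if fix else None)


def grace_expiry(finding: Finding, grace_days: int) -> date:
    """Expiry = Fix Date + Grace Period Days when a fix exists,
    otherwise Expiry = Publish Date + Grace Period Days."""
    if not 1 <= grace_days <= 365:
        raise ValueError("grace period must be between 1 and 365 days")
    base = finding.fix_date if finding.fix_date is not None else finding.publish_date
    return base + timedelta(days=grace_days)


def evaluate_policy(finding: Finding, action: str, matching_grace_days: list, today_iso: str) -> dict:
    """Apply the behavioral matrix to one finding.

    action is "block" or "create_issue" (hypothetical names). matching_grace_days
    holds the grace period of every policy that matched; the soonest expiry governs.
    Assumption: the grace period is active on any day strictly before the expiry
    date and expired from the expiry date on.
    """
    today = date.fromisoformat(today_iso)
    expiry = min(grace_expiry(finding, d) for d in matching_grace_days)  # soonest expiry wins
    remaining = (expiry - today).days
    active = remaining > 0
    result = {"cve": finding.cve_id, "expiry": expiry.isoformat(),
              "grace_active": active, "remaining_days": max(remaining, 0)}
    if action == "block":
        if active:
            # Match is recorded, block is suspended, remaining days are reported
            result["enforced"] = False
            result["note"] = f"Block suspended: grace period ends in {remaining} day(s) ({expiry})"
        else:
            result["enforced"] = True
            result["note"] = "Block action executed"
    elif action == "create_issue":
        # Issue is created immediately; the status indicator marks an active grace period
        result["enforced"] = True
        result["note"] = "Issue created" + (" [Grace Period]" if active else "")
    else:
        raise ValueError(f"unknown action: {action}")
    return result


if __name__ == "__main__":
    # Constructed sample findings, not real advisory data.
    fixed = finding_from_iso("CVE-EXAMPLE-0001", "2024-01-10", "2024-02-01")
    unfixed = finding_from_iso("CVE-EXAMPLE-0002", "2024-01-10")
    print(evaluate_policy(fixed, "block", [7, 30, 90], "2024-02-05"))   # suspended, 3 days left
    print(evaluate_policy(fixed, "block", [7], "2024-02-20"))           # expired, block executes
    print(evaluate_policy(unfixed, "create_issue", [90], "2024-02-05")) # issue with indicator
```

Feeding the same finding through several matching policies shows why the soonest expiry must win: a 90-day policy alone would leave a critical finding unblocked long after the 7-day policy intended enforcement to start.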
Common SLA alignment patterns
Use these durations to align security enforcement with your business unit’s Service Level Agreements (SLAs).
| Grace period | Recommended use case | SLA alignment |
|---|---|---|
| 7 days | Critical CVEs with a fix available | Top Urgent |
| 30 days | High severity CVEs (standard sprint cycle) | Urgent |
| 90 days | Medium severity or CVEs without a fix | Not Urgent |
Strategic Alignment
Match grace period durations to the organization's SLA targets by Urgency tier. Shorter grace periods for higher-Urgency findings enforce faster remediation; longer grace periods for lower-Urgency findings reduce developer friction without compromising security posture.