Description
Add first-class support for a "Risk Acceptance" remediation type so teams can record when a vulnerability is accepted as an acceptable risk (including reason, who accepted it, and when). This enables correct UI grouping of remediated vs unremediated vulnerabilities, consistent storage and querying of remediations, and full auditability. Related: #1520
Objectives
- Add RISK_ACCEPTANCE to the remediation type enum and persist audit fields (reason, acceptedBy, acceptedAt).
- Provide GraphQL queries to fetch remediations by vulnerability IDs and remediation type.
- Update frontend flows to fetch remediations in bulk and render Vulnerability vs Remediated lists without duplicates.
- Provide UI to create and revoke Risk Acceptance remediations with validation and auditability.
- Add tests, migrations, and documentation.
Acceptance Criteria
- Backend stores remediations with type RISK_ACCEPTANCE linked to vulnerability IDs and includes reason, acceptedBy, acceptedAt.
- GraphQL exposes a remediations(vulnerabilityIds: [ID!], type: RemediationType) (or equivalent) that returns correct results for batched queries.
- Frontend shows vulnerabilities without remediations in the Vulnerability List and those with RISK_ACCEPTANCE in the Remediated List (no duplicates).
- UI provides create and revoke flows for Risk Acceptance with validations, confirmations, and audit fields.
- Unit and integration tests cover backend resolvers and frontend matching logic; CI passes.
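The following is an added example, not code from this project, showing the pieces the objectives and acceptance criteria above describe: the remediation record with its audit fields, the validation a create flow needs, the frontend matching logic that splits a vulnerability list into Vulnerability vs Remediated without duplicates once remediations have been bulk-fetched, and a revoke step that preserves the audit trail. The `revokedAt` field, the `RemediationsQueryResult` shape and the sample records are assumptions made for the example; the real schema may differ.

```typescript
// Added example (not the project's own code). Models the RISK_ACCEPTANCE
// remediation with its audit fields and the client-side grouping logic.

export enum RemediationType {
  RISK_ACCEPTANCE = "RISK_ACCEPTANCE",
}

export interface Vulnerability {
  id: string;
  title: string;
}

export interface Remediation {
  id: string;
  vulnerabilityId: string;
  type: RemediationType;
  reason: string;      // audit field: why the risk was accepted
  acceptedBy: string;  // audit field: who accepted it
  acceptedAt: string;  // audit field: ISO 8601 timestamp
  revokedAt?: string;  // assumed field: set when the acceptance is revoked
}

// Assumed shape of the response from remediations(vulnerabilityIds, type).
export interface RemediationsQueryResult {
  remediations: Remediation[];
}

// Validate a create request; returns the list of problems (empty means valid).
export function validateRiskAcceptance(input: {
  reason: string; acceptedBy: string; acceptedAt: string;
}): string[] {
  const errors: string[] = [];
  if (!input.reason || input.reason.trim().length < 10) {
    errors.push("reason must be at least 10 characters");
  }
  if (!input.acceptedBy || !input.acceptedBy.trim()) {
    errors.push("acceptedBy is required");
  }
  const t = Date.parse(input.acceptedAt);
  if (Number.isNaN(t)) {
    errors.push("acceptedAt must be an ISO 8601 timestamp");
  } else if (t > Date.now()) {
    errors.push("acceptedAt cannot be in the future");
  }
  return errors;
}

// Split vulnerabilities into the two UI lists. A vulnerability is "remediated"
// when it has an active (non-revoked) RISK_ACCEPTANCE; each id appears once.
export function partitionByRemediation(
  vulns: Vulnerability[], result: RemediationsQueryResult,
): { unremediated: Vulnerability[]; remediated: Vulnerability[] } {
  const active = new Set<string>();
  for (const r of result.remediations) {
    if (r.type === RemediationType.RISK_ACCEPTANCE && !r.revokedAt) {
      active.add(r.vulnerabilityId);
    }
  }
  const seen = new Set<string>();
  const unremediated: Vulnerability[] = [];
  const remediated: Vulnerability[] = [];
  for (const v of vulns) {
    if (seen.has(v.id)) continue; // drop duplicate rows from the input
    seen.add(v.id);
    (active.has(v.id) ? remediated : unremediated).push(v);
  }
  return { unremediated, remediated };
}

// Revoke keeps the original record (and its audit fields) and only adds revokedAt.
export function revokeRiskAcceptance(r: Remediation, revokedAt: string): Remediation {
  if (r.revokedAt) throw new Error(`remediation ${r.id} is already revoked`);
  return { ...r, revokedAt };
}

// Constructed sample data: VULN-2 is duplicated in the input, R-2 was revoked.
export const SAMPLE_VULNS: Vulnerability[] = [
  { id: "VULN-1", title: "Outdated parser" },
  { id: "VULN-2", title: "Weak TLS default" },
  { id: "VULN-3", title: "Unpinned dependency" },
  { id: "VULN-2", title: "Weak TLS default" },
];

export const SAMPLE_RESULT: RemediationsQueryResult = {
  remediations: [
    { id: "R-1", vulnerabilityId: "VULN-1", type: RemediationType.RISK_ACCEPTANCE,
      reason: "Component is only used at build time, not shipped",
      acceptedBy: "alice", acceptedAt: "2024-01-10T12:00:00Z" },
    { id: "R-2", vulnerabilityId: "VULN-3", type: RemediationType.RISK_ACCEPTANCE,
      reason: "Mitigated by network policy; reassessed quarterly",
      acceptedBy: "bob", acceptedAt: "2024-01-12T09:30:00Z",
      revokedAt: "2024-02-01T08:00:00Z" },
  ],
};

const lists = partitionByRemediation(SAMPLE_VULNS, SAMPLE_RESULT);
console.log("Vulnerability list:", lists.unremediated.map((v) => v.id));
console.log("Remediated list:", lists.remediated.map((v) => v.id));
```

Fetching remediations once for the whole page of vulnerability ids and then partitioning locally, as above, avoids one query per row and makes the no-duplicates criterion a property of the matching function rather than of the rendering code.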