# Statuses & Severity
A quick reference for the statuses, severity levels, and check results you'll encounter in Oplane's PR/MR reviews and threat models.
## Requirement Status
Each security requirement has a status indicating whether it has been addressed:
| Icon | State | Meaning |
|---|---|---|
| 🔴 | Not Implemented | The security requirement has not been addressed in the code |
| 🟡 | Partially Implemented | Some aspects are addressed but gaps remain |
| ✅ | Implemented | Fully addressed in the code |
| ℹ️ | Out of Scope | Handled at a different layer (e.g. infrastructure, gateway) |
| ⚠️ | Accepted Risk | Risk acknowledged with justification, not mitigated |
| ➖ | Not Applicable | Irrelevant to this context |
## Severity Levels
Severity indicates how urgent a requirement is and guides your response:
| Severity | Description | Expected Response |
|---|---|---|
| Critical | Exploitable vulnerability with severe impact | Address before merging |
| High | Significant security risk | Address before merging or document accepted risk |
| Medium | Moderate risk | Address in normal workflow |
| Low | Minor risk | Address when convenient |
| Info | Informational, no direct risk | Review and acknowledge |
## Check Status
Oplane reports a check status on each PR/MR:
| Status | Condition |
|---|---|
| Pass (green) | No unresolved requirements |
| Neutral | Unresolved requirements exist but none are critical |
| Fail (red) | Review encountered an error |
## Comment Structure
Each review comment Oplane posts on your PR/MR contains requirements grouped by resolution:
### Unresolved Requirements
Requirements that still need attention. Each row shows the requirement title, its severity, and its current state.
### Resolved Requirements
Requirements that have been addressed: implemented, marked as out of scope, or accepted as risk.
See also: Working with Requirements for how to respond to requirements and run local checks.