Statuses & Severity
A quick reference for the statuses, severity levels, and check results you'll encounter in Oplane's PR/MR reviews and threat models.
Requirement Status
Each security requirement has a status indicating whether it has been addressed:
| Icon | State | Meaning |
|---|---|---|
| 🔴 | Not Implemented | The security requirement has not been addressed in the code |
| 🟡 | Partially Implemented | Some aspects are addressed but gaps remain |
| ✅ | Implemented | Fully addressed in the code |
| ℹ️ | Out of Scope | Handled at a different layer (e.g. infrastructure, gateway) |
| ⚠️ | Accepted Risk | Risk acknowledged with justification, not mitigated |
| ➖ | Not Applicable | Irrelevant to this context |
Severity Levels
Severity indicates how urgent a requirement is and guides your response:
| Severity | Description | Expected Response |
|---|---|---|
| Critical | Exploitable vulnerability with severe impact | Address before merging |
| High | Significant security risk | Address before merging or document accepted risk |
| Medium | Moderate risk | Address in normal workflow |
| Low | Minor risk | Address when convenient |
| Info | Informational, no direct risk | Review and acknowledge |
Check Status
Oplane reports a check status on each PR/MR:
| Status | Condition |
|---|---|
| Pass (green) | No unresolved requirements |
| Neutral | Unresolved requirements exist but none are critical |
| Fail (red) | Review encountered an error |
Comment Structure
Each review comment Oplane posts on your PR/MR contains requirements grouped by resolution:
Unresolved Requirements
Requirements that still need attention. Each row shows the requirement title, severity, and current state.
Resolved Requirements
Requirements that have been addressed: implemented, marked as out of scope, or accepted as risk.
See also: Working with Requirements for how to respond to requirements and run local checks.