|
| 1 | +--- |
| 2 | +title: "SLA Configuration" |
| 3 | +description: "Configure Service Level Agreements for different Products" |
| 4 | +weight: 2 |
| 5 | +--- |
| 6 | + |
| 7 | +Each Product in DefectDojo can have its own Service Level Agreement (SLA) configuration, which represents the days your organization has to remediate or otherwise manage a Finding. |
| 8 | + |
| 9 | +SLA can be set based on either **[Finding Severity](/en/working_with_findings/organizing_engagements_tests/product_hierarchy/#findings)** or **[Finding Risk](/en/working_with_findings/finding_priority/)** (in DefectDojo Pro). |
| 10 | + |
| 11 | + |
| 12 | + |
| 13 | +SLAs apply a countdown of days to a Finding based on the day that the Finding was created in DefectDojo. If a Finding is not Closed within the countdown, the Finding will be labeled as in breach of SLA. |
| 14 | + |
| 15 | +## Working with SLAs |
| 16 | + |
| 17 | +You can use SLAs as a way to represent your organizations remediation policies. You can also use them as a way to prioritize the longest-active, most critical Findings in your DefectDojo instance. |
| 18 | + |
| 19 | +* You can sort or filter Finding tables by SLA days. |
| 20 | +* SLA violations can be configured to trigger [Notifications](/en/customize_dojo/notifications/about_notifications/) to DefectDojo users assigned to the related Product. |
| 21 | +* In **DefectDojo Pro**, SLA performance is also tracked on the [Executive Insights and Remediation](/en/customize_dojo/dashboards/pro_dashboards/) Metrics Dashboards. |
| 22 | +* SLA compliance can also be used to create custom [Dashboard Tiles](/en/customize_dojo/dashboards/about_custom_dashboard_tiles/#sla-violation-tile) in **DefectDojo Pro**. |
| 23 | + |
| 24 | +### Mitigated Within SLA status |
| 25 | + |
| 26 | +If a Finding is successfully Mitigated by the SLA deadline, the Finding will record a ✅ green check mark in the Mitigated Within SLA column. |
| 27 | + |
| 28 | + |
| 29 | + |
| 30 | +If a Finding was Mitigated, but not before the SLA was violated, the Finding will record a ❌ red X in the Mitigated Within SLA column. |
| 31 | + |
| 32 | +### Breaching SLAs |
| 33 | + |
| 34 | +When an SLA for a given Finding is violated (the Finding is not Closed within the SLA timeline) the ✅ green check will switch to a ❌ red X. The SLA will continue to be tracked with a negative number, to represent how many days the SLA has been breached by. |
| 35 | + |
| 36 | + |
| 37 | + |
| 38 | +## Managing SLA Configurations (Pro) |
| 39 | + |
| 40 | +In DefectDojo Pro, one or more SLA Configurations are managed under the **Configuration > Service Level Agreements** part of the sidebar. You can create a **New Service Level Agreement** or work with existing SLA configurations from the **All Service Level Agreements** page. |
| 41 | + |
| 42 | + |
| 43 | + |
| 44 | +SLA Configurations can only be edited by Superusers or by a user with the corresponding [Configuration Permission](/en/customize_dojo/user_management/user_permission_chart/#configuration-permission-chart). |
| 45 | + |
| 46 | +### Configuring SLA |
| 47 | + |
| 48 | +SLA configurations contain the days assigned to each **Severity** or **Risk** value of DefectDojo. |
| 49 | + |
| 50 | + |
| 51 | + |
| 52 | +Each Service Level Agreement can have a unique name, along with an optional description. |
| 53 | + |
| 54 | +**Restart SLA on Finding Reactivation**: if enabled, this option will start an SLA over when a Finding is Reopened. Otherwise, the SLA will be based on when the Finding was created. |
| 55 | + |
| 56 | +When editing an SLA, you can choose whether that SLA will use **Severity** or **Risk** as a benchmark for assigning Days To Remediate. This is done by selecting the related option from the **Service Level configuration Type** section of the form. |
| 57 | + |
| 58 | +From here, you can set the number of days allowed for each **Severity** or **Risk** level. You can also selectively enforce SLAs; by unchecking the **Enforce ___ Finding Days** you can ignore SLA calculation for those levels of Severity or Risk. |
| 59 | + |
| 60 | +## Apply an SLA Configuration to a Product (Pro) |
| 61 | + |
| 62 | +Newly created Products in DefectDojo will always apply the **Default SLA Configuration**, which can be set to different values if you wish. |
| 63 | + |
| 64 | +If you have SLA configurations, you can choose which of these is applied to your Product from the **Edit Product** form. |
| 65 | + |
| 66 | + |
| 67 | + |
| 68 | +### SLA Recalculation |
| 69 | + |
| 70 | +Once a new SLA has been selected for a Product, all of the associated Findings' SLAs will need to be recalculated by DefectDojo. While this process is running, a Product's SLA cannot be changed. |
| 71 | + |
| 72 | +## Notes on SLAs |
| 73 | + |
| 74 | +* SLAs can be optionally restarted once a [Risk Accepted](/en/working_with_findings/findings_workflows/risk_acceptances/) Finding reactivates. This is set when creating the Risk Acceptance by setting the **Restart SLA Expired** field. |
| 75 | +* Reimporting a Finding does not restart the SLA - SLAs are always calculated from when a Finding was first detected unless **Restart SLA on Finding Reactivation** is enabled. |
| 76 | +* Risk Acceptance expiry or reactivation of a Closed Finding are the only ways to reset or recalculate an SLA for a Finding once it is created (without changing the Product's SLA configuration). |
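Review bot: The rules for when an SLA clock starts and resets are stated inconsistently across this file and should be reconciled, most visibly in the "Notes on SLAs" list at new-file lines 74-76. Lines 13 and 54 say the countdown runs from the day the Finding was created in DefectDojo, while line 75 says SLAs are "always calculated from when a Finding was first detected"; pick one term, or state explicitly which date is used. Line 76 lists reactivation of a Closed Finding as a way to reset an SLA without repeating that this only applies when **Restart SLA on Finding Reactivation** is enabled (line 54), and Risk Acceptance expiry is described as optional on line 74 (via **Restart SLA Expired**) but unconditional on line 76. Two smaller points: line 34 says the green check "will switch to" a red X on breach, yet line 26 says the green check is recorded when a Finding is Mitigated by the deadline, so it is unclear what an open Finding shows before breach; and line 17 should read "your organization's remediation policies".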