SLA Management
Service Level Agreement (SLA) policies define how quickly vulnerabilities must be remediated based on severity. CodeStax tracks these deadlines and alerts your team when vulnerabilities are at risk of breaching.
Default Deadlines
Default SLA deadlines are configured per severity level and can be customized under Settings > Policies.
KEV deadlines override severity-based deadlines: a vulnerability listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog receives the shorter KEV deadline instead of the standard deadline for its severity.
Customizing Deadlines
Organization admins can adjust deadlines as follows:
- Navigate to SCA > Settings > SLA Policy.
- Edit the number of days for each severity level.
- Set a custom KEV deadline if the default does not fit your compliance requirements.
- Click Save to apply. Changes take effect for newly discovered vulnerabilities; existing deadlines are not retroactively updated.
SLA Status Tracking
Each vulnerability displays an SLA status badge:
- Breached (red) — The remediation deadline has passed without resolution.
- At Risk (amber) — Less than 25% of the deadline window remains.
- On Track (green) — The vulnerability is within its remediation window.
Filter the SCA results table by SLA status to prioritize work. The SLA Breach count is shown prominently on the SCA dashboard overview.
Integration with Triage
When you triage a vulnerability and set its status to one of the accepted risk states (e.g., “Risk Accepted” or “False Positive”), the SLA clock stops. Vulnerabilities triaged as “In Progress” or “Open” continue to be tracked against their deadlines.
Reopening a previously accepted vulnerability restarts the SLA clock from the reopen date.
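The following Python sketch is an added example, not CodeStax’s own code, showing how the pieces described above fit together: the KEV override, the 25% At Risk threshold, the clock stopping for accepted risk states, and the reopen restarting the window. The day counts are constructed placeholders because the page does not quote the defaults, and the "Paused" label for a stopped clock is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed placeholder day counts: the real defaults are configured in
# Settings and are not quoted on this page.
SEVERITY_DEADLINE_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
KEV_DEADLINE_DAYS = 3

# Triage states named on the page that stop the SLA clock.
CLOCK_STOPPED_STATES = {"Risk Accepted", "False Positive"}
AT_RISK_FRACTION = 0.25  # "At Risk" once less than 25% of the window remains


@dataclass(frozen=True)
class Vulnerability:
    severity: str
    discovered: date          # day the SLA window starts
    in_kev: bool = False      # listed in CISA's KEV catalog
    triage_status: str = "Open"


def deadline_days(v: Vulnerability) -> int:
    """KEV membership overrides the severity-based window."""
    return KEV_DEADLINE_DAYS if v.in_kev else SEVERITY_DEADLINE_DAYS[v.severity.lower()]


def deadline_date(v: Vulnerability) -> date:
    return v.discovered + timedelta(days=deadline_days(v))


def sla_status(v: Vulnerability, today: date) -> str:
    """Return the SLA badge for v as of today.

    "Paused" is an assumed label: the page says the clock stops for accepted
    risk states but does not name a badge for that case.
    """
    if v.triage_status in CLOCK_STOPPED_STATES:
        return "Paused"
    window = deadline_days(v)
    remaining = (deadline_date(v) - today).days
    if remaining < 0:                          # the deadline day itself still counts
        return "Breached"
    if remaining < window * AT_RISK_FRACTION:  # less than 25% of the window left
        return "At Risk"
    return "On Track"


def reopen(v: Vulnerability, reopen_date: date) -> Vulnerability:
    """Reopening an accepted finding restarts the clock from the reopen date."""
    return Vulnerability(v.severity, reopen_date, v.in_kev, "Open")
```

Note that the reopened finding keeps its KEV flag, so the shorter KEV window applies again from the reopen date.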
Data Retention Policies
SCA data retention is configurable per organization:
- Retention Period — Number of days to keep scan results (default: 365 days).
- Minimum Scans to Keep — The minimum number of recent scans preserved regardless of age (default: 5).
These settings ensure you retain enough history for trend analysis while keeping storage manageable.
Cleanup Operations
Administrators can trigger manual cleanup from SCA > Settings > Data Retention:
- Purge Old Scans — Removes scan results older than the configured retention period, respecting the minimum scan count.
- Archive — Exports old scan data to a downloadable JSON file before deletion.
Automatic cleanup runs weekly and respects the same retention rules.
Compliance Tips
- Align SLA deadlines with your organization’s compliance framework (PCI-DSS, SOC 2, FedRAMP).
- Use the KEV deadline to satisfy CISA BOD 22-01 requirements.
- Export SLA breach reports for audit evidence via SCA > Reports > SLA Summary.