VEX Exception Approval Flow

Module

Scanner

VERIFIED

Approval endpoints for VEX exception workflows with propose/approve two-step process are implemented.

VEX Gate Controller:
- src/Scanner/StellaOps.Scanner.WebService/Controllers/VexGateController.cs - VexGateController REST API including exception proposal and approval endpoints for VEX exception workflows
VEX Gate Query Service:
- src/Scanner/StellaOps.Scanner.WebService/Services/VexGateQueryService.cs - VexGateQueryService querying VEX gate decisions including exception status
Contracts:
- src/Scanner/StellaOps.Scanner.WebService/Contracts/VexGateContracts.cs - API contracts for VEX gate operations including exception proposal and approval
VEX Gate Service:
- src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateService.cs - VexGateService processing VEX gate decisions and exception workflows
- src/Scanner/__Libraries/StellaOps.Scanner.Gate/IVexGateService.cs - Interface for VEX gate operations
- src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateDecision.cs - VexGateDecision model including exception status
- src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateAuditLogger.cs - VexGateAuditLogger logging exception proposals and approvals for audit trail

Propose a VEX exception for a blocked finding and verify it enters the "proposed" state awaiting approval
Approve a proposed VEX exception and verify the finding's gate decision changes from Block to Pass
Reject a proposed VEX exception and verify the finding remains in Block state with rejection reason
Verify the audit logger captures all exception proposals and approvals with user attribution and timestamps
Verify the two-step process prevents a single user from both proposing and approving the same exception