prpl
Sign in
← All documentation
Review and respond

Maintain repository knowledge

Document knowledge cards, appropriate content, lifecycle, and their effect on later scans.

userorg admin capture: repository-knowledge

Outcome

You can read everything prpl remembers about a repository across every scan and branch, pin your own durable notes, and retire cards that no longer apply. Knowledge cards are code-anchored facts — reviewed finding verdicts captured automatically, plus notes you author — and they are fed back to future scans and shown as pins in the CPG Explorer, so your team's context is not rediscovered (or re-reported) on the next run.

Who can do it

  • View the Knowledge tab: anyone who can open the repository's detail page — the customer who connected the repository, the mapped organization owner, an active organization member with this repository in their granted access, or a site admin.
  • Author or retire cards: requires review access on this specific repository — the same permission that lets you acknowledge or reject findings. Customers hold it by default on their own repositories. An invited organization member holds it through their seat's default grants or a Findings reviewer / Repo owner role, and the repository must be in the access the owner granted them. Waitlist accounts can browse but cannot author. See Roles and permissions.

Before you begin

  • The repository must be connected and have at least one Harness build or scan so it appears in your inventory — see Connect your first repository.
  • Reviewed verdicts arrive automatically: when a finding is acknowledged as a true positive or rejected as a false positive during review, the decision is captured as a knowledge card. You never hand-author those card types — see Acknowledge true positives or reject false positives.
  • Cards are visible to everyone with access to the repository. Do not paste secrets, tokens, or private URLs into card titles or bodies.

Steps

  1. Open Attack surface in the top navigation and select the repository.
  2. Select the Knowledge tab. The tab shows a running card count, and the panel header shows N active / M total once cards exist.
  3. Read the existing groups. Cards are grouped by type: Confirmed vulnerabilities, Known false positives, Accepted behavior, Invariants, Analysis notes, and Hotspots. A stale badge means the anchored code has changed since the card was written (the card becomes advisory only); a retired badge means the card is kept for audit but no longer fed to scans.
  4. To pin your own card, use the Pin a note form: choose a Type (analysis note, invariant, or accepted behavior), enter a Title, the File (repo-relative) path, and optionally Line, Symbol, CWE, and a Body explaining why the fact matters.
  5. Select Save knowledge card.
  6. To retire a card that no longer applies, select retire on the card and confirm the prompt (“Retire this knowledge card? It stays on record but is no longer fed to scans.”). Retiring is a soft status change — there is no hard delete, so the audit history stays intact.
The repository detail page with captured verdicts and notes grouped by type; call out the Knowledge tab.
The Pin a note form filled in with an example invariant; call out the Save knowledge card button.
An active card row with its provenance line; call out the retire button.

Verification

  • A “Knowledge card saved.” banner appears and the page returns to the Knowledge tab.
  • Your card is listed under its type group with source: operator and your login in the provenance line, and the N active / M total counter increases.
  • After retiring, the card dims, shows the retired badge, and the active count drops.
  • Longer term: active cards appear as pins in the CPG Explorer for this repository's runs and are supplied to future scans as prior context.

Troubleshooting

  • The Pin a note form is not shown. You do not have review access on this repository. Ask the organization owner to grant you repository access and the Findings reviewer role — see Assign repository access and roles.
  • “you do not have review access to this repository”. Same cause as above: your account holds no review permission for this repository, or you are not an owner or member of the organization that owns it.
  • “knowledge store schema is newer than this server”. A newer platform component wrote the store and this server refuses to modify it. Retry after the platform is updated, or contact support.
  • A card turned stale. The code at the card's anchor changed. If the fact still holds, pin it again at the new location; the stale card can be retired.
  • Saving “duplicated” a card — or didn't. Card identity is derived from the anchor and type, so re-saving the same file, line, and type edits the existing card instead of creating a duplicate. This is intentional.

Next step

Keep the rest of the repository view tidy by archiving finished history — Archive scans, findings, and history. Related reading: Understand findings and Acknowledge true positives or reject false positives.

Last verified against commit c0bf54d on 2026-07-10 · capture scenario: repository-knowledge