- Feature Request
- Resolution: Unresolved
1. What specific scenarios do you think will happen where adding comments to policy violations would be beneficial?
There are a lot of cases where the policy violation cannot be addressed immediately due to business reasons. The security team needs to keep track of the violations which are temporarily or permanently added as exceptions and/or risk acceptances.
The above can be done outside of the Red Hat platform (ACS), but that adds more manual work, and in the best-case scenario it should also be possible in the tool.
2. What kind of information do you expect to include in these comments?
Information like: "Risk acceptance number", "Exception to policy number", "Approved by [name]", "Waiting for decision", "Exception approved until [date]"
3. What specific data do you want to be included in the API response for policy violations?
Due to the lack of report functionality for policy violations in RH ACS, unlike vulnerabilities and compliance, we are forced to use the API to extract a report in CSV from the command line (not from the graphical user interface). In a separate (new) column we would like to see the data entered under question 2.