Red Hat Advanced Cluster Security / ROX-32133

Vulnerability Reporting: "Namespaces WITHOUT names matching"


      Goal Summary:

      Enable platform security managers to automatically generate distinct, actionable vulnerability reports for different teams (e.g., Infrastructure vs. Development) by allowing regex-based exclusion of specific namespaces (e.g., infrastructure components) from report Filters, significantly improving report relevance and distribution efficiency.

      Goals and Expected User Outcomes:

      • Primary User Type/Persona: Platform Security Manager or Security Analyst.
      • Observable Functionality:
        • Users will be able to define report filters using negative regex patterns (exclusion logic) on the namespace field.
        • Users can create a report that only contains vulnerabilities from application namespaces by excluding the known infrastructure namespaces (e.g., kube-system, monitoring-*, or specific vendor names).
        • Users can set up automated report scheduling to directly deliver the filtered, relevant vulnerability data to the appropriate owning teams.
      • Expanded Existing Features: Expands the Vulnerability Reporting and Scope Filtering functionality by adding negative selection logic for namespaces.

      Acceptance Criteria

      Functional Requirements

      • The Report Filter configuration UI must provide an option to apply regex logic for namespace exclusion (e.g., an "Excludes Namespaces matching Regex" field).
      • The system must successfully apply the exclusion regex to filter the list of namespaces considered for the report scope.
      • Reports generated using the exclusion filter must only contain data from namespaces that do not match the defined exclusion regex pattern.
      • The system must handle a high volume of namespaces (hundreds to thousands) efficiently when applying the exclusion filter.
      • The system must continue to support existing positive inclusion filters for namespaces and allow for simple string matching alongside the new regex capabilities.

      Nonfunctional Requirements (NFRs)

      • Usability: The regex input field must include clear inline help and examples for defining exclusion patterns.
      • Performance: Generating a report using a namespace exclusion regex must not significantly increase the overall report generation time compared to an inclusion-based report. The filtering process should complete in under 5 seconds for environments with up to 1,000 namespaces.
      • Maintainability: The implementation must utilize the existing Golang regexp package, strictly adhering to its supported feature set (avoiding unsupported lookahead/lookbehind for compatibility).
      • Reliability: Reports must be generated correctly every time the scheduled job runs. Failure to generate should trigger an alert to the platform administrator.
      • Scalability: The new regex filtering logic must scale linearly with the number of images/deployments being scanned and the number of namespaces, ensuring stable performance as the environment grows.

      Success Criteria or KPIs Measured


      • Adoption: 75% of active users utilizing the automated reporting feature adopt the new namespace exclusion logic within 60 days of launch.
      • Efficiency: Time spent manually filtering reports by Security Analysts decreases by 50%.
      • Report Relevance: Zero support tickets reporting irrelevant findings (i.e., Infra data appearing in the App Dev report) within the first 90 days.
      • Usage: Average number of automated, scheduled reports segmented using the exclusion feature increases by 20% quarter over quarter.

      Use Cases

      The primary use case is enabling the Security Manager to efficiently route vulnerability information via automated reporting.

      1. The Security Manager needs to create a report intended solely for the Development Team, excluding infrastructure vulnerabilities managed by a separate team.
      2. The Manager navigates to Report Configuration and defines a new Report Filter.
      3. They utilize the new feature to exclude namespaces that match infrastructure-specific patterns (e.g., a regex like ^(kube-system|monitoring-|infra-.*)).
      4. The report is scheduled to run weekly and is configured to email the output directly to the Development Team's mailing list.
      5. The system automatically generates a highly targeted report that contains only application-related vulnerabilities, ensuring the Development Team receives relevant, actionable data without manual preprocessing.
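      An added example (not ACS code) of the filter described in the Functional Requirements and NFRs, run against the use case's regex: the exclusion pattern is compiled once with Go's regexp package (RE2, so lookahead/lookbehind is rejected when the filter is saved), combined with the existing simple inclusion list, and applied in one linear pass over the namespace names. The ReportScope type and the sample namespaces are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// ReportScope is a hypothetical report namespace filter (example type, not ACS's own API).
type ReportScope struct {
	Include []string       // existing positive filter: simple string match on namespace name
	Exclude *regexp.Regexp // new negative filter; nil when unset
}

// NewReportScope compiles the exclusion regex once with Go's regexp (RE2): unsupported lookaround fails at save time, not at report time.
func NewReportScope(include []string, excludePattern string) (*ReportScope, error) {
	s := &ReportScope{Include: include}
	if excludePattern != "" { // "" means exclude nothing; compiling "" would match every namespace
		re, err := regexp.Compile(excludePattern)
		if err != nil {
			return nil, fmt.Errorf("invalid exclusion regex %q: %w", excludePattern, err)
		}
		s.Exclude = re
	}
	return s, nil
}

// FilterNamespaces keeps namespaces passing the inclusion list (if any) and not matching the exclusion regex, in one linear pass.
func (s *ReportScope) FilterNamespaces(all []string) []string {
	included := make(map[string]bool, len(s.Include))
	for _, ns := range s.Include {
		included[ns] = true
	}
	out := []string{}
	for _, ns := range all {
		if (len(included) > 0 && !included[ns]) || (s.Exclude != nil && s.Exclude.MatchString(ns)) {
			continue
		}
		out = append(out, ns)
	}
	return out
}

func main() {
	// Constructed sample namespaces; the exclusion regex is the one from the use case above.
	s, err := NewReportScope(nil, `^(kube-system|monitoring-|infra-.*)`)
	if err != nil {
		panic(err)
	}
	fmt.Println(s.FilterNamespaces([]string{"kube-system", "monitoring-prod", "infra-dns", "payments", "infra"}))
}
```

      Note that the use case's pattern is anchored only at the start, so monitoring-prod is excluded as a prefix match while a namespace named plainly infra stays in scope; anchoring with $ or spelling out .* on each alternative makes the intent explicit.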

      Out of Scope (Optional)

      • Adding support for advanced regex features like lookahead and lookbehind (due to platform/language limitations).
      • Applying exclusion logic to fields other than namespace (e.g., excluding specific images or labels via regex).
      • Integration with external ticketing systems (JIRA, ServiceNow).

People: Mansur Syed (masyed@redhat.com), Doron Caspin (dcaspin@redhat.com)