
firmis accept - Risk Acceptance

The firmis accept command manages risk acceptance for findings you’ve reviewed and decided to keep. Every acceptance includes a justification, expiry date, and audit trail stored in .firmisrc.json.

firmis accept [options]

Accept findings from your last scan result interactively:

firmis accept

This walks through each finding from the last scan and lets you choose a reason and write a justification for each one.

Accept a specific finding via flags:

firmis accept \
--rule mcp-no-permissions-boundary \
--component src/adapters/mcp-proxy.ts \
--reason mitigated \
--justification "Isolated container with network ACLs"

Accept findings that deep scan flagged as safe:

firmis accept --ai-suggested

Deep scan returns a suggestedDisposition (accept/fix/investigate) with confidence and reasoning. This mode lets you bulk-accept the AI’s “accept” suggestions after review.

View all accepted risks:

firmis accept --list
firmis accept --list --json
firmis accept --list --expired

Remove an acceptance:

firmis accept --revoke \
--rule mcp-no-permissions-boundary \
--component src/adapters/mcp-proxy.ts

Flag                      Description
--list                    Show all accepted risks
--json                    Output as JSON (with --list)
--expired                 Include expired/invalidated acceptances (with --list)
--revoke                  Remove an acceptance (requires --rule and --component)
--rule <id>               Rule ID (e.g., mcp-no-permissions-boundary)
--component <path>        Component path relative to project root
--reason <type>           One of: by-design, mitigated, low-exposure, wont-fix
--justification <text>    Free-text explanation for audit trail
--expires <date>          ISO 8601 expiry date (default: 6 months from now)
--pin-version <ver>       Invalidate acceptance if component version changes
--accepted-by <email>     Email of the person accepting (audit trail)
--ai-suggested            Accept deep scan AI-suggested dispositions
--quiet                   Suppress non-essential output

Reason          When to use
by-design       Intentionally written this way, not a threat in context
mitigated       External control (firewall, auth, encryption) mitigates the threat
low-exposure    Threat surface too small or constrained (internal tool, feature-flagged)
wont-fix        Known issue, no plans to fix. Document the workaround

Acceptances expire automatically:

  • Time-based: Default 6 months. When expiresAt passes, the finding reverts to its prior state.
  • Version-pinned: If --pin-version is set and the component version changes (detected from package.json), the acceptance is invalidated.

Expired entries remain in .firmisrc.json for audit trail. View them with --list --expired.

When you run firmis scan with accepted risks, the output shows a grade comparison:

Grade: B (without accepted risks: C)

This lets you see the impact of your risk register on your security posture.

  • Free tier: Accepted risks are local only (stored in .firmisrc.json)
  • Pro and above: When scanning with --sync, accepted risks sync to workspace and are shared across your team

Accepted risks are stored in .firmisrc.json at your project root:

{
  "acceptedRisks": [
    {
      "ruleId": "mcp-no-permissions-boundary",
      "componentPath": "src/adapters/mcp-proxy.ts",
      "reason": "mitigated",
      "justification": "MCP server runs in isolated container with strict network ACLs.",
      "acceptedBy": "[email protected]",
      "acceptedAt": "2026-03-15T10:30:00Z",
      "expiresAt": "2026-09-15T10:30:00Z",
      "pinnedVersion": null,
      "aiSuggested": false,
      "priorState": "detected"
    }
  ]
}

See the Configuration Reference for the full .firmisrc.json schema.
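The following is an added example, not firmis's own code: it reads a register in the .firmisrc.json shape shown above and applies the two expiry rules described earlier (time-based expiresAt and version pinning) to decide which acceptances still suppress a finding. It assumes the caller supplies current component versions as a map from componentPath to version string, since how firmis derives them from package.json is not specified on this page; the sample register, the "example-rule-*" rule IDs and the paths other than the documented one are constructed.

```javascript
// Added example, not firmis's own code: evaluate a .firmisrc.json risk
// register with the two expiry rules the page describes (time-based
// expiresAt, version pinning). Assumption: the caller passes current
// component versions as a map componentPath -> version, since how firmis
// reads them from package.json is not specified on this page.

// Constructed sample register; "example-rule-*" IDs and paths are hypothetical.
const SAMPLE_RC = {
  acceptedRisks: [
    { ruleId: "mcp-no-permissions-boundary", componentPath: "src/adapters/mcp-proxy.ts",
      reason: "mitigated", justification: "Isolated container with network ACLs",
      acceptedAt: "2026-03-15T10:30:00Z", expiresAt: "2026-09-15T10:30:00Z",
      pinnedVersion: null, priorState: "detected" },
    { ruleId: "example-rule-a", componentPath: "src/legacy/auth.ts",
      reason: "wont-fix", justification: "Module removal planned",
      acceptedAt: "2026-01-01T00:00:00Z", expiresAt: "2026-07-01T00:00:00Z",
      pinnedVersion: null, priorState: "detected" },
    { ruleId: "example-rule-b", componentPath: "node_modules/example-lib",
      reason: "low-exposure", justification: "Affected code path unreachable in 1.3.0",
      acceptedAt: "2026-02-01T00:00:00Z", expiresAt: "2027-02-01T00:00:00Z",
      pinnedVersion: "1.3.0", priorState: "detected" },
  ],
};

// Classify one entry: "expired" (expiresAt has passed), "invalidated"
// (pinned version no longer matches the observed one), otherwise "active".
function acceptanceStatus(entry, versions, now) {
  if (new Date(entry.expiresAt).getTime() <= now.getTime()) return "expired";
  if (entry.pinnedVersion !== null) {
    const observed = versions[entry.componentPath];
    // If the version cannot be observed the pin cannot be confirmed, so the
    // acceptance is treated as invalidated rather than silently trusted.
    if (observed !== entry.pinnedVersion) return "invalidated";
  }
  return "active";
}

// Apply the register to scan findings: only active acceptances suppress a
// finding; expired/invalidated ones revert it to priorState (still reported).
function applyRegister(rc, findings, versions, now) {
  const key = (x) => `${x.ruleId}@${x.componentPath}`;
  const report = rc.acceptedRisks.map((e) => ({ key: key(e), status: acceptanceStatus(e, versions, now) }));
  const active = new Set(report.filter((r) => r.status === "active").map((r) => r.key));
  return { report, remaining: findings.filter((f) => !active.has(key(f))) };
}
```

Running applyRegister with a scan date of 2026-08-01 and an observed version of 1.4.0 for the pinned component yields one active, one expired and one invalidated entry, so two of the three findings remain in the scan output.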

  1. Commit .firmisrc.json to version control for team visibility
  2. Write detailed justifications so future reviewers understand the decision
  3. Set reasonable expiry (6 months forces re-evaluation)
  4. Use version pinning for dependency-related acceptances with upgrade plans
  5. Review expired acceptances quarterly (--list --expired)
  6. Never accept CVEs (use firmis fix or upgrade)