SLA Enforcement on Pull Requests

SLA Enforcement helps teams gradually enforce remediation SLAs for security findings without immediately blocking all development.

When enabled, Jit evaluates the target branch (usually main) for overdue security findings. If overdue findings exist and are not resolved by the pull request, Jit will either:

  • Warn (the PR can still be merged), or
  • Block (the PR cannot be merged)

Availability: This policy may be behind a feature flag. If you don’t see it, contact Jit support.


How the policy works

When a PR is opened or updated:

  1. Jit runs the standard PR scan (existing behavior for new findings in the PR).
  2. In parallel, Jit runs the SLA policy check (if enabled):
    • Looks at the current state of the target branch (main)
    • Identifies open findings that exceeded the configured SLA
    • Checks whether this PR resolves any of those overdue findings

A finding is considered resolved by the PR only if it is no longer detected when the PR's latest commit is scanned. Merely touching the affected file or suppressing the finding in the PR does not count; the finding must disappear from the PR scan results.

If overdue findings exist and are not resolved:

  • Warn mode → PR check passes but displays a warning
  • Block mode → PR check fails and can block merging (if configured as a required check in your SCM)
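The decision described above, as an added illustrative model (this is not Jit's code and does not use Jit's API). It assumes findings carry a stable fingerprint across scans, a status of OPEN or IGNORED, and a first-seen timestamp; the per-severity SLA values and the sample findings are constructed for the example. It shows the three points that matter in practice: ignored findings are excluded, overdue is computed per severity against the target branch, and a finding only counts as resolved when its fingerprint is absent from the scan of the PR's head commit.

```python
"""Illustrative model of the SLA policy check (added example, not Jit's implementation)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical SLA configuration: days allowed per severity (assumed values).
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90}


@dataclass(frozen=True)
class Finding:
    fingerprint: str      # stable identity of a finding across scans (assumed field)
    severity: str
    status: str           # "OPEN" or "IGNORED" (assumed values)
    first_seen: datetime


def overdue_findings(target_branch_findings, sla_days, now):
    """Open findings on the target branch that exceeded their severity's SLA.
    Ignored findings and severities with no configured SLA are never evaluated."""
    overdue = []
    for f in target_branch_findings:
        if f.status != "OPEN":
            continue
        limit = sla_days.get(f.severity)
        if limit is None:
            continue
        if now - f.first_seen > timedelta(days=limit):
            overdue.append(f)
    return overdue


def evaluate_pr(target_branch_findings, pr_scan_findings, sla_days, mode, now):
    """Decide the PR check outcome for mode "warn" or "block".
    A finding counts as resolved by the PR only if its fingerprint is absent
    from the scan of the PR's latest commit."""
    still_present = {f.fingerprint for f in pr_scan_findings}
    unresolved = [f.fingerprint
                  for f in overdue_findings(target_branch_findings, sla_days, now)
                  if f.fingerprint in still_present]
    if not unresolved:
        return {"status": "pass", "warning": False, "unresolved": []}
    if mode == "block":
        return {"status": "fail", "warning": False, "unresolved": unresolved}
    return {"status": "pass", "warning": True, "unresolved": unresolved}


# Constructed sample data: state of main and of the PR's head commit.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAIN_FINDINGS = [
    Finding("sqli-001", "CRITICAL", "OPEN", NOW - timedelta(days=20)),       # overdue (7-day SLA)
    Finding("xss-002", "HIGH", "OPEN", NOW - timedelta(days=10)),            # within 30-day SLA
    Finding("secret-003", "HIGH", "IGNORED", NOW - timedelta(days=200)),     # ignored: excluded
    Finding("ssrf-004", "MEDIUM", "OPEN", NOW - timedelta(days=100)),        # overdue (90-day SLA)
]
# The PR fixes sqli-001 but leaves ssrf-004 in place and introduces a new finding.
PR_FINDINGS = [
    Finding("xss-002", "HIGH", "OPEN", NOW - timedelta(days=10)),
    Finding("secret-003", "HIGH", "IGNORED", NOW - timedelta(days=200)),
    Finding("ssrf-004", "MEDIUM", "OPEN", NOW - timedelta(days=100)),
    Finding("newbug-005", "LOW", "OPEN", NOW),   # new in the PR: standard PR scan, not this policy
]

if __name__ == "__main__":
    print(evaluate_pr(MAIN_FINDINGS, PR_FINDINGS, SLA_DAYS, "block", NOW))
```

With the sample data, block mode fails the check because ssrf-004 is overdue and still present in the PR scan, while warn mode passes and flags the same finding; the new finding newbug-005 is left to the standard PR scan.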

Configure the policy

Scope

Choose where the policy applies:

  • All repositories, or
  • Selected repositories

The policy is tenant-level and works across supported SCMs.

Enforcement mode

Choose the enforcement behavior:

  • Warn - PR check passes and a warning message is shown (recommended for rollout)
  • Block - PR check fails and merging can be blocked

SLA definition

  • Time-based SLA only
  • Configured per severity (for example: Critical / High / Medium)
  • Only open findings are evaluated
  • Ignored findings are excluded

Policy conflicts (important)

Only one SLA policy may apply to any given repository.

A conflict exists when multiple SLA policies target the same repository (directly or indirectly), which could create unclear behavior (for example, one policy warns and another blocks).

Rules:

  • A repository can be associated with only one active SLA policy
  • Policies that target overlapping repositories are not allowed
  • A repo-specific policy overrides a global (all-repos) policy
  • Multiple global SLA policies are not allowed

If a conflict exists, saving the policy is blocked and the UI shows which repositories are conflicting.
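The conflict rules above, as an added illustrative check (not Jit's code). It reads the rules as: at most one global policy, no two repo-specific policies naming the same repository, and a repo-specific policy coexisting with the global one and overriding it for the repositories it names. The policy representation (a name, a mode and either a set of repositories or the "all repositories" sentinel) and the sample policies are assumptions made for the example.

```python
"""Illustrative SLA policy scope validation (added example, not Jit's implementation)."""

ALL_REPOS = "*"   # assumed sentinel meaning "All repositories"


def find_conflicts(existing_policies, new_policy):
    """Return [(conflicting_policy_name, repos_or_sentinel), ...] explaining why
    new_policy cannot be saved; an empty list means it can.
    Policies are dicts: {"name": str, "mode": "warn" | "block",
                         "repos": set of repo names or ALL_REPOS}."""
    conflicts = []
    for p in existing_policies:
        if p["name"] == new_policy["name"]:
            continue  # editing an existing policy: don't compare it with itself (assumption)
        p_global = p["repos"] == ALL_REPOS
        new_global = new_policy["repos"] == ALL_REPOS
        if p_global and new_global:
            conflicts.append((p["name"], ALL_REPOS))          # two global policies
        elif not p_global and not new_global:
            overlap = p["repos"] & new_policy["repos"]
            if overlap:
                conflicts.append((p["name"], sorted(overlap)))  # overlapping repo lists
        # one global + one repo-specific: allowed, the specific one overrides
    return conflicts


def effective_policy(policies, repo):
    """The policy that governs a repository: the repo-specific one if present,
    otherwise the global one, otherwise None. Raises if the rules were violated."""
    specific = [p for p in policies if p["repos"] != ALL_REPOS and repo in p["repos"]]
    if len(specific) > 1:
        raise ValueError(f"{repo} is covered by more than one repo-specific policy")
    if specific:
        return specific[0]
    global_policies = [p for p in policies if p["repos"] == ALL_REPOS]
    if len(global_policies) > 1:
        raise ValueError("more than one global SLA policy")
    return global_policies[0] if global_policies else None


# Constructed sample tenant configuration.
POLICIES = [
    {"name": "org-default", "mode": "warn", "repos": ALL_REPOS},
    {"name": "payments-strict", "mode": "block", "repos": {"acme/payments", "acme/ledger"}},
]

if __name__ == "__main__":
    print(find_conflicts(POLICIES, {"name": "ledger-warn", "mode": "warn",
                                    "repos": {"acme/ledger", "acme/web"}}))
    print(effective_policy(POLICIES, "acme/web")["name"])
```

With the sample configuration, a second global policy is rejected, a repo-specific policy naming acme/ledger is rejected because payments-strict already covers it, and a repo-specific policy for acme/web saves cleanly; acme/web is governed by org-default (warn) and acme/payments by payments-strict (block).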


PR check messages

Block mode (example)

🚫 Merge blocked: overdue security findings

This repository has open security findings that exceeded the configured SLA and were not resolved by this PR.

How to proceed:

  • Fix the overdue findings in this PR, or
  • Merge another PR that resolves them, then trigger a re-evaluation of this check (for example, by pushing a new commit), or
  • Ask an admin to override this check

🔎 View affected findings → (link to Findings page filtered by this repository)

Warn mode (example)

⚠️ SLA warning: overdue security findings

This repository has open security findings that exceeded the configured SLA.
The PR is allowed to proceed because the policy is currently set to warning mode.

Recommended action:

  • Plan to resolve these findings in an upcoming PR

🔎 View affected findings → (link to Findings page filtered by this repository)


Re-evaluation behavior

The SLA policy check is evaluated against:

  • The current state of the target branch (main), and
  • The latest commit of the PR

If another PR merges and resolves the overdue findings, PRs that were blocked by this policy become unblocked once their checks are re-evaluated; the result is not refreshed automatically without a new commit.

Re-evaluation happens when:

  • New commits are pushed to the PR (automatic)

Admin override

If a PR is blocked by this policy, admins can manually bypass the block (similar to bypassing new findings checks).