Reviewer quick-reference card

One page, for printing. Every table below is generated from the constants the engine enforces, so this card cannot drift from the tool. The full walkthrough is the reviewer runbook.

Important

SBOMFlow observed; you decide. No status the engine writes is a review
decision, and under_investigation means nobody has decided yet — never
this is fine.

Review states (workflow only)

StateWhat it means
openNobody has picked this up. Not a judgement about the item.
in_reviewSomeone claimed it with review --start. Coordination only — no evidence authority.
decidedA decision was recorded. The decision, not the state, is what counts.

A claim (review --start <key> --as ROLE) can target evidence (an observed evidence signal), vulnerability (an advisory finding), gap (a requirement with no evidence at all).

Evidence decisions (reviews.json)

DecisionWhen to use it
acceptedYou looked at it and it really is evidence. Cite what convinced you with --evidence-ref.
rejectedThe observed signal is not evidence for this requirement (stale config, wrong file).
needs_more_evidenceNot a no. Say precisely what is missing in --note.

Finding triage — VEX status (vulnerability_reviews.json)

StatusWhat it asserts
not_affectedA claim about your product. Requires a CISA justification — the CLI refuses without one.
affectedThe product is affected. Fix it, or waive it with a reason and an expiry.
fixedAlready remediated in this release. Say where.
under_investigationThe engine's default. It means nobody has decided yet — never 'this is fine'.

The five CISA justifications for not_affected

JustificationClaim you are making
component_not_presentThe affected component does not ship in this product.
vulnerable_code_not_presentThe component ships, but the vulnerable code does not.
vulnerable_code_not_in_execute_pathThe vulnerable code ships but can never be reached.
vulnerable_code_cannot_be_controlled_by_adversaryReachable, but an attacker cannot influence the inputs.
inline_mitigations_already_existA compensating control in the product prevents exploitation.

A category alone is not an explanation. sbomflow review <output> --template <justification> prints the scaffold of what a reader needs.

Why a release gate blocked

Reason codeMeaning
GATE_ADVISORY_FINDINGSUnresolved advisory findings at/above the severity threshold
GATE_DENIED_LICENSEComponent(s) declare a license on the operator deny list
GATE_DRIFT_UNAVAILABLEA drift policy was enforced with no previous release to compare
GATE_EPSS_THRESHOLDFinding(s) at/above the configured FIRST EPSS threshold
GATE_EVIDENCE_GAPSMissing-evidence gaps at/above the severity threshold
GATE_EVIDENCE_REGRESSIONPreviously-accepted evidence regressed
GATE_KEV_PRESENTFinding(s) in the CISA KEV catalog (known exploited)
GATE_MISSING_APPROVALSRequired multi-role release approvals are incomplete
GATE_NEW_ADVISORY_FINDINGSNew advisory finding(s) vs the previous release
GATE_NEW_CRITICAL_OR_HIGHNew or escalated critical/high finding(s) vs the previous release
GATE_NEW_KEVNewly known-exploited finding(s) vs the previous release
GATE_NEW_REACHABLE_FINDINGSFinding(s) that became source-referenced in this release
GATE_REACHABLE_FINDINGSSource-referenced (reachable) advisory finding(s)
GATE_SUPPORT_PERIOD_MISSINGCurrent release does not declare a support period
GATE_UNREVIEWED_EVIDENCEObserved evidence items not yet human-reviewed

Run sbomflow explain <output> --gate to see which of these fired.

The five commands

bash
# See what needs a decision
sbomflow review ./evidence
# Understand one item first
sbomflow explain ./evidence --gate
# Record an evidence decision
sbomflow review ./evidence --accept secure_boot_configured --reviewer you@example.com
# Sign off your role
sbomflow approve ./evidence --role product-security --reviewer alice@example.com --author bob@example.com
# Hand it to the auditor
sbomflow bundle ./evidence

Escalation

If a finding is genuinely exploitable in your product and cannot be fixed before release, that is an escalation to your release owner. It is not a status you can pick in this tool, and no flag makes it go away.

SBOMFlow never sets a VEX status for you, never treats an observed signal as accepted evidence, never files or signs a regulatory report, and never says you are compliant.