Automations: Do not fail on found CVE lacking a fix

Here is how to set up an automation rule that ensures the pipeline fails only if a CVE is found of a certain level AND a fix for it exists.

1. Set up a rule: "If CVSS is at least High then flag as vulnerable".

2. From the Repositories view, click a specific repository and then filter it by review status "= Vulnerable".

3. Check each vulnerability for any available fix. If not, select “Pause until a fix is available” under “Pause rule triggering” in the Action section.

4. In the opening dialog, choose an appropriate max pause time in the drop-down.

5. Click Save to confirm your selection and pause automation rules for the vulnerability.