Describe the feature
Currently, Maester supports a fixed set of test result states (Passed, Failed, Investigate, Skipped, NotRun, Error). While Skipped and Investigate offer some ability to annotate non-passing tests, they may not be sufficient for organizations that need to track why a test is not passing and how it has been handled.
It would be great if two related enhancements could be considered:
- Custom disposition tags: Administrators could define and assign custom tags to individual tests, such as RiskAccepted, Mitigated, CompensatingControl, PendingRemediation, or FalsePositive. These tags could, for example, be configurable per test ID in maester-config.json, alongside existing Severity overrides, and surfaced in the report and filter UI, similar to how severity levels are already customizable.
- Per-test comments: It would also be very helpful if a free-text Comment field could be supported per test entry in maester-config.json, allowing teams to document remediation notes, risk acceptance rationale, ticket references, or other context directly within the Maester configuration, without requiring an external system.
Impact and importance
Security teams using Maester in a continuous monitoring pipeline tend to accumulate non-passing tests over time. Without structured disposition tracking, there is no easy way to distinguish between a known accepted risk, an actively investigated issue, or an unreviewed failure; all three currently look identical in the report.
Such a feature could benefit:
- Security engineers and analysts who need to document treatment decisions for audit purposes.
- Compliance and GRC teams who require evidence that each finding has been formally reviewed and handled.
- Organizations running Maester in CI/CD pipelines, where a single source of truth for test configuration and disposition would be particularly valuable.
- All users who currently maintain remediation notes in separate tools (wikis, ticketing systems, spreadsheets) and would appreciate keeping this context co-located with the test configuration.
Alternatives you've considered
Using Skipped to suppress known non-passing tests: This loses the distinction between "intentionally skipped", "risk accepted", and "mitigated with a compensating control".
Using Investigate as a catch-all: This tag is semantically tied to active investigation and does not lend itself to representing a closed, documented decision.
Maintaining disposition and comments in an external system: This works, but breaks the single-source-of-truth principle and increases operational overhead, especially in automated pipeline runs.
Using custom Pester tags: The existing -Tag mechanism could carry some of this information, but it is not applicable to built-in Maester tests and does not support free-text comments.
Additional context
The maester-config.json pattern already used for severity overrides and emergency access account configuration seems like a natural and consistent extension point for both of these ideas. The precedence model established for severity levels could potentially apply in the same way to disposition and comments.
It would also be nice if custom disposition tags could be surfaced as an additional filter dimension in the report UI, for example, to filter all tests tagged RiskAccepted for periodic risk review cycles.
Many thanks to everyone contributing to this project.