Managing Findings
Findings are security issues discovered during scans. The findings workflow lets you triage, track, and resolve vulnerabilities across all your repositories.
Findings List
Navigate to Findings in the sidebar to see all findings. The table shows:
| Column | Description |
|---|---|
| Severity | Color-coded badge: Critical (red), High (orange), Medium (yellow), Low (green); see Severity Levels below for what each level means |
| Title | Short description of the vulnerability (clickable) |
| Type | SAST, SBOM, CVE, GDPR, or OAuth |
| Scanner | Tool that found the issue (e.g. semgrep, syft) |
| File | Source file path where the issue was found |
| Status | Current triage status |
Filtering
Use the filter bar at the top to narrow results:
- Repository — Filter to a specific repository or view all
- Severity — Critical, High, Medium, Low, or Info
- Type — SAST, SBOM, CVE, GDPR, OAuth
- Status — Open, Triaged, Resolved, False Positive, Ignored
Filters combine: a finding must match every selected filter to appear in the results. Results are paginated, 20 findings per page.
Finding Detail
Click any finding title to view its full detail page, which includes:
Metadata
- Severity level with CWE identifier and CVSS score (when available)
- Scanner tool and scan type
- File path and line number
Description
Full explanation of the vulnerability, why it's a risk, and what conditions trigger it.
Code Evidence
The source code snippet where the issue was found, with syntax highlighting and the file path.
Remediation
Step-by-step guidance on how to fix the vulnerability.
Suggested Fix
A code example showing the corrected implementation.
Linked Issue
If the finding was pushed to an issue tracker (GitHub, GitLab, Jira), a direct link to the external issue.
Updating Status
On the finding detail page, change the finding's status using the status buttons:
| Status | When to Use |
|---|---|
| Open | New finding, not yet reviewed |
| Triaged | Reviewed and confirmed as a real issue, pending fix |
| Resolved | Fix has been applied |
| False Positive | Finding is not a real vulnerability in this context |
| Ignored | Known issue that won't be fixed (accepted risk) |
Status changes are persisted immediately; there is no separate save step, and the new status is reflected in the Findings list and its Status filter.
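As an added example (not the product's own code), the following Python models the list behaviour described under Filtering and Updating Status: filters that combine so a finding must match all of them, pagination at 20 findings per page, and a status change restricted to the five statuses in the table above. The Finding fields mirror the table columns; the repository names, file paths and every sample finding are constructed for illustration, not real scan output.

```python
"""Constructed model of the findings list: combinable filters, 20-per-page
pagination, and status updates. Example code, not the product's own
implementation; Finding fields mirror the columns of the findings table."""
from dataclasses import dataclass
from typing import List

SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")
TYPES = ("SAST", "SBOM", "CVE", "GDPR", "OAuth")
STATUSES = ("Open", "Triaged", "Resolved", "False Positive", "Ignored")
PAGE_SIZE = 20  # the findings list shows 20 findings per page


@dataclass
class Finding:
    id: int
    repo: str
    severity: str
    title: str
    type: str
    scanner: str
    file: str
    status: str = "Open"  # a new finding starts as Open, not yet reviewed

    def __post_init__(self) -> None:
        # Reject values outside the vocabularies the UI exposes.
        if self.severity not in SEVERITIES:
            raise ValueError(f"unknown severity: {self.severity}")
        if self.type not in TYPES:
            raise ValueError(f"unknown type: {self.type}")
        if self.status not in STATUSES:
            raise ValueError(f"unknown status: {self.status}")


def filter_findings(findings, *, repo=None, severity=None, type=None, status=None) -> List[Finding]:
    """Return findings matching every supplied filter (None means 'all')."""
    wanted = {"repo": repo, "severity": severity, "type": type, "status": status}
    active = {k: v for k, v in wanted.items() if v is not None}
    return [f for f in findings if all(getattr(f, k) == v for k, v in active.items())]


def page(findings, number: int, size: int = PAGE_SIZE) -> List[Finding]:
    """Return 1-indexed page `number`; an empty list past the last page."""
    if number < 1:
        raise ValueError("page numbers start at 1")
    start = (number - 1) * size
    return findings[start:start + size]


def page_count(findings, size: int = PAGE_SIZE) -> int:
    """Number of pages needed to show all of `findings`."""
    return (len(findings) + size - 1) // size


def is_valid_status(status: str) -> bool:
    return status in STATUSES


def set_status(finding: Finding, new_status: str) -> Finding:
    """Apply a triage decision; the product persists this immediately."""
    if not is_valid_status(new_status):
        raise ValueError(f"unknown status: {new_status}")
    finding.status = new_status
    return finding


def sample_findings() -> List[Finding]:
    """Constructed sample data (not real scan output): 30 semgrep SAST findings
    in the hypothetical repo 'web-app' cycling through all five severities, and
    15 syft SBOM findings in 'api-gateway' cycling through High/Medium/Low."""
    findings = []
    for i in range(30):
        findings.append(Finding(
            id=i + 1, repo="web-app", severity=SEVERITIES[i % 5],
            title=f"SAST finding {i + 1}", type="SAST", scanner="semgrep",
            file=f"src/handlers/handler_{i + 1}.py"))
    for i in range(15):
        findings.append(Finding(
            id=31 + i, repo="api-gateway", severity=("High", "Medium", "Low")[i % 3],
            title=f"Component finding {i + 1}", type="SBOM", scanner="syft",
            file="sbom.cdx.json"))
    return findings


if __name__ == "__main__":
    all_findings = sample_findings()
    web = filter_findings(all_findings, repo="web-app")
    print(len(web), "web-app findings across", page_count(web), "pages")
    crit = filter_findings(all_findings, repo="web-app", severity="Critical")
    set_status(crit[0], "False Positive")
    print(len(filter_findings(all_findings, status="False Positive")), "false positive(s)")
```

Because filters are ANDed, narrowing by repository and then severity never widens the result set; adding a Status filter of False Positive after a triage decision shows exactly the findings you marked, which is a quick way to audit what has been dismissed.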
Severity Levels
| Severity | Description | Typical Examples |
|---|---|---|
| Critical | Immediate exploitation risk, data breach likely | SQL injection, RCE, hardcoded secrets |
| High | Serious vulnerability, exploitation probable | XSS, authentication bypass, SSRF |
| Medium | Moderate risk, exploitation requires specific conditions | Insecure deserialization, weak crypto |
| Low | Minor risk, limited impact | Information disclosure, verbose errors |
| Info | Informational, no direct security impact | Best practice recommendations |