Findings & evidence
Each finding carries enough context to decide without guessing: identity, location, evidence, replay, delta, and suppression state.
Anatomy of a finding
Each persisted finding carries:
- Severity, category, confidence, exploitability, and source phase.
- Stable fingerprint, primary file, line range, scanner, and rule metadata.
- Title, description, attack path, affected files, evidence, and remediation guidance.
- Runtime replay, interaction replay, proof-of-concept, and bundle artifacts when present.
- Delta state: new, recurring, regressed, fixed, or suppressed.
- Repo-scoped or user-scoped suppression memory.
Severity & merge blocking
Severity is one of:
| Severity | Effect on PR check |
|---|---|
| critical | Blocks merge. |
| high | Blocks merge. |
| medium | Reported, non-blocking. |
| low | Reported, non-blocking. |
| info | Reported, non-blocking. Excluded from the unique-vulnerabilities count on the dashboard overview. |
Set the minimum severity that is persisted as a finding via the scan configuration's severity threshold; findings below it are dropped rather than stored as non-blocking.
Delta state
Delta is computed against the previous successful scan on the same target. Each finding is exactly one of:
| State | Meaning |
|---|---|
| new | Fingerprint not seen on the prior scan. |
| recurring | Same fingerprint as the prior scan, comparable severity. |
| regressed | Same fingerprint as the prior scan, but severity or exploitability worsened. |
| fixed | Present on the prior scan, absent on this one. |
| suppressed | An active suppression (repo-scoped or user-scoped) hides this fingerprint. |
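The delta table above and the severity table under "Severity & merge blocking" describe a classification that is easy to get subtly wrong (an improved severity is recurring, not regressed; a suppressed fingerprint is never counted as new). The following is an added example, not the product's own code, that computes the delta for two scans of one target and the resulting PR-check decision. Everything about it is assumed: the `Finding` field names, the numeric severity and exploitability rankings used to detect "worsened", that suppression is evaluated only for findings present on the current scan, and that suppressed findings do not block merge.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Set

# Assumed orderings: the page lists the values but assigns no numeric rank.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
EXPLOITABILITY_RANK = {"not_tested": 0, "unverified": 1, "verified": 2}
BLOCKING_SEVERITIES = {"critical", "high"}  # from the severity table


@dataclass(frozen=True)
class Finding:
    """Minimal slice of a persisted finding (hypothetical field names)."""
    fingerprint: str
    severity: str        # info | low | medium | high | critical
    exploitability: str  # not_tested | unverified | verified


def worsened(old: Finding, new: Finding) -> bool:
    """True if severity or exploitability moved up the rank since the prior scan."""
    return (SEVERITY_RANK[new.severity] > SEVERITY_RANK[old.severity]
            or EXPLOITABILITY_RANK[new.exploitability] > EXPLOITABILITY_RANK[old.exploitability])


def compute_delta(prior: Iterable[Finding], current: Iterable[Finding],
                  suppressed: Set[str]) -> Dict[str, str]:
    """Map every fingerprint from either scan to exactly one delta state.

    `suppressed` holds fingerprints with an active suppression for this repo or
    user. Assumption: suppression is evaluated only for findings present on the
    current scan, so a prior finding that disappeared is always `fixed`.
    """
    prior_by_fp = {f.fingerprint: f for f in prior}
    current_list = list(current)
    delta: Dict[str, str] = {}
    for f in current_list:
        if f.fingerprint in suppressed:
            delta[f.fingerprint] = "suppressed"
            continue
        old = prior_by_fp.get(f.fingerprint)
        if old is None:
            delta[f.fingerprint] = "new"
        elif worsened(old, f):
            delta[f.fingerprint] = "regressed"
        else:
            # Same fingerprint with comparable (or improved) severity stays recurring.
            delta[f.fingerprint] = "recurring"
    seen = {f.fingerprint for f in current_list}
    for fp in prior_by_fp:
        if fp not in seen:
            delta[fp] = "fixed"
    return delta


def blocks_merge(current: Iterable[Finding], delta: Dict[str, str]) -> bool:
    """PR check fails if any visible critical/high finding is present.

    Assumption: suppressed findings are hidden and therefore do not block.
    """
    return any(f.severity in BLOCKING_SEVERITIES and delta[f.fingerprint] != "suppressed"
               for f in current)


# Constructed sample input: two scans of the same target.
PRIOR = [
    Finding("fp-sqli-users", "high", "unverified"),
    Finding("fp-ssrf-webhook", "medium", "unverified"),
    Finding("fp-weak-hash", "low", "not_tested"),
]
CURRENT = [
    Finding("fp-sqli-users", "high", "unverified"),      # unchanged -> recurring
    Finding("fp-ssrf-webhook", "medium", "verified"),    # now runtime-confirmed -> regressed
    Finding("fp-rce-upload", "critical", "verified"),    # first sighting -> new
    Finding("fp-debug-banner", "medium", "unverified"),  # has an active suppression
]
SUPPRESSED = {"fp-debug-banner"}

if __name__ == "__main__":
    d = compute_delta(PRIOR, CURRENT, SUPPRESSED)
    for fp, state in sorted(d.items()):
        print(f"{state:10} {fp}")
    print("blocks merge:", blocks_merge(CURRENT, d))
```

Note that `fp-ssrf-webhook` regresses without any severity change: exploitability moving from unverified to verified is enough, which is why the delta should be computed over both fields rather than severity alone.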
Exploitability
Each finding has one of three exploitability states:
- verified — confirmed through runtime or interaction testing. Stronger than a static-only hit.
- unverified — reported by analysis but not confirmed runtime-side.
- not_tested — runtime testing didn't reach this surface (for example, missing credentials, the app couldn't be served, or the relevant runtime agent was disabled).
Evidence & replay
Where applicable, a finding includes a replay artifact and a downloadable proof bundle. The bundle packages identity, location, replay data, proof-of-concept variants, and expected behavior into a single export — useful for handing off to engineering or filing an issue.
GET /api/security-findings/{id}/replay # latest replay artifact
GET /api/security-findings/{id}/bundle # proof bundle
Suppressions
Suppressions are fingerprint-based:
- Repo scope — hides the finding only for that repository.
- User scope — applies across that user’s matching findings, regardless of repo.
When multiple suppressions match the same fingerprint, the most recently created one wins, regardless of scope. Deleting a suppression restores the finding's presentation without altering scan history.
GET /api/finding-suppressions # paginated; max 100/page
POST /api/finding-suppressions # { query, scope, reviewId?, scanRunId?, repoFullName? }
DELETE /api/finding-suppressions/{id} # 204 on success
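The scope and precedence rules above decide whether a given user sees a given finding in a given repo. The following added example (not the product's own code) resolves that question for an in-memory list of suppression records and shows that deleting the winning record falls back to the next match rather than un-hiding everything. The `Suppression` field names (`repo_full_name`, `user_id`, `created_at`), the use of creation time for "most recent", and the sample records are all assumptions; the real API body shown above takes a `query` rather than a bare fingerprint.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Suppression:
    """Hypothetical shape of one suppression record returned by the API."""
    id: str
    fingerprint: str
    scope: str                             # "repo" | "user"
    created_at: datetime                   # assumed basis for "most recent wins"
    repo_full_name: Optional[str] = None   # set for repo scope
    user_id: Optional[str] = None          # set for user scope


def matches(s: Suppression, fingerprint: str, repo_full_name: str, user_id: str) -> bool:
    """A suppression applies only to its fingerprint, and only within its scope."""
    if s.fingerprint != fingerprint:
        return False
    if s.scope == "repo":
        return s.repo_full_name == repo_full_name
    if s.scope == "user":
        return s.user_id == user_id   # applies across every repo for that user
    return False  # unknown scope never hides anything


def effective_suppression(suppressions: List[Suppression], fingerprint: str,
                          repo_full_name: str, user_id: str) -> Optional[Suppression]:
    """Return the suppression that currently hides the finding, or None.

    When several records match the same fingerprint, the most recently
    created one wins, independent of scope.
    """
    candidates = [s for s in suppressions
                  if matches(s, fingerprint, repo_full_name, user_id)]
    if not candidates:
        return None
    return max(candidates, key=lambda s: s.created_at)


def delete_suppression(suppressions: List[Suppression], suppression_id: str) -> List[Suppression]:
    """Model DELETE /api/finding-suppressions/{id}: drop one record, touch nothing else."""
    return [s for s in suppressions if s.id != suppression_id]


def ts(day: int) -> datetime:
    return datetime(2024, 1, day, tzinfo=timezone.utc)


# Constructed sample store: a repo-scoped suppression, then a later user-scoped
# one for the same fingerprint.
STORE = [
    Suppression("sup-1", "fp-debug-banner", "repo", ts(1), repo_full_name="acme/api"),
    Suppression("sup-2", "fp-debug-banner", "user", ts(2), user_id="alice"),
]

if __name__ == "__main__":
    for repo, user in [("acme/api", "alice"), ("acme/api", "bob"), ("acme/web", "alice"), ("acme/web", "bob")]:
        hit = effective_suppression(STORE, "fp-debug-banner", repo, user)
        print(f"{repo:9} {user:6} -> {hit.id if hit else 'visible'}")
    after = delete_suppression(STORE, "sup-2")
    hit = effective_suppression(after, "fp-debug-banner", "acme/api", "alice")
    print("after deleting sup-2, alice in acme/api ->", hit.id if hit else "visible")
```

The practical consequence for triage: a user-scoped suppression silently hides the fingerprint in every repository that user looks at, so a reviewer comparing their view with a teammate's can see different finding lists for the same scan run.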