Dependency Findings (SCA)

You can view findings globally across your organization, highlighting the impact across your code and services.

  • Active Findings - Vulnerabilities present in the environment that are not fixed in code.

  • Fixed Findings - Vulnerabilities that are present in the environment but have been fixed in code.

  • Deployed Findings - Vulnerabilities that have been resolved in all active deployments.
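The three states above depend on two facts: whether the fix has landed in code, and whether every active deployment is running the fixed version. The following is an added illustration, not the product's own code or API; the `Finding` and `Deployment` structures and the sample data are constructed for the example.

```python
from dataclasses import dataclass, field
from collections import Counter


@dataclass
class Deployment:
    name: str
    active: bool       # is this deployment currently serving traffic?
    vulnerable: bool   # does it still run the vulnerable dependency version?


@dataclass
class Finding:
    cve: str
    package: str
    fixed_in_code: bool                 # has the remediating change landed in the repo?
    deployments: list = field(default_factory=list)


def classify(finding: Finding) -> str:
    """Map a finding to Active / Fixed / Deployed as defined above."""
    if not finding.fixed_in_code:
        return "Active"            # still vulnerable in code, nothing to roll out yet
    live = [d for d in finding.deployments if d.active]
    if any(d.vulnerable for d in live):
        return "Fixed"             # fix is in code, but a live deployment lags behind
    # Fixed in code and no active deployment runs the old version
    # (a finding with no active deployments at all also lands here).
    return "Deployed"


def summarize(findings: list) -> dict:
    """Count findings per state, as a global view would show."""
    return dict(Counter(classify(f) for f in findings))


# Constructed sample data (placeholder identifiers, not real CVEs)
SAMPLE = [
    Finding("CVE-0000-0001", "libexample", fixed_in_code=False,
            deployments=[Deployment("prod", True, True)]),
    Finding("CVE-0000-0002", "libexample", fixed_in_code=True,
            deployments=[Deployment("prod", True, True),
                         Deployment("staging", True, False)]),
    Finding("CVE-0000-0003", "otherlib", fixed_in_code=True,
            deployments=[Deployment("prod", True, False),
                         Deployment("legacy", False, True)]),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The second sample finding shows the case that matters operationally: the code is patched, yet production still runs the vulnerable version, so it is counted as Fixed rather than Deployed.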

Critical attributes such as Fixability can easily filter down the results, allowing you to focus on specific types of findings. You can quickly search for a particular CVE and understand the impact across repositories and services.

Key Filters

  • Vulnerability - Search by a particular CVE to identify impact and recommended remediation

  • Risk - Filter remediations by their security impact

  • Fixability - Identify the low-hanging fruit and what can be automated

  • Classification - Identify vulnerabilities in direct dependencies, whose remediation is simpler and also resolves the downstream transitive findings they pull in

"Override" Filters

In addition to the key filters described above, there are two powerful "override" filters: Risk and SLO.

The Risk Override filter allows you to filter by:

  • Not Reachable - The vulnerable code path cannot be executed in the current application or runtime environment

  • Unpinned Version - The vulnerability is present because the dependency version is not explicitly pinned, allowing an outdated or vulnerable version to be installed

  • False Positive - The reported vulnerability does not apply to the actual dependency version or usage context

  • Environment Configuration - The vulnerability is mitigated due to the way the application or infrastructure is configured

  • Other - The vulnerability does not fit into the predefined evaluation categories and requires additional context

  • None - No risk exception or mitigation applies. The vulnerability is valid and requires remediation

The SLO Override filter allows you to filter by:

  • No Fix Available - There is currently no vendor-provided patch, upgrade, or mitigation available to remediate the vulnerability

  • Fix Complexity - Remediation requires significant architectural, operational, or cross-team effort beyond a simple dependency upgrade

  • Not a Priority - The vulnerability presents low business or operational risk relative to higher-impact findings and is intentionally deprioritized

  • Other - The reason for exceeding the SLO does not fit predefined categories and requires additional explanation

  • None - No exception applies. The vulnerability is expected to be remediated within the configured SLO
