Source Findings (SAST)
The Source Findings page provides visibility into vulnerabilities identified directly in your source code through Static Application Security Testing (SAST). Unlike dependency findings, which originate from third-party packages, source findings highlight security issues introduced in your own application code, such as injection risks, insecure configurations, and improper input validation. You can view findings globally across your organization, which shows their impact across your code and services.
Active Findings - Vulnerabilities that are present in the codebase and have not yet been resolved.
Fixed Findings - Vulnerabilities that have been resolved in code but not yet fully deployed.
Deployed Findings - Vulnerabilities that have been resolved in all active deployments.
Critical attributes such as Category are available as filters to narrow down the results, allowing you to focus on specific types of findings. You can also use search for more flexibility.
Key Filters
Rule - Filter by the specific SAST rule triggered, e.g., rules for command injection, insecure deserialization, hardcoded secrets, URL-based forgery, etc.
Category - Filter by high-level vulnerability category, e.g., OWASP classifications
Language - Filter by programming language
Mitigation - Filter by whether there is any active mitigation or whether the finding has a mitigating factor such as false positive, inaccurate severity, environment configuration, or risk acceptance
Confidence - Filter by likelihood that the finding represents a true security issue
State - Filter by whether the finding is Disabled, Experimental, or Production
Repository/Module/Service - Filter by findings' locations in repository, module, and/or service
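To make the Active / Fixed / Deployed lifecycle above and the filter set in this section concrete, here is an added example (not the product's own code) that models a finding, derives its lifecycle state from which commit fixed it and which commits the affected service is currently running, and applies the listed filters. The Finding and Deployment structures, the "deployed commit is at or after the fixing commit" rule, the handling of services with no running deployment, and all sample findings are assumptions made for the illustration.

```python
"""Model of the SAST finding lifecycle and filters described on this page.

Added illustration, not the product's own code. The data structures, the
commit-ordering rule and the sample data below are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

ACTIVE, FIXED, DEPLOYED = "Active", "Fixed", "Deployed"


@dataclass(frozen=True)
class Finding:
    id: str
    rule: str                         # e.g. "command-injection"
    category: str                     # e.g. an OWASP classification
    language: str
    repository: str
    service: str                      # service built from this code
    confidence: str                   # "high" | "medium" | "low"
    rule_state: str                   # "Production" | "Experimental" | "Disabled"
    mitigation: Optional[str] = None  # e.g. "false positive", "risk acceptance"
    fixed_in: Optional[str] = None    # commit that removed the vulnerable code


@dataclass(frozen=True)
class Deployment:
    service: str
    commit: str                       # commit currently running for that service


def _has_fix(commit, fix_pos, history):
    """True when the deployed commit is at or after the fixing commit.
    A commit unknown to the history is treated as not containing the fix."""
    return commit in history and history.index(commit) >= fix_pos


def lifecycle_state(finding, history, deployments):
    """Derive Active / Fixed / Deployed for one finding.

    history: commits of finding.repository, oldest first.
    Assumption: with no running deployment of the service, a resolved
    finding stays Fixed, since nothing has received the fix yet.
    """
    if finding.fixed_in is None or finding.fixed_in not in history:
        return ACTIVE
    fix_pos = history.index(finding.fixed_in)
    targets = [d for d in deployments if d.service == finding.service]
    if targets and all(_has_fix(d.commit, fix_pos, history) for d in targets):
        return DEPLOYED
    return FIXED


def _matches(f, key, want, history, deployments):
    """One filter criterion. 'mitigation' accepts 'any', 'none' or a value;
    'lifecycle' is derived rather than stored; other keys are attributes."""
    if key == "lifecycle":
        return lifecycle_state(f, history, deployments) == want
    if key == "mitigation":
        if want == "any":
            return f.mitigation is not None
        if want == "none":
            return f.mitigation is None
    return getattr(f, key) == want


def filter_findings(findings, history, deployments, **criteria):
    """Keep findings matching every criterion, e.g. language="python"."""
    return [f for f in findings
            if all(_matches(f, k, v, history, deployments) for k, v in criteria.items())]


def summarize(findings, history, deployments):
    """Count findings per lifecycle state, like the page's three buckets."""
    counts = {ACTIVE: 0, FIXED: 0, DEPLOYED: 0}
    for f in findings:
        counts[lifecycle_state(f, history, deployments)] += 1
    return counts


# Constructed sample data: one repository with four commits, oldest first.
HISTORY = ["c1", "c2", "c3", "c4"]
DEPLOYMENTS = [Deployment("api", "c4"), Deployment("api", "c3"), Deployment("worker", "c2")]
SAMPLE_FINDINGS = [
    Finding("F1", "command-injection", "A03:2021-Injection", "python", "shop", "api",
            "high", "Production"),
    Finding("F2", "hardcoded-secret", "Secrets", "go", "shop", "api",
            "high", "Production", fixed_in="c3"),
    Finding("F3", "insecure-deserialization", "A08:2021-Software and Data Integrity Failures",
            "java", "shop", "worker", "medium", "Production", fixed_in="c3"),
    Finding("F4", "ssrf", "A10:2021-Server-Side Request Forgery", "python", "shop", "api",
            "low", "Experimental", mitigation="false positive"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FINDINGS, HISTORY, DEPLOYMENTS))
```

In the sample data F2 is Deployed because both running api deployments (c3 and c4) include the fixing commit c3, while F3 stays Fixed because the worker service still runs c2; the two unresolved findings are Active regardless of any mitigating factor recorded on them.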