After selecting finding types, configure filters to narrow the scope of matched findings. The available filters depend on the selected policy type and finding types.
Code scanners condition filters
When multiple finding types are selected, only filters common to all types are displayed. To apply type-specific filters, define separate condition groups and combine them with OR instead of selecting multiple types in a single group.

- Filters are segmented by relevance: Code and Image, Code, and Image.
- When a filter from the Code or Image segment is selected, subsequent filter options are restricted to that category.
- The values of the filters are also dependent on, and filtered by, the selected finding types. For example, if IaC Misconfiguration is included in the condition, the AppSec Rule filter displays only IaC-related rules.
Common filters (all Code Scanners finding types)
Filter | Category | Description |
|---|---|---|
Finding Type | Code and Image | The type of security finding (such as Vulnerability, Secret, IaC). Required as the first filter in every group |
Severity | Code and Image | Filters findings by their assigned risk impact level (Critical, High, Medium, Low) |
Backlog Status | Code and Image | Distinguishes between technical debt (Backlog) and newly introduced findings (New) |
Finding Category | Code and Image | A higher-level grouping that can encompass multiple related finding types |
Vulnerabilities filters
Filter | Category | Description |
|---|---|---|
Exploitable | Code and Image | Whether the vulnerability is confirmed exploitable based on reachability analysis |
CVE ID | Code and Image | The unique Common Vulnerabilities and Exposures identifier (such as CVE-2021-44228) |
CVSS Severity | Code and Image | The qualitative CVSS severity rating (Critical, High, Medium, Low, None) |
CVSS | Code and Image | The numerical CVSS score, ranging from |
EPSS | Code and Image | The Exploit Prediction Scoring System probability score, indicating the likelihood of exploitation |
Has A Fix | Code and Image | Whether a fix version exists for the vulnerability |
Is Kev | Code and Image | Whether the vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog |
CVE Fix Available Date | Code and Image | The date when a fix version became available |
Package Name | Code and Image | The name of the affected software package |
Package Version | Code and Image | The version of the affected software package |
CVE Publish Date | Code and Image | The date the CVE was published |
CVE Risk Factors | Code and Image | Risk factors associated with the CVE (such as Remote Code Execution, Has Exploit) |
CVE Description | Code and Image | Text search within the CVE description |
Exploit Level | Code and Image | The level of exploit availability (Proof of Concept, Functional, Weaponized) |
Fix Versions | Code and Image | The specific versions that contain the fix |
Grace Period | Code and Image | The description of the grace period status for the vulnerability fix |
RiskFactors | Code | Risk factors specific to code-level vulnerability analysis |
Package Popularity | Code | The popularity score of the affected package |
Package Deprecated | Code | Whether the affected package is deprecated |
Package Maintained | Code | Whether the affected package is actively maintained |
Package Operational Risk | Code | The operational risk level of the affected package |
Repository File Path | Code | The file path within the repository where the vulnerability was detected |
Package Dependency | Code | Whether the package is a direct or transitive dependency |
Is AI/ML | Code | Whether the package is an AI/ML library |
Respect Developer Suppression | Code | Whether to honor developer-level suppression annotations |
Affected Software | Image | The affected software component within the container image |
Base Image Vulnerability | Image | Whether the vulnerability originates from the base image |
File Path | Image | The file path within the container image |
Layer ID | Image | The container image layer where the vulnerability was detected |
Operating System | Image | The operating system of the container image |
Operating System Distribution | Image | The OS distribution (such as Ubuntu, Alpine) |
Operating System Distro Release | Image | The specific OS distribution release version |
Operating System Family | Image | The OS family (such as Debian, Red Hat) |
Package File Creation Time | Image | The creation timestamp of the package file in the image |
Package Licenses | Image | The licenses associated with the package in the image |
Package PURL | Image | The Package URL (PURL) identifier |
Package Type | Image | The type of package (such as deb, rpm, apk) |
Platform ID | Image | The platform identifier for the container image |
Image Provider | Image | The provider or registry of the container image |
Remediation | Image | The recommended remediation action |
Type ID | Image | The vulnerability type identifier |
Secrets filters
Filter | Category | Description |
|---|---|---|
Detection Method | Code and Image | The logic or engine used to find the secret |
Secret Validity | Code | Whether the secret is active/valid or expired/revoked |
AppSec Rule | Code | The specific detection rule that triggered |
AppSec Rule Label | Code | Custom labels attached to the secret detection rule |
AppSec Rule Category | Code | The classification category for the rule |
Repository File Path | Code | Path to the source file containing the secret |
Respect Developer Suppression | Code | Honors developer-applied bypasses or suppressions |
Secret Type | Image | The type of secret found in the image (such as Private Key) |
File Path / Name | Image | Location and name of the file containing the secret |
File Size / Line | Image | The size of the file and specific line where the secret is |
File Owner / Group | Image | Owner and Group IDs/Names for the file in the image |
File Permissions | Image | Permissions for Owner, Group, and Others |
IaC Misconfigurations filters
Filter | Category | Description |
|---|---|---|
AppSec Rule | Code | Filters findings generated by a specific AppSec detection rule (such as Ensure S3 bucket has public access blocks) |
AppSec Rule Label | Code | Filters based on custom labels attached to the matched AppSec rules (such as Compliance, Team-A, or Production-Only) |
AppSec Rule Category | Code | Filters based on the classification of the rule, such as Networking, Storage, or IAM |
Has An Automated Fix | Code | Filters for misconfigurations that can be automatically resolved via a generated fix or pull request |
IaC Tag | Code | Filters based on metadata tags defined within the IaC resource (such as Environment: Production or Owner: DevOps) |
Compliance Standards | Code | Filters findings mapped to specific regulatory frameworks (such as PCI-DSS, SOC2, HIPAA, NIST) |
Compliance Controls | Code | Filters by specific security controls within a compliance standard (such as CIS Benchmark 1.2) |
Respect Developer Suppression | Code | Determines whether the policy should honor manual suppression annotations or comments added directly to the code by developers to skip a specific check |
Code Weaknesses filters (SAST)
Filter | Category | Description |
|---|---|---|
CWE ID | Code | The Common Weakness Enumeration ID (such as CWE-79) |
Language | Code | The programming language (such as Java, Python, Go) |
OWASP Category | Code | Mapping to the OWASP Top 10 categories |
Source | Code | The specific scanner engine that detected the weakness |
Respect Developer Suppression | Code | Honors developer-applied suppressions |
License issue filters
Filter | Category | Description |
|---|---|---|
License Type | Code | The specific name of the detected license (such as MIT, GPL-3.0, Apache-2.0) |
License Category | Code | The classification of the license based on its requirements (such as Weak copyleft, Strong copyleft, Non-permissive) |
Package Name | Code | The name of the package associated with the license issue |
Package Version | Code | The specific version of the package |
Package Deprecated | Code | Indicates if the package with this license is no longer supported by its maintainers |
Package Maintained | Code | Indicates if the package is receiving active updates and security patches |
Package Popularity | Code | A score representing the community adoption and usage level of the package |
Package Operational Risk | Code | The overall risk score regarding the package's health and maintenance status |
Respect Developer Suppression | Code | Determines whether to honor manual suppression annotations or comments added to the code by developers |
Operational Risks filters
Filter | Category | Description |
|---|---|---|
Package Name | Code | The name of the software package or library |
Package Version | Code | The version of the software package |
Deprecated | Code | Filters for packages that have been officially marked as deprecated by the author |
Maintained | Code | Filters for packages based on whether they are actively updated or have become abandonware |
Popularity | Code | Filters based on the package's usage frequency and community traction |
Respect Developer Suppression | Code | Determines whether to honor manual suppression annotations or comments added to the code by developers |
Malware filters
Filter | Category | Description |
|---|---|---|
Malware Verdict | Image | The detection result or classification (such as Malicious, Suspicious) |
File SHA256 | Image | The unique SHA-256 hash of the malicious file, useful for blocking known indicators of compromise (IOCs) |
Detection Method | Image | The specific engine or logic used to identify the malware (such as Signature-based, Heuristics) |
File Path | Image | The full directory path where the malware was detected within the container image |
File Name | Image | The specific name of the malicious file |
File Size | Image | The size of the detected malware file |
File Owner Name | Image | The name of the user account that owns the malicious file in the image filesystem |
File Owner ID | Image | The numerical UID of the file owner |
File Group Name | Image | The name of the group that owns the malicious file |
File Group ID | Image | The numerical GID of the file group |
File Permissions - owner | Image | The specific permissions assigned to the owner (such as read, write, execute) |
File Permissions - group | Image | The specific permissions assigned to the group |
File Permissions - others | Image | The permissions assigned to all other users (world permissions) |
Finding ID | Image | The unique system identifier for the specific malware finding |
CI/CD configuration scanners condition filters
Filter | Description |
|---|---|
Severity | Filters findings by their assigned risk impact level (such as Critical, High, Medium, or Low) |
Finding Category | The category of detected security findings. A category can include multiple finding types |
Backlog Status | Indicates whether a finding is part of the security technical debt or newly introduced. Backlog: Findings that existed before the Cortex scanner was first enabled or before a third-party scanner was first ingested for the repository. New: Findings detected afterward |
AppSec Rule | Filters findings generated by a specific AppSec detection rule |
AppSec Rule Label | Filters findings based on labels attached to the matched AppSec rules, allowing filtering and selection of multiple rules at once |
AppSec Rule Category | Filters based on the category of findings generated by the rule |
Compliance Standards | Filters findings based on specific regulatory frameworks like PCI-DSS, SOC2, or HIPAA |
Compliance Controls | Specific security controls related to the finding within a compliance standard (such as Encryption at Rest) |
Drift detection scanners condition filters
Filter | Description |
|---|---|
Severity | Filters findings by their assigned risk impact level (such as Critical, High, Medium, or Low) |
Resource Type | Filters findings by the type of cloud resource where drift was detected (such as aws_s3_bucket, azurerm_virtual_network) |
Configuring multiple condition groups (OR logic)
By default, all filters added to a single condition group are evaluated using AND logic: a finding must meet all criteria in that group to trigger the policy.
To create policies that handle distinct risk profiles simultaneously, you can configure multiple condition groups combined with the OR operator. If a finding matches any of the defined groups, the policy actions are executed.
Example Configuration: You can create a single Zero Tolerance block policy that targets both valid secrets and highly exploitable vulnerabilities by setting up two distinct groups:

Group 1 (Secrets Focus): Finding Type = Secrets AND Validity = Valid

[OR]

Group 2 (Vulnerability Focus): Finding Type = Vulnerabilities AND Severity = Critical AND Has a Fix = Yes
Note
When multiple finding types are selected within a single condition group, only the Common filters (such as Severity or Backlog Status) are available for selection.
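The following Python script is an added illustration of the AND-within-a-group / OR-across-groups evaluation described above, together with the restriction from the Note (type-specific filters are only available when a group selects a single finding type). It is not Cortex's own policy engine: the finding records, the `ConditionGroup` class, the `SAMPLE_FINDINGS` data and the subset of filter names placed in `TYPE_SPECIFIC_FILTERS` are all constructed here for the example. The Zero Tolerance policy from the Example Configuration is rebuilt using the table's filter name "Secret Validity" for the "Validity" filter, and a predicate form is used for the numeric CVSS filter so a range can be expressed.

```python
"""Evaluator for AppSec policy condition groups (added example; not Cortex's engine).

Assumptions (constructed for this example): a finding is a flat dict whose keys
mirror the filter names in the tables above; a policy is a list of condition
groups; filters inside a group are AND-ed and the groups are OR-ed together.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, FrozenSet, List

# Filters available for every Code Scanners finding type (the "Common filters" table).
COMMON_FILTERS = frozenset({"Finding Type", "Severity", "Backlog Status", "Finding Category"})

# A hand-picked subset of the type-specific filters listed on this page, keyed by type.
TYPE_SPECIFIC_FILTERS = {
    "Secrets": frozenset({"Secret Validity", "Detection Method", "AppSec Rule"}),
    "Vulnerabilities": frozenset({"Has A Fix", "Is Kev", "CVSS", "EPSS", "Exploitable"}),
    "IaC Misconfigurations": frozenset({"AppSec Rule", "IaC Tag", "Compliance Standards"}),
}


@dataclass
class ConditionGroup:
    """One condition group: the required Finding Type plus further filters, all AND-ed.

    A filter value is either a literal compared for equality or a callable
    predicate, so numeric filters such as CVSS can express a range.
    """
    finding_types: FrozenSet[str]
    filters: Dict[str, Any] = field(default_factory=dict)

    def validate(self) -> None:
        """Enforce the page's rule: type-specific filters need a single finding type."""
        if not self.finding_types:
            raise ValueError("Finding Type is required as the first filter in every group")
        allowed = set(COMMON_FILTERS)
        if len(self.finding_types) == 1:
            (only_type,) = self.finding_types
            allowed |= TYPE_SPECIFIC_FILTERS.get(only_type, frozenset())
        unavailable = set(self.filters) - allowed
        if unavailable:
            raise ValueError(
                f"filters {sorted(unavailable)} are not available when the group selects "
                f"{sorted(self.finding_types)}; split them into separate OR groups"
            )

    def matches(self, finding: Dict[str, Any]) -> bool:
        """AND semantics: every filter in the group must hold for the finding."""
        if finding.get("Finding Type") not in self.finding_types:
            return False
        for name, expected in self.filters.items():
            actual = finding.get(name)
            ok = expected(actual) if callable(expected) else actual == expected
            if not ok:
                return False
        return True


def policy_matches(groups: List[ConditionGroup], finding: Dict[str, Any]) -> bool:
    """OR semantics: the policy fires when any condition group matches."""
    return any(group.matches(finding) for group in groups)


def zero_tolerance_policy() -> List[ConditionGroup]:
    """The two-group Zero Tolerance block policy from the Example Configuration."""
    groups = [
        ConditionGroup(frozenset({"Secrets"}), {"Secret Validity": "Valid"}),
        ConditionGroup(frozenset({"Vulnerabilities"}), {"Severity": "Critical", "Has A Fix": True}),
    ]
    for group in groups:
        group.validate()
    return groups


# Constructed sample findings; not real scanner output.
SAMPLE_FINDINGS: Dict[str, Dict[str, Any]] = {
    "sec-valid": {"Finding Type": "Secrets", "Severity": "High", "Secret Validity": "Valid"},
    "sec-expired": {"Finding Type": "Secrets", "Severity": "High", "Secret Validity": "Expired"},
    "vuln-crit-fix": {"Finding Type": "Vulnerabilities", "Severity": "Critical", "Has A Fix": True, "CVSS": 9.8},
    "vuln-crit-nofix": {"Finding Type": "Vulnerabilities", "Severity": "Critical", "Has A Fix": False, "CVSS": 9.1},
    "iac-public-bucket": {"Finding Type": "IaC Misconfigurations", "Severity": "Critical", "Has An Automated Fix": True},
}


def evaluate_sample() -> Dict[str, bool]:
    """Run the Zero Tolerance policy over the sample findings; True means the policy fires."""
    policy = zero_tolerance_policy()
    return {fid: policy_matches(policy, finding) for fid, finding in SAMPLE_FINDINGS.items()}


def critical_cvss_hits() -> List[str]:
    """Numeric filter example: a single-type group with CVSS expressed as a predicate (>= 9.0)."""
    group = ConditionGroup(frozenset({"Vulnerabilities"}),
                           {"CVSS": lambda score: score is not None and score >= 9.0})
    group.validate()
    return sorted(fid for fid, finding in SAMPLE_FINDINGS.items() if group.matches(finding))


def invalid_group_error() -> str:
    """The restriction from the Note: a type-specific filter in a multi-type group is rejected."""
    mixed = ConditionGroup(frozenset({"Secrets", "Vulnerabilities"}), {"Secret Validity": "Valid"})
    try:
        mixed.validate()
    except ValueError as err:
        return str(err)
    return ""


if __name__ == "__main__":
    for fid, fired in evaluate_sample().items():
        print(f"{fid:18} -> {'BLOCK' if fired else 'pass'}")
    print("CVSS >= 9.0:", critical_cvss_hits())
    print("rejected group:", invalid_group_error())
```

Running the script blocks `sec-valid` and `vuln-crit-fix`, lets the expired secret, the unfixable critical vulnerability and the IaC finding pass, and shows that a group mixing Secrets and Vulnerabilities cannot carry the `Secret Validity` filter; that last check is the reason the page recommends separate OR groups rather than multiple types in one group.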