To access code weakness findings, navigate to the Code Weaknesses issues page and click the Findings tab.
The Findings tab displays all raw ingested code weakness findings.
Note
Findings in the Findings tab are raw scanner output. They do not have resolution statuses, SLA tracking, or assignees. To track remediation for a specific finding, create or update a unified policy that matches the finding pattern to generate an actionable issue in the Issues tab.
The Findings tab enables the following workflows:
- Audit scanner coverage: Review the full scope of code weaknesses detected by the SAST scanner to verify that detection rules are identifying the expected weakness types (CWE categories) across all monitored repositories and programming languages.
- Identify policy gaps: Compare findings in the Findings tab against issues in the Issues tab to identify findings that are not covered by existing unified policies. Create new policies to promote high-risk findings, such as injection flaws, authentication bypasses, or insecure deserialization patterns, to actionable issues.
- Review excluded findings: Investigate findings that were excluded by policy filters to confirm that exclusions are intentional and do not suppress critical code weakness exposures. Verify that excluded CWE categories, file paths, or branches do not contain exploitable weaknesses.
- Validate detection rules: Verify that SAST detection rules are producing accurate findings and not generating excessive false positives for specific CWE categories, programming languages, or repositories. Use the Findings tab to assess detection rule precision and tune rules that produce noisy or low-value results.
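The policy-gap and exclusion-review workflows above amount to reconciling two exports: the raw findings and the issues that unified policies have already generated from them. The script below is an added example, not part of this page or the product's own tooling. It assumes both tables have been exported as records keyed by the property names listed in the properties table further down (`Finding ID`, `CWE(s)`, `Asset Name`, `Branch`, `File Path`, and so on); the export shape, the issue-to-finding link, the exclusion-rule shape and the sample records are all constructed for illustration.

```python
"""Reconcile raw code weakness findings against policy-generated issues.

Added example (editor's own code, not from the page or the product).
Assumed export shape: one dict per finding / issue using the property
names from the properties table. Sample records are constructed.
"""
import fnmatch
from collections import defaultdict

# Constructed sample of raw findings (assumed export shape; not real data).
FINDINGS = [
    {"Finding ID": "f-1", "Name": "SQL Injection", "CWE(s)": ["CWE-89"],
     "Asset Name": "payments-api", "Language": "Java", "Branch": "main",
     "File Path": "src/main/java/pay/OrderDao.java"},
    {"Finding ID": "f-2", "Name": "Cross-Site Scripting", "CWE(s)": ["CWE-79"],
     "Asset Name": "web-portal", "Language": "JavaScript", "Branch": "main",
     "File Path": "src/render.js"},
    {"Finding ID": "f-3", "Name": "Deserialization of Untrusted Data",
     "CWE(s)": ["CWE-502"], "Asset Name": "payments-api", "Language": "Java",
     "Branch": "release/2.1", "File Path": "src/main/java/pay/Session.java"},
    {"Finding ID": "f-4", "Name": "Hardcoded Credentials", "CWE(s)": ["CWE-798"],
     "Asset Name": "tools", "Language": "Python", "Branch": "main",
     "File Path": "scripts/deploy.py"},
]

# Constructed sample of issues already generated by unified policies.
# Assumption: each issue carries the ID of the finding it was promoted from.
ISSUES = [
    {"Issue ID": "i-1", "Finding ID": "f-1", "Status": "Open"},
]

# Constructed policy exclusions: property name -> glob pattern (assumed shape).
EXCLUSIONS = [
    {"Branch": "release/*"},
    {"File Path": "scripts/*"},
]

# CWE IDs standing in for the high-risk classes the text names (injection,
# authentication bypass, insecure deserialization); the set is the editor's choice.
HIGH_RISK_CWES = {"CWE-89", "CWE-78", "CWE-79", "CWE-287", "CWE-502"}


def uncovered_findings(findings, issues):
    """Findings that no issue references, i.e. matched by no unified policy."""
    covered = {i["Finding ID"] for i in issues}
    return [f for f in findings if f["Finding ID"] not in covered]


def high_risk_gaps(findings, issues, high_risk=HIGH_RISK_CWES):
    """Uncovered findings whose CWE falls in the high-risk set: policy gaps to close first."""
    return [f for f in uncovered_findings(findings, issues)
            if any(c in high_risk for c in f["CWE(s)"])]


def excluded_high_risk(findings, exclusions, high_risk=HIGH_RISK_CWES):
    """Findings an exclusion rule would drop even though their CWE is high risk.

    Returns (finding ID, matching rule) pairs so the exclusion can be reviewed.
    A rule matches when every property it names matches its glob pattern.
    """
    hits = []
    for f in findings:
        for rule in exclusions:
            if all(fnmatch.fnmatch(str(f.get(k, "")), pat) for k, pat in rule.items()):
                if any(c in high_risk for c in f["CWE(s)"]):
                    hits.append((f["Finding ID"], rule))
                break  # first matching rule decides; later rules are not consulted
    return hits


def coverage_by_cwe(findings):
    """Count findings per (CWE, language) to audit what the scanner is actually detecting."""
    counts = defaultdict(int)
    for f in findings:
        for cwe in f["CWE(s)"]:
            counts[(cwe, f["Language"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in high_risk_gaps(FINDINGS, ISSUES):
        print(f"no policy covers {f['Finding ID']} {f['Name']} ({', '.join(f['CWE(s)'])}) "
              f"in {f['Asset Name']}@{f['Branch']}:{f['File Path']}")
    for fid, rule in excluded_high_risk(FINDINGS, EXCLUSIONS):
        print(f"exclusion {rule} suppresses high-risk finding {fid}")
    for (cwe, lang), n in sorted(coverage_by_cwe(FINDINGS).items()):
        print(f"{cwe:8} {lang:12} {n}")
```

On the constructed data the gap check reports `f-2` and `f-3` as high-risk findings with no policy behind them, and the exclusion check flags that a blanket `release/*` branch exclusion would silently drop the CWE-502 finding on `release/2.1` while the `scripts/*` exclusion only drops a non-high-risk finding. The (CWE, language) counts are the raw material for the coverage audit: a language that appears with no injection-class CWEs at all usually means a rule set is not enabled for it rather than that the code is clean.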
Investigate a finding
The following table lists selected properties of code weakness findings.
| Property | Description |
|---|---|
| Name | Short, descriptive name of the CWE finding (such as "SQL Injection" or "Cross-Site Scripting") |
| CWE(s) | CWE identifier(s) associated with the finding (such as CWE-79 or CWE-119) |
| OWASP Categories | Relevant OWASP Top 10 categories associated with the finding (categories may come from different editions of the Top 10) |
| Asset Name | Name of the repository affected by the CWE finding |
| Language | Programming language in which the CWE finding was detected (such as Java, Python, or JavaScript) |
| Branch | The specific branch or version of the code where the CWE finding was detected |
| File Path | Path to the file, or location in the code, where the CWE finding was detected |
| Git User | Username of the Git user who last modified the file containing the finding |
| Data Source | Source of the CWE finding information |
| Created | Timestamp of when the CWE finding was first detected |
| Finding ID | Unique identifier assigned to a specific finding |
Selecting a finding from the table provides additional details:
- Overview: Includes when the finding was last updated, the category associated with the finding, and the name and link to the asset where the finding was detected.
- Details: The location of the finding, the third-party data source that detected the finding, the CWE category, the initial hash and commit, and the rule ID.