Each policy must include at least one finding type. The available finding types depend on the selected policy type.
Code scanners finding types
| Finding Type | Applicable To | Description |
|---|---|---|
| Vulnerabilities | Code and Image | CVEs detected in open-source dependencies or container images |
| Secrets | Code and Image | Hardcoded credentials, API keys, and tokens detected in source code or container images |
| IaC Misconfigurations | Code only | Security misconfigurations in Terraform, CloudFormation, Kubernetes, and Helm templates |
| Code Weaknesses | Code only | SAST findings such as injection flaws, authentication issues, and insecure coding patterns |
| License Issues | Code only | Non-compliant open-source license usage detected by SCA |
| Operational Risks | Code only | Deprecated dependencies, unmaintained packages, and supply chain risks |
| Malware | Image only | Malicious software detected in container images |
CI/CD Configuration scanners finding types
| Finding Type | Description |
|---|---|
| CI/CD Risks | Insecure configurations detected in CI/CD pipelines and Version Control System (VCS) environments, mapped to the OWASP CI/CD Top 10 security risks |
Drift Detection scanner finding types
| Finding Type | Description |
|---|---|
| IaC Drift | Configuration drift detected between deployed cloud resources and their IaC definitions, indicating that a compliant IaC baseline has drifted into a non-compliant cloud state |
Policy selection notes
When the CI/CD Configuration scanners policy type is selected, the CI/CD Risks finding type is the only available option and is selected automatically.
When the Drift Detection scanner policy type is selected, the IaC Drift finding type is the only available option and is selected automatically.
The remaining finding types (Vulnerabilities, Secrets, IaC Misconfigurations, Code Weaknesses, License Issues, Operational Risks, and Malware) are not available for CI/CD Configuration scanners or Drift Detection scanner policies.
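The selection rules above expressed as a small validator, added here as an example and not the product's own code or API. The policy type and finding type names are the page's; the function name, its arguments, and the scan-target parameter ("Code" or "Image") are assumptions.

```python
# Added example (not the product's own API): applies the finding-type rules on this page.
POLICY_CODE = "Code scanners"
POLICY_CICD = "CI/CD Configuration scanners"
POLICY_DRIFT = "Drift Detection scanner"

# Code scanners finding types -> scan targets they apply to ("Code" and/or "Image").
CODE_SCANNER_TYPES = {
    "Vulnerabilities": {"Code", "Image"},
    "Secrets": {"Code", "Image"},
    "IaC Misconfigurations": {"Code"},
    "Code Weaknesses": {"Code"},
    "License Issues": {"Code"},
    "Operational Risks": {"Code"},
    "Malware": {"Image"},
}
# Policy types with a single finding type: it is the only option and is auto-selected.
SINGLE_OPTION_TYPES = {POLICY_CICD: "CI/CD Risks", POLICY_DRIFT: "IaC Drift"}


def resolve_finding_types(policy_type, target, selected):
    """Return (finding_types, errors); target ("Code"/"Image") only matters for Code scanners."""
    errors = []
    if policy_type in SINGLE_OPTION_TYPES:
        only = SINGLE_OPTION_TYPES[policy_type]
        # Anything else the caller selected is not available for this policy type.
        for ft in selected:
            if ft != only:
                errors.append(f"{ft!r} is not available for {policy_type} policies")
        return ([only] if not errors else [], errors)  # auto-selected when valid
    if policy_type != POLICY_CODE:
        return [], [f"unknown policy type {policy_type!r}"]
    chosen = []
    for ft in selected:
        applicable = CODE_SCANNER_TYPES.get(ft)
        if applicable is None:
            errors.append(f"{ft!r} is not a Code scanners finding type")
        elif target not in applicable:
            errors.append(f"{ft!r} does not apply to {target} scans")
        else:
            chosen.append(ft)
    if not chosen:
        errors.append("policy must include at least one finding type")
    return chosen, errors
```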