To access CVE findings, under Modules, select → → → .
The Findings tab on the Vulnerabilities page displays the complete set of raw CVE vulnerability findings produced by the SCA scanner across all monitored repositories. Unlike the Issues tab, which shows only findings that matched a policy, the Findings tab shows every detected CVE vulnerability regardless of policy evaluation status.
The Findings tab enables the following workflows:
Audit scanner coverage: Review the full scope of CVE vulnerabilities detected by the scanner to verify that detection rules are identifying the expected vulnerability patterns across all monitored repositories and package ecosystems
Identify policy gaps: Compare findings in the Findings tab against issues in the Issues tab to identify findings that are not covered by existing unified policies. Create new policies to promote high-risk findings to actionable issues
Review excluded findings: Investigate findings that were excluded by policy filters to confirm that exclusions are intentional and do not suppress critical CVE vulnerabilities
Validate detection rules: Verify that detection rules are producing accurate findings and not generating excessive false positives for specific package ecosystems or dependency types
Note
Findings in the Findings tab are raw scanner output and do not have resolution statuses, SLA tracking, or assignees. To track remediation for a specific finding, create or update a unified policy that matches the finding pattern to generate an actionable issue in the Issues tab.
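The "Identify policy gaps" workflow above, done programmatically rather than by eye. This is an added example, not the product's own code or API: it assumes the Findings tab and the Issues tab have each been exported to a list of records whose keys mirror the columns documented on this page, that a finding and an issue match on CVE plus location (repository, branch, file path), and that "high-risk" means High/Critical CVSS severity or an EPSS at or above a threshold. The sample rows are constructed for illustration; the CVE IDs are real, but the EPSS values, dates and repositories are illustrative, not current NVD or EPSS data.

```python
"""Policy-gap check over exported CVE findings and issues (added example)."""
from datetime import date

# Reference date for computing finding age (assumed; would be "today").
REPORT_DATE = date(2025, 6, 1)


def cvss_severity(score: float) -> str:
    """Map a CVSS base score to its qualitative rating (CVSS v3.x scale)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def finding_key(rec: dict) -> tuple:
    """Identity used to match a finding to an issue (assumed: CVE + location)."""
    return (rec["cve"], rec["repository"], rec["branch"], rec["file_path"])


# Constructed export of the Findings tab (raw scanner output, no statuses).
FINDINGS = [
    {"cve": "CVE-2021-44228", "asset": "log4j-core", "package_manager": "Maven",
     "cvss_score": 10.0, "epss": 0.97, "dependency_type": "transitive",
     "repository": "payments-api", "branch": "main", "file_path": "pom.xml",
     "first_commit_date": "2022-11-03", "backlog_status": "Backlog"},
    {"cve": "CVE-2022-22965", "asset": "spring-beans", "package_manager": "Maven",
     "cvss_score": 9.8, "epss": 0.90, "dependency_type": "direct",
     "repository": "payments-api", "branch": "main", "file_path": "pom.xml",
     "first_commit_date": "2024-01-15", "backlog_status": "Backlog"},
    {"cve": "CVE-2020-8203", "asset": "lodash", "package_manager": "npm",
     "cvss_score": 7.4, "epss": 0.01, "dependency_type": "transitive",
     "repository": "web-frontend", "branch": "main",
     "file_path": "package-lock.json",
     "first_commit_date": "2025-02-10", "backlog_status": "New"},
    {"cve": "CVE-2020-7598", "asset": "minimist", "package_manager": "npm",
     "cvss_score": 5.6, "epss": 0.02, "dependency_type": "transitive",
     "repository": "web-frontend", "branch": "main",
     "file_path": "package-lock.json",
     "first_commit_date": "2025-03-01", "backlog_status": "New"},
]

# Constructed export of the Issues tab: only the Log4Shell finding matched a policy.
ISSUES = [
    {"cve": "CVE-2021-44228", "repository": "payments-api", "branch": "main",
     "file_path": "pom.xml", "status": "Open"},
]


def uncovered_findings(findings: list, issues: list) -> list:
    """Findings with no corresponding issue, i.e. not promoted by any policy."""
    covered = {finding_key(i) for i in issues}
    return [f for f in findings if finding_key(f) not in covered]


def policy_gaps(findings: list, issues: list, *, today: date,
                min_epss: float = 0.1) -> list:
    """Uncovered findings that a new policy should probably promote.

    Criterion (an assumption for this example): High/Critical CVSS severity,
    or EPSS at or above min_epss. Each result carries the derived severity
    and its age in days from First Commit Date, ordered most-likely-exploited
    first so the list reads as a remediation queue.
    """
    gaps = []
    for f in uncovered_findings(findings, issues):
        severity = cvss_severity(f["cvss_score"])
        if severity not in ("High", "Critical") and f["epss"] < min_epss:
            continue  # low risk: leaving it as a raw finding is acceptable
        age = (today - date.fromisoformat(f["first_commit_date"])).days
        gaps.append({**f, "cvss_severity": severity, "age_days": age})
    gaps.sort(key=lambda g: (g["epss"], g["cvss_score"]), reverse=True)
    return gaps


if __name__ == "__main__":
    for g in policy_gaps(FINDINGS, ISSUES, today=REPORT_DATE):
        print(f'{g["cve"]:<16} {g["cvss_severity"]:<8} EPSS={g["epss"]:.2f} '
              f'{g["dependency_type"]:<10} {g["repository"]}:{g["file_path"]} '
              f'age={g["age_days"]}d ({g["backlog_status"]})')
```

Run against real exports, every row this prints is a finding that is visible in the Findings tab but absent from the Issues tab while still meeting the risk bar, which is exactly the set to write or widen a unified policy for. The fourth sample row (Medium, low EPSS) is deliberately left uncovered to show that "not promoted" is not the same as "a gap".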
The CVE vulnerability findings inventory includes the following exposed attributes. Use the Table Settings Menu to view additional properties.
| Field/attribute | Description |
|---|---|
| CVSS Severity | The Common Vulnerability Scoring System (CVSS) qualitative severity level (Low, Medium, High, Critical) assigned to the finding |
| CVE | Common Vulnerabilities and Exposures identifier associated with the finding |
| CVSS Score | The numerical CVSS score (0-10) representing the severity of the vulnerability |
| EPSS Score | The Exploit Prediction Scoring System probability (0-1) that the vulnerability will be exploited in the wild within the next 30 days |
| Name | The CVE identifier |
| Package Manager | The package management system used (such as npm, Maven, pip) |
| Asset Name | Name of the asset affected by the finding. Selecting an Asset Name in the table opens the asset's side card, displaying information about the asset without navigating away from the Findings page |
| Risk Factors | Quantifiable attributes of a finding that help you analyze and assess its risk. Options: Found in history, Valid, Privileged |
| Dependency Type | Type of dependency (direct, transitive) |
| Repository | Name of the repository hosting the asset in which the finding was detected |
| Branch | The specific branch or version of the code where the vulnerability finding was detected |
| File Path | Path to the file or location within the code where the vulnerability finding was detected |
| Data Source | Source of the finding information (the version control system) |
| Scanner | The type of scanner that detected the finding |
| Backlog Status | Indicates whether the finding is categorized as Backlog (pre-existing technical debt) or New (a recently introduced vulnerability). To understand how findings are categorized as backlog/new, refer to Issue/Finding classification by scanner |
Investigate findings
Clicking on a finding in the inventory table opens the Findings side card, which provides additional details.
Finding summary: Found at the top of the card. Includes the finding ID and type (Vulnerability for CVE vulnerability findings)
Description: A description of the finding including its location
Impact: The potential security risk the finding poses to your environment
Timestamp: When the finding was last updated
Asset details: Includes Asset (The impacted asset, such as cookie. Clicking on the asset opens the asset side card without needing to navigate away to the asset section) and Asset Type (The specific asset type in which the CVE vulnerability was identified, such as JavaScript Package)
Evidence: Provides evidence and contextual details within your software development lifecycle containing the finding:
Finding source
Data Source: The system or integration from which the finding data was originally pulled (such as GitHub or a CI/CD pipeline). Click the icon next to the data source to navigate to the data source itself
Run ID: The unique identifier of the specific scan execution during which this finding was detected
Code context
Repository: The name of the version control repository where the finding was located
Package Manager: The dependency management system (such as npm, Maven) used to include or declare the software component where the finding was detected
Branch: The specific branch within the repository containing the finding
File Path: The exact location of the finding within the repository file structure
First Hash: The commit hash of the first commit where this specific finding was introduced or detected
First Commit Date: The date of the commit that introduced the problematic code or dependency into the repository. This helps you understand how long the finding has existed and prioritize remediation based on its age
Root Package Name: The name of the primary software component analyzed by the scan
Root Package Version: The version of the primary software component analyzed by the scan
CVE Information
CVE ID: A unique identifier assigned to publicly known cybersecurity vulnerabilities, allowing for standardized tracking and referencing.
CVE Description: A concise summary detailing the nature of the vulnerability, including its affected products, impacts, and potential exploitation methods.
CVSS Severity: A qualitative ranking (e.g., Low, Medium, High, Critical) derived from the CVSS score, indicating the overall severity of the vulnerability.
CVSS Score: A numerical score (0-10) representing the Common Vulnerability Scoring System assessment of the vulnerability's characteristics and severity.
EPSS Score: The Exploit Prediction Scoring System score, a probability (0-1) estimating the likelihood of a vulnerability being exploited in the wild within the next 30 days.
Fix Version: The specific software or component version in which the vulnerability has been patched or resolved by the vendor.
Vendor Link: A direct URL to the official advisory, patch, or documentation provided by the vendor regarding the vulnerability.
Risk Factors: Specific attributes or conditions that contribute to an issue's likelihood or the severity of its impact, such as a lack of validation, hardcoded secrets, or unpatched vulnerabilities.
Traced Runtime Findings: A list of vulnerability findings that were detected in your running application