The following table describes the urgency classification criteria for each scanner type:
| Issue Type | Top Urgent | Urgent | Not Urgent | Not Applicable |
|---|---|---|---|---|
| Vulnerabilities | High EPSS score, listed in CISA KEV, deployed to production, internet-exposed, critical application, active exploit maturity | Moderate EPSS score, fixable, deployed to staging, or moderate application criticality | Low EPSS score, not reachable, not deployed, or development/testing environment with low application criticality | No code to cloud trace and no SCA-specific signals (EPSS, KEV, Reachability) available |
| Secrets | Valid or Privileged validation, public repository, deployed to production, critical application | Valid validation, private repository, or staging environment | Not validated (Unavailable), private repository, or development/testing environment with low application criticality | No code to cloud trace and no secrets-specific signals (validation, visibility) available |
| IaC Misconfigurations | Deployed to production, internet-exposed, critical application | Deployed to staging, or moderate application criticality | Not deployed, or development/testing environment with low application criticality | No code to cloud trace |
| Code Weaknesses | CWE Top 25 membership, deployed to production, internet-exposed, critical application | OWASP Top 10 membership, deployed to staging, or moderate application criticality | Not deployed, or development/testing environment with low application criticality | No code to cloud trace |