Findings
Overview
Triage security findings from repository reports and GitHub advisories in one org-wide queue.
Findings (/app/findings) is the organization-wide queue for security issues that need review. Findings can come from repository reports or GitHub repository security advisories on connected repos.
Finding sources
| Kind | Origin | Typical content |
|---|---|---|
repository_red_team |
A repository report run | Issues discovered during codebase analysis |
github_advisory |
GitHub advisory webhook | Incoming GHSA/CVE-style advisories for connected repos |
Both types appear in the same table so security teams have one place to work.
Findings list
The table includes title, risk level, source, triage status, linked report, and timestamps. Filter and sort to prioritize high-risk or unassigned work.
When no findings exist yet, the empty state links to Reports to create a repository report that can generate findings.
Finding detail
Open a finding at /app/findings/[findingId] to:
- Read description, CWE IDs, CVSS vector, and advisory links
- View triage summary and recommendations when AI triage has run
- Update the finding status and, when resolving, record a resolution (organization owners on supported deployments)
- Start or monitor triage runs with sandbox evidence and logs
- Navigate to the parent report for full scan context
Status lifecycle
Every finding moves through a single four-stage lifecycle:
| Status | Meaning |
|---|---|
| New | The finding arrived from a report or advisory and has not been triaged. |
| Triaging | An automated triage run is in progress (system-managed). |
| In review | Triage produced a verdict, or someone moved the finding into active review. |
| Resolved | The finding is closed with a recorded resolution. |
When a finding is resolved, a resolution captures why it was closed:
| Resolution | Use when |
|---|---|
| Fixed | The vulnerability was remediated. |
| Accepted risk | The issue is real but the risk is accepted. |
| False positive | The finding is not a real vulnerability. |
| Won't fix | The issue will not be addressed (also used by bulk archive). |
Resolved findings can be reopened, which returns them to New and clears the resolution.
Triage workflow
- A finding appears as New after a report completes or GitHub publishes an advisory.
- Optionally run automated triage. The finding shows Triaging while the sandbox run is active.
- When triage completes, a confirmed or inconclusive verdict lands in In review for a human decision; a not-reproducible verdict auto-resolves the finding as a False positive. If a run fails, the finding returns to its lane with a "Triage failed" indicator.
- Resolve the finding with the appropriate resolution, or drag it to the Resolved column on the board (you'll be prompted for a reason).
- Track remediation in your issue tracker; use the finding page as the system of record in Superagent.
GitHub advisories vs legacy Advisories page
Advisory triage previously lived under Protection → Advisories (/app/protection/advisories). New work should use Findings, which includes GitHub advisories alongside report-derived issues.