Findings

Overview

Triage security findings from repository reports and GitHub advisories in one org-wide queue.

Findings (/app/findings) is the organization-wide queue for security issues that need review. Findings can come from repository reports or GitHub repository security advisories on connected repos.

Finding sources

Kind Origin Typical content
repository_red_team A repository report run Issues discovered during codebase analysis
github_advisory GitHub advisory webhook Incoming GHSA/CVE-style advisories for connected repos

Both types appear in the same table so security teams have one place to work.

Findings list

The table includes title, risk level, source, triage status, linked report, and timestamps. Filter and sort to prioritize high-risk or unassigned work.

When no findings exist yet, the empty state links to Reports to create a repository report that can generate findings.

Finding detail

Open a finding at /app/findings/[findingId] to:

  • Read description, CWE IDs, CVSS vector, and advisory links
  • View triage summary and recommendations when AI triage has run
  • Update the finding status and, when resolving, record a resolution (organization owners on supported deployments)
  • Start or monitor triage runs with sandbox evidence and logs
  • Navigate to the parent report for full scan context

Status lifecycle

Every finding moves through a single four-stage lifecycle:

Status Meaning
New The finding arrived from a report or advisory and has not been triaged.
Triaging An automated triage run is in progress (system-managed).
In review Triage produced a verdict, or someone moved the finding into active review.
Resolved The finding is closed with a recorded resolution.

When a finding is resolved, a resolution captures why it was closed:

Resolution Use when
Fixed The vulnerability was remediated.
Accepted risk The issue is real but the risk is accepted.
False positive The finding is not a real vulnerability.
Won't fix The issue will not be addressed (also used by bulk archive).

Resolved findings can be reopened, which returns them to New and clears the resolution.

Triage workflow

  1. A finding appears as New after a report completes or GitHub publishes an advisory.
  2. Optionally run automated triage. The finding shows Triaging while the sandbox run is active.
  3. When triage completes, a confirmed or inconclusive verdict lands in In review for a human decision; a not-reproducible verdict auto-resolves the finding as a False positive. If a run fails, the finding returns to its lane with a "Triage failed" indicator.
  4. Resolve the finding with the appropriate resolution, or drag it to the Resolved column on the board (you'll be prompted for a reason).
  5. Track remediation in your issue tracker; use the finding page as the system of record in Superagent.

GitHub advisories vs legacy Advisories page

Advisory triage previously lived under Protection → Advisories (/app/protection/advisories). New work should use Findings, which includes GitHub advisories alongside report-derived issues.

Next steps