Skip to main content
Filters enable targeted queries on findings based on attributes such as severity, category, reachability, ecosystem, and policy status. This guide explains how finding filters work, how to apply and combine them effectively, and provides practical examples to support triage, audit, and reporting workflows across your finding inventory.

How filters work

Each filter consists of three parts.
  • Key: The attribute you want to filter (for example, Severity, Category, and Ecosystems).
  • Operator: The comparison logic (for example, equals, in, and contains).
  • Value: The target value to evaluate (for example, Critical and Vulnerability).
Finding filters use standard comparison operators to evaluate criteria. See Filter operators for detailed information about available operators and their usage when using the API.

Filter implementation techniques

You can use the following filter types to manage your findings effectively.
  • Basic filters: Use the filter bar in the Endor Labs user interface to quickly segment findings by common attributes.
  • Advanced filters: Use advanced filters to create powerful queries that drill deeper into the dataset to fetch results with a specific context.
  • Saved filters: Save your custom filters for reuse across projects.

Search for findings using basic filters

Use the following basic filters to search for information in your findings.
  • Finding Level: Limit results by finding severity level.
  • Dismissed: Include or exclude dismissed findings. See Filter dismissed findings to learn more about filtering dismissed findings.
  • Category: Choose from CI/CD, Malware, license risks, operational risks, RSPM, GitHub Actions, SAST, AI models, containers, secrets, security, supply chain, or vulnerability and view related findings.
  • Projects: Narrow findings by one or more project names.
  • Custom Tags: Narrow down the list based on custom tags.
  • Attributes: Narrow down the list based on a range of factors such as:
    • if a patch is available to fix the findings
    • if the vulnerable function is reachable
    • if the dependency is reachable
    • if the dependency originates from a current repository or a current tenant
    • if the dependency is a test dependency
    • if the dependency’s discovery type is manifest, phantom, or segment match
    • if the finding originates from itself, direct, or a transitive dependency
    • if the SAST finding is generated by the AI SAST detection agent
    • if AI SAST analysis has classified the SAST finding as a true positive or false positive
    • filter the findings by the Exploited tag from CISA KEV
    • filter the findings by the Warn or Break the Build options set in the action policy
  • EPSS Probability: Choose the Exploit Prediction Scoring System (EPSS) score range.
  • Ecosystems: Filter by language or ecosystem.
  • Location: Narrow findings by where they occur (for example, path or location in the repository).
  • Confidence: Narrow findings by detection confidence.
  • SAST Languages: Narrow SAST findings by programming language.
  • Container Layers: Narrow container findings by image layer.
  • Remediation: Narrow vulnerability findings by fix status.
    • Endor Patch Available: Filters findings where an Endor-provided patch is available to fix the vulnerability.
    • Recommended Upgrade Available: Filters findings where a recommended version upgrade is available.
  • All Time: Choose a time range.

Search for findings using advanced filters

For complex queries, use the advanced filter syntax to combine multiple attributes and apply logical operators. Toggle the Advanced option in the filter bar to enter API-style filter expressions directly in the Endor Labs application.
Search using the advanced filters applies to all the branches of a repository. You can retrieve results from any branch by specifying the relevant context ID or type. See View findings associated with a project for an example of scoping findings to a specific branch.
The Advanced Filters use the GetFinding API call to fetch results. The following table lists the available attributes for finding filters.

API filter use cases

The following examples demonstrate how to combine these attributes for common security and compliance workflows.
Find critical and high-severity findings where a fix is available and the vulnerable function is reachable.
spec.level in ["FINDING_LEVEL_CRITICAL","FINDING_LEVEL_HIGH"] and spec.finding_tags contains ["FINDING_TAGS_FIX_AVAILABLE"] and spec.finding_tags contains ["FINDING_TAGS_REACHABLE_FUNCTION"]
Identify vulnerability findings with an EPSS score greater than 10% to focus on issues most likely to be exploited in the wild.
spec.finding_categories contains ["FINDING_CATEGORY_VULNERABILITY"] and spec.finding_metadata.vulnerability.spec.epss_score.probability_score > 0.1
Retrieve all active, non-dismissed vulnerability findings for a single project.
spec.finding_categories contains ["FINDING_CATEGORY_VULNERABILITY"] and spec.project_uuid == "<project-uuid>" and spec.dismiss == false
List all vulnerability findings from PyPI packages across the namespace.
spec.finding_categories contains ["FINDING_CATEGORY_VULNERABILITY"] and spec.ecosystem in ["ECOSYSTEM_PYPI"]
Review all dismissed findings across the namespace to verify exception policies are applied correctly.
spec.dismiss == true
Retrieve findings scoped to a specific branch or repository version by providing the context ID.
context.id == "<context-id>"
Find findings tied to CVEs in the CISA KEV database that have no available fix, to assess unmitigatable risk.
spec.finding_tags contains ["FINDING_TAGS_EXPLOITED"] and spec.finding_tags contains ["FINDING_TAGS_UNFIXABLE"]
Surface supply chain findings that affect only direct dependencies to prioritize the most actionable issues.
spec.finding_categories contains ["FINDING_CATEGORY_SUPPLY_CHAIN"] and spec.finding_tags contains ["FINDING_TAGS_DIRECT"]

Saved filters

Saved filters are customizable filter settings that users can create and reuse across projects in Endor Labs. They improve efficiency by eliminating the need to manually recreate filters. You can save the advanced search filters that you created to fetch curated search results. Saved queries are visible in the drop-down list. To create a saved filter:
  1. Select Findings from the left sidebar.
  2. Toggle Advanced in the top right corner.
  3. Type or build your query in the filter bar.
  4. Click Saved Filters in the top right corner.
  5. Click Save Current.
  6. Enter a name in the Choose filter name field.
  7. Click Save.
Create saved filter

Manage saved filters

To delete a saved filter:
  1. Select User menu > Settings from the left sidebar.
  2. Select Saved Filters.
  3. Click the vertical three dots on the right side of the filter you want to delete and click Delete.
To edit a saved filter:
  1. Select User menu > Settings from the left sidebar.
  2. Select Saved Filters.
  3. Click Edit next to the filter you want to edit.
  4. You can update the name, query, and tags.
  5. Click Update to save the updated changes.
Update saved filter