Findings
A finding is a discovery of significance made following the completion of a scan. Findings result from the default out-of-the-box implementation of rule sets called Finding policies.
View findings
To view the findings associated with a project or package:
- From the left sidebar, navigate to Projects.
- To view a list of the findings associated with your project you can click the findings tab in the upper navigation.
- If you’d like to see the projects with an associated package only, select that package and then click the findings tab in the upper navigation.
- Review the list of findings. To see more information about a specific finding click the finding to see the finding details.
Understand finding attributes
Finding attributes are characteristics or properties associated with each discovered issue or result obtained from a scan. These attributes could include the following details and metadata.
| Attribute | Description |
|---|---|
| Blocker | Finding was marked as blocking by an action policy. |
| Direct | Finding applies to a direct dependency. |
| Exception | Finding was marked as exempt from action policies by an exception policy. |
| External Path Only | Finding applies to a transitive dependency that can only be reached via external, non-oss, project path(s). |
| First Party | Finding applies to a dependency that belongs to the same namespace. |
| Fix Available | There is a fix available for the CVE reported in this finding. |
| Invalid Secret | Finding applies to an invalid secret. |
| Malware | Finding applies to a malicious package. |
| Normal | Finding applies to a normal, non-test, dependency. |
| Notification | Finding triggered a notification based on an action policy. |
| Phantom | Finding applies to a phantom dependency. |
| Policy Based | Finding was generated by a Rego based finding policy. |
| Potentially Reachable Dependency | Finding applies to a potentially reachable dependency. |
| Potentially Reachable Function | Finding applies to a potentially reachable function. |
| Reachable Dependency | Finding applies to a reachable dependency. |
| Reachable Function | Finding applies to a reachable function. |
| Same Repository | Finding applies to a dependency that belongs to the same project. |
| Self | Finding applies only to the analyzed package version, there is no dependency involved. |
| Test | Finding applies to a dependency that is not in production code. |
| Transitive | Finding applies to a transitive (indirect) dependency. |
| Under Review | Finding applies to suspicious package under review. |
| Unfixable | There is no fix available for the CVE reported in this finding. |
| Unreachable Dependency | Finding applies to an unreachable dependency. |
| Unreachable Function | Finding applies to an unreachable function. |
| Valid Secret | Finding applies to a valid secret. |
| Warning | Finding triggered a warning based on an action policy. |
View GitHub Action findings (Beta)
GitHub Actions is a CI/CD platform that allows you to automate your build, test, and deployment pipelines. You can create workflows that build and test pull requests to your repository, or deploy merged pull requests to production. To mitigate vulnerabilities within the supply chain, comprehensive visibility into GitHub Action workflows and their relationships in your repository is crucial. You can then proceed to identify and fix weak points within the system.
When you run an endorctl scan, it detects GitHub Action workflows used in your repository. It proceeds to scan all the repositories included in the detected workflows and creates findings. The GitHub Action is mapped as a package and discovers direct and transitive dependencies.
To view GitHub Action findings:
- From the left sidebar, navigate to Projects.
- Search for and select a project and select Findings.
- Click CI Workflows to view GitHub Actions findings.
Note
- Vulnerabilities and dependencies associated with GitHub Action packages written in JavaScript or TypeScript are detected by Endor Labs.
- Private GitHub Actions and private reusable workflows referenced from other repositories are not detected.
Search for findings using basic filters
Use the following basic filters to search for information in your findings.
- C - Findings with critical severity.
- H - Findings with high severity.
- M - Findings with medium severity.
- L - Findings with low severity.
- Category - Choose from CI/CD, Malware, license risks, operational risks, SCPM, secrets, security, supply chain, or vulnerability and view related findings.
- Hide Dismissed - Select to hide dismissed findings. You can view active findings without clutter.
- Attributes - Narrow down the list based on a range of factors such as, if a patch is available, if the vulnerable function is reachable, if the dependency is reachable, if the dependency originates from a current repository or a current tenant, is a test dependency, is a phantom dependency, or if the finding originates from itself, direct, or a transitive dependency.
- EPSS Probability - Choose the Exploit Prediction Scoring System (EPSS) score range.
- All Time - Choose a time range.
- Eco System - Choose from available options to filter based on a language or an ecosystem.
Search for findings using advanced filters
Use advanced filters to create powerful queries that drill deeper into the dataset to fetch results with a specific context.
Important
Search using the advanced filters applies to the default branch of a repository and does not yield results from other branches.
As an example, if the default branch for the abccorp/devproject project is set to main and there is a second branch named bugfix/bug-description, then using advanced filters in the search will not yield search results from the bugfix/bug-description branch, even if you try to filter on the context id or type.
Check Projects to see the default branch of your project. To change the default branch, use --as-default-branch while performing the endorctl scan. See scanning strategies for information on testing and monitoring different versions of your code.
The Advanced Filters use the GetFinding API call to fetch results.
The following table lists some example attributes that you can use in your custom API calls. See also example combinations below.
| Attribute | API Query |
|---|---|
| Severity | spec.level in ["FINDING_LEVEL_CRITICAL","FINDING_LEVEL_HIGH"] |
| Category | spec.finding_categories contains ["FINDING_CATEGORY_VULNERABILITY"] |
| Fixable | spec.finding_tags contains ["FINDING_TAGS_FIX_AVAILABLE"] |
| Reachability | spec.finding_tags contains ["FINDING_TAGS_REACHABLE_FUNCTION"] |
| Ecosystem | spec.ecosystem in ["ECOSYSTEM_MAVEN"] |
| EPSS score greater than 10% | spec.finding_metadata.vulnerability.spec.epss_score.probability_score > 0.1 |
| EPSS score less than or equal to 100 | spec.finding_metadata.vulnerability.spec.epss_score.probability_score <= 1 |
| Only query a given project | spec.project_uuid=="UUID of the project" |
Examples
Show all findings of critical vulnerability and high severity that have a fix available, with a reachable function and EPSS score greater than 10%
spec.level in ["FINDING_LEVEL_CRITICAL","FINDING_LEVEL_HIGH"] and spec.finding_tags contains ["FINDING_TAGS_FIX_AVAILABLE"] and spec.finding_tags contains ["FINDING_TAGS_REACHABLE_FUNCTION"] and spec.finding_metadata.vulnerability.spec.epss_score.probability_score > 0.1
Show vulnerabilities for a specific project
spec.finding_categories contains ["FINDING_CATEGORY_VULNERABILITY"] and spec.project_uuid == "660e2bc48c7d4e60a5fc692f"
Show vulnerabilities for a specific language in a specific project
spec.finding_categories contains ["FINDING_CATEGORY_VULNERABILITY"] and spec.ecosystem in ["ECOSYSTEM_PYPI"] and spec.project_uuid == "660e2bc48c7d4e60a5fc692f"
Save search
You can save the advanced search filters that you created to fetch curated search results. When you save a search, it allows you to easily access the target results and save time.
After typing in the query in the Advance Filter, enter a title in the field on the top right corner and click the Save icon or Save New Filter.
Saved queries are visible in the drop-down list.
Manage findings
See Finding policies for details on how to configure findings.
Act on findings
See Action policies for details on how to define and trigger workflows based on findings that meet a given set of criteria.
Dismiss findings
Users can dismiss a specific finding if they think it is expected behavior, low priority, or if it is an already addressed incident. This can help reduce clutter.
- From the left sidebar, navigate to Projects.
- Search for and select a project and select Findings.
- Search for findings using advanced or basic filters.
- Click a finding and select Dismiss Finding. The finding is tagged as Dismissed.
Export findings
Users can export finding details to a CSV file for offline analysis.
- From the left sidebar, navigate to Projects.
- Search for and select a project and select Findings.
- Search for findings using advanced or basic filters.
- Click Export Findings and select the fields that you want to include in the CSV file.
- Click Export to CSV. The file is downloaded to your system.
Feedback
Was this page helpful? Send your feedback to support@endor.ai