This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Findings

Find and manage priority issues

A finding is a discovery of significance made following the completion of a scan. Findings result from the default out-of-the-box implementation of rule sets called Finding policies.

View all findings

To view different types of findings associated with all projects or packages in your tenant:

  1. From the left sidebar, navigate to Findings.
  2. The preset filters help you in locating the findings that matter most to you.
    • Choose Prioritized Findings to view a list of critical vulnerability findings in the last 30 days that have either a reachable function or a reachable dependency, are not test dependencies, and have an available fix.
    • Choose from a list of options under Code Dependenciesto view a list of Vulnerability, Operational, License Risk, or Malware findings.
    • Choose Secrets to find a list of findings related to exposed secrets.
    • Choose from a list of options under CI/CD to view findings related to GitHub Actions, CI/CD Tools, and RSPM.
    • Choose Containers to view container findings.
  3. Use Saved Filters to create and save your frequently used searches, helping you save time.
  4. Search for findings using basic filters.
  5. Toggle Advanced and search for findings using advanced filters.
  6. To apply exceptions to findings, select findings and click Actions > Add Exception.
  7. To export findings, select the findings, and click Actions > Export Selected or Export All.

Findings IA.

View findings associated with a project

To view the findings associated with a project:

  1. From the left sidebar, navigate to Projects.
  2. Select the project for which you want to view the findings. The Findings page includes the list of findings specific to the project.
  3. Review the list of findings. Click the finding to see its details.

View findings associated with a package

To view the findings associated with a package:

  1. From the left sidebar, navigate to My Packages.
  2. Select the package for which you want to view the findings. You might need to use the search bar to find your package.
  3. Select the version for which you want to view the findings. The Findings page appears with the list of findings specific to the package version.
  4. Review the list of findings. Click the finding to see its details.

Finding attributes

Finding attributes are characteristics or properties associated with each discovered issue or result obtained from a scan. These attributes could include the following details and metadata.

Attribute Description
Blocker Finding was marked as blocking by an action policy.
Direct Finding applies to a direct dependency.
Exception Finding was marked as exempt from action policies by an exception policy.
Exploited The CVE reported in this finding is actively exploited and is listed in the Known Exploited Vulnerabilities (KEV) database.
External Path Only Finding applies to a transitive dependency that can only be reached via external, non-OSS, project paths.
First Party Finding applies to a dependency that belongs to the same namespace.
Fix Available A fix is available for the CVE reported in this finding.
Invalid Secret Finding applies to an invalid secret.
Malware Finding applies to a malicious package.
Normal Finding applies to a normal, non-test, dependency.
Notification Finding triggered a notification based on an action policy.
Phantom Finding applies to a phantom dependency.
Policy Based Finding was generated by a Rego based finding policy.
Potentially Reachable Dependency Finding applies to a potentially reachable dependency.
Potentially Reachable Function Finding applies to a potentially reachable function.
Reachable Dependency Finding applies to a reachable dependency.
Reachable Function Finding applies to a reachable function.
Same Repository Finding applies to a dependency that belongs to the same project.
Self Finding applies only to the analyzed package version, there is no dependency involved.
Test Finding applies to a dependency that is not in production code.
Transitive Finding applies to a transitive (indirect) dependency.
Under Review Finding applies to suspicious package under review.
Unfixable There is no fix available for the CVE reported in this finding.
Unreachable Dependency Finding applies to an unreachable dependency.
Unreachable Function Finding applies to an unreachable function.
Valid Secret Finding applies to a valid secret.
Warning Finding triggered a warning based on an action policy.

View GitHub Action findings

GitHub Actions is a CI/CD platform that allows you to automate your build, test, and deployment pipelines. You can create workflows that build and test pull requests to your repository, or deploy merged pull requests to production. To mitigate vulnerabilities within the supply chain, comprehensive visibility into GitHub Action workflows and their relationships in your repository is crucial. You can then proceed to identify and fix weak points within the system.

When you run an endorctl scan, it detects GitHub Action workflows used in your repository. It proceeds to scan all the repositories included in the detected workflows and creates findings. The GitHub Action is mapped as a package and discovers direct and transitive dependencies.

To view GitHub Action findings:

  1. From the left sidebar, navigate to Projects.
  2. Search for and select a project and select Findings.
  3. Click CI Workflows to view GitHub Actions findings.

View GitHub Actions

Search for findings using basic filters

Use the following basic filters to search for information in your findings.

  • C - Findings with critical severity.
  • H - Findings with high severity.
  • M - Findings with medium severity.
  • L - Findings with low severity.
  • Category - Choose from CI/CD, Malware, license risks, operational risks, RSPM, secrets, security, supply chain, or vulnerability and view related findings.
  • Hide Dismissed - Select to hide dismissed findings. You can view active findings without clutter.
  • Attributes - Narrow down the list based on a range of factors such as, if a patch is available, if the vulnerable function is reachable, if the dependency is reachable, if the dependency originates from a current repository or a current tenant, is a test dependency, is a phantom dependency, or if the finding originates from itself, direct, or a transitive dependency.
  • EPSS Probability - Choose the Exploit Prediction Scoring System (EPSS) score range.
  • All Time - Choose a time range.
  • Eco System - Choose from available options to filter based on a language or an ecosystem.

Search for findings using advanced filters

Use advanced filters to create powerful queries that drill deeper into the dataset to fetch results with a specific context.

The Advanced Filters use the GetFinding API call to fetch results.

The following table lists some example attributes, you can use in your custom API calls. See also example combinations below.

Attribute API Query
Severity spec.level in ["FINDING_LEVEL_CRITICAL","FINDING_LEVEL_HIGH"]
Category spec.finding_categories contains ["FINDING_CATEGORY_VULNERABILITY"]
Fixable spec.finding_tags contains ["FINDING_TAGS_FIX_AVAILABLE"]
Reachability spec.finding_tags contains ["FINDING_TAGS_REACHABLE_FUNCTION"]
Ecosystem spec.ecosystem in ["ECOSYSTEM_MAVEN"]
EPSS score greater than 10% spec.finding_metadata.vulnerability.spec.epss_score.probability_score > 0.1
EPSS score less than or equal to 100 spec.finding_metadata.vulnerability.spec.epss_score.probability_score <= 1
Only query a given project spec.project_uuid=="UUID of the project"

Examples

Show all findings of critical vulnerability and high severity that have a fix available, with a reachable function and EPSS score greater than 10%

spec.level in ["FINDING_LEVEL_CRITICAL","FINDING_LEVEL_HIGH"] and spec.finding_tags contains ["FINDING_TAGS_FIX_AVAILABLE"] and spec.finding_tags contains ["FINDING_TAGS_REACHABLE_FUNCTION"] and spec.finding_metadata.vulnerability.spec.epss_score.probability_score > 0.1

Show vulnerabilities for a specific project

spec.finding_categories contains ["FINDING_CATEGORY_VULNERABILITY"] and spec.project_uuid == "660e2bc48c7d4e60a5fc692f"

Show vulnerabilities for a specific language in a specific project

spec.finding_categories contains ["FINDING_CATEGORY_VULNERABILITY"] and spec.ecosystem in ["ECOSYSTEM_PYPI"] and spec.project_uuid == "660e2bc48c7d4e60a5fc692f"

You can save the advanced search filters that you created to fetch curated search results. You can easily access the target results and save time.

After typing in the query in the Advance Filter, enter a title in the field on the top right corner and click the Save icon or Save New Filter.

Saved queries are visible in the drop-down list.

Search for exceptions

Findings that are associated with exception policies do not trigger notifications.

To search for findings that are associated with exceptions,

  1. From the left sidebar, navigate to Projects.
  2. Search for and select a project, and select Findings.
  3. From the DEPENDENCY tab, choose Basic Filters.
  4. Click Exceptions and toggle Show Exceptions.
  5. You can search for a specific exception policy name, reason, or expiry range to filter the relevant results.

Manage findings

See Finding policies for details on how to configure findings.

Act on findings

See Action policies for details on how to define and trigger workflows based on findings that meet a given set of criteria.

Export findings

Users can export finding details to a CSV file for offline analysis.

  1. From the left sidebar, navigate to Projects.
  2. Search for and select a project and select Findings.
  3. Search for findings using advanced or basic filters.
  4. Click Export Findings and select the fields that you want to include in the CSV file.
  5. Click Export to CSV. The file is downloaded to your system.

Apply exception to findings

Add an exception policy to prevent this finding from triggering action policies in future scans.

  1. From the left sidebar, navigate to Projects.
  2. Search for and select a project, and select Findings.
  3. Search for findings using advanced or basic filters.
  4. Click a finding and from Actions choose Add Exception. See Create exception policy for details on how to create and apply exceptions.