Findings

Findings are individual security vulnerabilities discovered by scanners and ingested into servasec.

Lifecycle

A finding follows this status lifecycle:

Open -> Confirmed -> Fixed -> Closed
       |
    Dismissed

  • Open - newly ingested, awaiting review
  • Confirmed - triaged and acknowledged as a real issue
  • Fixed - remediation applied, pending verification
  • Closed - verified as resolved
  • Dismissed - determined to be a false positive or acceptable risk
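The lifecycle above is a small state machine, and the Timeline field described below is just the log of its transitions. The following is an added example (not servasec's own code) that encodes the diagram as a transition table, rejects any status change the diagram does not allow, and records each accepted change. The diagram does not say whether a Confirmed finding may still be Dismissed; the table treats that as allowed and marks it as an assumption, and the actor names used are constructed.

```python
"""Finding status lifecycle with a transition log (added example, not servasec code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

OPEN, CONFIRMED, FIXED, CLOSED, DISMISSED = (
    "Open", "Confirmed", "Fixed", "Closed", "Dismissed",
)

# Allowed transitions taken from the lifecycle diagram:
# current status -> set of statuses it may move to.
TRANSITIONS = {
    OPEN: {CONFIRMED, DISMISSED},
    CONFIRMED: {FIXED, DISMISSED},  # Confirmed -> Dismissed is an assumption, not shown on the page
    FIXED: {CLOSED},
    CLOSED: set(),     # terminal: verified as resolved
    DISMISSED: set(),  # terminal: false positive or accepted risk
}


class InvalidTransition(ValueError):
    """Raised when a status change is not permitted by the lifecycle."""


@dataclass
class TimelineEntry:
    previous: str
    new: str
    actor: str
    at: datetime


@dataclass
class Finding:
    id: str
    status: str = OPEN
    timeline: list = field(default_factory=list)

    def transition(self, new_status: str, actor: str) -> None:
        """Move to new_status if the lifecycle allows it, logging the change."""
        if new_status not in TRANSITIONS:
            raise InvalidTransition(f"unknown status {new_status!r}")
        if new_status not in TRANSITIONS[self.status]:
            raise InvalidTransition(f"{self.status} -> {new_status} is not allowed")
        self.timeline.append(
            TimelineEntry(self.status, new_status, actor, datetime.now(timezone.utc))
        )
        self.status = new_status

    def is_terminal(self) -> bool:
        return not TRANSITIONS[self.status]


def can_transition(current: str, new: str) -> bool:
    """True if the lifecycle permits current -> new."""
    return new in TRANSITIONS.get(current, set())


def timeline_summary(finding: Finding) -> list:
    """Human-readable history, e.g. ['Open -> Confirmed (alice)', ...]."""
    return [f"{e.previous} -> {e.new} ({e.actor})" for e in finding.timeline]


if __name__ == "__main__":
    f = Finding("example-finding")  # constructed id
    for status, who in [(CONFIRMED, "alice"), (FIXED, "bob"), (CLOSED, "alice")]:
        f.transition(status, who)
    print(f.status, timeline_summary(f))
```

Keeping the table as data rather than as scattered `if` checks means a reviewer can see every permitted edge at a glance, and the terminal states (`Closed`, `Dismissed`) cannot be reopened by accident.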

Finding detail

Each finding page includes:

  • Severity - Critical, High, Medium, Low, or Info
  • Scanner - source scanner (Semgrep, Trivy, etc.)
  • Location - file path and line number
  • Description - detailed explanation of the vulnerability
  • Remediation - suggested fix
  • References - links to relevant documentation or CVEs
  • Comments - threaded discussion per finding
  • Assignee - responsible team member
  • Timeline - status change history

Assigning findings

Users can be assigned to findings for accountability:

PATCH /api/findings/{id}
Content-Type: application/json

{
  "assigned_to": "user-uuid"
}

Review and comments

Each finding supports a review workflow with threaded comments:

POST /api/findings/{id}/comments
Content-Type: application/json

{
  "content": "Reviewed the code, this is a valid XSS vector."
}
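The two calls above (assigning a finding and posting a review comment) can be built and validated on the client before anything is sent. The following is an added example, not servasec's own client: it constructs both requests with the standard library, rejects an `assigned_to` value that is not a UUID and an empty comment, and returns the unsent request objects so they can be inspected. `BASE_URL`, the bearer-token header and the finding id are placeholders and assumptions; the page does not describe the API's authentication.

```python
"""Build the assign and comment requests from this page (added example, not servasec code)."""
import json
import uuid
from urllib.request import Request, urlopen

BASE_URL = "https://servasec.example"  # placeholder, not a real deployment


def _json_request(method: str, path: str, body: dict, token: str) -> Request:
    """Build a JSON request; the Authorization header scheme is an assumption."""
    req = Request(f"{BASE_URL}{path}", data=json.dumps(body).encode(), method=method)
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", f"Bearer {token}")
    return req


def build_assign_request(finding_id: str, user_id: str, token: str) -> Request:
    """PATCH /api/findings/{id} with {"assigned_to": user-uuid}."""
    # Reject malformed ids client-side rather than relying on the API's error.
    canonical = str(uuid.UUID(str(user_id)))  # raises ValueError if not a UUID
    return _json_request("PATCH", f"/api/findings/{finding_id}",
                         {"assigned_to": canonical}, token)


def build_comment_request(finding_id: str, content: str, token: str) -> Request:
    """POST /api/findings/{id}/comments with {"content": text}."""
    if not content.strip():
        raise ValueError("comment content must not be empty")
    return _json_request("POST", f"/api/findings/{finding_id}/comments",
                         {"content": content}, token)


def request_body(req: Request) -> dict:
    """Decode the JSON body of a built request (used for inspection/tests)."""
    return json.loads(req.data.decode())


def send(req: Request) -> dict:
    """Send a built request and decode the JSON response (not used offline)."""
    with urlopen(req) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Constructed values; nothing is sent here.
    assign = build_assign_request("example-id", "123e4567-e89b-12d3-a456-426614174000", "TOKEN")
    comment = build_comment_request("example-id", "Reviewed the code, this is a valid XSS vector.", "TOKEN")
    print(assign.get_method(), assign.full_url, request_body(assign))
    print(comment.get_method(), comment.full_url, request_body(comment))
```

Normalising the UUID through `uuid.UUID` before sending it also means a value such as `{123e4567-...}` or upper-case hex reaches the API in one canonical form, which keeps assignment records consistent.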