A finding is a discovery of significance made following the completion of a scan. Findings result from the default out-of-the-box implementation of rule sets called Finding policies.
View all findings
To view different types of findings associated with all projects or packages in your tenant:
- From the left sidebar, navigate to Findings.
- The preset filters help you locate the findings that matter most to you.
- Choose Prioritized Findings to view a list of critical vulnerability findings in the last 30 days that have either a reachable function or a reachable dependency, are not test dependencies, and have an available fix.
- Choose from a list of options under Code Dependencies to view a list of Vulnerability, Operational, License Risk, or Malware findings.
- Choose Secrets to find a list of findings related to exposed secrets.
- Choose from a list of options under CI/CD to view findings related to GitHub Actions, CI/CD Tools, and RSPM.
- Choose Containers to view container findings.
- Use Saved Filters to create and save your frequently used searches, helping you save time.
- Search for findings using basic filters.
- Toggle Advanced and search for findings using advanced filters.
- To apply exceptions to findings, select findings and click Actions > Add Exception.
- To export findings, select the findings, and click Actions > Export Selected or Export All.
View findings associated with a project
To view the findings associated with a project:
- From the left sidebar, navigate to Projects.
- Select the project for which you want to view the findings. The Findings page includes the list of findings specific to the project.
- Review the list of findings. Click the finding to see its details.
View findings associated with a package
To view the findings associated with a package:
- From the left sidebar, navigate to My Packages.
- Select the package for which you want to view the findings. You might need to use the search bar to find your package.
- Select the version for which you want to view the findings. The Findings page appears with the list of findings specific to the package version.
- Review the list of findings. Click the finding to see its details.
Finding attributes
Finding attributes are characteristics or properties associated with each discovered issue or result obtained from a scan. These attributes could include the following details and metadata.
Attribute | Description |
---|---|
Blocker | Finding was marked as blocking by an action policy. |
Direct | Finding applies to a direct dependency. |
Exception | Finding was marked as exempt from action policies by an exception policy. |
External Path Only | Finding applies to a transitive dependency that can only be reached via external, non-OSS, project paths. |
First Party | Finding applies to a dependency that belongs to the same namespace. |
Fix Available | A fix is available for the CVE reported in this finding. |
Invalid Secret | Finding applies to an invalid secret. |
Malware | Finding applies to a malicious package. |
Normal | Finding applies to a normal, non-test, dependency. |
Notification | Finding triggered a notification based on an action policy. |
Phantom | Finding applies to a phantom dependency. |
Policy Based | Finding was generated by a Rego based finding policy. |
Potentially Reachable Dependency | Finding applies to a potentially reachable dependency. |
Potentially Reachable Function | Finding applies to a potentially reachable function. |
Reachable Dependency | Finding applies to a reachable dependency. |
Reachable Function | Finding applies to a reachable function. |
Same Repository | Finding applies to a dependency that belongs to the same project. |
Self | Finding applies only to the analyzed package version; there is no dependency involved. |
Test | Finding applies to a dependency that is not in production code. |
Transitive | Finding applies to a transitive (indirect) dependency. |
Under Review | Finding applies to a suspicious package under review. |
Unfixable | There is no fix available for the CVE reported in this finding. |
Unreachable Dependency | Finding applies to an unreachable dependency. |
Unreachable Function | Finding applies to an unreachable function. |
Valid Secret | Finding applies to a valid secret. |
Warning | Finding triggered a warning based on an action policy. |
View GitHub Action findings
GitHub Actions is a CI/CD platform that allows you to automate your build, test, and deployment pipelines. You can create workflows that build and test pull requests to your repository, or deploy merged pull requests to production. To mitigate vulnerabilities within the supply chain, comprehensive visibility into GitHub Action workflows and their relationships in your repository is crucial. You can then proceed to identify and fix weak points within the system.
When you run an endorctl scan, it detects GitHub Action workflows used in your repository. It proceeds to scan all the repositories included in the detected workflows and creates findings. Each GitHub Action is mapped as a package, and its direct and transitive dependencies are discovered.
To view GitHub Action findings:
- From the left sidebar, navigate to Projects.
- Search for and select a project and select Findings.
- Click CI Workflows to view GitHub Actions findings.
Note
- Vulnerabilities and dependencies associated with GitHub Action packages written in JavaScript or TypeScript are detected by Endor Labs.
- Private GitHub Actions and private reusable workflows referenced from other repositories are not detected.
Search for findings using basic filters
Use the following basic filters to search for information in your findings.
- C - Findings with critical severity.
- H - Findings with high severity.
- M - Findings with medium severity.
- L - Findings with low severity.
- Category - Choose from CI/CD, Malware, license risks, operational risks, RSPM, secrets, security, supply chain, or vulnerability and view related findings.
- Hide Dismissed - Select to hide dismissed findings. You can view active findings without clutter.
- Attributes - Narrow down the list based on a range of factors, such as whether a patch is available, whether the vulnerable function is reachable, whether the dependency is reachable, whether the dependency originates from the current repository or the current tenant, whether it is a test dependency or a phantom dependency, or whether the finding originates from the package itself, a direct dependency, or a transitive dependency.
- EPSS Probability - Choose the Exploit Prediction Scoring System (EPSS) score range.
- All Time - Choose a time range.
- Eco System - Choose from available options to filter based on a language or an ecosystem.
Search for findings using advanced filters
Use advanced filters to create powerful queries that drill deeper into the dataset to fetch results with a specific context.
Important
Search using the advanced filters applies to the default branch of a repository and does not yield results from other branches.
As an example, if the default branch for the abccorp/devproject project is set to main and there is a second branch named bugfix/bug-description, then using advanced filters in the search won't yield search results from the bugfix/bug-description branch, even if you try to filter on the context id or type.
Check Projects to see the default branch of your project. To change the default branch, use --as-default-branch while performing the endorctl scan. See scanning strategies for information on testing and monitoring different versions of your code.
The Advanced Filters use the GetFinding API call to fetch results.
The following table lists some example attributes that you can use in your custom API calls. See also the example combinations below.
Attribute | API Query |
---|---|
Severity | spec.level in ["FINDING_LEVEL_CRITICAL","FINDING_LEVEL_HIGH"] |
Category | spec.finding_categories contains ["FINDING_CATEGORY_VULNERABILITY"] |
Fixable | spec.finding_tags contains ["FINDING_TAGS_FIX_AVAILABLE"] |
Reachability | spec.finding_tags contains ["FINDING_TAGS_REACHABLE_FUNCTION"] |
Ecosystem | spec.ecosystem in ["ECOSYSTEM_MAVEN"] |
EPSS score greater than 10% | spec.finding_metadata.vulnerability.spec.epss_score.probability_score > 0.1 |
EPSS score less than or equal to 100% | spec.finding_metadata.vulnerability.spec.epss_score.probability_score <= 1 |
Only query a given project | spec.project_uuid=="UUID of the project" |
Examples
Show all findings of critical and high severity that have a fix available, a reachable function, and an EPSS score greater than 10%
spec.level in ["FINDING_LEVEL_CRITICAL","FINDING_LEVEL_HIGH"] and spec.finding_tags contains ["FINDING_TAGS_FIX_AVAILABLE"] and spec.finding_tags contains ["FINDING_TAGS_REACHABLE_FUNCTION"] and spec.finding_metadata.vulnerability.spec.epss_score.probability_score > 0.1
Show vulnerabilities for a specific project
spec.finding_categories contains ["FINDING_CATEGORY_VULNERABILITY"] and spec.project_uuid == "660e2bc48c7d4e60a5fc692f"
Show vulnerabilities for a specific language in a specific project
spec.finding_categories contains ["FINDING_CATEGORY_VULNERABILITY"] and spec.ecosystem in ["ECOSYSTEM_PYPI"] and spec.project_uuid == "660e2bc48c7d4e60a5fc692f"
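The following builder is an added example, not Endor Labs code: it composes filter expressions from the field paths and enum values in the table above and dry-runs the same criteria against constructed finding records. The helper names, the record shape, and the local matching semantics are assumptions made for illustration.

```python
import json

# Field paths and enum values are the ones in the attribute table above.
EPSS = "spec.finding_metadata.vulnerability.spec.epss_score.probability_score"

def _arr(values):  # JSON array without spaces, as in the table: ["A","B"]
    return json.dumps(list(values), separators=(",", ":"))

def build_filter(levels=(), categories=(), tags=(), ecosystems=(),
                 min_epss=None, project_uuid=None):
    """Compose an advanced-filter expression; clauses are joined with 'and'."""
    if min_epss is not None and not 0 <= min_epss <= 1:
        raise ValueError("EPSS probability is a fraction in [0, 1]: 10% is 0.1")
    clauses = [f"spec.level in {_arr(levels)}"] if levels else []
    clauses += [f"spec.finding_categories contains {_arr([c])}" for c in categories]
    clauses += [f"spec.finding_tags contains {_arr([t])}" for t in tags]
    if ecosystems:
        clauses.append(f"spec.ecosystem in {_arr(ecosystems)}")
    if min_epss is not None:
        clauses.append(f"{EPSS} > {min_epss}")
    if project_uuid:
        clauses.append(f"spec.project_uuid == {json.dumps(project_uuid)}")
    return " and ".join(clauses)

def _get(obj, path):  # walk a dotted path, returning None if any key is missing
    for key in path.split("."):
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj

def matches(finding, levels=(), categories=(), tags=(), ecosystems=(),
            min_epss=None, project_uuid=None):
    """Assumed local reading of the same criteria, for offline dry runs."""
    spec, epss = finding.get("spec", {}), _get(finding, EPSS)
    return ((not levels or spec.get("level") in levels)
            and set(categories) <= set(spec.get("finding_categories", []))
            and set(tags) <= set(spec.get("finding_tags", []))
            and (not ecosystems or spec.get("ecosystem") in ecosystems)
            and (min_epss is None or (epss is not None and epss > min_epss))
            and (not project_uuid or spec.get("project_uuid") == project_uuid))

def sample(level, tags, epss=None):  # constructed record, not real API output
    vuln = {"vulnerability": {"spec": {"epss_score": {"probability_score": epss}}}}
    return {"spec": {"level": level, "finding_tags": tags, "finding_metadata": vuln}}

WANT = dict(levels=["FINDING_LEVEL_CRITICAL", "FINDING_LEVEL_HIGH"], min_epss=0.1,
            tags=["FINDING_TAGS_FIX_AVAILABLE", "FINDING_TAGS_REACHABLE_FUNCTION"])
SAMPLES = [sample("FINDING_LEVEL_CRITICAL", WANT["tags"], 0.42),              # match
           sample("FINDING_LEVEL_HIGH", ["FINDING_TAGS_FIX_AVAILABLE"], 0.9),  # no reachable tag
           sample("FINDING_LEVEL_CRITICAL", WANT["tags"])]                    # no EPSS score
```

`build_filter(**WANT)` reproduces the first example query above. A record without an EPSS score is excluded as soon as an EPSS threshold is set, which is worth remembering when a saved filter is meant to cover findings other than vulnerabilities.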
Save search
You can save the advanced search filters that you created to fetch curated search results. You can easily access the target results and save time.
After typing the query in the Advanced Filter, enter a title in the field in the top right corner and click the Save icon or Save New Filter.
Saved queries are visible in the drop-down list.
Search for exceptions
Findings that are associated with exception policies do not trigger notifications.
To search for findings that are associated with exceptions:
- From the left sidebar, navigate to Projects.
- Search for and select a project, and select Findings.
- From the DEPENDENCY tab, choose Basic Filters.
- Click Exceptions and toggle Show Exceptions.
- You can search for a specific exception policy name, reason, or expiry range to filter the relevant results.
Manage findings
See Finding policies for details on how to configure findings.
Act on findings
See Action policies for details on how to define and trigger workflows based on findings that meet a given set of criteria.
Export findings
Users can export finding details to a CSV file for offline analysis.
- From the left sidebar, navigate to Projects.
- Search for and select a project and select Findings.
- Search for findings using advanced or basic filters.
- Click Export Findings and select the fields that you want to include in the CSV file.
- Click Export to CSV. The file is downloaded to your system.
Apply exception to findings
Add an exception policy to prevent a finding from triggering action policies in future scans.
- From the left sidebar, navigate to Projects.
- Search for and select a project, and select Findings.
- Search for findings using advanced or basic filters.
- Click a finding and from Actions choose Add Exception. See Create exception policy for details on how to create and apply exceptions.