Skip to main content

Triaging SAST Results

Each risk instance in your project is assigned a risk state. When a new risk is identified, its initial state is set to To Verify, meaning it hasn't been assessed by your AppSec team yet. The severity of the risk is primarily based on the CVSS score of the vulnerability. Your AppSec team can then update the risk state to one of the following options:

  • Not Exploitable - Select this state if your team has determined that this risk doesn’t threaten your application (and isn’t expected to cause a risk at any time in the future).

  • Proposed Not Exploitable - Select this state if your team has tentatively suggested that this risk doesn’t threaten your application.

  • Confirmed - Select this state if your team has confirmed that this risk poses a threat and requires mitigation.

  • Urgent - Select this state if your team has determined that this risk poses an imminent threat and requires urgent mitigation.

When changing the Result State to Not Exploitable or Proposed Not Exploitable, a note is required to confirm the change. A change log at the bottom tracks all past changes for a single result. When multiple results are updated, the Edit title includes the number of selected results, and hovering over the State dropdown displays them.

Notice

You need update-result-not-exploitable, update-result-state-propose-not-exploitable, and add-notes permissions to use this feature.

Important

Known limitation: this functionality is not enforced via plugins; it will be added later.

mandatory_comment.png
edit_multiresults.png

Based on your AppSec team's determination, the score can be adjusted to a score between 0.0 and 10.0 with the following severity breakdown:

  • Critical - 9.0 to 10.0

  • High - 7.0 to 8.9

  • Medium - 4.0 to 6.9

  • Low - 0.1 to 3.9

  • Info - 0.0

Note

Users with permissions such as Update-result-severity or Update-result-severity-if-in-group can change the risk severity or score.

There are three ways to triage the results:

  • From the Table View: Select a result from the table to open a new job. Change the severity or state using the Edit dropdown and click Save.   

    triagesast2.png

  •  Using Checkboxes: Select one or more results by checking their boxes. Then, use the Edit dropdown above the table to change their severity or state and click Save.   

  • Through the View Code Tab: Select one or multiple results in the View Code tab, adjust the severity or state using the Edit dropdown, and click Save.

    triagesast1.png

Adding Notes

Use notes to document your work with a vulnerability or improve collaboration by sharing it with colleagues. Clicking Add Note opens the note panel, where you can view the highlighted risk, add a new note, or view previous notes. Make sure to click Save Note before exiting.

Hover over the Add Note icon note_icon.png to view the latest notes and the number of notes of a vulnerability. Notes are only available for one result at a time and are viewable by multiple users. Previous notes are only visible one at a time and may be deleted by hovering over them and selecting Delete.

In this section: