Risk Orchestration
Risk Orchestration provides a unified view of all scan results across your security engines in a single, consolidated table. Instead of reviewing findings separately in each scanner, you can see everything in one place, organized by severity, and act on it without switching contexts.
Risk Orchestration is designed for everyone involved in application security:
Developers can quickly locate and understand specific vulnerabilities in their code, review fix suggestions, and see exactly which file and line are affected.
AppSec managers can monitor vulnerability trends across projects, track triage activity, and see who initiated each scan, helping identify whether development teams are reducing the vulnerabilities they introduce over time.
CISOs can assess overall risk exposure at a glance, prioritize internet-facing assets, and have confidence that all scanner results are visible in one authoritative view.
Accessing Risk Orchestration
You can open Risk Orchestration from two entry points.
From the ASPM menu
In the left navigation pane, go to ASPM > Risk Orchestration.
In the Select a project panel, search for or select a project.
Click Load Project.
From the Projects page
Go to Applications and Projects > Projects.
Locate the project you want to review. The Scanner Results column shows which engines ran on the project during the last scan. Color indicates severity: darker colors represent more critical findings.
Click anywhere on the project row to open Risk Orchestration for that project.
Note
To open the project's overview page instead, click the project name directly.
Reviewing Scan Results
The Risk Orchestration table displays all findings from the last scan, across all engines. By default, results are grouped by severity (Critical, High, Medium, Low, Info). Each group can be expanded or collapsed.
Each row shows:
| Column | Description |
|---|---|
| Severity | The risk level of the finding |
| Scanner | Which engine detected it (SAST, SCA, or IaC) |
| Risk Name & Status | The vulnerability name and whether it is a new finding |
| State | The current triage state |
| Source & Origin | The branch or reference from which the scan was triggered |
| Asset | The repository or resource where the vulnerability was found |
| Sub Asset | The specific file, function, or component within the asset |
| First Detection | When the vulnerability was first identified |
Changing the grouping
Click Groups, Filters & Dependencies at the top of the table.
Under Grouped by, switch from Severity to Scanner (or another available option) to reorganize the table.
Sorting and filtering
Every column supports sorting and filtering. Click the filter icon next to any column header to apply a filter. Use these controls to focus on specific scanners, severities, states, or assets.
Viewing Vulnerability Details
Click any row in the results table.
A side panel opens on the right, showing the vulnerability name, severity, scanner, and current state.
Use the tabs in the panel to explore different aspects of the finding. To open the full details page, click Full Details in the top-right corner of the panel at any time.
Issue
The Issue tab shows the precise location of the vulnerability in your code. It includes the full file path, the file type, and a syntax-highlighted code snippet with the affected line flagged.
For SAST findings, the Full Details view expands the Issue tab to show the complete Attack Vector - the end-to-end data flow from the tainted input to the vulnerable sink. The attack vector is represented as a sequential list of nodes (source node, intermediate propagation steps, and sink node), each linked to the corresponding line in the code. The Best Fix Location (BFL) - the point in the flow where the vulnerability is most efficiently remediated - is marked inline in the code view.
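The following is an added illustration of what the nodes of an attack vector correspond to in source code, and why the Best Fix Location can sit upstream of the sink. It is not Checkmarx code and does not reproduce how the scanner computes data flows; the request dictionary, the in-memory SQLite database, the username policy and the injection payload are all constructed for this example.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data: an in-memory users table standing in for the
    # application's database. Nothing here comes from the scanner.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    return conn


# ---- Vulnerable flow: the shape of two SAST attack vectors -------------

def read_username(request):
    # Source node: untrusted input enters the program here.
    return request["username"]


def normalise(username):
    # Propagation node: the tainted value passes through without being
    # neutralised. Both sinks below depend on this node, so a fix here
    # closes both vectors at once; this is the kind of node a BFL marker
    # points at.
    return username.strip()


def lookup_ids(conn, username):
    # Sink node of vector 1: SQL built by string concatenation.
    sql = "SELECT id FROM users WHERE name = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def count_matches(conn, username):
    # Sink node of vector 2: the same tainted value reaches a second query.
    sql = "SELECT COUNT(*) FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchone()[0]


def handle_vulnerable(conn, request):
    name = normalise(read_username(request))
    return lookup_ids(conn, name), count_matches(conn, name)


# ---- Hardened flow ------------------------------------------------------

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")  # assumed username policy


def normalise_checked(username):
    # Fix applied at the BFL: reject anything outside the allowed alphabet
    # so no tainted value can reach either sink. Returns None on rejection.
    cleaned = username.strip()
    return cleaned if USERNAME_RE.fullmatch(cleaned) else None


def lookup_ids_safe(conn, username):
    # Defence in depth at the sink: a parameterised query, the canonical
    # remedy for SQL injection regardless of upstream validation.
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (username,))
    return [row[0] for row in rows]


def count_matches_safe(conn, username):
    return conn.execute("SELECT COUNT(*) FROM users WHERE name = ?",
                        (username,)).fetchone()[0]


def handle_fixed(conn, request):
    name = normalise_checked(read_username(request))
    if name is None:
        return None
    return lookup_ids_safe(conn, name), count_matches_safe(conn, name)


# Constructed payload: a tautology that makes the WHERE clause always true.
PAYLOAD = {"username": "x' OR '1'='1"}

if __name__ == "__main__":
    print("vulnerable:", handle_vulnerable(make_db(), PAYLOAD))  # every row
    print("fixed:     ", handle_fixed(make_db(), PAYLOAD))       # None
```

Run directly, the vulnerable path returns every user for the injected username, while the hardened path rejects the value at the shared upstream node before it reaches either sink. The BFL marks where one change covers the most vectors; it does not replace parameterising each sink, which remains the standard fix for this vulnerability class.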
Suggestion
The Suggestion tab provides remediation guidance tailored to the specific finding. It includes:
Found Value: The exact condition or configuration detected that constitutes the vulnerability.
Expected Value: The secure value, pattern, or configuration that should replace it.
For SCA findings, the tab also includes recommended package upgrades where a safer version is available.
Change Log
The Change Log tab provides a full audit trail of all triage activity on the vulnerability. Each entry includes:
The previous and new state (e.g., To Verify → Proposed Not Exploitable)
The previous and new severity, if it was changed
Any note attached at the time of triage
The user who performed the action
The date and time the action was taken
If no triage actions have been taken, the tab displays "No data available."
Info
The Info tab is organized into three sections:
Vulnerability Details: Technical metadata about the finding, including: Similarity ID, Source Node, Source File, Sink Node, and Sink File. For SCA findings, this section also includes: affected package name, manifest file, dependency type, risk score, exploitability rating, reachability, exploitability method, and exploitability path (where detected).
Description: A plain-language explanation of the vulnerability class, why it represents a risk, and its potential impact.
About Your Scan: Metadata about the scan that produced the finding, including the scan initiator. This information helps AppSec managers and CISOs track whether development teams are reducing the vulnerabilities they introduce over time.
AI-assisted triage and remediation
Customers with a Triage & Remediation (T&R) license see two additional actions in the side panel alongside Triage:
Triage by AI: Analyzes the vulnerability in context and suggests a triage state with a rationale, reducing manual review time.
Remediation with AI: Generates a suggested code fix for the vulnerability.
For more information about AI-assisted triage and remediation, see Checkmarx Developer Assist.
Triaging a Vulnerability
Triaging lets you update the state and severity of a vulnerability and attach a note for your team. You can triage directly from the side panel without losing your place in the results table.
Click a row to open the side panel.
Click Triage →.
In the Triage Result panel, update the State using the dropdown.
Optionally, adjust the Severity.
To add a note, check Attach Note and type your comment in the text field.
Click Save.
The results table updates immediately to reflect the new state. The vulnerability row remains selected so you can continue reviewing without losing context. The triage action and any note you added are recorded in the Change Log.