--- title: Security Findings description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: Docs > DDSQL Reference > Data Directory > Security Findings --- # Security Findings This dataset provides access to Datadog Security Findings, which represent the results of evaluating cloud resources, code repositories, container images, and host configurations against compliance and vulnerability rules. Each finding produces a Pass or Fail status and includes the resource configuration, applied compliance rules mapped to industry frameworks, severity scores, and remediation guidance. Resources are scanned at regular intervals and findings are retained for up to 15 months. ``` dd.security_findings ``` Cloud Security Misconfigurations Findings Public Documentation {% icon name="icon-external-link" /%} Security Findings API Public Documentation {% icon name="icon-external-link" /%} ## Query Parameters This dataset uses a **polymorphic table function**. You must specify parameters when querying. | Parameter | Type | Required | Description | | --------- | --------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `columns` | `array` | Yes | List of fields to return for each finding (e.g., 'timestamp', '@status', '@severity', '@rule.name', '@resource_id'). Must follow with AS (…) to name and type outputs. | | `filter` | `string` | No | Optional search string. For example: filter => '@status:open AND @severity:high'. | ## Example Queries ```sql -- Fetch open high-severity findings SELECT * FROM dd.security_findings( columns => ARRAY[ 'timestamp', '@status', '@severity', '@rule.name', '@rule.type', '@resource_id', '@resource_name', '@cloud_resource.cloud_provider', '@compliance.evaluation' ], filter => '@status:open AND @severity:high' ) AS ( ts TIMESTAMP, status VARCHAR, severity VARCHAR, rule_name VARCHAR, rule_type VARCHAR, resource_id VARCHAR, resource_name VARCHAR, cloud_provider VARCHAR, evaluation VARCHAR ); ``` ## Fields | Title | ID | Type | Data Type | Description | | ------------------------------------------ | ------------------------------------------------------------------ | --------------- | ------------- | --------------------------------------------------------------------------------------- | | Severity | @severity | event_attribute | string | Severity level of the finding (e.g., info, low, medium, high, critical). | | Status | @status | event_attribute | string | Evaluation status of the finding (e.g., passed, failed). | | Resource ID | @resource_id | event_attribute | string | Unique identifier of the evaluated resource. | | Resource Name | @resource_name | event_attribute | string | Human-readable name of the evaluated resource. | | Resource Category | @resource_category | event_attribute | string | Category of the evaluated resource. | | Title | @title | event_attribute | string | Display title of the finding. | | Origin | @origin | event_attribute | array | Sources that detected this finding (e.g., cspm, sca, infra). | | Description | @description | event_attribute | string | Detailed description of the finding and the rule that generated it. | | Exposure Time | @exposure_time_seconds | event_attribute | int64 | Duration in seconds the resource has been in the current finding state. | | Finding Type | @finding_type | event_attribute | string | Type of finding (e.g., misconfiguration, vulnerability, identity_risk). | | Finding ID | @finding_id | event_attribute | string | Unique identifier for the finding. | | First Seen At | @first_seen_at | event_attribute | int64 | Timestamp (epoch milliseconds) when the finding was first detected. | | Last Seen At | @last_seen_at | event_attribute | int64 | Timestamp (epoch milliseconds) when the finding was most recently seen. | | Detection Changed At | @detection_changed_at | event_attribute | int64 | Timestamp (epoch milliseconds) when the detection status last changed. | | Schema Version | @metadata.schema_version | event_attribute | string | Version of the finding metadata schema. | | Source Finding Raw Data | @source_finding_raw_data | event_attribute | json | Raw finding data from the source detection engine. | | Base Severity Value | @severity_details.base.value | event_attribute | json | Base severity value object. | | Base Severity Value ID | @severity_details.base.value_id | event_attribute | int64 | Numeric identifier for the base severity value. | | Base Severity Score | @severity_details.base.score | event_attribute | float64 | Base severity score (e.g., CVSS score for vulnerabilities). | | Base Severity Vector | @severity_details.base.vector | event_attribute | string | CVSS vector string describing the base severity. | | Adjusted Severity | @severity_details.adjusted | event_attribute | json | Adjusted severity details after applying contextual risk factors. | | Assignee Name | @workflow.triage.assignee.name | event_attribute | string | Name of the user assigned to triage this finding. | | Assignee ID | @workflow.triage.assignee.id | event_attribute | string | Unique identifier of the assigned user. | | Assignee Updated At | @workflow.triage.assignee.updated_at | event_attribute | int64 | Timestamp (epoch milliseconds) when the assignee was last updated. | | Assignee Updated By ID | @workflow.triage.assignee.updated_by.id | event_attribute | string | ID of the user who last updated the assignee. | | Assignee Updated By Name | @workflow.triage.assignee.updated_by.name | event_attribute | string | Name of the user who last updated the assignee. | | Time to Acknowledge | @workflow.triage.time_to_acknowledge_seconds | event_attribute | int64 | Time in seconds from finding creation to first acknowledgement. | | Time to Resolution | @workflow.triage.time_to_resolution_seconds | event_attribute | int64 | Time in seconds from finding creation to resolution. | | Auto Closed At | @workflow.auto_closed_at | event_attribute | int64 | Timestamp (epoch milliseconds) when the finding was automatically closed. | | Due At | @workflow.due_date.due_at | event_attribute | int64 | Timestamp (epoch milliseconds) when the finding is due for remediation. | | Is Overdue | @workflow.due_date.is_overdue | event_attribute | bool | Whether the finding has passed its remediation due date. | | Due Date Rule ID | @workflow.due_date.rule_id | event_attribute | string | ID of the rule that set the due date. | | Is Muted | @workflow.mute.is_muted | event_attribute | bool | Whether the finding is currently muted. | | Mute Reason | @workflow.mute.reason | event_attribute | string | Reason why the finding was muted. | | Mute Description | @workflow.mute.description | event_attribute | string | Detailed description of why the finding was muted. | | Mute Expire At | @workflow.mute.expire_at | event_attribute | int64 | Timestamp (epoch milliseconds) when the mute expires. | | Is Muted By Rule | @workflow.mute.is_muted_by_rule | event_attribute | bool | Whether the finding was muted by an automated rule. | | Mute Rule ID | @workflow.mute.rule_id | event_attribute | string | ID of the rule that muted this finding. | | Mute Rule Name | @workflow.mute.rule_name | event_attribute | string | Name of the rule that muted this finding. | | Muted At | @workflow.mute.muted_at | event_attribute | int64 | Timestamp (epoch milliseconds) when the finding was muted. | | Muted By ID | @workflow.mute.muted_by.id | event_attribute | string | ID of the user who muted this finding. | | Muted By Name | @workflow.mute.muted_by.name | event_attribute | string | Name of the user who muted this finding. | | Automations | @workflow.automations | event_attribute | json | JSON structure with automation configurations applied to this finding. | | Integration Cases | @workflow.integrations.cases | event_attribute | json | JSON structure with linked case management entries. | | Integration Jira | @workflow.integrations.jira | event_attribute | array | Array of linked Jira ticket identifiers. | | Integration Pull Requests | @workflow.integrations.pull_requests | event_attribute | json | JSON structure with linked pull request information. | | Has Sensitive Data | @risk.has_sensitive_data | event_attribute | bool | Whether the resource is known to contain sensitive data. | | Is Function Reachable | @risk.is_function_reachable | event_attribute | bool | Whether a vulnerable function is reachable in the call graph. | | Is Exposed to Attacks | @risk.is_exposed_to_attacks | event_attribute | bool | Whether the resource is exposed to active attacks. | | Has Privileged Access | @risk.has_privileged_access | event_attribute | bool | Whether the resource has privileged access. | | Is Production | @risk.is_production | event_attribute | bool | Whether the resource is in a production environment. | | Is Publicly Accessible | @risk.is_publicly_accessible | event_attribute | bool | Whether the resource is publicly accessible. | | Has Exploit Available | @risk.has_exploit_available | event_attribute | bool | Whether a known exploit exists for the vulnerability. | | Has High Exploitability Chance | @risk.has_high_exploitability_chance | event_attribute | bool | Whether the vulnerability has a high chance of being exploited (based on EPSS). | | Sensitive Data Impact CVSS | @risk_detail.has_sensitive_data.impact_cvss | event_attribute | string | CVSS impact adjustment for sensitive data presence. | | Sensitive Data Value | @risk_detail.has_sensitive_data.value | event_attribute | bool | Whether sensitive data was detected. | | Sensitive Data SDS ID | @risk_detail.has_sensitive_data.evidence.sds_id | event_attribute | string | Sensitive Data Scanner rule ID that detected the data. | | Function Reachable Impact CVSS | @risk_detail.is_function_reachable.impact_cvss | event_attribute | string | CVSS impact adjustment for function reachability. | | Function Reachable Value | @risk_detail.is_function_reachable.value | event_attribute | bool | Whether a vulnerable function is reachable. | | Reachable Location Filename | @risk_detail.is_function_reachable.evidence.locations.filename | event_attribute | string | Filename where the reachable function is located. | | Reachable Location Start Line | @risk_detail.is_function_reachable.evidence.locations.start.line | event_attribute | int64 | Start line of the reachable function. | | Reachable Location Start Column | @risk_detail.is_function_reachable.evidence.locations.start.col | event_attribute | int64 | Start column of the reachable function. | | Reachable Location End Line | @risk_detail.is_function_reachable.evidence.locations.end.line | event_attribute | int64 | End line of the reachable function. | | Reachable Location End Column | @risk_detail.is_function_reachable.evidence.locations.end.col | event_attribute | int64 | End column of the reachable function. | | Reachable Location Is Test File | @risk_detail.is_function_reachable.evidence.locations.is_test_file | event_attribute | bool | Whether the reachable function is in a test file. | | Reachable Location URL | @risk_detail.is_function_reachable.evidence.locations.url | event_attribute | string | URL to the reachable function location in source control. | | Reachable Location Symbol | @risk_detail.is_function_reachable.evidence.locations.symbol | event_attribute | string | Symbol name of the reachable function. | | Exposed to Attacks Impact CVSS | @risk_detail.is_exposed_to_attacks.impact_cvss | event_attribute | string | CVSS impact adjustment for attack exposure. | | Exposed to Attacks Value | @risk_detail.is_exposed_to_attacks.value | event_attribute | bool | Whether the resource is exposed to attacks. | | Attack Trace Example | @risk_detail.is_exposed_to_attacks.evidence.trace_example | event_attribute | json | Example trace showing attack exposure. | | Attack Trace Query | @risk_detail.is_exposed_to_attacks.evidence.trace_query | event_attribute | string | Query to find traces showing attack exposure. | | Attack Details | @risk_detail.is_exposed_to_attacks.evidence.attacks_details | event_attribute | json | Details about detected attacks. | | Privileged Access Impact CVSS | @risk_detail.has_privileged_access.impact_cvss | event_attribute | string | CVSS impact adjustment for privileged access. | | Privileged Access Value | @risk_detail.has_privileged_access.value | event_attribute | bool | Whether the resource has privileged access. | | Privileged Access CCRID | @risk_detail.has_privileged_access.evidence.ccrid | event_attribute | string | Cloud Configuration Resource ID with privileged access. | | Production Impact CVSS | @risk_detail.is_production.impact_cvss | event_attribute | string | CVSS impact adjustment for production environment. | | Production Value | @risk_detail.is_production.value | event_attribute | bool | Whether the resource is in production. | | Production Evidence | @risk_detail.is_production.evidence | event_attribute | json | Evidence supporting the production classification. | | Publicly Accessible Impact CVSS | @risk_detail.is_publicly_accessible.impact_cvss | event_attribute | string | CVSS impact adjustment for public accessibility. | | Publicly Accessible Value | @risk_detail.is_publicly_accessible.value | event_attribute | bool | Whether the resource is publicly accessible. | | Publicly Accessible CCRID | @risk_detail.is_publicly_accessible.evidence.ccrid | event_attribute | string | Cloud Configuration Resource ID that is publicly accessible. | | Exploit Available Impact CVSS | @risk_detail.has_exploit_available.impact_cvss | event_attribute | string | CVSS impact adjustment for exploit availability. | | Exploit Available Value | @risk_detail.has_exploit_available.value | event_attribute | bool | Whether an exploit is available. | | Exploit Type | @risk_detail.has_exploit_available.evidence.type | event_attribute | string | Type of exploit available. | | Exploit URLs | @risk_detail.has_exploit_available.evidence.exploit_urls | event_attribute | array | URLs to exploit references. | | Exploit Sources | @risk_detail.has_exploit_available.evidence.exploit_sources | event_attribute | array | Sources where exploits were found. | | High Exploitability Impact CVSS | @risk_detail.has_high_exploitability_chance.impact_cvss | event_attribute | string | CVSS impact adjustment for high exploitability. | | High Exploitability Value | @risk_detail.has_high_exploitability_chance.value | event_attribute | bool | Whether the vulnerability has a high exploitability chance. | | EPSS Score | @risk_detail.has_high_exploitability_chance.evidence.epss_score | event_attribute | float64 | Exploit Prediction Scoring System score (0.0 to 1.0). | | EPSS Severity | @risk_detail.has_high_exploitability_chance.evidence.epss_severity | event_attribute | string | Severity classification based on EPSS score. | | EPSS Threshold | @risk_detail.has_high_exploitability_chance.evidence.threshold | event_attribute | float64 | EPSS threshold used for classification. | | Rule Type | @rule.type | event_attribute | string | Type of the rule that generated the finding (e.g., cloud_configuration, vulnerability). | | Rule Name | @rule.name | event_attribute | string | Name of the rule that generated the finding. | | Rule ID | @rule.id | event_attribute | string | Unique identifier of the rule. | | Rule Version | @rule.version | event_attribute | int64 | Version number of the rule. | | Rule Compatible Version | @rule.compatible_version | event_attribute | int64 | Compatible version number of the rule. | | Default Rule ID | @rule.default_rule_id | event_attribute | string | ID of the default rule this custom rule is based on. | | Advisory ID | @advisory.id | event_attribute | string | Unique identifier of the advisory. | | CVE | @advisory.cve | event_attribute | string | CVE identifier for the vulnerability (e.g., CVE-2024-1234). | | Advisory Aliases | @advisory.aliases | event_attribute | array | Alternative identifiers for the advisory. | | Advisory Published At | @advisory.published_at | event_attribute | int64 | Timestamp (epoch milliseconds) when the advisory was published. | | Advisory Modified At | @advisory.modified_at | event_attribute | int64 | Timestamp (epoch milliseconds) when the advisory was last modified. | | Advisory Summary | @advisory.summary | event_attribute | string | Summary description of the vulnerability advisory. | | Advisory Type | @advisory.type | event_attribute | string | Type of the advisory (e.g., vulnerability, malware). | | Vulnerability Language | @vulnerability.language | event_attribute | string | Programming language of the vulnerable component. | | CWEs | @vulnerability.cwes | event_attribute | array | Common Weakness Enumeration identifiers. | | Vulnerability Hash | @vulnerability.hash | event_attribute | string | Hash identifying the vulnerability instance. | | Vulnerability First Commit | @vulnerability.first_commit | event_attribute | string | First commit SHA where the vulnerability was detected. | | Vulnerability Last Commit | @vulnerability.last_commit | event_attribute | string | Last commit SHA where the vulnerability was detected. | | Vulnerability Key | @vulnerability.key | event_attribute | string | Unique key identifying the vulnerability. | | Remediation Available | @remediation.is_available | event_attribute | bool | Whether a remediation recommendation is available. | | Fixed Advisories | @remediation.recommended.fixed_advisories | event_attribute | json | Advisories fixed by the recommended remediation. | | New Advisories | @remediation.recommended.new_advisories | event_attribute | json | New advisories introduced by the recommended remediation. | | Remaining Advisories | @remediation.recommended.remaining_advisories | event_attribute | json | Advisories remaining after the recommended remediation. | | Recommended Package Name | @remediation.recommended.name | event_attribute | string | Name of the recommended package for remediation. | | Recommended Package Version | @remediation.recommended.version | event_attribute | string | Version of the recommended package for remediation. | | Recommended Remediation Type | @remediation.recommended_type | event_attribute | string | Type of the recommended remediation. | | Remediation Description | @remediation.description | event_attribute | string | Description of the recommended remediation steps. | | Latest No Critical Package | @remediation.package.latest_no_critical | event_attribute | json | Latest package version with no critical vulnerabilities. | | Closest No Critical Package | @remediation.package.closest_no_critical | event_attribute | json | Closest package version with no critical vulnerabilities. | | Latest No Vulnerabilities Package | @remediation.package.latest_no_vulnerabilities | event_attribute | json | Latest package version with no known vulnerabilities. | | Closest No Vulnerabilities Package | @remediation.package.closest_no_vulnerabilities | event_attribute | json | Closest package version with no known vulnerabilities. | | Latest No Vulnerabilities Host Image | @remediation.host_image.latest_no_vulnerabilities | event_attribute | json | Latest host image version with no known vulnerabilities. | | Closest No Vulnerabilities Container Image | @remediation.container_image.closest_no_vulnerabilities | event_attribute | json | Closest container image version with no known vulnerabilities. | | Code Update Type | @remediation.code_update.update_type | event_attribute | string | Type of code update for remediation. | | Code Update Edits | @remediation.code_update.edits | event_attribute | json | Suggested code edits for remediation. | | Compliance Evaluation | @compliance.evaluation | event_attribute | string | Compliance evaluation result (e.g., pass, fail). | | Compliance Frameworks | @compliance.frameworks | event_attribute | json | JSON structure listing compliance frameworks and controls this finding maps to. | | Framework Requirements | @compliance.framework_requirements | event_attribute | array | Array of compliance framework requirement identifiers. | | Framework Requirement Controls | @compliance.framework_requirement_controls | event_attribute | array | Array of compliance framework requirement control identifiers. | | Cloud Resource Tags | @cloud_resource.tags | event_attribute | hstore | Tags associated with the cloud resource. | | Cloud Resource Type | @cloud_resource.type | event_attribute | string | Type of the cloud resource (e.g., aws_s3_bucket, gcp_compute_instance). | | Cloud Resource Category | @cloud_resource.category | event_attribute | string | Category of the cloud resource. | | Cloud Resource Key | @cloud_resource.key | event_attribute | string | Unique key for the cloud resource. | | Cloud Provider URL | @cloud_resource.cloud_provider_url | event_attribute | string | URL to the resource in the cloud provider's console. | | Cloud Provider | @cloud_resource.cloud_provider | event_attribute | string | Cloud provider of the resource (e.g., aws, gcp, azure). | | Cloud Resource Configuration | @cloud_resource.configuration | event_attribute | json | Full JSON configuration of the cloud resource. | | Cloud Account | @cloud_resource.account | event_attribute | string | Cloud account or project identifier. | | Cloud Resource Display Name | @cloud_resource.display_name | event_attribute | string | Human-readable display name of the cloud resource. | | Cloud Region | @cloud_resource.region | event_attribute | string | Cloud region where the resource is deployed. | | Cloud Availability Zone | @cloud_resource.availability_zone | event_attribute | string | Availability zone within the cloud region. | | Public Accessibility Paths | @cloud_resource.public_accessibility_paths | event_attribute | array | Paths through which the resource is publicly accessible. | | Public Port Ranges | @cloud_resource.public_port_ranges | event_attribute | json | Port ranges that are publicly accessible. | | IaC Provider | @iac_resource.provider | event_attribute | string | Infrastructure-as-Code provider (e.g., terraform, cloudformation). | | IaC Platform | @iac_resource.platform | event_attribute | string | IaC platform (e.g., terraform, ansible). | | IaC Resource Type | @iac_resource.type | event_attribute | string | Type of the IaC resource. | | IaC Resource Name | @iac_resource.name | event_attribute | string | Name of the IaC resource. | | Kubernetes Cluster ID | @k8s.cluster_id | event_attribute | string | Kubernetes cluster identifier. | | Host Name | @host.name | event_attribute | string | Name of the host associated with the finding. | | Host Key | @host.key | event_attribute | string | Unique key for the host. | | Host Cloud Provider | @host.cloud_provider | event_attribute | string | Cloud provider of the host. | | Host Image | @host.image | event_attribute | string | Image used to create the host. | | Host OS Name | @host.os.name | event_attribute | string | Operating system name of the host. | | Host OS Version | @host.os.version | event_attribute | string | Operating system version of the host. | | Service Name | @service.name | event_attribute | string | Name of the service associated with the finding. | | Service Git Commit SHA | @service.git_commit_sha | event_attribute | string | Git commit SHA of the service deployment. | | Service Git Repository URL | @service.git_repository_url | event_attribute | string | Git repository URL of the service. | | Container Image Registries | @container_image.registries | event_attribute | array | Container registries where the image is hosted. | | Container Image Repository | @container_image.repository | event_attribute | string | Repository of the container image. | | Container Image Repo Digests | @container_image.repo_digests | event_attribute | array | Repository digests of the container image. | | Container Image Git Commit SHA | @container_image.git_commit_sha | event_attribute | string | Git commit SHA associated with the container image. | | Container Image Git Repository URL | @container_image.git_repository_url | event_attribute | string | Git repository URL associated with the container image. | | Container Image OSes | @container_image.oses | event_attribute | json | Operating systems in the container image. | | Container Image Architectures | @container_image.architectures | event_attribute | array | CPU architectures supported by the container image. | | Container Image Layer Digests | @container_image.image_layer_digests | event_attribute | array | Digests of individual layers in the container image. | | Container Image Layer Diff IDs | @container_image.image_layer_diff_ids | event_attribute | array | Diff IDs of layers in the container image. | | Container Image Name | @container_image.name | event_attribute | string | Name of the container image. | | Container Image Tags | @container_image.tags | event_attribute | hstore | Tags associated with the container image. | | Git Repository ID | @git.repository_id | event_attribute | string | Unique identifier of the git repository. | | Git Repository URL | @git.repository_url | event_attribute | string | URL of the git repository. | | Git Repository Visibility | @git.repository_visibility | event_attribute | string | Visibility of the git repository (e.g., public, private). | | Git Branch | @git.branch | event_attribute | string | Git branch where the finding was detected. | | Git Default Branch | @git.default_branch | event_attribute | string | Default branch of the git repository. | | Is Default Branch | @git.is_default_branch | event_attribute | bool | Whether the finding is on the default branch. | | Git SHA | @git.sha | event_attribute | string | Git commit SHA where the finding was detected. | | Git Author Name | @git.author.name | event_attribute | string | Name of the commit author. | | Git Author Email | @git.author.email | event_attribute | string | Email of the commit author. | | Git Author Authored At | @git.author.authored_at | event_attribute | int64 | Timestamp (epoch milliseconds) when the commit was authored. | | Git Committer Name | @git.committer.name | event_attribute | string | Name of the committer. | | Git Committer Email | @git.committer.email | event_attribute | string | Email of the committer. | | Git Committer Committed At | @git.committer.committed_at | event_attribute | int64 | Timestamp (epoch milliseconds) when the commit was committed. | | Git Codeowners | @git.codeowners | event_attribute | array | Codeowners for the file where the finding was detected. | | Code Location Filename | @code_location.filename | event_attribute | string | Filename where the finding was detected. | | Code Location Start Line | @code_location.start.line | event_attribute | int64 | Start line of the code finding. | | Code Location Start Column | @code_location.start.col | event_attribute | int64 | Start column of the code finding. | | Code Location End Line | @code_location.end.line | event_attribute | int64 | End line of the code finding. | | Code Location End Column | @code_location.end.col | event_attribute | int64 | End column of the code finding. | | Code Location Is Test File | @code_location.is_test_file | event_attribute | bool | Whether the finding is in a test file. | | Code Location URL | @code_location.url | event_attribute | string | URL to the code location in source control. | | Code Location Symbol | @code_location.symbol | event_attribute | string | Symbol name at the code location. | | API Endpoint Operation Name | @api_endpoint.operation_name | event_attribute | string | Operation name of the API endpoint. | | API Endpoint Path | @api_endpoint.path | event_attribute | string | Path of the API endpoint. | | API Endpoint Method | @api_endpoint.method | event_attribute | string | HTTP method of the API endpoint. | | API Endpoint Resource Name | @api_endpoint.resource_name | event_attribute | string | Resource name of the API endpoint. | | Package Ecosystem | @package.ecosystem | event_attribute | string | Package manager ecosystem (e.g., Maven, npm, PyPI). | | Package Name | @package.name | event_attribute | string | Name of the vulnerable package. | | Package Version | @package.version | event_attribute | string | Version of the vulnerable package. | | Package Additional Names | @package.additional_names | event_attribute | array | Additional names for the package. | | Package Normalized Name | @package.normalized_name | event_attribute | string | Normalized name of the package for deduplication. | | Package Manager | @package.manager | event_attribute | string | Package manager (e.g., npm, pip, maven). | | Package Relation | @package.relation | event_attribute | string | Dependency relation type (e.g., direct, transitive). | | Package Component Loading Type | @package.component_loading_type | event_attribute | string | How the package component is loaded. | | Package Dependency Location Text | @package.dependency_location_text | event_attribute | string | Text representation of the dependency location. | | Package Declaration File Name | @package.declaration.block.file_name | event_attribute | string | File name where the package is declared. | | Package Declaration Line Start | @package.declaration.block.line_start | event_attribute | int64 | Start line of the package declaration. | | Package Declaration Line End | @package.declaration.block.line_end | event_attribute | int64 | End line of the package declaration. | | Package Declaration Column Start | @package.declaration.block.column_start | event_attribute | int64 | Start column of the package declaration. | | Package Declaration Column End | @package.declaration.block.column_end | event_attribute | int64 | End column of the package declaration. | | Package Declaration Symbol | @package.declaration.block.symbol | event_attribute | string | Symbol of the package declaration. | | Package Declaration Name | @package.declaration.name | event_attribute | json | Declared name of the package. | | Package Declaration Version | @package.declaration.version | event_attribute | json | Declared version of the package. | | Package Scope | @package.scope | event_attribute | string | Dependency scope (e.g., production, test, development). | | Package Root Parent Name | @package.root_parent.name | event_attribute | string | Name of the root parent dependency. | | Package Root Parent Version | @package.root_parent.version | event_attribute | string | Version of the root parent dependency. | | Package Root Parents | @package.root_parents | event_attribute | json | All root parent dependencies. | | Secret Resource Type | @secret.resource_type | event_attribute | string | Type of resource where the secret was found. | | Secret Validation Status | @secret.validation_status | event_attribute | string | Validation status of the detected secret. | | Additional Resources | @additional_resources | event_attribute | json | Additional resource information related to the finding. | | Runtime Context Span ID | @runtime_context.span_id | event_attribute | string | APM span ID associated with the finding. | | Runtime Context Trace ID | @runtime_context.trace_id | event_attribute | string | APM trace ID associated with the finding. | | Runtime Context Stacktrace ID | @runtime_context.stacktrace_id | event_attribute | string | Stacktrace ID associated with the finding. | | Related Services | @related_services | event_attribute | array | Services related to the finding. | | Tags | tags | core | hstore | Tags associated with the finding, represented as key-value pairs. |