---
title: Security Findings Schema Reference
description: >-
  Complete reference for the Security Findings schema, including all attributes,
  namespaces, and data model for querying vulnerabilities, misconfigurations,
  and security risks.
---

# Security Findings Schema Reference

## Overview{% #overview %}

Security findings in Datadog represent vulnerabilities, misconfigurations, and security risks identified across your infrastructure and applications. Each finding contains structured data organized into namespaces that describe the nature, impact, status, and context of the security issue.

All findings share a common schema that enables unified querying and analysis across different security products.
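The following Python is an added example, not part of Datadog's documentation or tooling: it reads findings of different `finding_type` through the shared attributes used in this page's samples and builds one triage queue. It assumes `*_at` values are Unix epoch milliseconds and that a key present under `risk_details` means the risk applies; the input findings, the `dig`, `normalize` and `triage` helpers, and the sort order are constructed for illustration.

```python
"""Triage findings of different finding_type through the shared schema."""
import json
from datetime import datetime, timezone

SUPPORTED_SCHEMA = "2"  # metadata.schema_version value shown in this page's samples

# risk_details keys that appear in this page's samples. Assumption: a key being
# present means the risk applies (the samples only show an "evidence" object).
RISK_KEYS = (
    "has_exploit_available",
    "has_high_exploitability_chance",
    "is_publicly_accessible",
)

# Constructed input: findings trimmed to attributes used in this page's samples.
# The finding_id values and the schema_version "1" record are made up.
SAMPLE_FINDINGS = json.loads("""
[
  {"finding_id": "constructed-lib", "finding_type": "library_vulnerability",
   "severity": "critical", "status": "open", "resource_id": "lodash:4.17.20",
   "first_seen_at": 1738575592659, "metadata": {"schema_version": "2"},
   "advisory": {"cve": "CVE-2024-67890"},
   "risk_details": {
     "has_exploit_available": {"evidence": {"exploit_sources": ["GitHub"]}},
     "has_high_exploitability_chance": {"evidence": {"epss_score": 0.70718}}},
   "workflow": {"mute": {"is_muted": false}, "due_date": {"is_overdue": false}}},
  {"finding_id": "constructed-api", "finding_type": "api_security",
   "severity": "critical", "status": "open", "resource_id": "api-endpoint-001",
   "first_seen_at": 1738575592659, "metadata": {"schema_version": "2"},
   "workflow": {"due_date": {"is_overdue": true}}},
  {"finding_id": "constructed-cfg", "finding_type": "misconfiguration",
   "severity": "critical", "status": "open", "resource_id": "sg-0123456789abcdef0",
   "first_seen_at": 1738575592659, "metadata": {"schema_version": "2"},
   "risk_details": {"is_publicly_accessible": {"evidence": {}}},
   "workflow": {"mute": {"is_muted": true, "reason": "Resource deleted"}}},
  {"finding_id": "constructed-old", "finding_type": "misconfiguration",
   "status": "open", "metadata": {"schema_version": "1"}}
]
""")


def dig(doc, dotted, default=None):
    """Read a dotted attribute path; namespaces are optional per finding type."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def ms_to_iso(ms):
    """Assumption: *_at attributes are Unix epoch milliseconds."""
    if ms is None:
        return None
    moment = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return moment.isoformat(timespec="seconds")


def normalize(finding):
    """Flatten one finding into a triage row, whatever its finding_type."""
    version = dig(finding, "metadata.schema_version")
    if version != SUPPORTED_SCHEMA:
        raise ValueError(f"unsupported schema_version: {version!r}")
    muted = bool(dig(finding, "workflow.mute.is_muted", False))
    return {
        "id": finding["finding_id"],
        "type": finding["finding_type"],
        "severity": finding.get("severity"),
        "resource": finding.get("resource_id"),
        "cve": dig(finding, "advisory.cve"),  # only vulnerability types carry this
        "risks": [k for k in RISK_KEYS if k in (finding.get("risk_details") or {})],
        "actionable": finding.get("status") == "open" and not muted,
        "overdue": bool(dig(finding, "workflow.due_date.is_overdue", False)),
        "first_seen": ms_to_iso(finding.get("first_seen_at")),
    }


def triage(findings):
    """Return (queue, rejected): open, unmuted rows plus records that failed checks."""
    queue, rejected = [], []
    for finding in findings:
        try:
            row = normalize(finding)
        except (KeyError, ValueError) as exc:
            rejected.append((finding.get("finding_id"), str(exc)))
            continue
        if row["actionable"]:
            queue.append(row)
    # Local policy (an assumption): overdue first, then most risk factors.
    queue.sort(key=lambda r: (not r["overdue"], -len(r["risks"]), r["id"]))
    return queue, rejected


if __name__ == "__main__":
    rows, bad = triage(SAMPLE_FINDINGS)
    for row in rows:
        print(row["id"], row["type"], row["risks"], row["first_seen"])
    print("rejected:", bad)
```

Records with an unexpected `metadata.schema_version` are set aside rather than parsed, so a schema change surfaces as a rejected record instead of a silently wrong triage row.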

{% callout %}
Learn about migrating to this new schema so you can avoid any interruptions to your workflows.

[LEARN MORE](https://docs.datadoghq.com/security/guide/security-findings-migration.md)
{% /callout %}

## Examples{% #examples %}

Security findings fall into eleven categories. Select a category to view a sample security finding that belongs to it.

{% tab title="API Security" %}

```json
{
  "api_endpoint": {
    "method": "GET",
    "operation_name": "http.request",
    "path": "/api/v2/users/{userID}/profile",
    "resource_name": "GET /api/v2/users/{userID}/profile"
  },
  "base_severity": "critical",
  "container_image": {
    "name": "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:v1.0.0",
    "registries": [
      "123456789012.dkr.ecr.us-east-1.amazonaws.com"
    ],
    "repo_digests": [
      "sha256:abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"
    ]
  },
  "description": "The API endpoint exposes user profile data through a route that uses predictable sequential IDs, allowing an attacker to enumerate and access other users' profiles by incrementing the ID parameter.",
  "detection_changed_at": 1738575599859,
  "exposure_time_seconds": 300,
  "finding_id": "AbCdEfGhIjKlMnOpQrStUvWx",
  "finding_type": "api_security",
  "first_seen_at": 1738575592659,
  "is_in_security_inbox": false,
  "last_seen_at": 1738624280889,
  "metadata": {
    "schema_version": "2"
  },
  "origin": [
    "agentless-scanner"
  ],
  "remediation": {
    "is_available": false
  },
  "resource_id": "api-endpoint-001",
  "resource_name": "GET /api/v2/users/{userID}/profile",
  "resource_type": "api_endpoint",
  "rule": {
    "default_rule_id": "def-000-abc",
    "id": "api-sec-001",
    "name": "Read operations on routes use predictable IDs",
    "type": "api_security",
    "version": 3
  },
  "service": {
    "name": "chatbot-api"
  },
  "severity": "critical",
  "severity_details": {
    "adjusted": {
      "score": 9.8,
      "value": "Critical",
      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/RC:C"
    },
    "base": {
      "score": 9.8,
      "value": "Critical",
      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/RC:C"
    }
  },
  "status": "open",
  "title": "Read operations on routes use predictable IDs",
  "workflow": {
    "auto_closed_at": 1738575600859,
    "automations": {
      "rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "rule_name": "mute misconfigs with free text query",
      "rule_type": "mute"
    },
    "due_date": {
      "due_at": 1738575599859,
      "is_overdue": false,
      "rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
    },
    "integrations": {
      "cases": {
        "assignee": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        },
        "created_at": 1738575599859,
        "created_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        },
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "jira_issue": {
          "key": "PROJ-12345",
          "status": "To Do",
          "url": "https://your-org.atlassian.net/browse/PROJ-12345"
        },
        "key": "CASE-42",
        "status": "open",
        "updated_at": 1738575599859,
        "updated_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        }
      }
    },
    "mute": {
      "description": "Free text",
      "expire_at": 1738575599859,
      "is_muted": false,
      "is_muted_by_rule": false,
      "muted_at": 1738575599859,
      "muted_by": {
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "name": "Alice"
      },
      "reason": "Resource deleted"
    },
    "triage": {
      "assignee": {
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "name": "Alice",
        "updated_at": 1738575600859,
        "updated_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        }
      }
    }
  },
  "tags": [
    "origin:agentless-scanner",
    "source:vulnerability_management"
  ]
}
```

{% /tab %}

{% tab title="Attack Path" %}

```json
{
  "base_severity": "critical",
  "cloud_resource": {
    "account": {
      "account": "Main production account",
      "account_id": "123456789012"
    },
    "cloud_provider": "AWS",
    "cloud_provider_url": "https://us-east-1.console.aws.amazon.com/ec2/home#Instances:instanceId=i-0123456789abcdef0",
    "configuration": {
      "account_id": "123456789012",
      "ami_launch_index": 0,
      "architecture": "x86_64",
      "aws_ami_key": "abcdef0123456789abcdef0123456789",
      "aws_iam_instance_profile_key": "abcdef0123456789abcdef0123456789",
      "aws_subnet_key": "abcdef0123456789abcdef0123456789",
      "aws_vpc_key": "abcdef0123456789abcdef0123456789",
      "block_device_mappings": [
        {
          "device_name": "/dev/sdf",
          "ebs": {
            "attach_time": 1734064859000,
            "delete_on_termination": true,
            "status": "attached",
            "volume_id": "vol-0123456789abcdef0"
          }
        }
      ]
    },
    "display_name": "i-012abcd34efghi56",
    "key": "arn:aws:ec2:us-east-1:123456789012:instance/i-012abcd34efghi56"
  },
  "compliance": {
    "evaluation": "fail"
  },
  "container_image": {
    "name": "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:v1.0.0",
    "registries": [
      "123456789012.dkr.ecr.us-east-1.amazonaws.com"
    ],
    "repo_digests": [
      "sha256:abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"
    ]
  },
  "description": "A publicly accessible EC2 instance with an attached IAM role has overly permissive policies that allow lateral movement to sensitive S3 buckets containing production data.",
  "detection_changed_at": 1738575599859,
  "exposure_time_seconds": 300,
  "finding_id": "AbCdEfGhIjKlMnOpQrStUvWx",
  "finding_type": "attack_path",
  "first_seen_at": 1738575592659,
  "is_in_security_inbox": false,
  "last_seen_at": 1738624280889,
  "metadata": {
    "schema_version": "2"
  },
  "origin": [
    "agentless-scanner"
  ],
  "resource_id": "arn:aws:ec2:us-east-1:123456789012:instance/i-012abcd34efghi56",
  "resource_name": "i-012abcd34efghi56",
  "resource_type": "aws_ec2_instance",
  "risk_details": {
    "is_publicly_accessible": {
      "evidence": {
        "resource_key": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/1234567890abcdef"
      }
    }
  },
  "rule": {
    "default_rule_id": "def-000-abc",
    "id": "def-000-ap1",
    "name": "EC2 instance with public access and overprivileged IAM role",
    "type": "attack_path",
    "version": 3
  },
  "severity": "critical",
  "severity_details": {
    "adjusted": {
      "score": 9.8,
      "value": "Critical",
      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/RC:C"
    },
    "base": {
      "score": 9.8,
      "value": "Critical",
      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/RC:C"
    }
  },
  "status": "open",
  "title": "Publicly accessible instance with overprivileged IAM role",
  "workflow": {
    "auto_closed_at": 1738575600859,
    "automations": {
      "rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "rule_name": "mute misconfigs with free text query",
      "rule_type": "mute"
    },
    "due_date": {
      "due_at": 1738575599859,
      "is_overdue": false,
      "rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
    },
    "integrations": {
      "cases": {
        "assignee": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        },
        "created_at": 1738575599859,
        "created_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        },
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "jira_issue": {
          "key": "PROJ-12345",
          "status": "To Do",
          "url": "https://your-org.atlassian.net/browse/PROJ-12345"
        },
        "key": "CASE-42",
        "status": "open",
        "updated_at": 1738575599859,
        "updated_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        }
      }
    },
    "mute": {
      "description": "Free text",
      "expire_at": 1738575599859,
      "is_muted": false,
      "is_muted_by_rule": false,
      "muted_at": 1738575599859,
      "muted_by": {
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "name": "Alice"
      },
      "reason": "Resource deleted"
    },
    "triage": {
      "assignee": {
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "name": "Alice",
        "updated_at": 1738575600859,
        "updated_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        }
      }
    }
  },
  "tags": [
    "origin:agentless-scanner",
    "source:vulnerability_management"
  ]
}
```

{% /tab %}

{% tab title="Host & Container Vulnerability" %}

```json
{
  "advisory": {
    "aliases": [
      "CVE-2024-12345"
    ],
    "cve": "CVE-2024-12345",
    "id": "TRIVY-CVE-2024-12345"
  },
  "base_severity": "critical",
  "cloud_resource": {
    "account": {
      "account": "Main production account",
      "account_id": "123456789012"
    },
    "cloud_provider": "AWS",
    "cloud_provider_url": "https://us-east-1.console.aws.amazon.com/ec2/home#Instances:instanceId=i-0123456789abcdef0",
    "configuration": {
      "account_id": "123456789012",
      "ami_launch_index": 0,
      "architecture": "x86_64",
      "aws_ami_key": "abcdef0123456789abcdef0123456789",
      "aws_iam_instance_profile_key": "abcdef0123456789abcdef0123456789",
      "aws_subnet_key": "abcdef0123456789abcdef0123456789",
      "aws_vpc_key": "abcdef0123456789abcdef0123456789",
      "block_device_mappings": [
        {
          "device_name": "/dev/sdf",
          "ebs": {
            "attach_time": 1734064859000,
            "delete_on_termination": true,
            "status": "attached",
            "volume_id": "vol-0123456789abcdef0"
          }
        }
      ]
    },
    "display_name": "i-012abcd34efghi56",
    "key": "arn:aws:ec2:us-east-1:123456789012:instance/i-012abcd34efghi56"
  },
  "container_image": {
    "name": "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:v1.0.0",
    "registries": [
      "123456789012.dkr.ecr.us-east-1.amazonaws.com"
    ],
    "repo_digests": [
      "sha256:abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"
    ]
  },
  "description": "A buffer overflow vulnerability in the Linux kernel allows a local attacker to escalate privileges by exploiting a race condition in the netfilter subsystem.",
  "detection_changed_at": 1738575599859,
  "exposure_time_seconds": 300,
  "finding_id": "AbCdEfGhIjKlMnOpQrStUvWx",
  "finding_type": "host_and_container_vulnerability",
  "first_seen_at": 1738575592659,
  "is_in_security_inbox": false,
  "last_seen_at": 1738624280889,
  "metadata": {
    "schema_version": "2"
  },
  "origin": [
    "agentless-scanner"
  ],
  "package": {
    "name": "linux",
    "normalized_name": "linux",
    "version": "5.4.0-205.225"
  },
  "remediation": {
    "is_available": false
  },
  "resource_id": "arn:aws:ec2:us-east-1:123456789012:instance/i-012abcd34efghi56",
  "resource_name": "i-012abcd34efghi56",
  "resource_type": "aws_ec2_instance",
  "risk_details": {
    "has_exploit_available": {
      "evidence": {
        "exploit_sources": [
          "GitHub"
        ],
        "exploit_urls": [
          "https://github.com/example/POC-CVE-2024-12345"
        ]
      }
    },
    "has_high_exploitability_chance": {
      "evidence": {
        "epss_score": 0.70718,
        "epss_severity": "high"
      }
    },
    "is_publicly_accessible": {
      "evidence": {
        "resource_key": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/1234567890abcdef"
      }
    }
  },
  "severity": "critical",
  "severity_details": {
    "adjusted": {
      "score": 9.8,
      "value": "Critical",
      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/RC:C"
    },
    "base": {
      "score": 9.8,
      "value": "Critical",
      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/RC:C"
    }
  },
  "status": "open",
  "title": "Buffer overflow in Linux kernel netfilter subsystem",
  "vulnerability": {
    "hash": "abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890",
    "stack": {
      "ecosystem": "deb"
    }
  },
  "workflow": {
    "auto_closed_at": 1738575600859,
    "automations": {
      "rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "rule_name": "mute misconfigs with free text query",
      "rule_type": "mute"
    },
    "due_date": {
      "due_at": 1738575599859,
      "is_overdue": false,
      "rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
    },
    "integrations": {
      "cases": {
        "assignee": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        },
        "created_at": 1738575599859,
        "created_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        },
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "jira_issue": {
          "key": "PROJ-12345",
          "status": "To Do",
          "url": "https://your-org.atlassian.net/browse/PROJ-12345"
        },
        "key": "CASE-42",
        "status": "open",
        "updated_at": 1738575599859,
        "updated_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        }
      }
    },
    "mute": {
      "description": "Free text",
      "expire_at": 1738575599859,
      "is_muted": false,
      "is_muted_by_rule": false,
      "muted_at": 1738575599859,
      "muted_by": {
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "name": "Alice"
      },
      "reason": "Resource deleted"
    },
    "triage": {
      "assignee": {
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "name": "Alice",
        "updated_at": 1738575600859,
        "updated_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        }
      }
    }
  },
  "tags": [
    "origin:agentless-scanner",
    "source:vulnerability_management"
  ]
}
```

{% /tab %}

{% tab title="IaC Misconfiguration" %}

```json
{
  "base_severity": "critical",
  "cloud_resource": {
    "account": {
      "account": "Main production account",
      "account_id": "123456789012"
    },
    "cloud_provider": "AWS",
    "cloud_provider_url": "https://us-east-1.console.aws.amazon.com/ec2/home#Instances:instanceId=i-0123456789abcdef0",
    "configuration": {
      "account_id": "123456789012",
      "ami_launch_index": 0,
      "architecture": "x86_64",
      "aws_ami_key": "abcdef0123456789abcdef0123456789",
      "aws_iam_instance_profile_key": "abcdef0123456789abcdef0123456789",
      "aws_subnet_key": "abcdef0123456789abcdef0123456789",
      "aws_vpc_key": "abcdef0123456789abcdef0123456789",
      "block_device_mappings": [
        {
          "device_name": "/dev/sdf",
          "ebs": {
            "attach_time": 1734064859000,
            "delete_on_termination": true,
            "status": "attached",
            "volume_id": "vol-0123456789abcdef0"
          }
        }
      ]
    },
    "display_name": "i-012abcd34efghi56",
    "key": "arn:aws:ec2:us-east-1:123456789012:instance/i-012abcd34efghi56"
  },
  "container_image": {
    "name": "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:v1.0.0",
    "registries": [
      "123456789012.dkr.ecr.us-east-1.amazonaws.com"
    ],
    "repo_digests": [
      "sha256:abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"
    ]
  },
  "description": "A Terraform configuration defines an S3 bucket without server-side encryption enabled, leaving stored objects unencrypted at rest.",
  "detection_changed_at": 1738575599859,
  "exposure_time_seconds": 300,
  "finding_id": "AbCdEfGhIjKlMnOpQrStUvWx",
  "finding_type": "iac_misconfiguration",
  "first_seen_at": 1738575592659,
  "git": {
    "author": {
      "authored_at": 1738575599859,
      "email": "alice@example.com",
      "name": "Alice"
    },
    "branch": "main",
    "committer": {
      "committed_at": 1738575599859,
      "email": "bob@example.com",
      "name": "Bob"
    },
    "default_branch": "main",
    "is_default_branch": false,
    "repository_id": "123456789",
    "repository_url": "https://github.com/example-org/terraform/",
    "sha": "abcdef1234567890abcdef1234567890abcdef12"
  },
  "is_in_security_inbox": false,
  "last_seen_at": 1738624280889,
  "metadata": {
    "schema_version": "2"
  },
  "origin": [
    "agentless-scanner"
  ],
  "remediation": {
    "is_available": false
  },
  "resource_id": "github.com/example-org/terraform/main.tf:aws_s3_bucket.data",
  "resource_name": "aws_s3_bucket.data",
  "resource_type": "terraform_resource",
  "rule": {
    "default_rule_id": "def-000-abc",
    "id": "def-000-iac",
    "name": "S3 bucket should have server-side encryption enabled",
    "type": "cloud_configuration",
    "version": 3
  },
  "severity": "critical",
  "severity_details": {
    "adjusted": {
      "score": 9.8,
      "value": "Critical",
      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/RC:C"
    },
    "base": {
      "score": 9.8,
      "value": "Critical",
      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/RC:C"
    }
  },
  "status": "open",
  "title": "S3 bucket without server-side encryption",
  "vulnerability": {
    "hash": "abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"
  },
  "workflow": {
    "auto_closed_at": 1738575600859,
    "automations": {
      "rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "rule_name": "mute misconfigs with free text query",
      "rule_type": "mute"
    },
    "due_date": {
      "due_at": 1738575599859,
      "is_overdue": false,
      "rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
    },
    "integrations": {
      "cases": {
        "assignee": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        },
        "created_at": 1738575599859,
        "created_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        },
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "jira_issue": {
          "key": "PROJ-12345",
          "status": "To Do",
          "url": "https://your-org.atlassian.net/browse/PROJ-12345"
        },
        "key": "CASE-42",
        "status": "open",
        "updated_at": 1738575599859,
        "updated_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        }
      }
    },
    "mute": {
      "description": "Free text",
      "expire_at": 1738575599859,
      "is_muted": false,
      "is_muted_by_rule": false,
      "muted_at": 1738575599859,
      "muted_by": {
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "name": "Alice"
      },
      "reason": "Resource deleted"
    },
    "triage": {
      "assignee": {
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "name": "Alice",
        "updated_at": 1738575600859,
        "updated_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        }
      }
    }
  },
  "tags": [
    "origin:agentless-scanner",
    "source:vulnerability_management"
  ]
}
```

{% /tab %}

{% tab title="Identity Risk" %}

```json
{
  "base_severity": "critical",
  "cloud_resource": {
    "account": {
      "account": "Main production account",
      "account_id": "123456789012"
    },
    "cloud_provider": "AWS",
    "cloud_provider_url": "https://us-east-1.console.aws.amazon.com/ec2/home#Instances:instanceId=i-0123456789abcdef0",
    "configuration": {
      "account_id": "123456789012",
      "ami_launch_index": 0,
      "architecture": "x86_64",
      "aws_ami_key": "abcdef0123456789abcdef0123456789",
      "aws_iam_instance_profile_key": "abcdef0123456789abcdef0123456789",
      "aws_subnet_key": "abcdef0123456789abcdef0123456789",
      "aws_vpc_key": "abcdef0123456789abcdef0123456789",
      "block_device_mappings": [
        {
          "device_name": "/dev/sdf",
          "ebs": {
            "attach_time": 1734064859000,
            "delete_on_termination": true,
            "status": "attached",
            "volume_id": "vol-0123456789abcdef0"
          }
        }
      ]
    },
    "display_name": "i-012abcd34efghi56",
    "key": "arn:aws:ec2:us-east-1:123456789012:instance/i-012abcd34efghi56"
  },
  "compliance": {
    "evaluation": "fail"
  },
  "container_image": {
    "name": "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:v1.0.0",
    "registries": [
      "123456789012.dkr.ecr.us-east-1.amazonaws.com"
    ],
    "repo_digests": [
      "sha256:abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"
    ]
  },
  "description": "An IAM user account has not been used in over 90 days and still has active access keys with administrative privileges, creating an unnecessary attack surface.",
  "detection_changed_at": 1738575599859,
  "exposure_time_seconds": 300,
  "finding_id": "AbCdEfGhIjKlMnOpQrStUvWx",
  "finding_type": "identity_risk",
  "first_seen_at": 1738575592659,
  "is_in_security_inbox": false,
  "last_seen_at": 1738624280889,
  "metadata": {
    "schema_version": "2"
  },
  "origin": [
    "agentless-scanner"
  ],
  "resource_id": "arn:aws:iam::123456789012:user/legacy-admin",
  "resource_name": "legacy-admin",
  "resource_type": "aws_iam_user",
  "rule": {
    "default_rule_id": "def-000-abc",
    "id": "def-000-idr",
    "name": "IAM user inactive for 90+ days with active access keys",
    "type": "cloud_configuration",
    "version": 3
  },
  "severity": "critical",
  "severity_details": {
    "adjusted": {
      "score": 9.8,
      "value": "Critical",
      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/RC:C"
    },
    "base": {
      "score": 9.8,
      "value": "Critical",
      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/RC:C"
    }
  },
  "status": "open",
  "title": "Inactive IAM user with administrative access keys",
  "workflow": {
    "auto_closed_at": 1738575600859,
    "automations": {
      "rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "rule_name": "mute misconfigs with free text query",
      "rule_type": "mute"
    },
    "due_date": {
      "due_at": 1738575599859,
      "is_overdue": false,
      "rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
    },
    "integrations": {
      "cases": {
        "assignee": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        },
        "created_at": 1738575599859,
        "created_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        },
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "jira_issue": {
          "key": "PROJ-12345",
          "status": "To Do",
          "url": "https://your-org.atlassian.net/browse/PROJ-12345"
        },
        "key": "CASE-42",
        "status": "open",
        "updated_at": 1738575599859,
        "updated_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        }
      }
    },
    "mute": {
      "description": "Free text",
      "expire_at": 1738575599859,
      "is_muted": false,
      "is_muted_by_rule": false,
      "muted_at": 1738575599859,
      "muted_by": {
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "name": "Alice"
      },
      "reason": "Resource deleted"
    },
    "triage": {
      "assignee": {
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "name": "Alice",
        "updated_at": 1738575600859,
        "updated_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        }
      }
    }
  },
  "tags": [
    "origin:agentless-scanner",
    "source:vulnerability_management"
  ]
}
```

{% /tab %}

{% tab title="Library Vulnerability" %}

```json
{
  "advisory": {
    "aliases": [
      "CVE-2024-67890"
    ],
    "cve": "CVE-2024-67890",
    "id": "TRIVY-CVE-2024-67890"
  },
  "base_severity": "critical",
  "container_image": {
    "name": "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:v1.0.0",
    "registries": [
      "123456789012.dkr.ecr.us-east-1.amazonaws.com"
    ],
    "repo_digests": [
      "sha256:abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"
    ]
  },
  "description": "A remote code execution vulnerability in the logging library allows an attacker to execute arbitrary code by sending a crafted log message that exploits unsafe deserialization.",
  "detection_changed_at": 1738575599859,
  "exposure_time_seconds": 300,
  "finding_id": "AbCdEfGhIjKlMnOpQrStUvWx",
  "finding_type": "library_vulnerability",
  "first_seen_at": 1738575592659,
  "git": {
    "author": {
      "authored_at": 1738575599859,
      "email": "alice@example.com",
      "name": "Alice"
    },
    "branch": "main",
    "committer": {
      "committed_at": 1738575599859,
      "email": "bob@example.com",
      "name": "Bob"
    },
    "default_branch": "main",
    "is_default_branch": false,
    "repository_id": "123456789",
    "repository_url": "https://github.com/example-org/my-app/",
    "sha": "abcdef1234567890abcdef1234567890abcdef12"
  },
  "is_in_security_inbox": false,
  "last_seen_at": 1738624280889,
  "metadata": {
    "schema_version": "2"
  },
  "origin": [
    "agentless-scanner"
  ],
  "package": {
    "name": "lodash",
    "normalized_name": "lodash",
    "scope": "production",
    "version": "4.17.20"
  },
  "remediation": {
    "is_available": false
  },
  "resource_id": "lodash:4.17.20",
  "resource_name": "lodash",
  "resource_type": "software_package",
  "risk_details": {
    "has_exploit_available": {
      "evidence": {
        "exploit_sources": [
          "GitHub"
        ],
        "exploit_urls": [
          "https://github.com/example/POC-CVE-2024-67890"
        ]
      }
    },
    "has_high_exploitability_chance": {
      "evidence": {
        "epss_score": 0.70718,
        "epss_severity": "high"
      }
    }
  },
  "service": {
    "name": "chatbot-api"
  },
  "severity": "critical",
  "severity_details": {
    "adjusted": {
      "score": 9.8,
      "value": "Critical",
      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/RC:C"
    },
    "base": {
      "score": 9.8,
      "value": "Critical",
      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/RC:C"
    }
  },
  "status": "open",
  "title": "Remote code execution in logging library",
  "vulnerability": {
    "hash": "abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890",
    "stack": {
      "ecosystem": "npm"
    }
  },
  "workflow": {
    "auto_closed_at": 1738575600859,
    "automations": {
      "rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "rule_name": "mute misconfigs with free text query",
      "rule_type": "mute"
    },
    "due_date": {
      "due_at": 1738575599859,
      "is_overdue": false,
      "rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
    },
    "integrations": {
      "cases": {
        "assignee": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        },
        "created_at": 1738575599859,
        "created_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        },
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "jira_issue": {
          "key": "PROJ-12345",
          "status": "To Do",
          "url": "https://your-org.atlassian.net/browse/PROJ-12345"
        },
        "key": "CASE-42",
        "status": "open",
        "updated_at": 1738575599859,
        "updated_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        }
      }
    },
    "mute": {
      "description": "Free text",
      "expire_at": 1738575599859,
      "is_muted": false,
      "is_muted_by_rule": false,
      "muted_at": 1738575599859,
      "muted_by": {
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "name": "Alice"
      },
      "reason": "Resource deleted"
    },
    "triage": {
      "assignee": {
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "name": "Alice",
        "updated_at": 1738575600859,
        "updated_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        }
      }
    }
  },
  "tags": [
    "origin:agentless-scanner",
    "source:vulnerability_management"
  ]
}
```

{% /tab %}

{% tab title="Misconfiguration" %}

```json
{
  "base_severity": "critical",
  "cloud_resource": {
    "account": {
      "account": "Main production account",
      "account_id": "123456789012"
    },
    "cloud_provider": "AWS",
    "cloud_provider_url": "https://us-east-1.console.aws.amazon.com/ec2/home#Instances:instanceId=i-0123456789abcdef0",
    "configuration": {
      "account_id": "123456789012",
      "ami_launch_index": 0,
      "architecture": "x86_64",
      "aws_ami_key": "abcdef0123456789abcdef0123456789",
      "aws_iam_instance_profile_key": "abcdef0123456789abcdef0123456789",
      "aws_subnet_key": "abcdef0123456789abcdef0123456789",
      "aws_vpc_key": "abcdef0123456789abcdef0123456789",
      "block_device_mappings": [
        {
          "device_name": "/dev/sdf",
          "ebs": {
            "attach_time": 1734064859000,
            "delete_on_termination": true,
            "status": "attached",
            "volume_id": "vol-0123456789abcdef0"
          }
        }
      ]
    },
    "display_name": "i-012abcd34efghi56",
    "key": "arn:aws:ec2:us-east-1:123456789012:instance/i-012abcd34efghi56"
  },
  "compliance": {
    "evaluation": "fail"
  },
  "container_image": {
    "name": "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:v1.0.0",
    "registries": [
      "123456789012.dkr.ecr.us-east-1.amazonaws.com"
    ],
    "repo_digests": [
      "sha256:abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"
    ]
  },
  "description": "An AWS security group allows unrestricted inbound SSH access from any IP address (0.0.0.0/0), exposing the associated instances to brute-force and unauthorized access attempts.",
  "detection_changed_at": 1738575599859,
  "exposure_time_seconds": 300,
  "finding_id": "AbCdEfGhIjKlMnOpQrStUvWx",
  "finding_type": "misconfiguration",
  "first_seen_at": 1738575592659,
  "is_in_security_inbox": false,
  "last_seen_at": 1738624280889,
  "metadata": {
    "schema_version": "2"
  },
  "origin": [
    "agentless-scanner"
  ],
  "resource_id": "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0123456789abcdef0",
  "resource_name": "sg-0123456789abcdef0",
  "resource_type": "aws_security_group",
  "risk_details": {
    "is_publicly_accessible": {
      "evidence": {
        "resource_key": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/1234567890abcdef"
      }
    }
  },
  "rule": {
    "default_rule_id": "def-000-abc",
    "id": "def-000-cfg",
    "name": "Security group should not allow unrestricted SSH access",
    "type": "cloud_configuration",
    "version": 3
  },
  "severity": "critical",
  "severity_details": {
    "adjusted": {
      "score": 9.8,
      "value": "Critical",
      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/RC:C"
    },
    "base": {
      "score": 9.8,
      "value": "Critical",
      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/RC:C"
    }
  },
  "status": "open",
  "title": "Security group allows unrestricted SSH access",
  "workflow": {
    "auto_closed_at": 1738575600859,
    "automations": {
      "rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "rule_name": "mute misconfigs with free text query",
      "rule_type": "mute"
    },
    "due_date": {
      "due_at": 1738575599859,
      "is_overdue": false,
      "rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
    },
    "integrations": {
      "cases": {
        "assignee": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        },
        "created_at": 1738575599859,
        "created_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        },
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "jira_issue": {
          "key": "PROJ-12345",
          "status": "To Do",
          "url": "https://your-org.atlassian.net/browse/PROJ-12345"
        },
        "key": "CASE-42",
        "status": "open",
        "updated_at": 1738575599859,
        "updated_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        }
      }
    },
    "mute": {
      "description": "Free text",
      "expire_at": 1738575599859,
      "is_muted": false,
      "is_muted_by_rule": false,
      "muted_at": 1738575599859,
      "muted_by": {
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "name": "Alice"
      },
      "reason": "Resource deleted"
    },
    "triage": {
      "assignee": {
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "name": "Alice",
        "updated_at": 1738575600859,
        "updated_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        }
      }
    }
  },
  "tags": [
    "origin:agentless-scanner",
    "source:vulnerability_management"
  ]
}
```

{% /tab %}

{% tab title="Runtime Code Vulnerability" %}

```json
{
  "base_severity": "critical",
  "container_image": {
    "name": "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:v1.0.0",
    "registries": [
      "123456789012.dkr.ecr.us-east-1.amazonaws.com"
    ],
    "repo_digests": [
      "sha256:abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"
    ]
  },
  "description": "A SQL injection vulnerability was detected at runtime in the application's search endpoint. User-supplied input is concatenated directly into a SQL query without parameterized statements.",
  "detection_changed_at": 1738575599859,
  "exposure_time_seconds": 300,
  "finding_id": "AbCdEfGhIjKlMnOpQrStUvWx",
  "finding_type": "runtime_code_vulnerability",
  "first_seen_at": 1738575592659,
  "git": {
    "author": {
      "authored_at": 1738575599859,
      "email": "alice@example.com",
      "name": "Alice"
    },
    "branch": "main",
    "committer": {
      "committed_at": 1738575599859,
      "email": "bob@example.com",
      "name": "Bob"
    },
    "default_branch": "main",
    "is_default_branch": false,
    "repository_id": "123456789",
    "repository_url": "https://github.com/example-org/my-app/",
    "sha": "abcdef1234567890abcdef1234567890abcdef12"
  },
  "is_in_security_inbox": false,
  "last_seen_at": 1738624280889,
  "metadata": {
    "schema_version": "2"
  },
  "origin": [
    "agentless-scanner"
  ],
  "remediation": {
    "is_available": false
  },
  "resource_id": "my-app:/api/search",
  "resource_name": "my-app",
  "resource_type": "application_service",
  "rule": {
    "default_rule_id": "def-000-abc",
    "id": "rtcv-001-sqli",
    "name": "SQL injection detected in application endpoint",
    "type": "application_code_vulnerability",
    "version": 3
  },
  "service": {
    "name": "chatbot-api"
  },
  "severity": "critical",
  "severity_details": {
    "adjusted": {
      "score": 9.8,
      "value": "Critical",
      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/RC:C"
    },
    "base": {
      "score": 9.8,
      "value": "Critical",
      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/RC:C"
    }
  },
  "status": "open",
  "title": "SQL injection in search endpoint",
  "vulnerability": {
    "hash": "abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"
  },
  "workflow": {
    "auto_closed_at": 1738575600859,
    "automations": {
      "rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "rule_name": "mute misconfigs with free text query",
      "rule_type": "mute"
    },
    "due_date": {
      "due_at": 1738575599859,
      "is_overdue": false,
      "rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
    },
    "integrations": {
      "cases": {
        "assignee": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        },
        "created_at": 1738575599859,
        "created_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        },
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "jira_issue": {
          "key": "PROJ-12345",
          "status": "To Do",
          "url": "https://your-org.atlassian.net/browse/PROJ-12345"
        },
        "key": "CASE-42",
        "status": "open",
        "updated_at": 1738575599859,
        "updated_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        }
      }
    },
    "mute": {
      "description": "Free text",
      "expire_at": 1738575599859,
      "is_muted": false,
      "is_muted_by_rule": false,
      "muted_at": 1738575599859,
      "muted_by": {
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "name": "Alice"
      },
      "reason": "Resource deleted"
    },
    "triage": {
      "assignee": {
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "name": "Alice",
        "updated_at": 1738575600859,
        "updated_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        }
      }
    }
  },
  "tags": [
    "origin:agentless-scanner",
    "source:vulnerability_management"
  ]
}
```

{% /tab %}

{% tab title="Secret" %}

```json
{
  "base_severity": "critical",
  "container_image": {
    "name": "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:v1.0.0",
    "registries": [
      "123456789012.dkr.ecr.us-east-1.amazonaws.com"
    ],
    "repo_digests": [
      "sha256:abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"
    ]
  },
  "description": "An AWS access key was found hardcoded in a configuration file committed to the repository. Exposed credentials can be used to gain unauthorized access to cloud resources.",
  "detection_changed_at": 1738575599859,
  "exposure_time_seconds": 300,
  "finding_id": "AbCdEfGhIjKlMnOpQrStUvWx",
  "finding_type": "secret",
  "first_seen_at": 1738575592659,
  "git": {
    "author": {
      "authored_at": 1738575599859,
      "email": "alice@example.com",
      "name": "Alice"
    },
    "branch": "main",
    "committer": {
      "committed_at": 1738575599859,
      "email": "bob@example.com",
      "name": "Bob"
    },
    "default_branch": "main",
    "is_default_branch": false,
    "repository_id": "123456789",
    "repository_url": "https://github.com/example-org/my-app/",
    "sha": "abcdef1234567890abcdef1234567890abcdef12"
  },
  "is_in_security_inbox": false,
  "last_seen_at": 1738624280889,
  "metadata": {
    "schema_version": "2"
  },
  "origin": [
    "agentless-scanner"
  ],
  "remediation": {
    "is_available": false
  },
  "resource_id": "github.com/example-org/my-app/config/settings.py:42",
  "resource_name": "settings.py",
  "resource_type": "source_code_file",
  "rule": {
    "default_rule_id": "def-000-abc",
    "id": "sct-001-aws",
    "name": "AWS access key detected in source code",
    "type": "credential_exposure",
    "version": 3
  },
  "service": {
    "name": "chatbot-api"
  },
  "severity": "critical",
  "severity_details": {
    "adjusted": {
      "score": 9.8,
      "value": "Critical",
      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/RC:C"
    },
    "base": {
      "score": 9.8,
      "value": "Critical",
      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/RC:C"
    }
  },
  "status": "open",
  "title": "Hardcoded AWS access key in configuration file",
  "vulnerability": {
    "hash": "abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"
  },
  "workflow": {
    "auto_closed_at": 1738575600859,
    "automations": {
      "rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "rule_name": "mute misconfigs with free text query",
      "rule_type": "mute"
    },
    "due_date": {
      "due_at": 1738575599859,
      "is_overdue": false,
      "rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
    },
    "integrations": {
      "cases": {
        "assignee": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        },
        "created_at": 1738575599859,
        "created_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        },
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "jira_issue": {
          "key": "PROJ-12345",
          "status": "To Do",
          "url": "https://your-org.atlassian.net/browse/PROJ-12345"
        },
        "key": "CASE-42",
        "status": "open",
        "updated_at": 1738575599859,
        "updated_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        }
      }
    },
    "mute": {
      "description": "Free text",
      "expire_at": 1738575599859,
      "is_muted": false,
      "is_muted_by_rule": false,
      "muted_at": 1738575599859,
      "muted_by": {
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "name": "Alice"
      },
      "reason": "Resource deleted"
    },
    "triage": {
      "assignee": {
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "name": "Alice",
        "updated_at": 1738575600859,
        "updated_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        }
      }
    }
  },
  "tags": [
    "origin:agentless-scanner",
    "source:vulnerability_management"
  ]
}
```

{% /tab %}

{% tab title="Static Code Vulnerability" %}

```json
{
  "base_severity": "critical",
  "container_image": {
    "name": "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:v1.0.0",
    "registries": [
      "123456789012.dkr.ecr.us-east-1.amazonaws.com"
    ],
    "repo_digests": [
      "sha256:abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"
    ]
  },
  "description": "A cross-site scripting (XSS) vulnerability was found in the application's template rendering. User input is inserted into HTML output without proper escaping, allowing script injection.",
  "detection_changed_at": 1738575599859,
  "exposure_time_seconds": 300,
  "finding_id": "AbCdEfGhIjKlMnOpQrStUvWx",
  "finding_type": "static_code_vulnerability",
  "first_seen_at": 1738575592659,
  "git": {
    "author": {
      "authored_at": 1738575599859,
      "email": "alice@example.com",
      "name": "Alice"
    },
    "branch": "main",
    "committer": {
      "committed_at": 1738575599859,
      "email": "bob@example.com",
      "name": "Bob"
    },
    "default_branch": "main",
    "is_default_branch": false,
    "repository_id": "123456789",
    "repository_url": "https://github.com/example-org/my-app/",
    "sha": "abcdef1234567890abcdef1234567890abcdef12"
  },
  "is_in_security_inbox": false,
  "last_seen_at": 1738624280889,
  "metadata": {
    "schema_version": "2"
  },
  "origin": [
    "agentless-scanner"
  ],
  "remediation": {
    "is_available": false
  },
  "resource_id": "github.com/example-org/my-app/src/templates/profile.html:18",
  "resource_name": "profile.html",
  "resource_type": "source_code_file",
  "rule": {
    "default_rule_id": "def-000-abc",
    "id": "sast-001-xss",
    "name": "Reflected XSS via unescaped user input in template",
    "type": "application_code_vulnerability",
    "version": 3
  },
  "service": {
    "name": "chatbot-api"
  },
  "severity": "critical",
  "severity_details": {
    "adjusted": {
      "score": 9.8,
      "value": "Critical",
      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/RC:C"
    },
    "base": {
      "score": 9.8,
      "value": "Critical",
      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/RC:C"
    }
  },
  "status": "open",
  "title": "Cross-site scripting in template rendering",
  "vulnerability": {
    "hash": "abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"
  },
  "workflow": {
    "auto_closed_at": 1738575600859,
    "automations": {
      "rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "rule_name": "mute misconfigs with free text query",
      "rule_type": "mute"
    },
    "due_date": {
      "due_at": 1738575599859,
      "is_overdue": false,
      "rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
    },
    "integrations": {
      "cases": {
        "assignee": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        },
        "created_at": 1738575599859,
        "created_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        },
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "jira_issue": {
          "key": "PROJ-12345",
          "status": "To Do",
          "url": "https://your-org.atlassian.net/browse/PROJ-12345"
        },
        "key": "CASE-42",
        "status": "open",
        "updated_at": 1738575599859,
        "updated_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        }
      }
    },
    "mute": {
      "description": "Free text",
      "expire_at": 1738575599859,
      "is_muted": false,
      "is_muted_by_rule": false,
      "muted_at": 1738575599859,
      "muted_by": {
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "name": "Alice"
      },
      "reason": "Resource deleted"
    },
    "triage": {
      "assignee": {
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "name": "Alice",
        "updated_at": 1738575600859,
        "updated_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        }
      }
    }
  },
  "tags": [
    "origin:agentless-scanner",
    "source:vulnerability_management"
  ]
}
```

{% /tab %}

{% tab title="Workload Activity" %}

```json
{
  "base_severity": "critical",
  "container_image": {
    "name": "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:v1.0.0",
    "registries": [
      "123456789012.dkr.ecr.us-east-1.amazonaws.com"
    ],
    "repo_digests": [
      "sha256:abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"
    ]
  },
  "description": "A container process executed a binary that was not part of the original container image. This unexpected process execution may indicate a compromised workload or unauthorized modification.",
  "detection_changed_at": 1738575599859,
  "exposure_time_seconds": 300,
  "finding_id": "AbCdEfGhIjKlMnOpQrStUvWx",
  "finding_type": "workload_activity",
  "first_seen_at": 1738575592659,
  "is_in_security_inbox": false,
  "last_seen_at": 1738624280889,
  "metadata": {
    "schema_version": "2"
  },
  "origin": [
    "agentless-scanner"
  ],
  "resource_id": "k8s-pod:default/my-app-7b9d5c8f4-x2k9m",
  "resource_name": "my-app-7b9d5c8f4-x2k9m",
  "resource_type": "kubernetes_pod",
  "rule": {
    "default_rule_id": "def-000-abc",
    "id": "def-000-wka",
    "name": "Process launched from unexpected path in container",
    "type": "workload_security",
    "version": 3
  },
  "severity": "critical",
  "severity_details": {
    "adjusted": {
      "score": 9.8,
      "value": "Critical",
      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/RC:C"
    },
    "base": {
      "score": 9.8,
      "value": "Critical",
      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/RC:C"
    }
  },
  "status": "open",
  "title": "Unexpected process execution in container",
  "workflow": {
    "auto_closed_at": 1738575600859,
    "automations": {
      "rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "rule_name": "mute misconfigs with free text query",
      "rule_type": "mute"
    },
    "due_date": {
      "due_at": 1738575599859,
      "is_overdue": false,
      "rule_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
    },
    "integrations": {
      "cases": {
        "assignee": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        },
        "created_at": 1738575599859,
        "created_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        },
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "jira_issue": {
          "key": "PROJ-12345",
          "status": "To Do",
          "url": "https://your-org.atlassian.net/browse/PROJ-12345"
        },
        "key": "CASE-42",
        "status": "open",
        "updated_at": 1738575599859,
        "updated_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        }
      }
    },
    "mute": {
      "description": "Free text",
      "expire_at": 1738575599859,
      "is_muted": false,
      "is_muted_by_rule": false,
      "muted_at": 1738575599859,
      "muted_by": {
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "name": "Alice"
      },
      "reason": "Resource deleted"
    },
    "triage": {
      "assignee": {
        "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "name": "Alice",
        "updated_at": 1738575600859,
        "updated_by": {
          "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "name": "Alice"
        }
      }
    }
  },
  "tags": [
    "origin:agentless-scanner",
    "source:vulnerability_management"
  ]
}
```

{% /tab %}



## Schema Reference{% #schema-reference %}

The following sections describe all available attributes in the Security Findings schema, organized by namespace.

{% collapsible-section #core-attributes %}
### Core Attributes

These attributes are present on all security findings and describe the fundamental nature and status of the finding.

| Attribute name | Type | Description |
| --- | --- | --- |
| `additional_resources` | array (object) | **Path:** `@additional_resources` Additional resources. For example, an AWS EC2 instance can have security groups and Auto Scaling groups as additional resources. |
| `base_severity` | string | **Path:** `@base_severity` Base severity level of the finding before any adjustments. Valid values: `critical`, `high`, `medium`, `low`, `info`, `none`, `unknown`. |
| `description` | string | **Path:** `@description` Human-readable explanation of the finding. May include Markdown formatting. |
| `detection_changed_at` | integer | **Path:** `@detection_changed_at` Timestamp in milliseconds (UTC) when the finding's evaluation or detection state last changed. |
| `exposure_time_seconds` | integer | **Path:** `@exposure_time_seconds` Indicates the time elapsed, in seconds, between when the finding was last closed and when it was first detected. |
| `finding_id` | string | **Path:** `@finding_id` Unique identifier of the finding. |
| `finding_type` | string | **Path:** `@finding_type` Category of the finding. Valid values: `api_security`, `attack_path`, `runtime_code_vulnerability`, `static_code_vulnerability`, `host_and_container_vulnerability`, `iac_misconfiguration`, `identity_risk`, `library_vulnerability`, `misconfiguration`, `secret`, `workload_activity`, `sensitive_data`. |
| `first_seen_at` | integer | **Path:** `@first_seen_at` Timestamp in milliseconds (UTC) when the finding was first detected. |
| `is_in_security_inbox` | boolean | **Path:** `@is_in_security_inbox` `true` if the finding appears in the Security Inbox; `false` otherwise. |
| `last_detected_at` | integer | **Path:** `@last_detected_at` Discovery timestamp in milliseconds (UTC) when the last detection was received by the finding platform. |
| `last_seen_at` | integer | **Path:** `@last_seen_at` Timestamp in milliseconds (UTC) when the finding was most recently detected. |
| `origin` | array (string) | **Path:** `@origin` Detection origins that produced the finding, such as agentless scans, APM, SCA (Software Composition Analysis), or CI (Continuous Integration). |
| `related_services` | array (string) | **Path:** `@related_services` Services that are inferred from Source Code Integration (for example, for SAST findings). |
| `resource_id` | string | **Path:** `@resource_id` Unique identifier of the resource affected by the finding. |
| `resource_name` | string | **Path:** `@resource_name` Human-readable name of the resource affected by the finding. |
| `resource_type` | string | **Path:** `@resource_type` Type of the resource. |
| `severity` | string | **Path:** `@severity` Final severity level of the finding, after Datadog adjustments and any user-defined severity modifications. Valid values: `critical`, `high`, `medium`, `low`, `info`, `none`, `unknown`. |
| `source_finding_raw_data` | object | **Path:** `@source_finding_raw_data` Raw data from third-party integrations that generated the finding. |
| `status` | string | **Path:** `@status` Workflow status of the finding. Valid values: `open`, `muted`, `auto_closed`, `resolved`, `in-progress`. |
| `time_to_resolution` | integer | **Path:** `@time_to_resolution` Time in seconds between when the finding was first detected and when it was resolved. |
| `title` | string | **Path:** `@title` Human-readable title for the finding. |

### Additional Resources{% #additional-resources %}

Additional resources. For example, an AWS EC2 instance can have security groups and Auto Scaling groups as additional resources.

| Attribute name | Type | Description |
| --- | --- | --- |
| `category` | string | **Path:** `@additional_resources.category` Category of the additional resource. Valid values: `cloud_resource`, `k8s`, `host`, `service`, `git`, `iac_resource`. |
| `configuration` | object | **Path:** `@additional_resources.configuration` Configuration of the additional resource. |
| `key` | string | **Path:** `@additional_resources.key` Canonical Cloud Resource Identifier (CCRID) of the additional resource when the resource is cloud-backed (for example, when `category` is `cloud_resource`). This field may be omitted for non-cloud categories such as `k8s`, `host`, `service`, or `git`. |

{% /collapsible-section %}
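
The following is an added example, not Datadog code: a Python check of an exported finding against the types and valid values listed in the Core Attributes and Additional Resources tables above. The two sample findings are constructed from the misconfiguration sample on this page; the millisecond-magnitude threshold and the first-seen/last-seen ordering check are assumptions of this example, not rules stated by the schema.

```python
import json

# Valid values copied from the Core Attributes and Additional Resources tables.
SEVERITIES = {"critical", "high", "medium", "low", "info", "none", "unknown"}
FINDING_TYPES = {
    "api_security", "attack_path", "runtime_code_vulnerability",
    "static_code_vulnerability", "host_and_container_vulnerability",
    "iac_misconfiguration", "identity_risk", "library_vulnerability",
    "misconfiguration", "secret", "workload_activity", "sensitive_data",
}
STATUSES = {"open", "muted", "auto_closed", "resolved", "in-progress"}
RESOURCE_CATEGORIES = {"cloud_resource", "k8s", "host", "service", "git", "iac_resource"}

# Attribute name -> type, in the order of the Core Attributes table.
CORE_TYPES = {
    "additional_resources": "array(object)", "base_severity": "string",
    "description": "string", "detection_changed_at": "integer",
    "exposure_time_seconds": "integer", "finding_id": "string",
    "finding_type": "string", "first_seen_at": "integer",
    "is_in_security_inbox": "boolean", "last_detected_at": "integer",
    "last_seen_at": "integer", "origin": "array(string)",
    "related_services": "array(string)", "resource_id": "string",
    "resource_name": "string", "resource_type": "string",
    "severity": "string", "source_finding_raw_data": "object",
    "status": "string", "time_to_resolution": "integer", "title": "string",
}
ENUMS = {"base_severity": SEVERITIES, "severity": SEVERITIES,
         "finding_type": FINDING_TYPES, "status": STATUSES}
TIMESTAMPS_MS = ("detection_changed_at", "first_seen_at",
                 "last_detected_at", "last_seen_at")
# Assumption: an epoch value below 10**11 is in seconds (as milliseconds it
# would fall in early 1973), so it is flagged as a probable unit mistake.
MIN_PLAUSIBLE_MS = 10**11


def _is(kind, value):
    """Return True if value matches a type name used in the schema tables."""
    if kind == "string":
        return isinstance(value, str)
    if kind == "integer":  # bool is a subclass of int in Python; reject it
        return isinstance(value, int) and not isinstance(value, bool)
    if kind == "boolean":
        return isinstance(value, bool)
    if kind == "object":
        return isinstance(value, dict)
    if kind.startswith("array("):
        return isinstance(value, list) and all(_is(kind[6:-1], v) for v in value)
    raise ValueError(f"unknown kind {kind}")


def validate_finding(finding):
    """Return a list of problems; an empty list means the finding conforms."""
    problems = []
    for name, kind in CORE_TYPES.items():
        if name not in finding:  # the page's samples omit some attributes
            continue
        value = finding[name]
        if not _is(kind, value):
            problems.append(f"{name}: expected {kind}, got {type(value).__name__}")
        elif name in ENUMS and value not in ENUMS[name]:
            problems.append(f"{name}: {value!r} is not one of {sorted(ENUMS[name])}")
    for name in TIMESTAMPS_MS:
        value = finding.get(name)
        if _is("integer", value) and value < MIN_PLAUSIBLE_MS:
            problems.append(f"{name}: {value} looks like seconds, not milliseconds")
    first, last = finding.get("first_seen_at"), finding.get("last_seen_at")
    if _is("integer", first) and _is("integer", last) and first > last:
        problems.append("first_seen_at is later than last_seen_at")
    resources = finding.get("additional_resources")
    for i, res in enumerate(resources if isinstance(resources, list) else []):
        cat = res.get("category") if isinstance(res, dict) else None
        if cat is not None and cat not in RESOURCE_CATEGORIES:
            problems.append(f"additional_resources[{i}].category: {cat!r} is not a valid category")
    return problems


# Constructed sample: a subset of the misconfiguration finding shown on this page.
GOOD = json.loads("""{
  "base_severity": "critical", "severity": "critical", "status": "open",
  "finding_id": "AbCdEfGhIjKlMnOpQrStUvWx", "finding_type": "misconfiguration",
  "first_seen_at": 1738575592659, "last_seen_at": 1738624280889,
  "is_in_security_inbox": false, "origin": ["agentless-scanner"],
  "resource_type": "aws_security_group", "exposure_time_seconds": 300
}""")
# Constructed sample with mistakes a custom exporter could make: "Critical" is
# the casing used by severity_details.*.value, not by severity; the status
# enum spells "in-progress" with a hyphen; first_seen_at is in seconds.
BAD = dict(GOOD, severity="Critical", status="in_progress",
           first_seen_at=1738575592, is_in_security_inbox="false",
           additional_resources=[{"category": "container"}])

if __name__ == "__main__":
    for label, finding in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate_finding(finding) or "ok")
```
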

{% collapsible-section #advisory %}
### Advisory

Ties a vulnerability to a set of specific software versions. Vulnerability findings with advisories indicate that a vulnerable version of the software was detected (typically through SBOMs).

| Attribute name | Type | Description |
| --- | --- | --- |
| `aliases` | array (string) | **Path:** `@advisory.aliases` Additional identifiers referring to the same vulnerability, created by other entities. |
| `cve` | string | **Path:** `@advisory.cve` Primary globally recognized identifier for a security vulnerability, following the `CVE-YYYY-NNNN` format. |
| `first_remediation_available_at` | integer | **Path:** `@advisory.first_remediation_available_at` Timestamp in milliseconds (UTC) when the first remediation for the advisory became available. |
| `id` | string | **Path:** `@advisory.id` Internal identifier for the advisory. |
| `modified_at` | integer | **Path:** `@advisory.modified_at` Timestamp in milliseconds (UTC) when the advisory was last updated. |
| `published_at` | integer | **Path:** `@advisory.published_at` Timestamp in milliseconds (UTC) when the advisory was published. |
| `summary` | string | **Path:** `@advisory.summary` Short summary of the advisory. |
| `type` | string | **Path:** `@advisory.type` Type of the advisory. Valid values: `component_with_known_vulnerability`, `unmaintained`, `end_of_life`, `dangerous_workflows`, `risky_license`, `malicious_package`. |

{% /collapsible-section %}

{% collapsible-section #api-endpoint %}
### API Endpoint

HTTP endpoint representation.

| Attribute name | Type | Description |
| --- | --- | --- |
| `method` | string | **Path:** `@api_endpoint.method` Method of the endpoint (HTTP verb or gRPC method). |
| `operation_name` | string | **Path:** `@api_endpoint.operation_name` Name of the entry point into a service (for example, `http.request`, `grpc.server`). |
| `path` | string | **Path:** `@api_endpoint.path` Relative templated path of the endpoint. |
| `request_path` | string | **Path:** `@api_endpoint.request_path` Relative path of the endpoint. |
| `resource_name` | string | **Path:** `@api_endpoint.resource_name` Internal identification of the endpoint in the format `<method> <path>`. |

{% /collapsible-section %}

{% collapsible-section #cloud-resource %}
### Cloud Resource

Attributes identifying the cloud resource affected by the finding.

| Attribute name               | Type           | Description                                                                                                                                             |
| ---------------------------- | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `account`                    | string         | **Path:** `@cloud_resource.account`Cloud account that owns the cloud resource (for example, AWS account, Azure subscription, GCP project, OCI tenancy). |
| `account_name`               | string         | **Path:** `@cloud_resource.account_name`Human-readable name of the cloud account owning the resource.                                                   |
| `category`                   | string         | **Path:** `@cloud_resource.category`Category the resource type belongs to.                                                                              |
| `cloud_provider`             | string         | **Path:** `@cloud_resource.cloud_provider`Cloud provider hosting the resource. Valid values: `aws`, `azure`, `gcp`, `oci`.                              |
| `cloud_provider_url`         | string         | **Path:** `@cloud_resource.cloud_provider_url`Link to the resource in the cloud provider console.                                                       |
| `configuration`              | object         | **Path:** `@cloud_resource.configuration`Configuration of the cloud resource, as returned by the cloud provider.                                        |
| `context`                    | object         | **Path:** `@cloud_resource.context`Context for the cloud resource.                                                                                      |
| `display_name`               | string         | **Path:** `@cloud_resource.display_name`Display name of the resource.                                                                                   |
| `key`                        | string         | **Path:** `@cloud_resource.key`Canonical Cloud Resource Identifier (CCRID).                                                                             |
| `public_accessibility_paths` | array (string) | **Path:** `@cloud_resource.public_accessibility_paths`Network paths through which the resource is accessible from the public internet.                  |
| `public_port_ranges`         | array (object) | **Path:** `@cloud_resource.public_port_ranges`Port ranges on the resource that are exposed to the public internet.                                      |
| `region`                     | string         | **Path:** `@cloud_resource.region`Cloud region where the resource is located.                                                                           |

### Public Port Ranges{% #public-port-ranges %}

Port ranges on the resource that are exposed to the public internet.

| Attribute name | Type    | Description                                                                                        |
| -------------- | ------- | -------------------------------------------------------------------------------------------------- |
| `from_port`    | integer | **Path:** `@cloud_resource.public_port_ranges.from_port`Starting port number of the exposed range. |
| `to_port`      | integer | **Path:** `@cloud_resource.public_port_ranges.to_port`Ending port number of the exposed range.     |

{% /collapsible-section %}

{% collapsible-section #code-location %}
### Code Location

Attributes pinpointing the specific file and line numbers where the finding is located.

| Attribute name | Type    | Description                                                                                                         |
| -------------- | ------- | ------------------------------------------------------------------------------------------------------------------- |
| `column_end`   | integer | **Path:** `@code_location.column_end`Ending column position.                                                        |
| `column_start` | integer | **Path:** `@code_location.column_start`Starting column position.                                                    |
| `filename`     | string  | **Path:** `@code_location.filename`Relative path to the file.                                                       |
| `is_test_file` | boolean | **Path:** `@code_location.is_test_file` `true` if the code file is a test file; `false` otherwise.                  |
| `line_end`     | integer | **Path:** `@code_location.line_end`Ending line number.                                                              |
| `line_start`   | integer | **Path:** `@code_location.line_start`Starting line number.                                                          |
| `symbol`       | string  | **Path:** `@code_location.symbol`Symbol name at the code location.                                                  |
| `url`          | string  | **Path:** `@code_location.url`URL to view the file online (for example, in GitHub), highlighting the code location. |

{% /collapsible-section %}

{% collapsible-section #compliance %}
### Compliance

Information specific to compliance findings, such as the compliance rule or the evaluation result (`pass`/`fail`).

| Attribute name | Type           | Description                                                                                                                                                 |
| -------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `agent`        | object         | **Path:** `@compliance.agent`Metadata about the compliance agent that produced the finding.                                                                 |
| `evaluation`   | string         | **Path:** `@compliance.evaluation`Compliance evaluation result. Valid values: `pass` (resource is properly configured), `fail` (resource is misconfigured). |
| `frameworks`   | array (object) | **Path:** `@compliance.frameworks`Compliance frameworks mapped to the finding.                                                                              |

### Agent{% #agent %}

Metadata about the compliance agent that produced the finding.

| Attribute name       | Type   | Description                                                                                               |
| -------------------- | ------ | --------------------------------------------------------------------------------------------------------- |
| `agent_framework_id` | string | **Path:** `@compliance.agent.agent_framework_id`Identifier of the compliance framework used by the agent. |
| `agent_rule_id`      | string | **Path:** `@compliance.agent.agent_rule_id`Identifier of the agent rule that triggered the finding.       |
| `agent_version`      | string | **Path:** `@compliance.agent.agent_version`Version of the compliance agent that produced the finding.     |
| `data`               | object | **Path:** `@compliance.agent.data`Additional data produced by the compliance agent evaluation.            |
| `evaluator`          | string | **Path:** `@compliance.agent.evaluator`Name of the evaluator that assessed the compliance finding.        |

### Frameworks{% #frameworks %}

Compliance frameworks mapped to the finding.

| Attribute name | Type    | Description                                                                                                                      |
| -------------- | ------- | -------------------------------------------------------------------------------------------------------------------------------- |
| `control`      | string  | **Path:** `@compliance.frameworks.control`Identifier of the control within the compliance framework.                             |
| `framework`    | string  | **Path:** `@compliance.frameworks.framework`Identifier of the compliance framework (e.g., `cis`, `pci-dss`).                     |
| `is_default`   | boolean | **Path:** `@compliance.frameworks.is_default` `true` if this is the default framework mapping for the finding, `false` otherwise. |
| `requirement`  | string  | **Path:** `@compliance.frameworks.requirement`Identifier of the requirement within the control.                                  |
| `version`      | string  | **Path:** `@compliance.frameworks.version`Version of the compliance framework.                                                   |

{% /collapsible-section %}
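How the `@`-prefixed paths in the Cloud Resource and Compliance tables can be resolved against a finding's JSON, as an added example that is not Datadog code. It assumes each path maps onto the nested JSON shape of the sample findings earlier on this page, with arrays of objects fanned out; the findings are constructed, and `WATCHED_PORTS`, `resolve`, `exposed_watched_ports` and `triage` are hypothetical names.

```python
import json

# Constructed sample findings (not real data). Attribute names come from the
# tables above; account IDs, resource names, controls and ports are made up.
SAMPLE_FINDINGS = json.loads("""
[
  {"cloud_resource": {"display_name": "example-bastion", "account": "000000000000",
                      "cloud_provider": "aws", "region": "us-east-1",
                      "public_port_ranges": [{"from_port": 22, "to_port": 22},
                                             {"from_port": 8000, "to_port": 8100}]},
   "compliance": {"evaluation": "fail",
                  "frameworks": [{"framework": "cis", "control": "ctl-a", "is_default": true},
                                 {"framework": "pci-dss", "control": "ctl-b", "is_default": false}]}},
  {"cloud_resource": {"display_name": "example-jump", "account": "000000000000",
                      "cloud_provider": "azure", "region": "westeurope",
                      "public_port_ranges": [{"from_port": 3389, "to_port": 3389}]},
   "compliance": {"evaluation": "pass", "frameworks": []}},
  {"cloud_resource": {"display_name": "example-bucket", "account": "000000000001",
                      "cloud_provider": "gcp", "region": "us-central1"},
   "compliance": {"evaluation": "fail",
                  "frameworks": [{"framework": "cis", "control": "ctl-c", "is_default": true}]}},
  {"cloud_resource": {"display_name": "example-db", "account": "000000000001",
                      "cloud_provider": "aws", "region": "eu-west-1",
                      "public_port_ranges": [{"from_port": 5000, "to_port": 6000},
                                             {"from_port": 9000, "to_port": 80}]},
   "compliance": {"evaluation": "fail",
                  "frameworks": [{"framework": "pci-dss", "control": "ctl-d", "is_default": true}]}}
]
""")

# Assumption: ports this team treats as sensitive when publicly reachable.
WATCHED_PORTS = (22, 3389, 5432)


def resolve(finding, path):
    """Return every value reachable at an '@a.b.c' attribute path.

    Arrays of objects are fanned out, so '@compliance.frameworks.framework'
    yields one value per framework object. A missing key yields [].
    """
    nodes = [finding]
    for key in path.lstrip("@").split("."):
        next_nodes = []
        for node in nodes:
            candidates = node if isinstance(node, list) else [node]
            for item in candidates:
                if isinstance(item, dict) and key in item:
                    next_nodes.append(item[key])
        nodes = next_nodes
    values = []
    for node in nodes:  # flatten a terminal array into individual values
        values.extend(node if isinstance(node, list) else [node])
    return values


def _is_port(value):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, int) and not isinstance(value, bool) and 0 <= value <= 65535


def exposed_watched_ports(finding, watched):
    """Watched ports covered by any well-formed public port range."""
    hits = set()
    for rng in resolve(finding, "@cloud_resource.public_port_ranges"):
        if not isinstance(rng, dict):
            continue
        low, high = rng.get("from_port"), rng.get("to_port")
        if not (_is_port(low) and _is_port(high)) or low > high:
            continue  # skip malformed ranges instead of guessing their meaning
        hits.update(port for port in watched if low <= port <= high)
    return sorted(hits)


def triage(findings, watched=WATCHED_PORTS):
    """Failing compliance findings whose resource exposes a watched port."""
    rows = []
    for finding in findings:
        if "fail" not in resolve(finding, "@compliance.evaluation"):
            continue
        ports = exposed_watched_ports(finding, watched)
        if not ports:
            continue
        rows.append({
            "resource": (resolve(finding, "@cloud_resource.display_name") or ["<unknown>"])[0],
            "account": (resolve(finding, "@cloud_resource.account") or ["<unknown>"])[0],
            "ports": ports,
            "frameworks": sorted(set(resolve(finding, "@compliance.frameworks.framework"))),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(row)
```
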

{% collapsible-section #container-image %}
### Container Image

Container image where the finding was detected, including registry, repository, and digest information.

| Attribute name         | Type           | Description                                                                                                                                                                         |
| ---------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `architectures`        | array (string) | **Path:** `@container_image.architectures`Architectures associated with the container image.                                                                                        |
| `git_repository_url`   | string         | **Path:** `@container_image.git_repository_url`URL of the Git repository for the code used to build the container image. Available only when Source Code Integration is configured. |
| `image_layer_diff_ids` | array (string) | **Path:** `@container_image.image_layer_diff_ids`Diff IDs of the image layers, in the order they were applied. Each diff ID is the SHA256 of the uncompressed layer contents.       |
| `image_layer_digests`  | array (string) | **Path:** `@container_image.image_layer_digests`Digests of the image layers, in the order they were applied. Each digest is the SHA256 of the compressed layer blob.                |
| `name`                 | string         | **Path:** `@container_image.name`Full name of the container image.                                                                                                                  |
| `oses`                 | array (object) | **Path:** `@container_image.oses`Operating systems associated with the container image.                                                                                             |
| `registries`           | array (string) | **Path:** `@container_image.registries`Container registry where the image is stored or was pulled from.                                                                             |
| `repo_digests`         | array (string) | **Path:** `@container_image.repo_digests`Repository digests of the container image where the finding was detected.                                                                  |
| `repository`           | string         | **Path:** `@container_image.repository`Repository of the container image.                                                                                                           |
| `tags`                 | array (string) | **Path:** `@container_image.tags`Tag part of the container image name (for example, `latest` or `1.2.3`).                                                                           |
| `versions`             | array (string) | **Path:** `@container_image.versions`Versions of the container image where the finding was detected.                                                                                |

### Operating Systems{% #operating-systems %}

Operating systems associated with the container image.

| Attribute name | Type   | Description                                                        |
| -------------- | ------ | ------------------------------------------------------------------ |
| `name`         | string | **Path:** `@container_image.oses.name`Operating system name.       |
| `version`      | string | **Path:** `@container_image.oses.version`Operating system version. |

{% /collapsible-section %}

{% collapsible-section #detection-tool %}
### Detection Tool

Information about the tool or engine responsible for detecting the finding.

| Attribute name | Type   | Description                                                                                            |
| -------------- | ------ | ------------------------------------------------------------------------------------------------------ |
| `name`         | string | **Path:** `@detection_tool.name`Name of the detection tool or engine that generated the finding.       |
| `version`      | string | **Path:** `@detection_tool.version`Version of the detection tool or engine that generated the finding. |

{% /collapsible-section %}

{% collapsible-section #git %}
### Git

Git metadata linking a finding to source code context. Includes information about the repository, branch, commit, author, and committer.

| Attribute name          | Type           | Description                                                                                                                                         |
| ----------------------- | -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
| `author`                | object         | **Path:** `@git.author`Details about the author of the commit.                                                                                      |
| `branch`                | string         | **Path:** `@git.branch`Name of the Git branch related to the finding.                                                                               |
| `codeowners`            | array (string) | **Path:** `@git.codeowners`Code owner teams extracted from the SCM (Source Control Management) provider's CODEOWNERS file on platforms like GitHub. |
| `committer`             | object         | **Path:** `@git.committer`Details about the committer.                                                                                              |
| `default_branch`        | string         | **Path:** `@git.default_branch`Default branch defined for the Git repository.                                                                       |
| `is_default_branch`     | boolean        | **Path:** `@git.is_default_branch` `true` if the current branch is the default branch for the repository; `false` otherwise.                        |
| `repository_id`         | string         | **Path:** `@git.repository_id`Normalized identifier of the Git repository.                                                                          |
| `repository_url`        | string         | **Path:** `@git.repository_url`Git repository URL related to the finding.                                                                           |
| `repository_visibility` | string         | **Path:** `@git.repository_visibility`Visibility of the repository. Valid values: `public`, `private`, `not_detected`.                              |
| `sha`                   | string         | **Path:** `@git.sha`Git commit identifier (SHA).                                                                                                    |

### Author{% #author %}

Details about the author of the commit.

| Attribute name | Type    | Description                                                                                             |
| -------------- | ------- | ------------------------------------------------------------------------------------------------------- |
| `authored_at`  | integer | **Path:** `@git.author.authored_at`Timestamp in milliseconds (UTC) when the original changes were made. |
| `email`        | string  | **Path:** `@git.author.email`Email address of the commit author.                                        |
| `name`         | string  | **Path:** `@git.author.name`Name of the commit author.                                                  |

### Committer{% #committer %}

Details about the committer.

| Attribute name | Type    | Description                                                                                                                                                                 |
| -------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `committed_at` | integer | **Path:** `@git.committer.committed_at`Timestamp in milliseconds (UTC) when the changes were last significantly modified (for example, during a rebase or amend operation). |
| `email`        | string  | **Path:** `@git.committer.email`Email address of the committer.                                                                                                             |
| `name`         | string  | **Path:** `@git.committer.name`Name of the committer.                                                                                                                       |

{% /collapsible-section %}

{% collapsible-section #host %}
### Host

Information about the host machine where the finding was detected.

| Attribute name   | Type           | Description                                                                                     |
| ---------------- | -------------- | ----------------------------------------------------------------------------------------------- |
| `architectures`  | array (string) | **Path:** `@host.architectures`Architectures associated with the host.                          |
| `cloud_provider` | string         | **Path:** `@host.cloud_provider`Cloud provider the host belongs to.                             |
| `image`          | string         | **Path:** `@host.image`Name of the host image used to build the host (for example, `ami-1234`). |
| `key`            | string         | **Path:** `@host.key`Canonical Cloud Resource Identifier (CCRID).                               |
| `name`           | string         | **Path:** `@host.name`Host name.                                                                |
| `os`             | object         | **Path:** `@host.os`Attributes of the operating system running on the host.                     |

### Operating System{% #operating-system %}

Attributes of the operating system running on the host.

| Attribute name | Type   | Description                                           |
| -------------- | ------ | ----------------------------------------------------- |
| `name`         | string | **Path:** `@host.os.name`Operating system name.       |
| `version`      | string | **Path:** `@host.os.version`Operating system version. |

{% /collapsible-section %}

{% collapsible-section #iac-resource %}
### IaC Resource

Attributes identifying the Infrastructure as Code (IaC) resource related to the finding.

| Attribute name | Type   | Description                                                                                                                                      |
| -------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------ |
| `platform`     | string | **Path:** `@iac_resource.platform`IaC (Infrastructure as Code) platform the vulnerability was found on (for example, `terraform`, `kubernetes`). |
| `provider`     | string | **Path:** `@iac_resource.provider`IaC (Infrastructure as Code) provider where the resource is defined (for example, `aws`, `gcp`, `azure`).      |

{% /collapsible-section %}

{% collapsible-section #k8s %}
### Kubernetes

Kubernetes information for findings generated against Kubernetes resources.

| Attribute name | Type   | Description                                               |
| -------------- | ------ | --------------------------------------------------------- |
| `cluster_id`   | string | **Path:** `@k8s.cluster_id`Kubernetes cluster identifier. |

{% /collapsible-section %}

{% collapsible-section #metadata %}
### Metadata

Additional metadata about the finding, such as schema version or source context.

| Attribute name   | Type   | Description                                                                                     |
| ---------------- | ------ | ----------------------------------------------------------------------------------------------- |
| `schema_version` | string | **Path:** `@metadata.schema_version`Indicates the findings schema version used for the finding. |

{% /collapsible-section %}

{% collapsible-section #package %}
### Package

Package manager information. A package manager automates the installation, upgrading, configuration, and removal of software packages.

| Attribute name             | Type           | Description                                                                                                                                                         |
| -------------------------- | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `additional_names`         | array (string) | **Path:** `@package.additional_names`Additional affected package names, if the cloud vulnerability impacted multiple packages derived from the same source package. |
| `declaration`              | object         | **Path:** `@package.declaration`Code locations of the package definition.                                                                                           |
| `dependency_location_text` | string         | **Path:** `@package.dependency_location_text`Text representation of the dependency location, such as the file path where the vulnerable package is declared.        |
| `dependency_type`          | string         | **Path:** `@package.dependency_type`Whether the package is a direct dependency, transitive dependency, or not supported if the information cannot be retrieved.     |
| `has_suid`                 | boolean        | **Path:** `@package.has_suid` `true` if the package has the SUID bit set; `false` otherwise.                                                                        |
| `is_running`               | boolean        | **Path:** `@package.is_running` `true` if the package is currently running; `false` otherwise.                                                                      |
| `is_running_as_root`       | boolean        | **Path:** `@package.is_running_as_root` `true` if the package is currently running as root; `false` otherwise.                                                      |
| `loading_type`             | string         | **Path:** `@package.loading_type`Whether the component is always loaded and running (`hot`), running infrequently (`cold`), or loaded on demand (`lazy`).           |
| `manager`                  | string         | **Path:** `@package.manager`Package management ecosystem or source registry the vulnerable component originates from.                                               |
| `name`                     | string         | **Path:** `@package.name`Name of the package or library where the vulnerability was identified.                                                                     |
| `normalized_name`          | string         | **Path:** `@package.normalized_name`Normalized name according to the ecosystem of the package or library where the vulnerability was identified.                    |
| `root_parents`             | array (object) | **Path:** `@package.root_parents`List of dependencies for which the package is a transitive dependency.                                                             |
| `scope`                    | string         | **Path:** `@package.scope`Intended usage scope of the package (`production` or `development`).                                                                      |
| `version`                  | string         | **Path:** `@package.version`Version of the package or library where the vulnerability was identified.                                                               |

### Declaration{% #declaration %}

Code locations of the package definition.

| Attribute name | Type   | Description                                                                                                |
| -------------- | ------ | ---------------------------------------------------------------------------------------------------------- |
| `block`        | object | **Path:** `@package.declaration.block`Location of the code that declares the whole dependency declaration. |
| `name`         | object | **Path:** `@package.declaration.name`Location of the code that declares the dependency name.               |
| `version`      | object | **Path:** `@package.declaration.version`Version declared for the root parent.                              |

### Block{% #block %}

Location of the code that declares the whole dependency declaration.

| Attribute name | Type    | Description                                                                                                                     |
| -------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------- |
| `column_end`   | integer | **Path:** `@package.declaration.block.column_end`Ending column position.                                                        |
| `column_start` | integer | **Path:** `@package.declaration.block.column_start`Starting column position.                                                    |
| `filename`     | string  | **Path:** `@package.declaration.block.filename`Relative path to the file.                                                       |
| `is_test_file` | boolean | **Path:** `@package.declaration.block.is_test_file` `true` if the code file is a test file; `false` otherwise.                  |
| `line_end`     | integer | **Path:** `@package.declaration.block.line_end`Ending line number.                                                              |
| `line_start`   | integer | **Path:** `@package.declaration.block.line_start`Starting line number.                                                          |
| `symbol`       | string  | **Path:** `@package.declaration.block.symbol`Symbol name at the code location.                                                  |
| `url`          | string  | **Path:** `@package.declaration.block.url`URL to view the file online (for example, in GitHub), highlighting the code location. |

### Name{% #name %}

Location of the code that declares the dependency name.

| Attribute name | Type    | Description                                                                                                                    |
| -------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------ |
| `column_end`   | integer | **Path:** `@package.declaration.name.column_end`Ending column position.                                                        |
| `column_start` | integer | **Path:** `@package.declaration.name.column_start`Starting column position.                                                    |
| `filename`     | string  | **Path:** `@package.declaration.name.filename`Relative path to the file.                                                       |
| `is_test_file` | boolean | **Path:** `@package.declaration.name.is_test_file` `true` if the code file is a test file; `false` otherwise.                  |
| `line_end`     | integer | **Path:** `@package.declaration.name.line_end`Ending line number.                                                              |
| `line_start`   | integer | **Path:** `@package.declaration.name.line_start`Starting line number.                                                          |
| `symbol`       | string  | **Path:** `@package.declaration.name.symbol`Symbol name at the code location.                                                  |
| `url`          | string  | **Path:** `@package.declaration.name.url`URL to view the file online (for example, in GitHub), highlighting the code location. |

### Version{% #version %}

Version declared for the root parent.

| Attribute name | Type    | Description                                                                                                                       |
| -------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------- |
| `column_end`   | integer | **Path:** `@package.declaration.version.column_end`Ending column position.                                                        |
| `column_start` | integer | **Path:** `@package.declaration.version.column_start`Starting column position.                                                    |
| `filename`     | string  | **Path:** `@package.declaration.version.filename`Relative path to the file.                                                       |
| `is_test_file` | boolean | **Path:** `@package.declaration.version.is_test_file` `true` if the code file is a test file; `false` otherwise.                  |
| `line_end`     | integer | **Path:** `@package.declaration.version.line_end`Ending line number.                                                              |
| `line_start`   | integer | **Path:** `@package.declaration.version.line_start`Starting line number.                                                          |
| `symbol`       | string  | **Path:** `@package.declaration.version.symbol`Symbol name at the code location.                                                  |
| `url`          | string  | **Path:** `@package.declaration.version.url`URL to view the file online (for example, in GitHub), highlighting the code location. |

### Root Parents{% #root-parents %}

List of dependencies for which the package is a transitive dependency.

| Attribute name | Type   | Description                                                                                                     |
| -------------- | ------ | --------------------------------------------------------------------------------------------------------------- |
| `declaration`  | object | **Path:** `@package.root_parents.declaration`Location of the code that declares the version of a root parent.   |
| `language`     | string | **Path:** `@package.root_parents.language`Dependency language for which the package is a transitive dependency. |
| `name`         | string | **Path:** `@package.root_parents.name`Dependency name for which the package is a transitive dependency.         |
| `version`      | string | **Path:** `@package.root_parents.version`Dependency version for which the package is a transitive dependency.   |

### Declaration{% #declaration-1 %}

Location of the code that declares the version of a root parent.

| Attribute name | Type   | Description                                                                                                             |
| -------------- | ------ | ----------------------------------------------------------------------------------------------------------------------- |
| `block`        | object | **Path:** `@package.root_parents.declaration.block`Location of the code that declares the whole dependency declaration. |
| `name`         | object | **Path:** `@package.root_parents.declaration.name`Location of the code that declares the dependency name.               |
| `version`      | object | **Path:** `@package.root_parents.declaration.version`Version declared for the root parent.                              |

### Block{% #block-1 %}

Location of the code that declares the whole dependency declaration.

| Attribute name | Type    | Description                                                                                                                                  |
| -------------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
| `column_end`   | integer | **Path:** `@package.root_parents.declaration.block.column_end`Ending column position.                                                        |
| `column_start` | integer | **Path:** `@package.root_parents.declaration.block.column_start`Starting column position.                                                    |
| `filename`     | string  | **Path:** `@package.root_parents.declaration.block.filename`Relative path to the file.                                                       |
| `is_test_file` | boolean | **Path:** `@package.root_parents.declaration.block.is_test_file` `true` if the code file is a test file; `false` otherwise.                  |
| `line_end`     | integer | **Path:** `@package.root_parents.declaration.block.line_end`Ending line number.                                                              |
| `line_start`   | integer | **Path:** `@package.root_parents.declaration.block.line_start`Starting line number.                                                          |
| `symbol`       | string  | **Path:** `@package.root_parents.declaration.block.symbol`Symbol name at the code location.                                                  |
| `url`          | string  | **Path:** `@package.root_parents.declaration.block.url`URL to view the file online (for example, in GitHub), highlighting the code location. |

### Name{% #name-1 %}

Location of the code that declares the dependency name.

| Attribute name | Type    | Description                                                                                                                                 |
| -------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
| `column_end`   | integer | **Path:** `@package.root_parents.declaration.name.column_end`Ending column position.                                                        |
| `column_start` | integer | **Path:** `@package.root_parents.declaration.name.column_start`Starting column position.                                                    |
| `filename`     | string  | **Path:** `@package.root_parents.declaration.name.filename`Relative path to the file.                                                       |
| `is_test_file` | boolean | **Path:** `@package.root_parents.declaration.name.is_test_file` `true` if the code file is a test file; `false` otherwise.                  |
| `line_end`     | integer | **Path:** `@package.root_parents.declaration.name.line_end`Ending line number.                                                              |
| `line_start`   | integer | **Path:** `@package.root_parents.declaration.name.line_start`Starting line number.                                                          |
| `symbol`       | string  | **Path:** `@package.root_parents.declaration.name.symbol`Symbol name at the code location.                                                  |
| `url`          | string  | **Path:** `@package.root_parents.declaration.name.url`URL to view the file online (for example, in GitHub), highlighting the code location. |

### Version{% #version-1 %}

Version declared for the root parent.

| Attribute name | Type    | Description                                                                                                                                    |
| -------------- | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
| `column_end`   | integer | **Path:** `@package.root_parents.declaration.version.column_end`Ending column position.                                                        |
| `column_start` | integer | **Path:** `@package.root_parents.declaration.version.column_start`Starting column position.                                                    |
| `filename`     | string  | **Path:** `@package.root_parents.declaration.version.filename`Relative path to the file.                                                       |
| `is_test_file` | boolean | **Path:** `@package.root_parents.declaration.version.is_test_file` `true` if the code file is a test file; `false` otherwise.                  |
| `line_end`     | integer | **Path:** `@package.root_parents.declaration.version.line_end`Ending line number.                                                              |
| `line_start`   | integer | **Path:** `@package.root_parents.declaration.version.line_start`Starting line number.                                                          |
| `symbol`       | string  | **Path:** `@package.root_parents.declaration.version.symbol`Symbol name at the code location.                                                  |
| `url`          | string  | **Path:** `@package.root_parents.declaration.version.url`URL to view the file online (for example, in GitHub), highlighting the code location. |

{% /collapsible-section %}

{% collapsible-section #remediation %}
### Remediation

Information about the finding's remediation.

| Attribute name     | Type    | Description                                                                                                             |
| ------------------ | ------- | ----------------------------------------------------------------------------------------------------------------------- |
| `code_update`      | object  | **Path:** `@remediation.code_update`Code changes to apply to remediate the finding.                                     |
| `codegen`          | object  | **Path:** `@remediation.codegen`Finding status for the code generation platform.                                        |
| `container_image`  | object  | **Path:** `@remediation.container_image`Newer container image version that may remediate the vulnerability.             |
| `description`      | string  | **Path:** `@remediation.description`Description of the remediation.                                                     |
| `host_image`       | object  | **Path:** `@remediation.host_image`Latest host image version that may remediate the vulnerability.                      |
| `is_available`     | boolean | **Path:** `@remediation.is_available` `true` if a remediation is currently available for the finding; `false` otherwise. |
| `microsoft_kb`     | object  | **Path:** `@remediation.microsoft_kb`Remediation strategy using a Microsoft Knowledge Base (KB) article.                |
| `package`          | object  | **Path:** `@remediation.package`Remediation package information.                                                        |
| `recommended`      | object  | **Path:** `@remediation.recommended`Recommended remediation details.                                                    |
| `recommended_type` | string  | **Path:** `@remediation.recommended_type`Recommended remediation type for the finding.                                  |
| `root_package`     | object  | **Path:** `@remediation.root_package`Remediation root package information.                                              |

### Code Update{% #code-update %}

Code changes to apply to remediate the finding.

| Attribute name | Type           | Description                                                                               |
| -------------- | -------------- | ----------------------------------------------------------------------------------------- |
| `edits`        | array (object) | **Path:** `@remediation.code_update.edits`Code changes required to remediate the finding. |

### Edits{% #edits %}

Code changes required to remediate the finding.

| Attribute name | Type    | Description                                                                                         |
| -------------- | ------- | --------------------------------------------------------------------------------------------------- |
| `column_end`   | integer | **Path:** `@remediation.code_update.edits.column_end`Ending column position of the code change.     |
| `column_start` | integer | **Path:** `@remediation.code_update.edits.column_start`Starting column position of the code change. |
| `content`      | string  | **Path:** `@remediation.code_update.edits.content`Contents of the code change.                      |
| `line_end`     | integer | **Path:** `@remediation.code_update.edits.line_end`Ending line number of the code change.           |
| `line_start`   | integer | **Path:** `@remediation.code_update.edits.line_start`Starting line number of the code change.       |
| `type`         | string  | **Path:** `@remediation.code_update.edits.type`Nature of the code change.                           |

### Codegen{% #codegen %}

Finding status for the code generation platform.

| Attribute name | Type   | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| -------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `id`           | string | **Path:** `@remediation.codegen.id`Identifier used to track the remediation in the code generation backend.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| `status`       | string | **Path:** `@remediation.codegen.status`Status of the automated fix generation. Valid values: `generated`, `not_available_non_default_branch`, `not_available_unsupported_tool`, `not_available_unsupported_rule`, `not_available_disabled`, `not_available_git_provider_not_supported`, `not_available_confidence_too_low`, `error`, `not_available_has_deterministic_fixes`, `not_available_unknown_reason`, `not_available_org_not_onboarded`, `not_available_repository_disabled`, `not_available_unsupported_resource_type`, `not_available_unsupported_ecosystem`, `not_available_severity_too_low`, `not_available_transitive_library`, `not_available_no_remediation`, `not_available_unsupported_vulnerability_type`. |

### Container Image{% #container-image %}

Newer container image version that may remediate the vulnerability.

| Attribute name               | Type   | Description                                                                                                                 |
| ---------------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------- |
| `closest_no_vulnerabilities` | object | **Path:** `@remediation.container_image.closest_no_vulnerabilities`Closest container image version with no vulnerabilities. |

### Closest No Vulnerabilities{% #closest-no-vulnerabilities %}

Closest container image version with no vulnerabilities.

| Attribute name  | Type           | Description                                                                                                                                                           |
| --------------- | -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `image_url`     | string         | **Path:** `@remediation.container_image.closest_no_vulnerabilities.image_url`URL of the container image that may remediate the vulnerability.                         |
| `layer_digests` | array (string) | **Path:** `@remediation.container_image.closest_no_vulnerabilities.layer_digests`Layer digests of the currently vulnerable container image that needs to be upgraded. |
| `name`          | string         | **Path:** `@remediation.container_image.closest_no_vulnerabilities.name`Name of the container image that may remediate the vulnerability.                             |
| `tag`           | string         | **Path:** `@remediation.container_image.closest_no_vulnerabilities.tag`Tag of the container image that may remediate the vulnerability.                               |

### Host Image{% #host-image %}

Latest host image version that may remediate the vulnerability.

| Attribute name | Type   | Description                                                                                                                                   |
| -------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
| `latest_major` | object | **Path:** `@remediation.host_image.latest_major`Information about the latest Amazon Machine Image (AMI) that may remediate the vulnerability. |

### Latest Major{% #latest-major %}

Information about the latest Amazon Machine Image (AMI) that may remediate the vulnerability.

| Attribute name | Type   | Description                                                                                                                                                      |
| -------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `name`         | string | **Path:** `@remediation.host_image.latest_major.name`Name of the latest Amazon Machine Image (for example, `ami-12345678`) that may remediate the vulnerability. |

### Microsoft KB{% #microsoft-kb %}

Remediation strategy using a Microsoft Knowledge Base (KB) article.

| Attribute name         | Type   | Description                                                                                                            |
| ---------------------- | ------ | ---------------------------------------------------------------------------------------------------------------------- |
| `closest_fix_advisory` | object | **Path:** `@remediation.microsoft_kb.closest_fix_advisory`The closest patch available to address the current advisory. |

### Closest Fix Advisory{% #closest-fix-advisory %}

The closest patch available to address the current advisory.

| Attribute name | Type   | Description                                                                                           |
| -------------- | ------ | ----------------------------------------------------------------------------------------------------- |
| `article`      | string | **Path:** `@remediation.microsoft_kb.closest_fix_advisory.article`Article name for the closest patch. |

### Package{% #package %}

Remediation package information.

| Attribute name               | Type           | Description                                                                                                                                       |
| ---------------------------- | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- |
| `base`                       | array (object) | **Path:** `@remediation.package.base`Current package version that the finding was detected on, before any remediation is applied.                 |
| `closest_no_critical`        | array (object) | **Path:** `@remediation.package.closest_no_critical`Closest package version with no critical vulnerabilities (based on base score).               |
| `closest_no_vulnerabilities` | array (object) | **Path:** `@remediation.package.closest_no_vulnerabilities`Closest package version with no vulnerabilities.                                       |
| `latest_no_critical`         | array (object) | **Path:** `@remediation.package.latest_no_critical`The latest remediation package version with no critical vulnerabilities (based on base score). |
| `latest_no_vulnerabilities`  | array (object) | **Path:** `@remediation.package.latest_no_vulnerabilities`Latest package version with no vulnerabilities.                                         |
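
A consumer of this namespace has to choose among the candidate arrays, and a candidate can still leave or introduce advisories. The following added example (not Datadog code) ranks the candidates in a constructed `@remediation.package` object using `fixed_advisories`, `new_advisories`, `remaining_advisories`, and `has_incomplete_data`; the severity labels other than `critical`, the review policy, the package name, and the advisory IDs are assumptions.

```python
# Added example, not Datadog code: rank @remediation.package upgrade candidates.

# Candidate arrays from the Package table. `base` is the currently installed
# version, so it is not an upgrade candidate.
STRATEGIES = (
    "closest_no_vulnerabilities",
    "closest_no_critical",
    "latest_no_vulnerabilities",
    "latest_no_critical",
)

# Assumption: base_severity labels other than "critical" are not listed in this
# section. Any label missing from this map is ranked as critical (fail closed).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
CRITICAL = SEVERITY_RANK["critical"]


def worst_severity(advisories):
    """Highest severity rank in a list of advisory objects; 0 if empty."""
    return max(
        (SEVERITY_RANK.get(str(a.get("base_severity")).lower(), CRITICAL)
         for a in advisories),
        default=0,
    )


def assess(strategy, candidate):
    """Summarize what is still open after applying one candidate."""
    fixed = candidate.get("fixed_advisories") or []
    new = candidate.get("new_advisories") or []
    remaining = candidate.get("remaining_advisories") or []
    residual = worst_severity(new + remaining)

    # Assumed policy: these conditions require a human decision before upgrading.
    reasons = []
    if candidate.get("has_incomplete_data"):
        reasons.append("incomplete dependency data")
    if new:
        reasons.append("introduces " + ", ".join(str(a.get("id")) for a in new))
    if residual >= CRITICAL:
        reasons.append("critical or unrecognized severity still open")

    return {
        "strategy": strategy,
        "name": candidate.get("name"),
        "version": candidate.get("version"),
        "fixed_count": len(fixed),
        "open_count": len(new) + len(remaining),
        "residual_rank": residual,
        "needs_review": bool(reasons),
        "reasons": reasons,
    }


def rank_candidates(package_remediation):
    """Order candidates: no review needed first, then lowest residual risk."""
    rows = [
        assess(strategy, candidate)
        for strategy in STRATEGIES
        for candidate in (package_remediation.get(strategy) or [])
    ]
    rows.sort(key=lambda r: (r["needs_review"], r["residual_rank"], r["open_count"],
                             -r["fixed_count"], STRATEGIES.index(r["strategy"])))
    return rows


# Constructed sample; package name, versions and advisory IDs are placeholders.
A1 = {"id": "EXAMPLE-0001", "base_severity": "critical"}
A2 = {"id": "EXAMPLE-0002", "base_severity": "medium"}
A3 = {"id": "EXAMPLE-0003", "base_severity": "low"}
SAMPLE = {
    "base": [{"name": "example-lib", "version": "1.2.0",
              "remaining_advisories": [A1, A2]}],
    "closest_no_critical": [{
        "name": "example-lib", "version": "1.2.5", "fixed_advisories": [A1],
        "new_advisories": [], "remaining_advisories": [A2],
        "has_incomplete_data": False, "is_auto_solvable": True}],
    "closest_no_vulnerabilities": [{
        "name": "example-lib", "version": "1.4.0", "fixed_advisories": [A1, A2],
        "new_advisories": [], "remaining_advisories": [],
        "has_incomplete_data": True, "is_auto_solvable": False}],
    "latest_no_critical": [{
        "name": "example-lib", "version": "2.0.0", "fixed_advisories": [A1, A2],
        "new_advisories": [A3], "remaining_advisories": [],
        "has_incomplete_data": False, "is_auto_solvable": False}],
    "latest_no_vulnerabilities": [{
        "name": "example-lib", "version": "2.1.0", "fixed_advisories": [A1, A2],
        "new_advisories": [], "remaining_advisories": [],
        "has_incomplete_data": False, "is_auto_solvable": False}],
}

if __name__ == "__main__":
    for row in rank_candidates(SAMPLE):
        flag = "REVIEW" if row["needs_review"] else "ok"
        print(f'{row["version"]:<6} {row["strategy"]:<27} {flag:<6} '
              f'open={row["open_count"]} {"; ".join(row["reasons"])}')
```
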

### Base{% #base %}

Current package version that the finding was detected on, before any remediation is applied.

| Attribute name         | Type           | Description                                                                                                                                                                   |
| ---------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `fixed_advisories`     | array (object) | **Path:** `@remediation.package.base.fixed_advisories`Advisories that the remediation will fix.                                                                               |
| `has_incomplete_data`  | boolean        | **Path:** `@remediation.package.base.has_incomplete_data`Flag to indicate whether the remediation may have incomplete dependency data and therefore may not be 100% accurate. |
| `is_auto_solvable`     | boolean        | **Path:** `@remediation.package.base.is_auto_solvable`Flag to indicate whether the remediation is autosolvable (only recompiling is needed).                                  |
| `name`                 | string         | **Path:** `@remediation.package.base.name`Recommended package name that fixes the finding.                                                                                    |
| `new_advisories`       | array (object) | **Path:** `@remediation.package.base.new_advisories`Advisories that will appear if the remediation is applied.                                                                |
| `original_name`        | string         | **Path:** `@remediation.package.base.original_name`Original name of the recommended package that fixes the finding.                                                           |
| `remaining_advisories` | array (object) | **Path:** `@remediation.package.base.remaining_advisories`Advisories that will remain unfixed if the remediation is applied.                                                  |
| `version`              | string         | **Path:** `@remediation.package.base.version`Recommended package version that fixes the finding.                                                                              |

### Fixed Advisories{% #fixed-advisories %}

Advisories that the remediation will fix.

| Attribute name  | Type   | Description                                                                                        |
| --------------- | ------ | -------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.package.base.fixed_advisories.base_severity`Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.package.base.fixed_advisories.id`Identifier of the advisory.               |

### New Advisories{% #new-advisories %}

Advisories that will appear if the remediation is applied.

| Attribute name  | Type   | Description                                                                                      |
| --------------- | ------ | ------------------------------------------------------------------------------------------------ |
| `base_severity` | string | **Path:** `@remediation.package.base.new_advisories.base_severity`Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.package.base.new_advisories.id`Identifier of the advisory.               |

### Remaining Advisories{% #remaining-advisories %}

Advisories that will remain unfixed if the remediation is applied.

| Attribute name  | Type   | Description                                                                                            |
| --------------- | ------ | ------------------------------------------------------------------------------------------------------ |
| `base_severity` | string | **Path:** `@remediation.package.base.remaining_advisories.base_severity`Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.package.base.remaining_advisories.id`Identifier of the advisory.               |

### Closest No Critical{% #closest-no-critical %}

Closest package version with no critical vulnerabilities (based on base score).

| Attribute name         | Type           | Description                                                                                                                                                                                  |
| ---------------------- | -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `fixed_advisories`     | array (object) | **Path:** `@remediation.package.closest_no_critical.fixed_advisories`Advisories that the remediation will fix.                                                                               |
| `has_incomplete_data`  | boolean        | **Path:** `@remediation.package.closest_no_critical.has_incomplete_data`Flag to indicate whether the remediation may have incomplete dependency data and therefore may not be 100% accurate. |
| `is_auto_solvable`     | boolean        | **Path:** `@remediation.package.closest_no_critical.is_auto_solvable`Flag to indicate whether the remediation is autosolvable (only recompiling is needed).                                  |
| `name`                 | string         | **Path:** `@remediation.package.closest_no_critical.name`Recommended package name that fixes the finding.                                                                                    |
| `new_advisories`       | array (object) | **Path:** `@remediation.package.closest_no_critical.new_advisories`Advisories that will appear if the remediation is applied.                                                                |
| `original_name`        | string         | **Path:** `@remediation.package.closest_no_critical.original_name`Original name of the recommended package that fixes the finding.                                                           |
| `remaining_advisories` | array (object) | **Path:** `@remediation.package.closest_no_critical.remaining_advisories`Advisories that will remain unfixed if the remediation is applied.                                                  |
| `version`              | string         | **Path:** `@remediation.package.closest_no_critical.version`Recommended package version that fixes the finding.                                                                              |

### Fixed Advisories{% #fixed-advisories-1 %}

Advisories that the remediation will fix.

| Attribute name  | Type   | Description                                                                                                       |
| --------------- | ------ | ----------------------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.package.closest_no_critical.fixed_advisories.base_severity`Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.package.closest_no_critical.fixed_advisories.id`Identifier of the advisory.               |

### New Advisories{% #new-advisories-1 %}

Advisories that will appear if the remediation is applied.

| Attribute name  | Type   | Description                                                                                                     |
| --------------- | ------ | --------------------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.package.closest_no_critical.new_advisories.base_severity`Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.package.closest_no_critical.new_advisories.id`Identifier of the advisory.               |

### Remaining Advisories{% #remaining-advisories-1 %}

Advisories that will remain unfixed if the remediation is applied.

| Attribute name  | Type   | Description                                                                                                           |
| --------------- | ------ | --------------------------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.package.closest_no_critical.remaining_advisories.base_severity`Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.package.closest_no_critical.remaining_advisories.id`Identifier of the advisory.               |

### Closest No Vulnerabilities{% #closest-no-vulnerabilities-1 %}

Closest package version with no vulnerabilities.

| Attribute name         | Type           | Description                                                                                                                                                                                         |
| ---------------------- | -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `fixed_advisories`     | array (object) | **Path:** `@remediation.package.closest_no_vulnerabilities.fixed_advisories`Advisories that the remediation will fix.                                                                               |
| `has_incomplete_data`  | boolean        | **Path:** `@remediation.package.closest_no_vulnerabilities.has_incomplete_data`Flag to indicate whether the remediation may have incomplete dependency data and therefore may not be 100% accurate. |
| `is_auto_solvable`     | boolean        | **Path:** `@remediation.package.closest_no_vulnerabilities.is_auto_solvable`Flag to indicate whether the remediation is autosolvable (only recompiling is needed).                                  |
| `name`                 | string         | **Path:** `@remediation.package.closest_no_vulnerabilities.name`Recommended package name that fixes the finding.                                                                                    |
| `new_advisories`       | array (object) | **Path:** `@remediation.package.closest_no_vulnerabilities.new_advisories`Advisories that will appear if the remediation is applied.                                                                |
| `original_name`        | string         | **Path:** `@remediation.package.closest_no_vulnerabilities.original_name`Original name of the recommended package that fixes the finding.                                                           |
| `remaining_advisories` | array (object) | **Path:** `@remediation.package.closest_no_vulnerabilities.remaining_advisories`Advisories that will remain unfixed if the remediation is applied.                                                  |
| `version`              | string         | **Path:** `@remediation.package.closest_no_vulnerabilities.version`Recommended package version that fixes the finding.                                                                              |

### Fixed Advisories{% #fixed-advisories-2 %}

Advisories that the remediation will fix.

| Attribute name  | Type   | Description                                                                                                              |
| --------------- | ------ | ------------------------------------------------------------------------------------------------------------------------ |
| `base_severity` | string | **Path:** `@remediation.package.closest_no_vulnerabilities.fixed_advisories.base_severity`Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.package.closest_no_vulnerabilities.fixed_advisories.id`Identifier of the advisory.               |

### New Advisories{% #new-advisories-2 %}

Advisories that will appear if the remediation is applied.

| Attribute name  | Type   | Description                                                                                                            |
| --------------- | ------ | ---------------------------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.package.closest_no_vulnerabilities.new_advisories.base_severity`Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.package.closest_no_vulnerabilities.new_advisories.id`Identifier of the advisory.               |

### Remaining Advisories{% #remaining-advisories-2 %}

Advisories that will remain unfixed if the remediation is applied.

| Attribute name  | Type   | Description                                                                                                                  |
| --------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.package.closest_no_vulnerabilities.remaining_advisories.base_severity` Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.package.closest_no_vulnerabilities.remaining_advisories.id` Identifier of the advisory.               |

### Latest No Critical{% #latest-no-critical %}

The latest remediation package version with no critical vulnerabilities (based on base score).

| Attribute name         | Type           | Description                                                                                                                                                                                 |
| ---------------------- | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `fixed_advisories`     | array (object) | **Path:** `@remediation.package.latest_no_critical.fixed_advisories` Advisories that the remediation will fix.                                                                               |
| `has_incomplete_data`  | boolean        | **Path:** `@remediation.package.latest_no_critical.has_incomplete_data` Flag to indicate whether the remediation may have incomplete dependency data and therefore may not be 100% accurate. |
| `is_auto_solvable`     | boolean        | **Path:** `@remediation.package.latest_no_critical.is_auto_solvable` Flag to indicate whether the remediation is autosolvable (only recompiling is needed).                                  |
| `name`                 | string         | **Path:** `@remediation.package.latest_no_critical.name` Recommended package name that fixes the finding.                                                                                    |
| `new_advisories`       | array (object) | **Path:** `@remediation.package.latest_no_critical.new_advisories` Advisories that will appear if the remediation is applied.                                                                |
| `original_name`        | string         | **Path:** `@remediation.package.latest_no_critical.original_name` Original name of the recommended package that fixes the finding.                                                           |
| `remaining_advisories` | array (object) | **Path:** `@remediation.package.latest_no_critical.remaining_advisories` Advisories that will remain unfixed if the remediation is applied.                                                  |
| `version`              | string         | **Path:** `@remediation.package.latest_no_critical.version` Recommended package version that fixes the finding.                                                                              |

### Fixed Advisories{% #fixed-advisories-3 %}

Advisories that the remediation will fix.

| Attribute name  | Type   | Description                                                                                                      |
| --------------- | ------ | ---------------------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.package.latest_no_critical.fixed_advisories.base_severity` Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.package.latest_no_critical.fixed_advisories.id` Identifier of the advisory.               |

### New Advisories{% #new-advisories-3 %}

Advisories that will appear if the remediation is applied.

| Attribute name  | Type   | Description                                                                                                    |
| --------------- | ------ | -------------------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.package.latest_no_critical.new_advisories.base_severity` Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.package.latest_no_critical.new_advisories.id` Identifier of the advisory.               |

### Remaining Advisories{% #remaining-advisories-3 %}

Advisories that will remain unfixed if the remediation is applied.

| Attribute name  | Type   | Description                                                                                                          |
| --------------- | ------ | -------------------------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.package.latest_no_critical.remaining_advisories.base_severity` Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.package.latest_no_critical.remaining_advisories.id` Identifier of the advisory.               |

### Latest No Vulnerabilities{% #latest-no-vulnerabilities %}

Latest package version with no vulnerabilities.

| Attribute name         | Type           | Description                                                                                                                                                                                        |
| ---------------------- | -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `fixed_advisories`     | array (object) | **Path:** `@remediation.package.latest_no_vulnerabilities.fixed_advisories` Advisories that the remediation will fix.                                                                               |
| `has_incomplete_data`  | boolean        | **Path:** `@remediation.package.latest_no_vulnerabilities.has_incomplete_data` Flag to indicate whether the remediation may have incomplete dependency data and therefore may not be 100% accurate. |
| `is_auto_solvable`     | boolean        | **Path:** `@remediation.package.latest_no_vulnerabilities.is_auto_solvable` Flag to indicate whether the remediation is autosolvable (only recompiling is needed).                                  |
| `name`                 | string         | **Path:** `@remediation.package.latest_no_vulnerabilities.name` Recommended package name that fixes the finding.                                                                                    |
| `new_advisories`       | array (object) | **Path:** `@remediation.package.latest_no_vulnerabilities.new_advisories` Advisories that will appear if the remediation is applied.                                                                |
| `original_name`        | string         | **Path:** `@remediation.package.latest_no_vulnerabilities.original_name` Original name of the recommended package that fixes the finding.                                                           |
| `remaining_advisories` | array (object) | **Path:** `@remediation.package.latest_no_vulnerabilities.remaining_advisories` Advisories that will remain unfixed if the remediation is applied.                                                  |
| `version`              | string         | **Path:** `@remediation.package.latest_no_vulnerabilities.version` Recommended package version that fixes the finding.                                                                              |

### Fixed Advisories{% #fixed-advisories-4 %}

Advisories that the remediation will fix.

| Attribute name  | Type   | Description                                                                                                             |
| --------------- | ------ | ----------------------------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.package.latest_no_vulnerabilities.fixed_advisories.base_severity` Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.package.latest_no_vulnerabilities.fixed_advisories.id` Identifier of the advisory.               |

### New Advisories{% #new-advisories-4 %}

Advisories that will appear if the remediation is applied.

| Attribute name  | Type   | Description                                                                                                           |
| --------------- | ------ | --------------------------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.package.latest_no_vulnerabilities.new_advisories.base_severity` Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.package.latest_no_vulnerabilities.new_advisories.id` Identifier of the advisory.               |

### Remaining Advisories{% #remaining-advisories-4 %}

Advisories that will remain unfixed if the remediation is applied.

| Attribute name  | Type   | Description                                                                                                                 |
| --------------- | ------ | --------------------------------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.package.latest_no_vulnerabilities.remaining_advisories.base_severity` Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.package.latest_no_vulnerabilities.remaining_advisories.id` Identifier of the advisory.               |

### Root Package{% #root-package %}

Remediation root package information.

| Attribute name               | Type           | Description                                                                                                                                            |
| ---------------------------- | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `base`                       | array (object) | **Path:** `@remediation.root_package.base` Current package version that the finding was detected on, before any remediation is applied.                 |
| `closest_no_critical`        | array (object) | **Path:** `@remediation.root_package.closest_no_critical` Closest package version with no critical vulnerabilities (based on base score).               |
| `closest_no_vulnerabilities` | array (object) | **Path:** `@remediation.root_package.closest_no_vulnerabilities` Closest package version with no vulnerabilities.                                       |
| `latest_no_critical`         | array (object) | **Path:** `@remediation.root_package.latest_no_critical` The latest remediation package version with no critical vulnerabilities (based on base score). |
| `latest_no_vulnerabilities`  | array (object) | **Path:** `@remediation.root_package.latest_no_vulnerabilities` Latest package version with no vulnerabilities.                                         |
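
An added example (not Datadog's code) of comparing the four `@remediation.root_package` upgrade candidates by their `new_advisories`, `remaining_advisories` and `has_incomplete_data` attributes before settling on a target. The sample finding, its advisory IDs and package name, the severity values other than `critical`, the nesting of the JSON under a `remediation` key, and the selection policy are assumptions of this example.

```python
import json

# Upgrade candidates from the Root Package table, smallest upgrade step first
# (the ordering is this example's assumption; "base" is the current version).
CANDIDATES = ("closest_no_critical", "closest_no_vulnerabilities",
              "latest_no_critical", "latest_no_vulnerabilities")

# Assumed severity scale; only "critical" is shown on the page itself.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def as_list(value):
    """Candidates are typed array (object); also tolerate null or a bare object."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def rank(severity):
    """0 means 'no advisory'; unrecognised strings rank above critical (fail closed)."""
    if severity is None:
        return 0
    return SEVERITY_RANK.get(severity, 5)


def worst(advisories):
    """Highest base_severity in a list of advisory objects, or None if empty."""
    found = [str(a.get("base_severity") or "unknown").lower() for a in advisories]
    return max(found, key=rank) if found else None


def summarize(finding, scope="root_package"):
    """One row per candidate entry under @remediation.<scope>."""
    remediation = (finding.get("remediation") or {}).get(scope) or {}
    rows = []
    for order, key in enumerate(CANDIDATES):
        for entry in as_list(remediation.get(key)):
            new = as_list(entry.get("new_advisories"))
            remaining = as_list(entry.get("remaining_advisories"))
            fixed = as_list(entry.get("fixed_advisories"))
            rows.append({
                "candidate": key,
                "order": order,
                "package": f'{entry.get("name")}@{entry.get("version")}',
                "fixed": sorted(str(a.get("id")) for a in fixed),
                "new_worst": worst(new),
                "remaining_worst": worst(remaining),
                "remaining_count": len(remaining),
                "incomplete": bool(entry.get("has_incomplete_data")),
                "auto_solvable": bool(entry.get("is_auto_solvable")),
            })
    return rows


def choose(finding, scope="root_package", max_new="medium"):
    """Hypothetical policy: reject candidates that introduce an advisory above
    max_new or leave a critical one; then prefer complete dependency data,
    fewest remaining advisories, and the smallest upgrade step."""
    limit = SEVERITY_RANK[max_new]
    acceptable = [r for r in summarize(finding, scope)
                  if rank(r["new_worst"]) <= limit
                  and rank(r["remaining_worst"]) < SEVERITY_RANK["critical"]]
    acceptable.sort(key=lambda r: (r["incomplete"], r["remaining_count"], r["order"]))
    return acceptable[0] if acceptable else None


# Constructed sample finding; every value below is a placeholder.
SAMPLE = json.loads("""
{"remediation": {"root_package": {
  "closest_no_critical": [{"name": "example-lib", "version": "2.4.1",
    "has_incomplete_data": false, "is_auto_solvable": true,
    "fixed_advisories": [{"id": "ADV-EXAMPLE-1", "base_severity": "critical"}],
    "new_advisories": [{"id": "ADV-EXAMPLE-3", "base_severity": "high"}],
    "remaining_advisories": [{"id": "ADV-EXAMPLE-2", "base_severity": "medium"}]}],
  "closest_no_vulnerabilities": [{"name": "example-lib", "version": "2.6.0",
    "has_incomplete_data": true, "is_auto_solvable": false,
    "fixed_advisories": [{"id": "ADV-EXAMPLE-1", "base_severity": "critical"},
                         {"id": "ADV-EXAMPLE-2", "base_severity": "medium"}],
    "new_advisories": [], "remaining_advisories": []}],
  "latest_no_critical": [{"name": "example-lib", "version": "3.1.0",
    "has_incomplete_data": false, "is_auto_solvable": false,
    "fixed_advisories": [{"id": "ADV-EXAMPLE-1", "base_severity": "critical"}],
    "new_advisories": [],
    "remaining_advisories": [{"id": "ADV-EXAMPLE-2", "base_severity": "medium"}]}],
  "latest_no_vulnerabilities": [{"name": "example-lib", "version": "3.2.0",
    "has_incomplete_data": false, "is_auto_solvable": false,
    "fixed_advisories": [{"id": "ADV-EXAMPLE-1", "base_severity": "critical"},
                         {"id": "ADV-EXAMPLE-2", "base_severity": "medium"}],
    "new_advisories": [], "remaining_advisories": []}]
}}}
""")

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row["candidate"], row["package"], row["new_worst"],
              row["remaining_count"], row["incomplete"])
    print("chosen:", choose(SAMPLE)["package"])
```

Passing `scope="package"` applies the same comparison to the `@remediation.package` candidates.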

### Base{% #base-1 %}

Current package version that the finding was detected on, before any remediation is applied.

| Attribute name         | Type           | Description                                                                                                                                                                        |
| ---------------------- | -------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `fixed_advisories`     | array (object) | **Path:** `@remediation.root_package.base.fixed_advisories` Advisories that the remediation will fix.                                                                               |
| `has_incomplete_data`  | boolean        | **Path:** `@remediation.root_package.base.has_incomplete_data` Flag to indicate whether the remediation may have incomplete dependency data and therefore may not be 100% accurate. |
| `is_auto_solvable`     | boolean        | **Path:** `@remediation.root_package.base.is_auto_solvable` Flag to indicate whether the remediation is autosolvable (only recompiling is needed).                                  |
| `name`                 | string         | **Path:** `@remediation.root_package.base.name` Recommended package name that fixes the finding.                                                                                    |
| `new_advisories`       | array (object) | **Path:** `@remediation.root_package.base.new_advisories` Advisories that will appear if the remediation is applied.                                                                |
| `original_name`        | string         | **Path:** `@remediation.root_package.base.original_name` Original name of the recommended package that fixes the finding.                                                           |
| `remaining_advisories` | array (object) | **Path:** `@remediation.root_package.base.remaining_advisories` Advisories that will remain unfixed if the remediation is applied.                                                  |
| `version`              | string         | **Path:** `@remediation.root_package.base.version` Recommended package version that fixes the finding.                                                                              |

### Fixed Advisories{% #fixed-advisories-5 %}

Advisories that the remediation will fix.

| Attribute name  | Type   | Description                                                                                             |
| --------------- | ------ | ------------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.root_package.base.fixed_advisories.base_severity` Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.root_package.base.fixed_advisories.id` Identifier of the advisory.               |

### New Advisories{% #new-advisories-5 %}

Advisories that will appear if the remediation is applied.

| Attribute name  | Type   | Description                                                                                           |
| --------------- | ------ | ----------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.root_package.base.new_advisories.base_severity` Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.root_package.base.new_advisories.id` Identifier of the advisory.               |

### Remaining Advisories{% #remaining-advisories-5 %}

Advisories that will remain unfixed if the remediation is applied.

| Attribute name  | Type   | Description                                                                                                 |
| --------------- | ------ | ----------------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.root_package.base.remaining_advisories.base_severity` Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.root_package.base.remaining_advisories.id` Identifier of the advisory.               |

### Closest No Critical{% #closest-no-critical-1 %}

Closest package version with no critical vulnerabilities (based on base score).

| Attribute name         | Type           | Description                                                                                                                                                                                       |
| ---------------------- | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `fixed_advisories`     | array (object) | **Path:** `@remediation.root_package.closest_no_critical.fixed_advisories` Advisories that the remediation will fix.                                                                               |
| `has_incomplete_data`  | boolean        | **Path:** `@remediation.root_package.closest_no_critical.has_incomplete_data` Flag to indicate whether the remediation may have incomplete dependency data and therefore may not be 100% accurate. |
| `is_auto_solvable`     | boolean        | **Path:** `@remediation.root_package.closest_no_critical.is_auto_solvable` Flag to indicate whether the remediation is autosolvable (only recompiling is needed).                                  |
| `name`                 | string         | **Path:** `@remediation.root_package.closest_no_critical.name` Recommended package name that fixes the finding.                                                                                    |
| `new_advisories`       | array (object) | **Path:** `@remediation.root_package.closest_no_critical.new_advisories` Advisories that will appear if the remediation is applied.                                                                |
| `original_name`        | string         | **Path:** `@remediation.root_package.closest_no_critical.original_name` Original name of the recommended package that fixes the finding.                                                           |
| `remaining_advisories` | array (object) | **Path:** `@remediation.root_package.closest_no_critical.remaining_advisories` Advisories that will remain unfixed if the remediation is applied.                                                  |
| `version`              | string         | **Path:** `@remediation.root_package.closest_no_critical.version` Recommended package version that fixes the finding.                                                                              |

### Fixed Advisories{% #fixed-advisories-6 %}

Advisories that the remediation will fix.

| Attribute name  | Type   | Description                                                                                                            |
| --------------- | ------ | ---------------------------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.root_package.closest_no_critical.fixed_advisories.base_severity` Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.root_package.closest_no_critical.fixed_advisories.id` Identifier of the advisory.               |

### New Advisories{% #new-advisories-6 %}

Advisories that will appear if the remediation is applied.

| Attribute name  | Type   | Description                                                                                                          |
| --------------- | ------ | -------------------------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.root_package.closest_no_critical.new_advisories.base_severity` Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.root_package.closest_no_critical.new_advisories.id` Identifier of the advisory.               |

### Remaining Advisories{% #remaining-advisories-6 %}

Advisories that will remain unfixed if the remediation is applied.

| Attribute name  | Type   | Description                                                                                                                |
| --------------- | ------ | -------------------------------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.root_package.closest_no_critical.remaining_advisories.base_severity` Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.root_package.closest_no_critical.remaining_advisories.id` Identifier of the advisory.               |

### Closest No Vulnerabilities{% #closest-no-vulnerabilities-2 %}

Closest package version with no vulnerabilities.

| Attribute name         | Type           | Description                                                                                                                                                                                              |
| ---------------------- | -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `fixed_advisories`     | array (object) | **Path:** `@remediation.root_package.closest_no_vulnerabilities.fixed_advisories` Advisories that the remediation will fix.                                                                               |
| `has_incomplete_data`  | boolean        | **Path:** `@remediation.root_package.closest_no_vulnerabilities.has_incomplete_data` Flag to indicate whether the remediation may have incomplete dependency data and therefore may not be 100% accurate. |
| `is_auto_solvable`     | boolean        | **Path:** `@remediation.root_package.closest_no_vulnerabilities.is_auto_solvable` Flag to indicate whether the remediation is autosolvable (only recompiling is needed).                                  |
| `name`                 | string         | **Path:** `@remediation.root_package.closest_no_vulnerabilities.name` Recommended package name that fixes the finding.                                                                                    |
| `new_advisories`       | array (object) | **Path:** `@remediation.root_package.closest_no_vulnerabilities.new_advisories` Advisories that will appear if the remediation is applied.                                                                |
| `original_name`        | string         | **Path:** `@remediation.root_package.closest_no_vulnerabilities.original_name` Original name of the recommended package that fixes the finding.                                                           |
| `remaining_advisories` | array (object) | **Path:** `@remediation.root_package.closest_no_vulnerabilities.remaining_advisories` Advisories that will remain unfixed if the remediation is applied.                                                  |
| `version`              | string         | **Path:** `@remediation.root_package.closest_no_vulnerabilities.version` Recommended package version that fixes the finding.                                                                              |

### Fixed Advisories{% #fixed-advisories-7 %}

Advisories that the remediation will fix.

| Attribute name  | Type   | Description                                                                                                                   |
| --------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.root_package.closest_no_vulnerabilities.fixed_advisories.base_severity` Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.root_package.closest_no_vulnerabilities.fixed_advisories.id` Identifier of the advisory.               |

### New Advisories{% #new-advisories-7 %}

Advisories that will appear if the remediation is applied.

| Attribute name  | Type   | Description                                                                                                                 |
| --------------- | ------ | --------------------------------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.root_package.closest_no_vulnerabilities.new_advisories.base_severity` Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.root_package.closest_no_vulnerabilities.new_advisories.id` Identifier of the advisory.               |

### Remaining Advisories{% #remaining-advisories-7 %}

Advisories that will remain unfixed if the remediation is applied.

| Attribute name  | Type   | Description                                                                                                                       |
| --------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.root_package.closest_no_vulnerabilities.remaining_advisories.base_severity` Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.root_package.closest_no_vulnerabilities.remaining_advisories.id` Identifier of the advisory.               |

### Latest No Critical{% #latest-no-critical-1 %}

The latest remediation package version with no critical vulnerabilities (based on base score).

| Attribute name         | Type           | Description                                                                                                                                                                                      |
| ---------------------- | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `fixed_advisories`     | array (object) | **Path:** `@remediation.root_package.latest_no_critical.fixed_advisories` Advisories that the remediation will fix.                                                                               |
| `has_incomplete_data`  | boolean        | **Path:** `@remediation.root_package.latest_no_critical.has_incomplete_data` Flag to indicate whether the remediation may have incomplete dependency data and therefore may not be 100% accurate. |
| `is_auto_solvable`     | boolean        | **Path:** `@remediation.root_package.latest_no_critical.is_auto_solvable` Flag to indicate whether the remediation is autosolvable (only recompiling is needed).                                  |
| `name`                 | string         | **Path:** `@remediation.root_package.latest_no_critical.name` Recommended package name that fixes the finding.                                                                                    |
| `new_advisories`       | array (object) | **Path:** `@remediation.root_package.latest_no_critical.new_advisories` Advisories that will appear if the remediation is applied.                                                                |
| `original_name`        | string         | **Path:** `@remediation.root_package.latest_no_critical.original_name` Original name of the recommended package that fixes the finding.                                                           |
| `remaining_advisories` | array (object) | **Path:** `@remediation.root_package.latest_no_critical.remaining_advisories` Advisories that will remain unfixed if the remediation is applied.                                                  |
| `version`              | string         | **Path:** `@remediation.root_package.latest_no_critical.version` Recommended package version that fixes the finding.                                                                              |

### Fixed Advisories{% #fixed-advisories-8 %}

Advisories that the remediation will fix.

| Attribute name  | Type   | Description                                                                                                           |
| --------------- | ------ | --------------------------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.root_package.latest_no_critical.fixed_advisories.base_severity` Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.root_package.latest_no_critical.fixed_advisories.id` Identifier of the advisory.               |

### New Advisories{% #new-advisories-8 %}

Advisories that will appear if the remediation is applied.

| Attribute name  | Type   | Description                                                                                                         |
| --------------- | ------ | ------------------------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.root_package.latest_no_critical.new_advisories.base_severity` Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.root_package.latest_no_critical.new_advisories.id` Identifier of the advisory.               |

### Remaining Advisories{% #remaining-advisories-8 %}

Advisories that will remain unfixed if the remediation is applied.

| Attribute name  | Type   | Description                                                                                                               |
| --------------- | ------ | ------------------------------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.root_package.latest_no_critical.remaining_advisories.base_severity` Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.root_package.latest_no_critical.remaining_advisories.id` Identifier of the advisory.               |

### Latest No Vulnerabilities{% #latest-no-vulnerabilities-1 %}

Latest package version with no vulnerabilities.

| Attribute name         | Type           | Description                                                                                                                                                                                             |
| ---------------------- | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `fixed_advisories`     | array (object) | **Path:** `@remediation.root_package.latest_no_vulnerabilities.fixed_advisories` Advisories that the remediation will fix.                                                                               |
| `has_incomplete_data`  | boolean        | **Path:** `@remediation.root_package.latest_no_vulnerabilities.has_incomplete_data` Flag to indicate whether the remediation may have incomplete dependency data and therefore may not be 100% accurate. |
| `is_auto_solvable`     | boolean        | **Path:** `@remediation.root_package.latest_no_vulnerabilities.is_auto_solvable` Flag to indicate whether the remediation is autosolvable (only recompiling is needed).                                  |
| `name`                 | string         | **Path:** `@remediation.root_package.latest_no_vulnerabilities.name` Recommended package name that fixes the finding.                                                                                    |
| `new_advisories`       | array (object) | **Path:** `@remediation.root_package.latest_no_vulnerabilities.new_advisories` Advisories that will appear if the remediation is applied.                                                                |
| `original_name`        | string         | **Path:** `@remediation.root_package.latest_no_vulnerabilities.original_name` Original name of the recommended package that fixes the finding.                                                           |
| `remaining_advisories` | array (object) | **Path:** `@remediation.root_package.latest_no_vulnerabilities.remaining_advisories` Advisories that will remain unfixed if the remediation is applied.                                                  |
| `version`              | string         | **Path:** `@remediation.root_package.latest_no_vulnerabilities.version` Recommended package version that fixes the finding.                                                                              |

### Fixed Advisories{% #fixed-advisories-9 %}

Advisories that the remediation will fix.

| Attribute name  | Type   | Description                                                                                                                  |
| --------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.root_package.latest_no_vulnerabilities.fixed_advisories.base_severity` Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.root_package.latest_no_vulnerabilities.fixed_advisories.id` Identifier of the advisory.              |

### New Advisories{% #new-advisories-9 %}

Advisories that will appear if the remediation is applied.

| Attribute name  | Type   | Description                                                                                                                |
| --------------- | ------ | -------------------------------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.root_package.latest_no_vulnerabilities.new_advisories.base_severity` Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.root_package.latest_no_vulnerabilities.new_advisories.id` Identifier of the advisory.              |

### Remaining Advisories{% #remaining-advisories-9 %}

Advisories that will remain unfixed if the remediation is applied.

| Attribute name  | Type   | Description                                                                                                                      |
| --------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------- |
| `base_severity` | string | **Path:** `@remediation.root_package.latest_no_vulnerabilities.remaining_advisories.base_severity` Base severity of the advisory. |
| `id`            | string | **Path:** `@remediation.root_package.latest_no_vulnerabilities.remaining_advisories.id` Identifier of the advisory.              |

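The three advisory arrays let you check whether a recommended upgrade is a net improvement before applying it. The following is an added example, not Datadog code: the severity ordering, the decision labels (`auto_apply`, `review`, `hold`), and the sample objects with their advisory IDs are assumptions constructed for illustration.

```python
# Assumed ordering of base_severity labels; the schema page does not enumerate them.
SEVERITY_RANK = {"none": 0, "info": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}
UNKNOWN_RANK = max(SEVERITY_RANK.values()) + 1  # unrecognized labels fail closed


def worst_rank(advisories):
    """Highest severity rank among {id, base_severity} objects; -1 for an empty list."""
    ranks = [
        SEVERITY_RANK.get(str(a.get("base_severity", "")).lower(), UNKNOWN_RANK)
        for a in advisories
    ]
    return max(ranks, default=-1)


def advisory_ids(advisories):
    return ", ".join(str(a.get("id", "?")) for a in advisories)


def assess_remediation(candidate):
    """Classify one remediation object such as root_package.latest_no_vulnerabilities."""
    fixed = candidate.get("fixed_advisories") or []
    new = candidate.get("new_advisories") or []
    remaining = candidate.get("remaining_advisories") or []
    blockers, cautions = [], []

    if not fixed:
        blockers.append("fixes no advisories")
    if new and worst_rank(new) >= worst_rank(fixed):
        blockers.append("introduces advisories at least as severe as those fixed: "
                        + advisory_ids(new))
    elif new:
        cautions.append("introduces lower-severity advisories: " + advisory_ids(new))
    if remaining:
        cautions.append("leaves advisories unfixed: " + advisory_ids(remaining))
    if candidate.get("has_incomplete_data"):
        cautions.append("dependency data may be incomplete")

    if blockers:
        decision = "hold"
    elif cautions or not candidate.get("is_auto_solvable"):
        decision = "review"
    else:
        decision = "auto_apply"
    return {
        "target": f"{candidate.get('name')}@{candidate.get('version')}",
        "decision": decision,
        "blockers": blockers,
        "cautions": cautions,
    }


# Constructed sample objects; package names, versions and advisory IDs are placeholders.
CLEAN = {
    "name": "example-lib", "version": "2.4.1",
    "is_auto_solvable": True, "has_incomplete_data": False,
    "fixed_advisories": [{"id": "EXAMPLE-ADV-0001", "base_severity": "critical"}],
    "new_advisories": [], "remaining_advisories": [],
}
TRADEOFF = {
    "name": "example-lib", "version": "3.0.0",
    "is_auto_solvable": False, "has_incomplete_data": True,
    "fixed_advisories": [{"id": "EXAMPLE-ADV-0001", "base_severity": "high"}],
    "new_advisories": [{"id": "EXAMPLE-ADV-0002", "base_severity": "low"}],
    "remaining_advisories": [{"id": "EXAMPLE-ADV-0003", "base_severity": "medium"}],
}
REGRESSION = {
    "name": "example-lib", "version": "4.0.0",
    "is_auto_solvable": True, "has_incomplete_data": False,
    "fixed_advisories": [{"id": "EXAMPLE-ADV-0001", "base_severity": "medium"}],
    "new_advisories": [{"id": "EXAMPLE-ADV-0004", "base_severity": "critical"}],
    "remaining_advisories": [],
}

if __name__ == "__main__":
    for sample in (CLEAN, TRADEOFF, REGRESSION):
        print(assess_remediation(sample))
```
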
{% /collapsible-section %}

{% collapsible-section #risk %}
### Risk

Risk-related attributes for the finding. Each key must have a matching key in the `risk_details` namespace.

| Attribute name                   | Type    | Description                                                                                                                                                                                           |
| -------------------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `has_exploit_available`          | boolean | **Path:** `@risk.has_exploit_available` `true` if known exploits exist for the finding; `false` otherwise.                                                                                            |
| `has_high_exploitability_chance` | boolean | **Path:** `@risk.has_high_exploitability_chance` `true` if the EPSS (Exploit Prediction Scoring System) score is above 1%; `false` otherwise.                                                         |
| `has_privileged_access`          | boolean | **Path:** `@risk.has_privileged_access` `true` if the finding's resource is running with elevated privileges or has the ability to assume a privileged role; `false` otherwise.                       |
| `has_sensitive_data`             | boolean | **Path:** `@risk.has_sensitive_data` `true` if the finding has access to a resource that contains sensitive data; `false` otherwise.                                                                  |
| `is_authenticated`               | boolean | **Path:** `@risk.is_authenticated` `true` if the API endpoint requires authentication to access; `false` if the endpoint does not require authentication. Omitted if authentication status is unknown. |
| `is_crown_jewel`                 | boolean | **Path:** `@risk.is_crown_jewel` `true` if the affected resource is critical to your business; `false` otherwise.                                                                                     |
| `is_emerging`                    | boolean | **Path:** `@risk.is_emerging` `true` if the vulnerability is linked to an advisory classified as an emerging vulnerability; `false` otherwise.                                                        |
| `is_exposed_to_attacks`          | boolean | **Path:** `@risk.is_exposed_to_attacks` `true` if attacks have already been detected on the resource; `false` otherwise.                                                                              |
| `is_function_reachable`          | boolean | **Path:** `@risk.is_function_reachable` `true` if the vulnerable function can be executed; `false` otherwise.                                                                                         |
| `is_image_running`               | boolean | **Path:** `@risk.is_image_running` `true` if the image of the finding's resource has running containers or hosts; `false` otherwise.                                                                  |
| `is_kernel_running`              | boolean | **Path:** `@risk.is_kernel_running` `true` if the vulnerability affects the kernel currently running on the host; `false` otherwise.                                                                  |
| `is_package_running`             | boolean | **Path:** `@risk.is_package_running` `true` if the package of the finding's resource is running; `false` otherwise.                                                                                   |
| `is_production`                  | boolean | **Path:** `@risk.is_production` `true` if the finding's resource is running in production; `false` otherwise.                                                                                         |
| `is_publicly_accessible`         | boolean | **Path:** `@risk.is_publicly_accessible` `true` if the finding's resource is publicly accessible; `false` otherwise.                                                                                  |
| `is_tainted_from_database`       | boolean | **Path:** `@risk.is_tainted_from_database` `true` if the string is tainted due to originating from an untrusted database source; `false` otherwise.                                                   |
| `is_tainted_from_query_string`   | boolean | **Path:** `@risk.is_tainted_from_query_string` `true` if the string is tainted with elements derived from an HTTP query string; `false` otherwise.                                                    |
| `is_tainted_from_request_url`    | boolean | **Path:** `@risk.is_tainted_from_request_url` `true` if the final URL contains tainted parts originating from the request URL; `false` otherwise.                                                     |
| `is_using_sha1`                  | boolean | **Path:** `@risk.is_using_sha1` `true` if SHA1 is used in a weak hash; `false` otherwise.                                                                                                             |

{% /collapsible-section %}

{% collapsible-section #risk-details %}
### Risk Details

Contextual risk factors that help assess the potential impact of a finding. These fields describe characteristics like exposure, sensitivity, and signs of active exploitation.

| Attribute name                   | Type   | Description                                                                                                                                                                                  |
| -------------------------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `has_exploit_available`          | object | **Path:** `@risk_details.has_exploit_available` Information about whether a known exploit exists for the finding advisory.                                                                   |
| `has_high_exploitability_chance` | object | **Path:** `@risk_details.has_high_exploitability_chance` Evidence and indicators about whether the vulnerability is likely to be exploited based on EPSS (Exploit Prediction Scoring System). |
| `has_privileged_access`          | object | **Path:** `@risk_details.has_privileged_access` Evidence and indicators about whether the resource has privileged access.                                                                    |
| `has_sensitive_data`             | object | **Path:** `@risk_details.has_sensitive_data` Evidence and indicators about whether the affected resource has sensitive data.                                                                 |
| `is_authenticated`               | object | **Path:** `@risk_details.is_authenticated` Evidence and indicators about whether the API endpoint requires authentication.                                                                   |
| `is_crown_jewel`                 | object | **Path:** `@risk_details.is_crown_jewel` Evidence and indicators about whether the affected resource is critical.                                                                            |
| `is_emerging`                    | object | **Path:** `@risk_details.is_emerging` Evidence and indicators about whether the vulnerability is classified as an emerging vulnerability.                                                    |
| `is_exposed_to_attacks`          | object | **Path:** `@risk_details.is_exposed_to_attacks` Evidence and indicators about whether the service where the finding was detected is exposed to attacks.                                      |
| `is_function_reachable`          | object | **Path:** `@risk_details.is_function_reachable` Evidence and indicators about whether the vulnerable function or module is used in the code.                                                 |
| `is_image_running`               | object | **Path:** `@risk_details.is_image_running` Evidence and indicators about whether the affected image has running containers or hosts.                                                         |
| `is_kernel_running`              | object | **Path:** `@risk_details.is_kernel_running` Evidence and indicators about whether the vulnerability affects the kernel currently running on the host.                                        |
| `is_package_running`             | object | **Path:** `@risk_details.is_package_running` Evidence and indicators about whether the affected package is running.                                                                          |
| `is_production`                  | object | **Path:** `@risk_details.is_production` Evidence and indicators about whether the resource associated with the finding is running in a production environment.                               |
| `is_publicly_accessible`         | object | **Path:** `@risk_details.is_publicly_accessible` Information about whether the affected resource is accessible from the public internet.                                                     |
| `is_tainted_from_database`       | object | **Path:** `@risk_details.is_tainted_from_database` Information about whether tainted parts originate from a database.                                                                        |
| `is_tainted_from_query_string`   | object | **Path:** `@risk_details.is_tainted_from_query_string` Information about whether the tainted parts originated from a query string.                                                           |
| `is_tainted_from_request_url`    | object | **Path:** `@risk_details.is_tainted_from_request_url` Information about whether the tainted parts originate from the request URL.                                                            |
| `is_using_sha1`                  | object | **Path:** `@risk_details.is_using_sha1` Information about whether SHA1 is used in a weak hash.                                                                                               |

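The `risk` booleans and the `risk_details` objects are meant to mirror each other: every `risk` key needs a matching `risk_details` key, and `risk_details.<key>.value` repeats the boolean. The following is an added example, not Datadog code, that checks this pairing on an exported finding and groups risk factors by `impact_cvss`; the function names and the sample finding are assumptions constructed for illustration.

```python
# Valid impact_cvss values as listed in the risk_details tables.
IMPACT_VALUES = ("riskier", "neutral", "safer", "unknown")


def check_risk_consistency(finding):
    """Return a list of problems where risk and risk_details disagree."""
    risk = finding.get("risk") or {}
    details = finding.get("risk_details") or {}
    problems = []
    for key, flag in risk.items():
        detail = details.get(key)
        if not isinstance(detail, dict):
            problems.append(f"risk.{key} has no matching risk_details.{key}")
            continue
        # risk_details.<key>.value is documented as the same boolean as risk.<key>.
        if "value" in detail and detail["value"] != flag:
            problems.append(
                f"risk.{key}={flag} but risk_details.{key}.value={detail['value']}"
            )
        impact = detail.get("impact_cvss")
        if impact is not None and impact not in IMPACT_VALUES:
            problems.append(f"risk_details.{key}.impact_cvss has invalid value {impact!r}")
    return problems


def group_by_cvss_impact(finding):
    """Group risk_details keys by impact_cvss; keys without that attribute are skipped."""
    groups = {value: [] for value in IMPACT_VALUES}
    for key, detail in sorted((finding.get("risk_details") or {}).items()):
        if isinstance(detail, dict) and detail.get("impact_cvss") in groups:
            groups[detail["impact_cvss"]].append(key)
    return groups


# Constructed sample finding (only the two namespaces used here).
# It contains one value mismatch and one missing risk_details entry on purpose.
SAMPLE_FINDING = {
    "risk": {
        "has_exploit_available": True,
        "is_production": True,
        "is_publicly_accessible": False,
        "is_function_reachable": True,
    },
    "risk_details": {
        "has_exploit_available": {
            "value": True,
            "impact_cvss": "riskier",
            "evidence": {"type": "poc", "exploit_sources": ["Exploit-DB"]},
        },
        "is_production": {"value": False, "impact_cvss": "riskier"},
        "is_publicly_accessible": {"value": False, "impact_cvss": "safer"},
    },
}

if __name__ == "__main__":
    for problem in check_risk_consistency(SAMPLE_FINDING):
        print("inconsistent:", problem)
    print(group_by_cvss_impact(SAMPLE_FINDING))
```
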
### Has Exploit Available{% #has-exploit-available %}

Information about whether a known exploit exists for the finding advisory.

| Attribute name | Type    | Description                                                                                                                                                                         |
| -------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `evidence`     | object  | **Path:** `@risk_details.has_exploit_available.evidence` Evidence of exploit availability.                                                                                          |
| `impact_cvss`  | string  | **Path:** `@risk_details.has_exploit_available.impact_cvss` How the availability of known exploits changes the CVSS scoring. Valid values: `riskier`, `neutral`, `safer`, `unknown`. |
| `value`        | boolean | **Path:** `@risk_details.has_exploit_available.value` `true` if known exploits exist for the finding; `false` otherwise.                                                            |

### Evidence{% #evidence %}

Evidence of exploit availability.

| Attribute name    | Type           | Description                                                                                                                                                      |
| ----------------- | -------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `exploit_sources` | array (string) | **Path:** `@risk_details.has_exploit_available.evidence.exploit_sources` Exploit sources associated with the finding (for example, `NIST`, `CISA`, `Exploit-DB`). |
| `exploit_urls`    | array (string) | **Path:** `@risk_details.has_exploit_available.evidence.exploit_urls` Exploit URLs associated with the finding.                                                  |
| `type`            | string         | **Path:** `@risk_details.has_exploit_available.evidence.type` Type of exploit availability evidence. Valid values: `production_ready`, `poc`, `unavailable`.     |

### Has High Exploitability Chance{% #has-high-exploitability-chance %}

Evidence and indicators about whether the vulnerability is likely to be exploited based on EPSS (Exploit Prediction Scoring System).

| Attribute name | Type    | Description                                                                                                                                                                          |
| -------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `evidence`     | object  | **Path:** `@risk_details.has_high_exploitability_chance.evidence` Evidence for the EPSS score.                                                                                       |
| `impact_cvss`  | string  | **Path:** `@risk_details.has_high_exploitability_chance.impact_cvss` How high exploitability chance affects the CVSS scoring. Valid values: `riskier`, `neutral`, `safer`, `unknown`. |
| `value`        | boolean | **Path:** `@risk_details.has_high_exploitability_chance.value` `true` if the EPSS score is above 1%; `false` otherwise.                                                              |

### Evidence{% #evidence-1 %}

Evidence for the EPSS score.

| Attribute name  | Type   | Description                                                                                                                                                                         |
| --------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `epss_score`    | number | **Path:** `@risk_details.has_high_exploitability_chance.evidence.epss_score` EPSS score as a percentage representing the chance of exploitation.                                    |
| `epss_severity` | string | **Path:** `@risk_details.has_high_exploitability_chance.evidence.epss_severity` EPSS score severity level. Valid values: `Critical`, `High`, `Medium`, `Low`.                       |
| `threshold`     | number | **Path:** `@risk_details.has_high_exploitability_chance.evidence.threshold` Minimum EPSS score required for a vulnerability to be considered as having a high exploitability chance. |

### Has Privileged Access{% #has-privileged-access %}

Evidence and indicators about whether the resource has privileged access.

| Attribute name | Type    | Description                                                                                                                                                        |
| -------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `evidence`     | object  | **Path:** `@risk_details.has_privileged_access.evidence` Evidence showing proof of privileged access.                                                              |
| `impact_cvss`  | string  | **Path:** `@risk_details.has_privileged_access.impact_cvss` How privileged access changes the CVSS scoring. Valid values: `riskier`, `neutral`, `safer`, `unknown`. |
| `value`        | boolean | **Path:** `@risk_details.has_privileged_access.value` `true` if the resource associated with the finding has privileged access; `false` otherwise.                 |

### Evidence{% #evidence-2 %}

Evidence showing proof of privileged access.

| Attribute name | Type   | Description                                                                                                                               |
| -------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------- |
| `resource_key` | string | **Path:** `@risk_details.has_privileged_access.evidence.resource_key` Canonical Cloud Resource Identifier with proof of privileged access. |

### Has Sensitive Data{% #has-sensitive-data %}

Evidence and indicators about whether the affected resource has sensitive data.

| Attribute name | Type    | Description                                                                                                                                                         |
| -------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `evidence`     | object  | **Path:** `@risk_details.has_sensitive_data.evidence` Evidence supporting the presence of sensitive data.                                                           |
| `impact_cvss`  | string  | **Path:** `@risk_details.has_sensitive_data.impact_cvss` How sensitive data presence changes the CVSS score. Valid values: `riskier`, `neutral`, `safer`, `unknown`. |
| `value`        | boolean | **Path:** `@risk_details.has_sensitive_data.value` Same as `risk.has_sensitive_data`.                                                                               |

### Evidence{% #evidence-3 %}

Evidence supporting the presence of sensitive data.

| Attribute name | Type   | Description                                                                                                                                    |
| -------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------- |
| `sds_id`       | string | **Path:** `@risk_details.has_sensitive_data.evidence.sds_id` Identifier of a sensitive data entry that Datadog Sensitive Data Scanner detected. |

### Is Authenticated{% #is-authenticated %}

Evidence and indicators about whether the API endpoint requires authentication.

| Attribute name | Type    | Description                                                                      |
| -------------- | ------- | -------------------------------------------------------------------------------- |
| `value`        | boolean | **Path:** `@risk_details.is_authenticated.value` Same as `risk.is_authenticated`. |

### Is Crown Jewel{% #is-crown-jewel %}

Evidence and indicators about whether the affected resource is critical.

| Attribute name | Type    | Description                                                                                                                                                  |
| -------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `evidence`     | object  | **Path:** `@risk_details.is_crown_jewel.evidence` Evidence used to identify the resource as being critical.                                                  |
| `impact_cvss`  | string  | **Path:** `@risk_details.is_crown_jewel.impact_cvss` How resource criticality changes the CVSS score. Valid values: `riskier`, `neutral`, `safer`, `unknown`. |
| `value`        | boolean | **Path:** `@risk_details.is_crown_jewel.value` `true` if the resource is critical to your business; `false` otherwise.                                       |

### Evidence{% #evidence-4 %}

Evidence used to identify the resource as being critical.

| Attribute name          | Type   | Description                                                                                                                                                                                              |
| ----------------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `explanation`           | string | **Path:** `@risk_details.is_crown_jewel.evidence.explanation` Markdown-formatted explanation detailing why the resource or related resource is identified as critical.                                   |
| `related_resource_name` | string | **Path:** `@risk_details.is_crown_jewel.evidence.related_resource_name` Name of a long-lived critical asset, such as a critical service, that justifies why the affected resource is considered critical. |

### Is Emerging{% #is-emerging %}

Evidence and indicators about whether the vulnerability is classified as an emerging vulnerability.

| Attribute name | Type    | Description                                                                                                                                                          |
| -------------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `impact_cvss`  | string  | **Path:** `@risk_details.is_emerging.impact_cvss` How emerging vulnerability status affects the CVSS scoring. Valid values: `riskier`, `neutral`, `safer`, `unknown`. |
| `value`        | boolean | **Path:** `@risk_details.is_emerging.value` Same as `risk.is_emerging`.                                                                                              |

### Is Exposed To Attacks{% #is-exposed-to-attacks %}

Evidence and indicators about whether the service where the finding was detected is exposed to attacks.

| Attribute name | Type    | Description                                                                                                                                                              |
| -------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `evidence`     | object  | **Path:** `@risk_details.is_exposed_to_attacks.evidence` Evidence for the presence of attacks.                                                                           |
| `impact_cvss`  | string  | **Path:** `@risk_details.is_exposed_to_attacks.impact_cvss` How the resource's exposure affects the CVSS scoring. Valid values: `riskier`, `neutral`, `safer`, `unknown`. |
| `value`        | boolean | **Path:** `@risk_details.is_exposed_to_attacks.value` Same as `risk.is_exposed_to_attacks`.                                                                              |

### Evidence{% #evidence-5 %}

Evidence for the presence of attacks.

| Attribute name    | Type   | Description                                                                                                                                   |
| ----------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
| `attacks_details` | object | **Path:** `@risk_details.is_exposed_to_attacks.evidence.attacks_details` Details about one of the detected attacks.                           |
| `trace_example`   | object | **Path:** `@risk_details.is_exposed_to_attacks.evidence.trace_example` Example of a trace with attacks detected on the finding's resource.    |
| `trace_query`     | string | **Path:** `@risk_details.is_exposed_to_attacks.evidence.trace_query` Query used to find traces with attacks related to the finding's resource. |

### Is Function Reachable{% #is-function-reachable %}

Evidence and indicators about whether the vulnerable function or module is used in the code.

| Attribute name | Type    | Description                                                                                                                                                                    |
| -------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `evidence`     | object  | **Path:** `@risk_details.is_function_reachable.evidence` Evidence used to determine whether the function is reachable.                                                         |
| `impact_cvss`  | string  | **Path:** `@risk_details.is_function_reachable.impact_cvss` How function reachability changes the CVSS risk assessment. Valid values: `riskier`, `neutral`, `safer`, `unknown`. |
| `value`        | boolean | **Path:** `@risk_details.is_function_reachable.value` `true` if the function is reachable; `false` otherwise.                                                                  |

### Evidence{% #evidence-6 %}

Evidence used to determine whether the function is reachable.

| Attribute name         | Type           | Description                                                                                                                                                                                                                 |
| ---------------------- | -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `locations`            | array (object) | **Path:** `@risk_details.is_function_reachable.evidence.locations` Array of code locations where the function is called.                                                                                                    |
| `not_supported_reason` | string         | **Path:** `@risk_details.is_function_reachable.evidence.not_supported_reason` Reason why reachability analysis is not supported for this finding. Valid values: `language_not_supported`, `vulnerable_symbol_not_available`. |

### Locations{% #locations %}

Array of code locations where the function is called.

| Attribute name | Type    | Description                                                                                                                                                 |
| -------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `column_end`   | integer | **Path:** `@risk_details.is_function_reachable.evidence.locations.column_end` Ending column position.                                                       |
| `column_start` | integer | **Path:** `@risk_details.is_function_reachable.evidence.locations.column_start` Starting column position.                                                   |
| `filename`     | string  | **Path:** `@risk_details.is_function_reachable.evidence.locations.filename` Relative path to the file.                                                      |
| `is_test_file` | boolean | **Path:** `@risk_details.is_function_reachable.evidence.locations.is_test_file` `true` if the code file is a test file; `false` otherwise.                  |
| `line_end`     | integer | **Path:** `@risk_details.is_function_reachable.evidence.locations.line_end` Ending line number.                                                             |
| `line_start`   | integer | **Path:** `@risk_details.is_function_reachable.evidence.locations.line_start` Starting line number.                                                         |
| `symbol`       | string  | **Path:** `@risk_details.is_function_reachable.evidence.locations.symbol` Symbol name at the code location.                                                 |
| `url`          | string  | **Path:** `@risk_details.is_function_reachable.evidence.locations.url` URL to view the file online (for example, in GitHub), highlighting the code location. |

### Is Image Running{% #is-image-running %}

Evidence and indicators about whether the affected image has running containers or hosts.

| Attribute name | Type    | Description                                                                                                                                                             |
| -------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `evidence`     | object  | **Path:** `@risk_details.is_image_running.evidence` Evidence showing proof of running containers or hosts.                                                              |
| `impact_cvss`  | string  | **Path:** `@risk_details.is_image_running.impact_cvss` How running containers or hosts affects the CVSS scoring. Valid values: `riskier`, `neutral`, `safer`, `unknown`. |
| `value`        | boolean | **Path:** `@risk_details.is_image_running.value` `true` if the image of the finding's resource has running containers or hosts; `false` otherwise.                      |

### Evidence{% #evidence-7 %}

Evidence showing proof of running containers or hosts.

| Attribute name | Type    | Description                                                                                                                  |
| -------------- | ------- | ---------------------------------------------------------------------------------------------------------------------------- |
| `detected_at`  | integer | **Path:** `@risk_details.is_image_running.evidence.detected_at` Timestamp when the running containers or hosts were detected. |

### Is Kernel Running{% #is-kernel-running %}

Evidence and indicators about whether the vulnerability affects the kernel currently running on the host.

| Attribute name | Type    | Description                                                                                                                                       |
| -------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------- |
| `evidence`     | object  | **Path:** `@risk_details.is_kernel_running.evidence`Evidence showing proof that the vulnerability affects the running kernel.                     |
| `value`        | boolean | **Path:** `@risk_details.is_kernel_running.value` `true` if the vulnerability affects the kernel currently running on the host; `false` otherwise. |

### Evidence{% #evidence-8 %}

Evidence showing proof that the vulnerability affects the running kernel.

| Attribute name   | Type   | Description                                                                                                             |
| ---------------- | ------ | ----------------------------------------------------------------------------------------------------------------------- |
| `kernel_version` | string | **Path:** `@risk_details.is_kernel_running.evidence.kernel_version`Version of the kernel currently running on the host. |

### Is Package Running{% #is-package-running %}

Evidence and indicators about whether the affected package is running.

| Attribute name | Type    | Description                                                                                                                                                     |
| -------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `impact_cvss`  | string  | **Path:** `@risk_details.is_package_running.impact_cvss`How a running package affects the CVSS scoring. Valid values: `riskier`, `neutral`, `safer`, `unknown`. |
| `value`        | boolean | **Path:** `@risk_details.is_package_running.value` `true` if the package of the finding's resource is running; `false` otherwise.                               |

### Is Production{% #is-production %}

Evidence and indicators about whether the resource associated with the finding is running in a production environment.

| Attribute name | Type    | Description                                                                                                                                                            |
| -------------- | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `evidence`     | object  | **Path:** `@risk_details.is_production.evidence`The `env` tag value that determines whether the resource is in production.                                             |
| `impact_cvss`  | string  | **Path:** `@risk_details.is_production.impact_cvss`How production environment status affects the CVSS scoring. Valid values: `riskier`, `neutral`, `safer`, `unknown`. |
| `value`        | boolean | **Path:** `@risk_details.is_production.value`Same as `risk.is_production`.                                                                                             |

### Is Publicly Accessible{% #is-publicly-accessible %}

Information about whether the affected resource is accessible from the public internet.

| Attribute name | Type    | Description                                                                                                                                                            |
| -------------- | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `evidence`     | object  | **Path:** `@risk_details.is_publicly_accessible.evidence`Evidence showing proof of access from the internet.                                                           |
| `impact_cvss`  | string  | **Path:** `@risk_details.is_publicly_accessible.impact_cvss`How public accessibility affects the CVSS scoring. Valid values: `riskier`, `neutral`, `safer`, `unknown`. |
| `value`        | boolean | **Path:** `@risk_details.is_publicly_accessible.value`Same as `risk.is_publicly_accessible`.                                                                           |

### Evidence{% #evidence-9 %}

Evidence showing proof of access from the internet.

| Attribute name | Type   | Description                                                                                                                                             |
| -------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `resource_key` | string | **Path:** `@risk_details.is_publicly_accessible.evidence.resource_key`Canonical Cloud Resource Identifier of the resource accessible from the internet. |

### Is Tainted From Database{% #is-tainted-from-database %}

Information about whether tainted parts originate from a database.

| Attribute name | Type    | Description                                                                                                                                                           |
| -------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `impact_cvss`  | string  | **Path:** `@risk_details.is_tainted_from_database.impact_cvss`How database tainting changes the CVSS scoring. Valid values: `riskier`, `neutral`, `safer`, `unknown`. |
| `value`        | boolean | **Path:** `@risk_details.is_tainted_from_database.value` `true` if the string is tainted due to originating from an untrusted database source; `false` otherwise.     |

### Is Tainted From Query String{% #is-tainted-from-query-string %}

Information about whether the tainted parts originated from a query string.

| Attribute name | Type    | Description                                                                                                                                                                   |
| -------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `impact_cvss`  | string  | **Path:** `@risk_details.is_tainted_from_query_string.impact_cvss`How query string tainting changes the CVSS scoring. Valid values: `riskier`, `neutral`, `safer`, `unknown`. |
| `value`        | boolean | **Path:** `@risk_details.is_tainted_from_query_string.value` `true` if the string contains elements derived from an HTTP query string; `false` otherwise.                     |

### Is Tainted From Request URL{% #is-tainted-from-request-url %}

Information about whether the tainted parts originate from the request URL.

| Attribute name | Type    | Description                                                                                                                                                                 |
| -------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `impact_cvss`  | string  | **Path:** `@risk_details.is_tainted_from_request_url.impact_cvss`How request URL tainting changes the CVSS scoring. Valid values: `riskier`, `neutral`, `safer`, `unknown`. |
| `value`        | boolean | **Path:** `@risk_details.is_tainted_from_request_url.value` `true` if the final URL contains tainted parts originating from the request URL; `false` otherwise.             |

### Is Using SHA1{% #is-using-sha1 %}

Information about whether SHA1 is used in a weak hash.

| Attribute name | Type    | Description                                                                                                                                         |
| -------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
| `impact_cvss`  | string  | **Path:** `@risk_details.is_using_sha1.impact_cvss`How SHA1 usage changes the CVSS scoring. Valid values: `riskier`, `neutral`, `safer`, `unknown`. |
| `value`        | boolean | **Path:** `@risk_details.is_using_sha1.value` `true` if SHA1 is used in a weak hash; `false` otherwise.                                             |

{% /collapsible-section %}

{% collapsible-section #rule %}
### Rule

Describes how a vulnerability was discovered. A vulnerability finding that has a rule was detected in source code or running code. Rules are also used for non-vulnerability findings, such as misconfigurations or API security findings.

| Attribute name    | Type    | Description                                                                                        |
| ----------------- | ------- | -------------------------------------------------------------------------------------------------- |
| `default_rule_id` | string  | **Path:** `@rule.default_rule_id`Default rule identifier of the rule. Empty if it's a custom rule. |
| `id`              | string  | **Path:** `@rule.id`Identifier of the rule that generated the finding.                             |
| `name`            | string  | **Path:** `@rule.name`Name of the rule that generated the finding.                                 |
| `type`            | string  | **Path:** `@rule.type`Type of the rule that generated the finding.                                 |
| `version`         | integer | **Path:** `@rule.version`Version of the rule that generated the finding.                           |

{% /collapsible-section %}

{% collapsible-section #runtime-context %}
### Runtime Context

Groups attributes related to runtime context.

| Attribute name        | Type           | Description                                                                                                                                                                     |
| --------------------- | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `database_monitoring` | object         | **Path:** `@runtime_context.database_monitoring`Contains database monitoring context associated with the finding.                                                               |
| `span_id`             | string         | **Path:** `@runtime_context.span_id`Span identifier where the finding was detected. Available only for IAST (Interactive Application Security Testing).                         |
| `stacktrace_id`       | string         | **Path:** `@runtime_context.stacktrace_id`Stack trace identifier where the finding was detected. Available only for IAST (Interactive Application Security Testing).            |
| `trace_id`            | string         | **Path:** `@runtime_context.trace_id`Trace identifier where the finding was detected. Available only for IAST (Interactive Application Security Testing).                       |
| `vulnerable_services` | array (object) | **Path:** `@runtime_context.vulnerable_services`Lists running service versions affected by the finding, each identified by deployment environment, version, and Git commit SHA. |

### Database Monitoring{% #database-monitoring %}

Contains database monitoring context associated with the finding.

| Attribute name       | Type           | Description                                                                                                                        |
| -------------------- | -------------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| `database_instances` | array (string) | **Path:** `@runtime_context.database_monitoring.database_instances`Identifiers for the database instances affected by the finding. |
| `query_signature`    | string         | **Path:** `@runtime_context.database_monitoring.query_signature`Hash of the normalized SQL query associated with the finding.      |

### Vulnerable Services{% #vulnerable-services %}

Lists running service versions affected by the finding, each identified by deployment environment, version, and Git commit SHA.

| Attribute name | Type   | Description                                                                                                                                          |
| -------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
| `commit_sha`   | string | **Path:** `@runtime_context.vulnerable_services.commit_sha`Contains the Git commit SHA of the vulnerable service.                                    |
| `env`          | string | **Path:** `@runtime_context.vulnerable_services.env`Indicates the deployment environment of the vulnerable service (for example, `prod`, `staging`). |
| `service_name` | string | **Path:** `@runtime_context.vulnerable_services.service_name`Contains the name of the vulnerable service.                                            |
| `version`      | string | **Path:** `@runtime_context.vulnerable_services.version`Contains the version identifier of the vulnerable service.                                   |

{% /collapsible-section %}

{% collapsible-section #secret %}
### Secret

Information specific to secret findings, such as the secret's validation status.

| Attribute name      | Type   | Description                                                                                    |
| ------------------- | ------ | ---------------------------------------------------------------------------------------------- |
| `validation_status` | string | **Path:** `@secret.validation_status`Result of attempting to validate if the secret is active. |

{% /collapsible-section %}

{% collapsible-section #service %}
### Service

Information about the service where the finding was detected, including its name and source code metadata.

| Attribute name       | Type   | Description                                                                                                                                                                       |
| -------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `git_commit_sha`     | string | **Path:** `@service.git_commit_sha`Git commit SHA of the latest commit where the finding was detected for the service. Available only when Source Code Integration is configured. |
| `git_repository_url` | string | **Path:** `@service.git_repository_url`URL of the Git repository for the service associated with the finding. Available only when Source Code Integration is configured.          |
| `name`               | string | **Path:** `@service.name`Name of the service where the finding was detected.                                                                                                      |

{% /collapsible-section %}

{% collapsible-section #severity-details %}
### Severity Details

Detailed severity information for the finding, including base and adjusted severity.

| Attribute name  | Type   | Description                                                                                                                                              |
| --------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `adjusted`      | object | **Path:** `@severity_details.adjusted`Adjusted severity of the finding after accounting for contextual or environmental factors.                         |
| `base`          | object | **Path:** `@severity_details.base`Base severity of the finding as defined by the original rule, advisory, or scanner, before any contextual adjustments. |
| `user_adjusted` | object | **Path:** `@severity_details.user_adjusted`Severity of the finding after application of user-defined severity modifications.                             |

### Adjusted{% #adjusted %}

Adjusted severity of the finding after accounting for contextual or environmental factors.

| Attribute name | Type    | Description                                                                                                                                                                |
| -------------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `score`        | number  | **Path:** `@severity_details.adjusted.score`Numeric severity score (CVSS scale).                                                                                           |
| `value`        | string  | **Path:** `@severity_details.adjusted.value`Severity level. Valid values: `critical`, `high`, `medium`, `low`, `info`, `none`, `unknown`.                                  |
| `value_id`     | integer | **Path:** `@severity_details.adjusted.value_id`Numeric representation of the severity. Values: `critical` = `10`, `high` = `9`, `medium` = `7`, `low` = `4`, `none` = `0`. |
| `vector`       | string  | **Path:** `@severity_details.adjusted.vector`CVSS vector string.                                                                                                           |

### Base{% #base-2 %}

Base severity of the finding as defined by the original rule, advisory, or scanner, before any contextual adjustments.

| Attribute name | Type    | Description                                                                                                                                                            |
| -------------- | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `score`        | number  | **Path:** `@severity_details.base.score`Numeric severity score (CVSS scale).                                                                                           |
| `value`        | string  | **Path:** `@severity_details.base.value`Severity level. Valid values: `critical`, `high`, `medium`, `low`, `info`, `none`, `unknown`.                                  |
| `value_id`     | integer | **Path:** `@severity_details.base.value_id`Numeric representation of the severity. Values: `critical` = `10`, `high` = `9`, `medium` = `7`, `low` = `4`, `none` = `0`. |
| `vector`       | string  | **Path:** `@severity_details.base.vector`CVSS vector string.                                                                                                           |

### User Adjusted{% #user-adjusted %}

Severity of the finding after application of user-defined severity modifications.

| Attribute name | Type    | Description                                                                                                                                                                     |
| -------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `score`        | number  | **Path:** `@severity_details.user_adjusted.score`Numeric severity score (CVSS scale).                                                                                           |
| `value`        | string  | **Path:** `@severity_details.user_adjusted.value`Severity level. Valid values: `critical`, `high`, `medium`, `low`, `info`, `none`, `unknown`.                                  |
| `value_id`     | integer | **Path:** `@severity_details.user_adjusted.value_id`Numeric representation of the severity. Values: `critical` = `10`, `high` = `9`, `medium` = `7`, `low` = `4`, `none` = `0`. |

{% /collapsible-section %}

{% collapsible-section #vulnerability %}
### Vulnerability

Information specific to vulnerabilities.

| Attribute name      | Type            | Description                                                                                                                                                                        |
| ------------------- | --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `confidence`        | string          | **Path:** `@vulnerability.confidence`The assessed likelihood of the vulnerability being a true positive.                                                                           |
| `confidence_reason` | string          | **Path:** `@vulnerability.confidence_reason`The rationale behind the assigned confidence level.                                                                                    |
| `cwes`              | array (string)  | **Path:** `@vulnerability.cwes`CWE (Common Weakness Enumeration) identifier associated with the vulnerability. Each entry must use the `CWE-<id>` format (for example, `CWE-416`). |
| `first_commit`      | string          | **Path:** `@vulnerability.first_commit`The commit in which the vulnerability was first introduced.                                                                                 |
| `hash`              | string          | **Path:** `@vulnerability.hash`Vulnerability hash used to correlate the same vulnerability across SCA (Software Composition Analysis) runtime and static analysis.                 |
| `is_emerging`       | boolean         | **Path:** `@vulnerability.is_emerging` `true` if the vulnerability is classified as an emerging threat; `false` otherwise.                                                         |
| `last_commit`       | string          | **Path:** `@vulnerability.last_commit`The commit in which the vulnerability was fixed.                                                                                             |
| `owasp_top10_years` | array (integer) | **Path:** `@vulnerability.owasp_top10_years`The years the vulnerability appeared in the OWASP Top 10 list of critical vulnerabilities.                                             |
| `stack`             | object          | **Path:** `@vulnerability.stack`The technological stack where the vulnerability was found.                                                                                         |

### Stack{% #stack %}

The technological stack where the vulnerability was found.

| Attribute name | Type   | Description                                                                                                                             |
| -------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------- |
| `ecosystem`    | string | **Path:** `@vulnerability.stack.ecosystem`The package management ecosystem or source registry the vulnerable component originated from. |
| `language`     | string | **Path:** `@vulnerability.stack.language`The language where the vulnerability was found.                                                |

{% /collapsible-section %}
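
The value constraints stated in the Risk Details, Severity Details, and Vulnerability tables above can be checked mechanically before exported findings feed a triage pipeline. The following Python lint is an added example, not Datadog code; it assumes each finding is a parsed JSON object whose top-level keys are the namespaces, and the function names and sample findings are constructed for illustration.

```python
import re

# Constraints below are copied from the attribute tables on this page.
IMPACT_CVSS = {"riskier", "neutral", "safer", "unknown"}
SEVERITY_VALUES = {"critical", "high", "medium", "low", "info", "none", "unknown"}
# The tables give a value_id only for these five levels.
VALUE_ID = {"critical": 10, "high": 9, "medium": 7, "low": 4, "none": 0}
RISK_FACTORS = (
    "is_image_running", "is_kernel_running", "is_package_running",
    "is_production", "is_publicly_accessible", "is_tainted_from_database",
    "is_tainted_from_query_string", "is_tainted_from_request_url",
    "is_using_sha1",
)
CWE_RE = re.compile(r"CWE-\d+")


def _allowed(x, allowed):
    # Guard the membership test so unhashable input (a list) cannot raise.
    return isinstance(x, str) and x in allowed


def _is_number(x):
    # bool is a subclass of int in Python; a boolean is not a valid score.
    return isinstance(x, (int, float)) and not isinstance(x, bool)


def lint_finding(finding):
    """Return sorted (path, problem) pairs for attributes that break the schema."""
    problems = []
    risk = finding.get("risk_details") or {}
    for name in RISK_FACTORS:
        factor = risk.get(name)
        if not isinstance(factor, dict):
            continue
        path = f"risk_details.{name}"
        if "value" in factor and not isinstance(factor["value"], bool):
            problems.append((f"{path}.value", "not a boolean"))
        if "impact_cvss" in factor and not _allowed(factor["impact_cvss"], IMPACT_CVSS):
            problems.append((f"{path}.impact_cvss", "not a valid value"))

    severity = finding.get("severity_details") or {}
    for kind in ("base", "adjusted", "user_adjusted"):
        sev = severity.get(kind)
        if not isinstance(sev, dict):
            continue
        path = f"severity_details.{kind}"
        value = sev.get("value")
        if value is not None and not _allowed(value, SEVERITY_VALUES):
            problems.append((f"{path}.value", "not a valid value"))
        if _allowed(value, VALUE_ID) and "value_id" in sev \
                and sev["value_id"] != VALUE_ID[value]:
            problems.append((f"{path}.value_id", "does not match value"))
        if "score" in sev and not (_is_number(sev["score"]) and 0 <= sev["score"] <= 10):
            problems.append((f"{path}.score", "outside the CVSS range 0-10"))

    cwes = (finding.get("vulnerability") or {}).get("cwes") or []
    for i, cwe in enumerate(cwes):
        if not (isinstance(cwe, str) and CWE_RE.fullmatch(cwe)):
            problems.append((f"vulnerability.cwes[{i}]", "not in CWE-<id> format"))
    return sorted(problems)


def riskier_factors(finding):
    """Names of risk factors that are true and whose impact_cvss is `riskier`."""
    risk = finding.get("risk_details") or {}
    return [n for n in RISK_FACTORS
            if isinstance(risk.get(n), dict)
            and risk[n].get("value") is True
            and risk[n].get("impact_cvss") == "riskier"]


# Constructed sample findings (not real data).
GOOD = {
    "risk_details": {
        "is_production": {"value": True, "impact_cvss": "riskier"},
        "is_publicly_accessible": {"value": True, "impact_cvss": "riskier"},
        "is_package_running": {"value": False, "impact_cvss": "safer"},
        "is_kernel_running": {"value": False},
    },
    "severity_details": {
        "base": {"value": "high", "value_id": 9, "score": 7.5},
        "adjusted": {"value": "critical", "value_id": 10, "score": 9.1},
    },
    "vulnerability": {"cwes": ["CWE-416"]},
}
BAD = {
    "risk_details": {"is_production": {"value": "true", "impact_cvss": "higher"}},
    "severity_details": {
        "base": {"value": "high", "value_id": 8, "score": 11},
        "user_adjusted": {"value": "severe", "value_id": 10},
    },
    "vulnerability": {"cwes": ["CWE-79", "cwe-89", "416"]},
}

if __name__ == "__main__":
    for label, finding in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, riskier_factors(finding))
        for path, problem in lint_finding(finding):
            print(f"  {path}: {problem}")
```

A string `"true"` in a `value` field is the case most worth catching: it is truthy in most languages, so a filter on `is_production` would silently match findings whose flag was never a real boolean.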

{% collapsible-section #workflow %}
### Workflow

All mutable information related to the management of a finding after it was detected. Includes fields that can be updated manually through the UI or automatically through pipelines.

| Attribute name      | Type           | Description                                                                                                                        |
| ------------------- | -------------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| `auto_closed_at`    | integer        | **Path:** `@workflow.auto_closed_at`Timestamp in milliseconds (UTC) when the finding was automatically closed by the system.       |
| `automations`       | array (object) | **Path:** `@workflow.automations`Information about any automation rules that apply to the finding.                                 |
| `due_date`          | object         | **Path:** `@workflow.due_date`Due date rule applied to the finding.                                                                |
| `integrations`      | object         | **Path:** `@workflow.integrations`Integrations like Jira, Case Management, or ServiceNow used to triage and remediate the finding. |
| `mute`              | object         | **Path:** `@workflow.mute`Muting information and metadata.                                                                         |
| `severity_override` | object         | **Path:** `@workflow.severity_override`Metadata about user-defined severity modifications applied to the finding.                  |
| `triage`            | object         | **Path:** `@workflow.triage`Assignment and status information. Assignment may be synchronized with case or Jira information.       |

### Automations{% #automations %}

Information about any automation rules that apply to the finding.

| Attribute name | Type   | Description                                                                                                                                                                                 |
| -------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `rule_id`      | string | **Path:** `@workflow.automations.rule_id`Unique identifier for the automation rule.                                                                                                         |
| `rule_name`    | string | **Path:** `@workflow.automations.rule_name`Human-readable name of the automation rule applying to the finding.                                                                              |
| `rule_type`    | string | **Path:** `@workflow.automations.rule_type`Type of the automation rule applying to the finding. Valid values: `due_date`, `mute`, `security_inbox`, `severity_modifier`, `ticket_creation`. |

### Due Date{% #due-date %}

Due date rule applied to the finding.

| Attribute name | Type    | Description                                                                                           |
| -------------- | ------- | ----------------------------------------------------------------------------------------------------- |
| `due_at`       | integer | **Path:** `@workflow.due_date.due_at`Timestamp in milliseconds (UTC) for the finding's due date.      |
| `is_overdue`   | boolean | **Path:** `@workflow.due_date.is_overdue` `true` if the due date has been reached; `false` otherwise. |
| `rule_id`      | string  | **Path:** `@workflow.due_date.rule_id`Unique identifier for the due date rule applied to the finding. |

### Integrations{% #integrations %}

Integrations like Jira, Case Management, or ServiceNow used to triage and remediate the finding.

| Attribute name | Type           | Description                                                                                                                                  |
| -------------- | -------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
| `cases`        | array (object) | **Path:** `@workflow.integrations.cases`Array of cases attached to the finding.                                                              |
| `jira`         | array (string) | **Path:** `@workflow.integrations.jira`Jira issue keys attached to the finding in the format `<PROJECT>-<NUMBER>` (for example, `PROJ-123`). |

### Cases{% #cases %}

Array of cases attached to the finding.

| Attribute name      | Type    | Description                                                                                                                                   |
| ------------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
| `assignee`          | object  | **Path:** `@workflow.integrations.cases.assignee`User assigned to the case.                                                                   |
| `created_at`        | integer | **Path:** `@workflow.integrations.cases.created_at`Timestamp in milliseconds (UTC) when the case was created.                                 |
| `created_by`        | object  | **Path:** `@workflow.integrations.cases.created_by`User who created the case.                                                                 |
| `id`                | string  | **Path:** `@workflow.integrations.cases.id`Unique identifier of the case in UUID format.                                                      |
| `jira_issue`        | object  | **Path:** `@workflow.integrations.cases.jira_issue`Jira issue attached to the case.                                                           |
| `key`               | string  | **Path:** `@workflow.integrations.cases.key`Human-readable identifier for the case in the format `PROJECT-NUMBER` (for example, `CSMINV-66`). |
| `linear_issue`      | object  | **Path:** `@workflow.integrations.cases.linear_issue`Linear issue attached to the case.                                                       |
| `servicenow_ticket` | object  | **Path:** `@workflow.integrations.cases.servicenow_ticket`ServiceNow ticket attached to the case.                                             |
| `status`            | string  | **Path:** `@workflow.integrations.cases.status`Status of the case.                                                                            |
| `title`             | string  | **Path:** `@workflow.integrations.cases.title`Title of the case.                                                                              |
| `updated_at`        | integer | **Path:** `@workflow.integrations.cases.updated_at`Timestamp in milliseconds (UTC) when the case was last updated.                            |
| `updated_by`        | object  | **Path:** `@workflow.integrations.cases.updated_by`User who last updated the case.                                                            |

### Assignee{% #assignee %}

User assigned to the case.

| Attribute name | Type   | Description                                                                                       |
| -------------- | ------ | ------------------------------------------------------------------------------------------------- |
| `id`           | string | **Path:** `@workflow.integrations.cases.assignee.id`Unique identifier of the user in UUID format. |
| `name`         | string | **Path:** `@workflow.integrations.cases.assignee.name`Display name of the user.                   |

### Created By{% #created-by %}

User who created the case.

| Attribute name | Type   | Description                                                                                         |
| -------------- | ------ | --------------------------------------------------------------------------------------------------- |
| `id`           | string | **Path:** `@workflow.integrations.cases.created_by.id`Unique identifier of the user in UUID format. |
| `name`         | string | **Path:** `@workflow.integrations.cases.created_by.name`Display name of the user.                   |

### Jira Issue{% #jira-issue %}

Jira issue attached to the case.

| Attribute name | Type   | Description                                                                                                                                 |
| -------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------- |
| `key`          | string | **Path:** `@workflow.integrations.cases.jira_issue.key`Jira issue identifier in the format `PROJECT-NUMBER` (for example, `CSMSEC-103991`). |
| `status`       | string | **Path:** `@workflow.integrations.cases.jira_issue.status`Current status of the Jira issue.                                                 |
| `url`          | string | **Path:** `@workflow.integrations.cases.jira_issue.url`Full URL to the Jira issue.                                                          |

### Linear Issue{% #linear-issue %}

Linear issue attached to the case.

| Attribute name | Type   | Description                                                                                                                           |
| -------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------- |
| `key`          | string | **Path:** `@workflow.integrations.cases.linear_issue.key`Linear issue identifier in the format `TEAM-NUMBER` (for example, `SEC-42`). |
| `status`       | string | **Path:** `@workflow.integrations.cases.linear_issue.status`Current status of the Linear issue.                                       |
| `team_id`      | string | **Path:** `@workflow.integrations.cases.linear_issue.team_id`UUID of the Linear team that owns the issue.                             |
| `url`          | string | **Path:** `@workflow.integrations.cases.linear_issue.url`Full URL to the Linear issue.                                                |

### ServiceNow Ticket{% #servicenow-ticket %}

ServiceNow ticket attached to the case.

| Attribute name | Type   | Description                                                                                                                                                             |
| -------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `state`        | string | **Path:** `@workflow.integrations.cases.servicenow_ticket.state`Current state of the ServiceNow ticket.                                                                 |
| `sys_id`       | string | **Path:** `@workflow.integrations.cases.servicenow_ticket.sys_id`ServiceNow 32-character hexadecimal ticket identifier (for example, `9f8c7e2d3b4a5c6d7e8f9a0b1c2d3e4f`). |
| `table_name`   | string | **Path:** `@workflow.integrations.cases.servicenow_ticket.table_name`The name of the table where the ticket is stored. Valid values: `incident`, `em_event`.            |
| `url`          | string | **Path:** `@workflow.integrations.cases.servicenow_ticket.url`Direct URL to the ServiceNow ticket.                                                                      |

### Updated By{% #updated-by %}

User who last updated the case.

| Attribute name | Type   | Description                                                                                         |
| -------------- | ------ | --------------------------------------------------------------------------------------------------- |
| `id`           | string | **Path:** `@workflow.integrations.cases.updated_by.id`Unique identifier of the user in UUID format. |
| `name`         | string | **Path:** `@workflow.integrations.cases.updated_by.name`Display name of the user.                   |

### Mute{% #mute %}

Muting information and metadata.

| Attribute name     | Type    | Description                                                                                                                                                                                                                                                                    |
| ------------------ | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `description`      | string  | **Path:** `@workflow.mute.description`Free-text explanation for why the finding was muted.                                                                                                                                                                                     |
| `expire_at`        | integer | **Path:** `@workflow.mute.expire_at`Timestamp in milliseconds (UTC) when the mute expires. If not set, the mute is permanent.                                                                                                                                                  |
| `is_muted`         | boolean | **Path:** `@workflow.mute.is_muted` `true` if the finding is muted; `false` if it is active.                                                                                                                                                                                   |
| `is_muted_by_rule` | boolean | **Path:** `@workflow.mute.is_muted_by_rule` `true` if the finding is muted by an automation rule; `false` otherwise. If `true`, the relevant automation rule is referenced in the `workflow.automations` section.                                                              |
| `muted_at`         | integer | **Path:** `@workflow.mute.muted_at`Timestamp in milliseconds (UTC) when the finding was muted.                                                                                                                                                                                 |
| `muted_by`         | object  | **Path:** `@workflow.mute.muted_by`User who muted the finding.                                                                                                                                                                                                                 |
| `reason`           | string  | **Path:** `@workflow.mute.reason`Reason provided for muting the finding. Valid values: `none`, `no_pending_fix`, `human_error`, `no_longer_accepted_risk`, `other`, `pending_fix`, `false_positive`, `accepted_risk`, `no_fix`, `duplicate`, `risk_accepted`, `muted_in_code`. |
| `rule_id`          | string  | **Path:** `@workflow.mute.rule_id`Unique identifier for the automation rule that muted the finding. Only set when `is_muted_by_rule` is `true`.                                                                                                                                |
| `rule_name`        | string  | **Path:** `@workflow.mute.rule_name`Human-readable name of the automation rule that muted the finding. Only set when `is_muted_by_rule` is `true`.                                                                                                                             |

### Muted By{% #muted-by %}

User who muted the finding.

| Attribute name | Type   | Description                                                                         |
| -------------- | ------ | ----------------------------------------------------------------------------------- |
| `id`           | string | **Path:** `@workflow.mute.muted_by.id`Unique identifier of the user in UUID format. |
| `name`         | string | **Path:** `@workflow.mute.muted_by.name`Display name of the user.                   |
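
The following is an added example, not part of the Datadog documentation: a mute-hygiene audit over exported findings that flags permanent mutes, overly long mutes, unexplained reasons, and mutes with no attributable rule or user. It assumes each finding is a JSON object nested along the attribute paths above (`workflow.mute.*`); the `id` label key, the 90-day threshold, and the sample data are constructed for illustration.

```python
from datetime import timedelta

# Valid values for @workflow.mute.reason, as listed in the Mute table.
VALID_REASONS = {
    "none", "no_pending_fix", "human_error", "no_longer_accepted_risk",
    "other", "pending_fix", "false_positive", "accepted_risk", "no_fix",
    "duplicate", "risk_accepted", "muted_in_code",
}

def audit_mute(finding, max_mute=timedelta(days=90)):
    """Return review flags for one finding's workflow.mute block."""
    mute = (finding.get("workflow") or {}).get("mute") or {}
    if not mute.get("is_muted"):
        return []
    flags = []
    expire_at, muted_at = mute.get("expire_at"), mute.get("muted_at")
    if expire_at is None:
        flags.append("permanent")  # no expire_at: the mute never lapses
    elif muted_at is not None and expire_at - muted_at > max_mute.total_seconds() * 1000:
        flags.append("long_mute")  # timestamps are milliseconds (UTC)
    reason = mute.get("reason")
    if reason not in VALID_REASONS:
        flags.append("unknown_reason")
    elif reason in ("none", "other") and not (mute.get("description") or "").strip():
        flags.append("unexplained")
    if mute.get("is_muted_by_rule"):
        if not mute.get("rule_id"):  # rule_id is expected when muted by rule
            flags.append("rule_mute_without_rule_id")
    elif not (mute.get("muted_by") or {}).get("id"):
        flags.append("no_muted_by")
    return flags

def audit(findings):
    """Map finding label -> flags, for findings with at least one flag."""
    results = {f["id"]: audit_mute(f) for f in findings}
    return {k: v for k, v in results.items() if v}

# Constructed sample findings; "id" is a hypothetical label key.
T0, DAY_MS = 1738575599859, 86_400_000
USER = {"id": "00000000-0000-4000-8000-000000000001", "name": "Example User"}
SAMPLE = [
    {"id": "f1", "workflow": {"mute": {"is_muted": True, "muted_at": T0,
        "reason": "accepted_risk", "muted_by": USER}}},
    {"id": "f2", "workflow": {"mute": {"is_muted": True, "muted_at": T0,
        "expire_at": T0 + 200 * DAY_MS, "is_muted_by_rule": True,
        "reason": "other", "description": ""}}},
    {"id": "f3", "workflow": {"mute": {"is_muted": False}}},
    {"id": "f4", "workflow": {"mute": {"is_muted": True, "muted_at": T0,
        "expire_at": T0 + 30 * DAY_MS, "reason": "false_positive", "muted_by": USER}}},
]
```
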

### Severity Override{% #severity-override %}

Metadata about user-defined severity modifications applied to the finding.

| Attribute name | Type   | Description                                                                                                                      |
| -------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------- |
| `description`  | string | **Path:** `@workflow.severity_override.description`Description of the user-defined severity modification applied to the finding. |

### Triage{% #triage %}

Assignment and status information. Assignment may be synchronized with case or Jira information.

| Attribute name | Type   | Description                                                        |
| -------------- | ------ | ------------------------------------------------------------------ |
| `assignee`     | object | **Path:** `@workflow.triage.assignee`User assigned to the finding. |

### Assignee{% #assignee-1 %}

User assigned to the finding.

| Attribute name | Type    | Description                                                                                                          |
| -------------- | ------- | -------------------------------------------------------------------------------------------------------------------- |
| `id`           | string  | **Path:** `@workflow.triage.assignee.id`Unique identifier in UUID format for the assignee.                           |
| `name`         | string  | **Path:** `@workflow.triage.assignee.name`Display name of the assignee.                                              |
| `updated_at`   | integer | **Path:** `@workflow.triage.assignee.updated_at`Timestamp in milliseconds (UTC) when the assignee was last modified. |
| `updated_by`   | object  | **Path:** `@workflow.triage.assignee.updated_by`User who last modified the assignee.                                 |

### Updated By{% #updated-by-1 %}

User who last modified the assignee.

| Attribute name | Type   | Description                                                                                      |
| -------------- | ------ | ------------------------------------------------------------------------------------------------ |
| `id`           | string | **Path:** `@workflow.triage.assignee.updated_by.id`Unique identifier of the user in UUID format. |
| `name`         | string | **Path:** `@workflow.triage.assignee.updated_by.name`Display name of the user.                   |

{% /collapsible-section %}

## Tags{% #tags %}

Key-value metadata in the format `name:value`. Enables flexible filtering and grouping of findings. Must include at least `source` and `origin`.

## Further reading{% #further-reading %}

- [Cloud Security](https://docs.datadoghq.com/security/cloud_security_management.md)
- [Code Security](https://docs.datadoghq.com/security/code_security.md)
- [Application Security](https://docs.datadoghq.com/security/application_security.md)
