This reference provides a comprehensive taxonomy of security finding categories, severity classifications, and finding types detected by security scanning tools in CloudBees Unify. Use this taxonomy to understand finding classification, correlate results across different security tools, and establish consistent remediation prioritization across your application portfolio.
Finding categories
Security findings are classified into primary categories based on the type of security risk they represent. Understanding category distinctions helps prioritize remediation efforts and select appropriate remediation strategies.
Vulnerability
Software vulnerabilities represent exploitable weaknesses in application code, dependencies, or configurations that could allow unauthorized access, data disclosure, or system compromise.
Code vulnerabilities emerge from insecure coding practices, such as input validation failures, authentication bypasses, or cryptographic implementation errors. These findings typically require code modifications to address the underlying security weakness.
Dependency vulnerabilities affect third-party libraries, frameworks, and packages included in applications. Remediation typically involves updating to patched dependency versions or implementing compensating controls when updates are not available.
Configuration vulnerabilities result from insecure system or application configurations that create exploitable attack surfaces. These findings often require infrastructure or deployment configuration changes rather than code modifications.
Operational risk
Operational risk findings identify conditions that increase security risk through operational practices, monitoring gaps, or administrative weaknesses rather than direct technical vulnerabilities.
Monitoring gaps highlight missing security logging, alerting, or audit capabilities that reduce detection of security incidents or compliance violations.
Administrative weaknesses identify excessive privileges, shared accounts, or other administrative practices that increase the potential impact of security incidents.
Process violations detect deviations from established security procedures, such as incomplete security reviews or missing approval workflows.
Policy violation
Policy violations represent deviations from organizational security standards, compliance requirements, or regulatory mandates.
Security policy violations include use of prohibited cryptographic algorithms, violation of data handling requirements, or deviation from established security architecture patterns.
Compliance violations identify non-conformance with regulatory requirements such as PCI DSS, HIPAA, or GDPR data protection standards.
Organizational standard violations detect deviations from internal coding standards, security guidelines, or approved technology usage policies.
License violation
License violations identify usage of third-party components with licenses that conflict with organizational legal requirements or intellectual property policies.
Copyleft license conflicts highlight components with licenses that may require source code disclosure incompatible with proprietary application development.
Commercial license violations identify usage of components requiring commercial licensing that may not be properly licensed for organizational usage.
License compatibility issues detect combinations of component licenses that may create legal conflicts or compliance challenges.
Secret violation
Secret violations identify exposed credentials, API keys, certificates, or other sensitive information that could enable unauthorized access to systems or data.
Hardcoded credentials include passwords, API keys, or connection strings embedded directly in source code or configuration files.
Exposed certificates identify SSL/TLS certificates, signing certificates, or other cryptographic materials inappropriately stored or transmitted.
Authentication token exposure detects OAuth tokens, session identifiers, or other authentication credentials stored in insecure locations.
Configuration
Configuration findings identify insecure system configurations, infrastructure settings, or deployment parameters that create security risks.
Infrastructure misconfigurations include overly permissive network security groups, unencrypted data storage, or missing security controls in cloud deployments.
Application configuration issues identify insecure application settings such as debug modes enabled in production or insufficient input validation configurations.
Container security misconfigurations detect insecure container images, excessive container privileges, or missing container security controls.
Penetration testing outcome
Penetration testing findings result from security assessments that attempt to exploit identified vulnerabilities to demonstrate real-world attack scenarios.
Successful exploitation demonstrates that identified vulnerabilities can be leveraged to achieve unauthorized access, privilege escalation, or data extraction.
Attack path validation confirms that combinations of lower-severity findings can be chained together to create significant security risks.
Defense evasion identifies techniques that could be used to bypass existing security controls or detection mechanisms.
Threat modeling outcome
Threat modeling findings identify potential attack vectors, trust boundary violations, or architectural security weaknesses discovered through systematic threat analysis.
Trust boundary violations highlight data flows or access patterns that cross security boundaries without appropriate validation or protection.
Attack surface expansion identifies system changes that increase exposure to potential attacks or create new attack vectors.
Threat scenario validation confirms that identified threats are exploitable given current system architecture and security controls.
Severity classifications
Security findings are assigned severity levels based on the potential impact and exploitability of the identified security issue. Severity classifications guide remediation prioritization and SLA assignment.
Critical severity
Critical severity findings represent the most serious security issues, with high likelihood of exploitation and significant potential impact.
Characteristics:
- Remotely exploitable without authentication
- Direct access to sensitive data or system control
- Widespread impact across multiple systems or users
- Active exploitation techniques publicly available
Typical finding types:
- Remote code execution vulnerabilities
- SQL injection in critical applications
- Authentication bypass in customer-facing systems
- Exposed administrative credentials
Default SLA: 15 days
High severity
High severity findings represent serious security issues requiring prompt remediation but with some mitigating factors that reduce immediate risk.
Characteristics:
- Exploitable with authenticated access or local access
- Significant data disclosure or system compromise potential
- Moderate effort required for exploitation
- Limited compensating controls available
Typical finding types:
- Privilege escalation vulnerabilities
- Cross-site scripting in authenticated applications
- Insecure cryptographic implementations
- Sensitive data exposure
Default SLA: 35 days
Medium severity
Medium severity findings represent moderate security risks that should be addressed systematically but do not require urgent remediation.
Characteristics:
- Limited exploitability or impact
- Requires specific conditions for exploitation
- Compensating controls may reduce risk
- Affects non-critical systems or data
Typical finding types:
- Information disclosure vulnerabilities
- Insecure direct object references
- Missing security headers
- Outdated dependencies with low-risk vulnerabilities
Default SLA: 180 days
Low severity
Low severity findings represent minor security improvements that enhance overall security posture but do not pose significant immediate risk.
Characteristics:
- Minimal exploitability or impact
- Primarily improves security defense in depth
- Easily addressed through configuration changes
- Affects development or internal systems only
Typical finding types:
- Missing security best practices
- Weak cipher suite configurations
- Informational security headers
- Development tool vulnerabilities
Default SLA: 360 days
Finding status classifications
Security findings progress through various status classifications as they move through triage, remediation, and resolution workflows.
Unreviewed
Initial status assigned to newly discovered security findings before human assessment and triage decisions.
Characteristics:
- Awaiting security team or developer review
- SLA countdown active based on severity level
- Available for batch triage operations
- No remediation decisions made
Fix Required
Status assigned to findings that require active remediation after triage review confirms the validity and business impact of the security issue.
Characteristics:
- Approved for developer remediation effort
- SLA timeline continues from triage date
- Integrated with development workflow tracking
- May include remediation guidance and priority
In progress
Status indicating active remediation work is underway for the security finding.
Characteristics:
- Developer or operations team actively working on fix
- May include progress updates and expected completion
- SLA timeline continues pending completion
- Can revert to Fix Required if work is delayed
Resolved
Status assigned when security findings are successfully remediated and verification confirms the issue no longer exists.
Characteristics:
- Automated detection confirms issue resolution
- SLA compliance recorded for performance tracking
- Historical record maintained for audit trails
- May trigger re-scanning to confirm resolution
False positive
Status assigned to findings determined to be incorrect security tool detections after human review.
Characteristics:
- Security issue does not actually exist
- Tool detection rule may need adjustment
- Requires approval workflow in many organizations
- Removed from active remediation tracking
Risk accepted
Status assigned to valid security findings that organizations choose not to remediate based on business risk tolerance.
Characteristics:
- Security issue acknowledged but accepted
- Business justification documented
- Time-limited acceptance with expiry date
- Requires management approval workflow
Closed
Final status for findings that have been permanently resolved through remediation, risk acceptance, or false positive determination.
Characteristics:
- No further action required
- Audit trail preserved for compliance
- Excluded from active security metrics
- May be reopened if conditions change
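As an added illustration, not CloudBees Unify's own code, the default SLAs and the status characteristics above can be modelled as a small state machine: it computes the SLA due date from severity, allows only the transitions the characteristics describe (reverting In progress to Fix Required, reopening Closed), and reopens an expired risk acceptance. The transition table, the Finding class and the reopen-to-Fix-Required rule are assumptions for this example, not a published API.

```python
from datetime import date, timedelta

# Default SLA in days per severity, as listed on this page.
SLA_DAYS = {"critical": 15, "high": 35, "medium": 180, "low": 360}

# Assumed transition table derived from the status characteristics above.
TRANSITIONS = {
    "unreviewed": {"fix_required", "false_positive", "risk_accepted"},
    "fix_required": {"in_progress", "false_positive", "risk_accepted"},
    "in_progress": {"resolved", "fix_required"},   # can revert if work is delayed
    "resolved": {"closed", "fix_required"},         # re-scan may find it again
    "false_positive": {"closed"},
    "risk_accepted": {"closed", "fix_required"},    # reopened when acceptance expires
    "closed": {"fix_required"},                     # may be reopened if conditions change
}
ACTIVE = {"unreviewed", "fix_required", "in_progress"}  # statuses where the SLA clock runs


class Finding:
    def __init__(self, finding_id, severity, discovered):
        self.finding_id = finding_id
        self.severity = severity.lower()
        self.discovered = discovered
        self.status = "unreviewed"
        self.accepted_until = None
        self.history = [("unreviewed", discovered)]  # audit trail of (status, date)

    def sla_due(self):
        """Due date: discovery date plus the default SLA for the severity."""
        return self.discovered + timedelta(days=SLA_DAYS[self.severity])

    def is_overdue(self, today):
        """Only findings still awaiting remediation count against the SLA."""
        return self.status in ACTIVE and today > self.sla_due()

    def transition(self, new_status, today, justification=None, accepted_until=None):
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"{self.status} -> {new_status} is not an allowed transition")
        if new_status == "risk_accepted":
            # Risk acceptance must be justified and time-limited.
            if not justification or accepted_until is None:
                raise ValueError("risk acceptance requires a justification and an expiry date")
            self.accepted_until = accepted_until
        self.status = new_status
        self.history.append((new_status, today))

    def refresh(self, today):
        """Reopen an expired risk acceptance as Fix Required; return current status."""
        if self.status == "risk_accepted" and today > self.accepted_until:
            self.transition("fix_required", today)
        return self.status
```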
Scanner-specific finding types
Different security scanning tools detect specialized finding types based on their analysis capabilities and focus areas.
Static Application Security Testing (SAST)
SAST tools analyze source code to identify coding patterns that create security vulnerabilities.
Common SAST finding types:
- Input validation failures (CWE-20)
- SQL injection vulnerabilities (CWE-89)
- Cross-site scripting (CWE-79)
- Path traversal vulnerabilities (CWE-22)
- Cryptographic implementation errors (CWE-327)
- Authentication bypass (CWE-287)
- Authorization failures (CWE-285)
- Race condition vulnerabilities (CWE-362)
Dynamic Application Security Testing (DAST)
DAST tools test running applications to identify vulnerabilities that emerge from runtime behavior and configuration.
Common DAST finding types:
- Authentication vulnerabilities
- Session management weaknesses
- Input validation bypasses
- SSL/TLS configuration issues
- HTTP security header misconfigurations
- Directory traversal attempts
- Server-side request forgery (SSRF)
- Cross-site request forgery (CSRF)
Software Composition Analysis (SCA)
SCA tools identify known vulnerabilities in third-party dependencies and open-source components.
Common SCA finding types:
- Known CVE vulnerabilities in dependencies
- Outdated dependency versions
- License compliance violations
- Dependency confusion vulnerabilities
- Transitive dependency risks
- End-of-life component usage
- Security advisory violations
- Supply chain risk indicators
Container Security Scanning
Container scanners analyze container images, configurations, and runtime environments for security issues.
Common container finding types:
- Base image vulnerabilities
- Insecure container configurations
- Excessive container privileges
- Secrets embedded in images
- Insecure network configurations
- Missing security controls
- Runtime security violations
- Image compliance failures
Secret Scanning
Secret scanners detect exposed credentials, API keys, and sensitive information in code repositories and artifacts.
Common secret finding types:
- API key exposure
- Database connection strings
- Cloud service credentials
- SSL certificate private keys
- OAuth tokens and refresh tokens
- Webhook URLs with secrets
- Password strings in code
- SSH private keys
Infrastructure as Code (IaC) Scanning
IaC scanners analyze infrastructure configuration files for security misconfigurations and policy violations.
Common IaC finding types:
- Insecure network configurations
- Overly permissive access policies
- Missing encryption configurations
- Insecure storage configurations
- Inadequate logging and monitoring
- Missing security group restrictions
- Unencrypted data transmission
- Weak access control policies