Findings Overview

The Findings view is the central triage surface in Vygl. Every issue from every scan is here, deduplicated so the same problem detected on multiple branches or across multiple scans appears as a single row.

Each row is a unique finding with:

  • Severity — critical / high / medium / low / info
  • Type — SAST, SCA, Secrets, IaC, or Container
  • Title — human-readable summary from the rule
  • File location — path/to/file.py:42
  • Status — open / acknowledged / fixed / false_positive / ignored / auto_fixed
  • AI verdict — true positive / false positive / uncertain (when AI verification has run)
  • First seen / last seen — when the issue first appeared and when it was most recently re-detected

Combine filters to narrow the list:

  • Severity — multi-select
  • Status — open by default; flip to include suppressed/fixed for historical views
  • Scan type — focus on secrets, dependencies, etc.
  • Project — single project or org-wide
  • Rule — drill into one specific rule
  • AI verdict — show only AI-confirmed true positives, or only contradictions
  • Branch — per-project view of a single branch’s findings

Filters persist in the URL — bookmark or share a triage view directly.

Findings with the same fingerprint (rule + file + line + normalized snippet) collapse into one row. This means:

  • Triage state survives rescans — fix it, mark it false-positive, suppress it, the action stays applied.
  • The same issue on multiple branches is one row, with branch breakdown in the detail.
  • Reformatting code or unrelated edits don’t break the dedup — fingerprints are stable.

See findings/suppression for the fingerprint format and how to use it for ignore lists.
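The sketch below is an added illustration of fingerprint-based deduplication, not Vygl's own code. The SHA-256 hash, the whitespace-stripping normalization, and all function names, rule ids and sample detections are assumptions; the real fingerprint format is the one documented in findings/suppression.

```python
import hashlib
import re

def normalize_snippet(snippet: str) -> str:
    # Assumption: normalization strips all whitespace, so reformatting is ignored.
    return re.sub(r"\s+", "", snippet)

def fingerprint(rule: str, path: str, line: int, snippet: str) -> str:
    # Assumption: SHA-256 over the four components named on this page.
    parts = [rule, path, str(line), normalize_snippet(snippet)]
    return hashlib.sha256("\0".join(parts).encode("utf-8")).hexdigest()

def collapse(detections, triage=None):
    """Return one row per fingerprint with a branch breakdown and carried-over status."""
    triage = triage or {}  # fingerprint -> status set during earlier triage
    rows = {}
    for d in detections:
        fp = fingerprint(d["rule"], d["file"], d["line"], d["snippet"])
        row = rows.setdefault(fp, {
            "fingerprint": fp,
            "rule": d["rule"],
            "location": f'{d["file"]}:{d["line"]}',
            "branches": set(),
            "status": triage.get(fp, "open"),
        })
        row["branches"].add(d["branch"])
    return list(rows.values())

# Constructed sample detections; rule ids, paths and snippets are made up.
SAMPLE = [
    {"rule": "py.sql-injection", "file": "app/db.py", "line": 42, "branch": "main",
     "snippet": 'cur.execute("SELECT * FROM t WHERE id=" + uid)'},
    {"rule": "py.sql-injection", "file": "app/db.py", "line": 42, "branch": "feature/login",
     "snippet": 'cur.execute( "SELECT * FROM t WHERE id="  +  uid )'},
    {"rule": "secrets.aws-key", "file": "deploy/env.sh", "line": 3, "branch": "main",
     "snippet": "export AWS_SECRET_ACCESS_KEY=<redacted>"},
]

if __name__ == "__main__":
    for row in collapse(SAMPLE):
        print(row["status"], row["rule"], row["location"], sorted(row["branches"]))
```

The two SQL injection detections differ only in spacing and branch, so they collapse into one row listing both branches, and a status recorded against that fingerprint is reapplied when the same detections arrive from a later scan.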

Select multiple rows to perform:

  • Mark false-positive — with optional reason
  • Mark ignored — with optional expiry (7/30/90 days or permanent)
  • Mark fixed — usually automatic on rescan, but available for manual override
  • Run AI verification — queues per-finding LLM jobs
  • Add comment — append a triage note to all selected

Bulk actions are capped at 500 findings per request.

Two export formats are available from the Findings view:

  • CSV — RFC 4180, downloads the currently visible rows.
  • SARIF 2.1.0 — server-side, applies all current filters, capped at 25,000 findings. Compatible with GitHub Code Scanning, Azure DevOps, JFrog Xray.

See Exports for the full schema.