A violation is a security finding detected during a scan. Understanding how violations work helps you manage and fix security issues effectively.

What is a Violation?

A violation represents a specific security issue in your code, described by:

  • Location: Specific file, line number, and code snippet
  • Severity: CRITICAL, HIGH, MEDIUM, LOW, or INFO
  • Type: SAST, AGENTIC_SAST, SCA, SECRET, or IAC
  • Status: OPEN, FIXED, FALSE_POSITIVE, ACCEPTED_RISK

Violation Information

Every violation includes:

Identification

  • ID: Unique identifier (e.g., VIO-2024-001234)
  • Hash: Fingerprint for deduplication
  • Rule ID: Detection rule that found it

Location

  • File path: Where the issue exists
  • Line number: Exact location in code
  • Code snippet: Context around the issue
  • Repository: Which repo contains it
  • Branch: Which branch it was found on

Classification

  • Type: SAST, AGENTIC_SAST, SCA, SECRET, or IAC
  • Category: Injection, XSS, Crypto, etc.
  • CWE: Common Weakness Enumeration (e.g., CWE-89)
  • CVE: For dependency vulnerabilities

Severity Assessment

  • Severity level: CRITICAL, HIGH, MEDIUM, LOW, INFO
  • CVSS score: Technical severity (0-10)
  • EPSS score: Exploitation probability (0-100%)

Status and Lifecycle

  • Status: OPEN, FIXED, FALSE_POSITIVE, ACCEPTED_RISK
  • First detected: When first found
  • Last seen: Most recent scan showing it
  • Reviewed by AI: Whether AI analyzed it

Violation Types

SAST Violations

Code-level vulnerabilities in your source code. Example: SQL injection in a user controller.

Characteristics:
  • Location: Specific code line
  • Fix: Change code implementation
  • Persistent: Remains until code is fixed

SCA Violations

Vulnerabilities in dependencies and third-party libraries. Example: CVE-2024-1234 in the lodash package.

Characteristics:
  • Location: Package manifest
  • Fix: Update dependency version
  • May affect multiple locations

Secret Violations

Exposed credentials and sensitive data. Example: Hardcoded API key in a config file.

Characteristics:
  • Location: Any file containing the secret
  • Fix: Remove the secret, load it from an environment variable, and rotate the credential
  • Critical: Even after removal, the secret may still be present in Git history, so rotation is required

IaC Violations

Misconfigurations in infrastructure-as-code. Example: Public S3 bucket configuration.

Characteristics:
  • Location: Infrastructure definition files
  • Fix: Update IaC configuration
  • Preventive: Catches issues before deployment

Violation Lifecycle

Violations move through states:
  1. OPEN: New violation detected
  2. FIXED: Vulnerability has been fixed
  3. FALSE_POSITIVE: Not a real security issue
  4. ACCEPTED_RISK: Real vulnerability, risk accepted
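As an added example (not code from this page or the product itself), the following Python models the violation fields and lifecycle described above: findings are deduplicated across scans by hash, first detected / last seen are tracked, and OPEN violations are prioritized by severity, EPSS and CVSS. The attribute names, the rule that an OPEN violation absent from a later scan becomes FIXED, and the rule that a FIXED violation which reappears is reopened are assumptions; the sample scans are constructed.

```python
from dataclasses import dataclass
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFO": 0}

@dataclass
class Violation:          # subset of the fields listed above; attribute names are assumed
    hash: str             # fingerprint used for deduplication across scans
    type: str             # SAST, AGENTIC_SAST, SCA, SECRET or IAC
    severity: str
    file: str
    line: int
    cvss: float = 0.0     # 0-10
    epss: float = 0.0     # 0-100 (%)
    status: str = "OPEN"
    first_detected: str = ""
    last_seen: str = ""

def merge_scan(tracked, findings, scan_date):
    """Merge one scan into `tracked` (dict keyed by hash). Assumed rules: a known hash
    keeps first_detected and only refreshes last_seen/location; an OPEN violation
    absent from the scan becomes FIXED; FALSE_POSITIVE/ACCEPTED_RISK are left alone."""
    seen = {f.hash for f in findings}
    for f in findings:
        known = tracked.get(f.hash)
        if known is None:
            f.status, f.first_detected, f.last_seen = "OPEN", scan_date, scan_date
            tracked[f.hash] = f
        else:
            known.last_seen, known.file, known.line = scan_date, f.file, f.line
            if known.status == "FIXED":   # reappeared after being fixed: regression
                known.status = "OPEN"
    for v in tracked.values():
        if v.hash not in seen and v.status == "OPEN":
            v.status = "FIXED"
    return tracked

def prioritize(tracked):
    """OPEN violations ordered by severity, then EPSS, then CVSS (highest first)."""
    open_ones = [v for v in tracked.values() if v.status == "OPEN"]
    return sorted(open_ones, key=lambda v: (SEVERITY_RANK[v.severity], v.epss, v.cvss), reverse=True)

# Constructed sample scans: the secret is removed between scans and the SQL injection
# finding moves from line 42 to 47 (same hash, so it is updated, not duplicated).
SCAN_1 = [
    Violation("h-sqli", "SAST", "HIGH", "app/users.py", 42, cvss=8.1, epss=12.0),
    Violation("h-dep", "SCA", "CRITICAL", "package.json", 15, cvss=9.8, epss=87.0),
    Violation("h-key", "SECRET", "HIGH", "config.yml", 3, cvss=7.5),
]
SCAN_2 = [
    Violation("h-sqli", "SAST", "HIGH", "app/users.py", 47, cvss=8.1, epss=12.0),
    Violation("h-dep", "SCA", "CRITICAL", "package.json", 15, cvss=9.8, epss=87.0),
]
```

Running `merge_scan` over SCAN_1 and then SCAN_2 leaves the secret FIXED, the moved SQL injection finding tracked once, and only the OPEN items in the `prioritize` output.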

Next Steps