Overview
Vulnerabilities are security issues detected by Cysmiq. Each vulnerability has a type, severity, status, and supporting context. Scans produce vulnerability candidates that move through triage, confirmation, and remediation.
Types
- Secrets: Leaked credentials, API keys, and tokens
- Code: Vulnerabilities in source code
- Dependencies: Vulnerable packages flagged by advisory databases such as CVE and GHSA
Triage and confirmation
Scans surface vulnerability candidates. Cysmiq provides type-specific signals to confirm and prioritize them, including indicators of validity or reachability when available.
- Secrets: For supported providers, Cysmiq can verify whether a secret is still active. Other detections can be validated with LLM-based checks to reduce false positives
- Code: Call chain analysis can provide additional context about how vulnerable code paths are reached
- Dependencies: Reachability analysis is in development to show whether a vulnerable package is exercised
Severity
Vulnerabilities are assigned a severity level based on potential impact:
- Critical: Severe risk requiring immediate action
- High: Significant risk, prioritize remediation
- Medium: Moderate risk, address in normal workflow
- Low: Minor risk, fix when convenient
Status and lifecycle
Vulnerabilities move through statuses as they are triaged and remediated:
- Active statuses: Open, Confirmed, Needs Review, In Progress, In Review
- Final statuses: Resolved, Closed
Impacts
Each vulnerability is tagged with an impact that describes its real-world consequence. Impacts help prioritize by business risk rather than just technical severity. Common impacts include:
- Execute Commands: remote code execution
- Takeover Accounts: session hijacking, auth bypass
- Access Data: SQL injection, data disclosure
- Obtain Secrets: hardcoded credentials