ScanWarden

Findings & Triage

Managing the vulnerability lifecycle

Raw results from scanners are normalized into Findings. ScanWarden tracks each finding across scans by a stable identity, so the same issue is not re-reported as a new, duplicate finding every time a scan runs.

The Fingerprint Concept

Every finding is assigned a deterministic fingerprint: the same issue at the same place produces the same fingerprint on every scan. It is calculated from:

  1. Rule ID (e.g., python.lang.security.injection)
  2. File Path (normalized)
  3. Structural Hash of the code snippet (ignoring whitespace changes)

Because the fingerprint is stable, ScanWarden can track the lifecycle of each finding:

  • First Seen: The first scan in which the fingerprint appeared.
  • Fixed: The first scan in which a previously seen fingerprint no longer appears.
  • Reopened: A fixed fingerprint appears again in a later scan (a regression).
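The fingerprint and lifecycle logic described above, as an added example that is not ScanWarden's own code. The Finding shape, the choice of SHA-256, the whitespace-stripping structural hash and the "open/fixed/reopened" status names are assumptions made for illustration; the sample scans are constructed.

```python
import hashlib
import posixpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    """A normalized finding (hypothetical shape, not ScanWarden's own model)."""
    rule_id: str
    path: str
    snippet: str


def normalize_path(path: str) -> str:
    """Use forward slashes and collapse '.', '..' and duplicate separators,
    so 'src\\db.py', './src/db.py' and 'src//db.py' all become 'src/db.py'."""
    return posixpath.normpath(path.replace("\\", "/"))


def structural_hash(snippet: str) -> str:
    """Hash the snippet with all whitespace removed, so re-indenting or
    line-wrapping the flagged code leaves the hash unchanged (assumed scheme)."""
    return hashlib.sha256(re.sub(r"\s+", "", snippet).encode("utf-8")).hexdigest()


def fingerprint(f: Finding) -> str:
    """Deterministic identity: rule ID + normalized path + structural hash."""
    material = "\x00".join((f.rule_id, normalize_path(f.path), structural_hash(f.snippet)))
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


@dataclass
class Lifecycle:
    first_seen: int                  # scan number in which the fingerprint first appeared
    last_seen: int                   # most recent scan in which it was present
    status: str                      # "open", "fixed" or "reopened"
    fixed_in: Optional[int] = None   # scan in which it disappeared, while it stays fixed


def track(scans: List[List[Finding]]) -> Dict[str, Lifecycle]:
    """Replay scans in order and maintain per-fingerprint lifecycle state."""
    state: Dict[str, Lifecycle] = {}
    for n, findings in enumerate(scans, start=1):
        present = {fingerprint(f) for f in findings}
        for fp in present:
            lc = state.get(fp)
            if lc is None:                          # never seen before: First Seen
                state[fp] = Lifecycle(first_seen=n, last_seen=n, status="open")
            elif lc.status == "fixed":              # came back: Reopened
                lc.status, lc.last_seen, lc.fixed_in = "reopened", n, None
            else:                                   # still present
                lc.last_seen = n
        for fp, lc in state.items():
            if fp not in present and lc.status != "fixed":   # disappeared: Fixed
                lc.status, lc.fixed_in = "fixed", n
    return state


# Constructed sample scans (not real scanner output). Scan 2 re-wraps the same
# statement; scan 3 drops it; scan 4 reports it again with a Windows-style path.
SQLI = "python.lang.security.injection"
SECRET = "generic.secrets.hardcoded"
SCAN_1 = [Finding(SQLI, "./src/db.py", 'cur.execute("SELECT * FROM t WHERE id=" + uid)')]
SCAN_2 = [
    Finding(SQLI, "src/db.py", 'cur.execute(\n    "SELECT * FROM t WHERE id="\n    + uid\n)'),
    Finding(SECRET, "src/config.py", 'API_KEY = "abc"'),
]
SCAN_3 = [Finding(SECRET, "src/config.py", 'API_KEY = "abc"')]
SCAN_4 = [
    Finding(SQLI, "src\\db.py", 'cur.execute("SELECT * FROM t WHERE id=" + uid)'),
    Finding(SECRET, "src/config.py", 'API_KEY = "abc"'),
]


def demo() -> Dict[str, Lifecycle]:
    """Run the four constructed scans; the SQLi finding ends up 'reopened'."""
    return track([SCAN_1, SCAN_2, SCAN_3, SCAN_4])


if __name__ == "__main__":
    for fp, lc in demo().items():
        print(fp, lc)
```

Two caveats worth keeping in mind with a scheme like this: stripping every whitespace character also merges distinct string literals that differ only in spaces, so a production structural hash should work on tokens rather than raw characters; and because the path is part of the identity, moving or renaming a file yields a brand-new fingerprint, which is reported as a new finding rather than a continuation of the old one.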

Finding Clusters

Often, a single vulnerability manifests as multiple alerts (e.g., the same hardcoded secret was detected by different tools).

ScanWarden groups these into Clusters.

Screenshot: Finding Cluster Card

Triage Workflow

When you review a finding, you can assign a triage state. This state persists across future scans for the same fingerprint, so a decision is made once and carries forward. Because the state is keyed by fingerprint, a change that alters the fingerprint (moving the file, or a non-whitespace edit to the flagged code) produces a new finding that starts out Untriaged.

State           Description
Untriaged       The default state. Needs review.
Confirmed       A valid vulnerability that needs fixing.
False Positive  The tool is wrong or the code is safe.
Accepted Risk   A valid issue, but the business decides not to fix it.
Suppressed      Hidden by a suppression rule (policy).

Screenshot: Finding Details Page
