Skip to content

Finding Details

Mayo ASPM provides two levels of detail for every finding: the magic panel for quick review and the full detail page for deep investigation. This guide covers both views and the information available at each level.

The Magic Panel

The magic panel is a slide-out panel that appears when you click a finding row on the Findings page. It provides a comprehensive summary without navigating away from the table.

Panel Layout

The magic panel is organized into sections from top to bottom:

Header Badges

Three badges at the top of the panel provide immediate context:

Badge Example Description
Severity CRITICAL (red) The finding's severity level
Status Open (gray) The current triage status
Scanner OpenGrep (blue) Which scanner detected the finding

Title

The finding's human-readable title, displayed prominently:

SQL Injection via Unsanitized User Input in Database Query

Description

A detailed explanation of the vulnerability, including:

  • What the vulnerability is
  • Why it matters (potential impact)
  • How it can be exploited
  • General remediation guidance

Description Quality

Description quality varies by scanner and rule. SAST findings (OpenGrep, Semgrep) typically have detailed descriptions. SCA findings (Trivy, Grype) reference the CVE description. Gitleaks findings describe the type of secret detected.

File Path and Line Numbers

The exact location of the finding:

File: src/api/handlers/users.ts
Lines: 87-92

Clicking the file path opens the full detail page with the code snippet view.

Code Snippet

A snippet of the affected source code with the vulnerable lines highlighted:

// Lines 85-94 of src/api/handlers/users.ts
const getUserById = async (req: Request, res: Response) => {
  const userId = req.params.id;
  // ⚠ Finding: SQL Injection
  const query = `SELECT * FROM users WHERE id = '${userId}'`;  // Line 87
  const result = await db.query(query);
  return res.json(result.rows);
};

The highlighted lines are marked with a visual indicator to draw attention to the exact vulnerable code.

Rule ID

The scanner rule that triggered the finding:

Scanner Rule ID Format Example
OpenGrep category-name sql-injection
Semgrep dotted.path.to.rule javascript.express.security.injection.sql-injection
Trivy CVE ID CVE-2024-29041
Grype CVE ID CVE-2024-29041
Gitleaks secret-type aws-access-key-id

CWE and CVE Identifiers

When applicable, the magic panel displays:

Identifier Description Example
CWE Common Weakness Enumeration — the class of vulnerability CWE-89: SQL Injection
CVE Common Vulnerabilities and Exposures — a specific known vulnerability CVE-2024-29041

CWE and CVE identifiers are displayed as clickable links to the relevant MITRE or NVD database entries.

Not All Findings Have CVEs

SAST findings (code patterns) typically have CWE identifiers but not CVEs. SCA findings (dependency vulnerabilities) typically have both CWE and CVE identifiers. Gitleaks findings may have neither.

Triage Controls

At the bottom of the magic panel:

  • Status dropdown — Change the finding's triage status
  • Reason field — Enter a triage justification
  • Update button — Apply the status change

The Full Detail Page

For deeper investigation, click the finding title in the magic panel or the View Full Details link. The full detail page provides everything in the magic panel plus additional context.

Page Sections

Summary Section

Field Description
Title Full finding title
Severity Badge with severity level
Status Current triage status with dropdown to change
Scanner Which scanner detected this
Asset The repository (links to asset detail page)
Project(s) Which project(s) the asset belongs to
First Detected Timestamp of initial detection
Last Seen Timestamp of most recent scan confirming the finding
Scan Count How many scans have detected this finding
Fingerprint The deduplication hash (for reference)

Description and Remediation

An expanded description section with:

  • Vulnerability description — What the issue is and why it matters
  • Impact — What an attacker could accomplish by exploiting this vulnerability
  • Remediation guidance — How to fix the issue, often with code examples

Example remediation for SQL injection:

// VULNERABLE — string concatenation
const query = `SELECT * FROM users WHERE id = '${userId}'`;

// FIXED — parameterized query
const query = 'SELECT * FROM users WHERE id = $1';
const result = await db.query(query, [userId]);

Code Snippet

An expanded code view showing more context around the finding:

  • More lines before and after the vulnerable code
  • Syntax highlighting appropriate to the language
  • Line numbers matching the actual file
  • Visual highlighting of the affected lines

References

Reference Description
CWE Link Links to the MITRE CWE entry for the vulnerability class
CVE Link Links to the NVD entry for the specific vulnerability (SCA findings)
Rule Documentation Links to the scanner's documentation for the rule that triggered this finding
OWASP Reference Links to the relevant OWASP category (when applicable)

Triage History

A chronological log of all status changes:

2026-04-15 14:30 UTC — jane@company.com
  Status: Open → Confirmed
  Reason: "Verified via manual testing — user input reaches query unsanitized"

2026-04-15 16:45 UTC — john@company.com
  Status: Confirmed → In Progress
  Reason: "Working on parameterized query refactor in PR #456"

A list of other findings in the same file or from the same rule, helping you understand patterns:

  • Other findings in src/api/handlers/users.ts
  • Other SQL injection findings across the organization
  • Findings from the same scan

Asset Detail Page: Findings Tab

The asset detail page (accessed by clicking an asset name) includes a Findings tab that shows all findings for that specific asset.

Asset Findings Table

The asset-scoped findings table includes:

Column Description
Severity Color-coded severity badge
Title Finding summary — click to open magic panel
Scanner Which scanner detected the finding
Status Current triage status
File File path within the repository
First Detected When the finding was first seen

Asset Findings Filters

The same filters available on the main Findings page are available on the asset findings tab:

  • Severity filter
  • Status filter
  • Scanner filter
  • Text search

Asset Findings Summary

Above the table, a summary bar shows:

Total: 47  |  Critical: 3  |  High: 12  |  Medium: 22  |  Low: 10
Open: 31  |  Confirmed: 8  |  In Progress: 5  |  Resolved: 3

Asset-Level Triage

When triaging findings for a specific repository, start from the asset detail page. This scopes your view to one repository and makes it easy to work through findings systematically.

The three finding views are interconnected:

Findings Page (all findings)
    ├── Click row → Magic Panel (quick view)
    │                   │
    │                   └── Click title → Full Detail Page
    └── Click asset name → Asset Detail Page → Findings Tab
                                                    └── Click row → Magic Panel

Each view provides progressively more detail while maintaining navigation context. You can always return to the previous view using breadcrumbs or the browser back button.

Understanding Severity in Context

When reviewing a finding, consider these factors alongside the severity badge:

Factor Why It Matters
File location Is this in production code, test code, or vendored code?
Asset exposure Is this an internet-facing service or an internal tool?
Exploitability Does exploitation require authentication, specific conditions, or physical access?
Data sensitivity Does the affected code handle PII, financial data, or credentials?
Existing controls Are there WAF rules, rate limiting, or other mitigations in place?

The severity badge reflects the inherent severity of the vulnerability type. Your contextual risk assessment may differ based on the factors above. Use the triage status and reason fields to capture this context.

Next Steps