After you set up Sken into the CI/CD and into the Yaml file, check the scan findings in your Sken portal.

In this article, you can learn how to:

  • See the list of app scan findings and basic detail of each finding
  • See scan findings' details
  • See risk rating indicators on the list of scan findings
  • See the entire scan history of each finding
  • Options to modify the risk rating settings

By default, all the app's scans are listed for the default organization in your account, as below.

The apps are organized for whether these are actively being scanned or not. All the apps that are undergoing scans are listed in the Active group.

For each app, you can see basic details such as the app name and its language, the total number of findings so far, and the risk rating as given by Sken for this app.

See App Scan Findings

Click on the app name, or the number of findings to see the scan findings of this app.

You can see the following details for this app's scan.

Basic Scan Details

  • The number of findings that are active and closed. In the example screenshot, you can Findings: 46 Active, 16 Closed
  • An option to mark all findings as reviewed (please see See and update status for scan findings for more details)
  • The type of each scan listed in a grid view with the corresponding number of scan findings in each scan type
  • An option to select multiple scan findings
  • An option to search scan findings by their status

See Scan Findings

The list of findings shows the risk ratings and related details including:

  • Type of finding: Examples, Include mismatch, Cross site Scripting
  • The path of the file and line number of the corresponding finding
  • Scan type: Example, PHP Code Sniffer - SAST
  • The calculated risk rating that Sken assigns for this finding

Each scan finding has a link to show its details, immediately next to its ID. For example, next to #1279466. Click on this URL icon to see the details of this finding.

See Scan Finding Details

The scan finding details show as below.

See the risk rating at the top, with the description, the exact location of the issue, and the line number. In Instances, you can also see the number of times when the issue is found in scans.

Modify Risk Rating: If required, you can change the risk rating for any scan finding. For example in the above case, the risk rating is high. Click on the Modify link to see the options to change the risk rating, as below.

In Modify Risk Rating, change the risk rating, as required. You can also click on Modify Finding Risk Factors to change the risk rating settings for this app. (Please see Add new app for more details on app settings.)

Note: If you change the risk rating settings, it impacts all the future scan findings from now when you save the new settings.

See Instance Details

Click on each instance to expand it and see more details about the finding.

Change Finding Status

You can see an option to change the finding status, as below. (Please see See and update status for scan findings for more details.)

The right sidebar shows a few basic details of the scanned app:

  • Scan: The type and name of the scan for this finding
  • Application: The app name for this scan finding
  • Discovered: The day when the scan was run to show this finding
  • ID: The unique ID for this finding.

See the App Scan Detailed Report

In the list of findings, you can see a detailed report view of each finding. Click on the app name or on the Risk Rating, to open the detailed report, The report opens as below.

In Risk Rating, you see the rating based on the risk factor settings for this app. (Please see Add new app and check out app settings for details on how you can set up risk factor settings.)

In Findings, you can click on View All to see all the findings as explained earlier in this article.

In Scans, see the total number of scan categories that this app has gone through. For example in the above screenshot, you see:

  • JavaScript SAST shows 3234 findings, and risk rating in green color means that this is safe enough.
  • NodeJSScan shows 27 findings, and the risk rating in yellow color means that the security issues should be noticed but are not critical enough.
Did this answer your question?