Secrets

The Secrets tab of the application details section lets you see a complete list of secrets (or sensitive data) exposed by your application.

For each finding in the list, you'll see its:

  • ID
  • Severity level (e.g., critical)
  • Brief description, including vulnerability type and where it is found
  • Tags (e.g., OWASP a1-injection or CVSS 9)
  • Status (e.g., Fixed)
  • Assigned to information (i.e., the team member tasked with further work on this issue)

Filtering findings

You can filter the findings displayed by:

  • Its severity level
  • Its status
  • The person the finding is assigned to

There are also a variety of Advanced Filters that you can use (e.g., category, CVSS score).

The ShiftLeft dashboard's Secrets tab

Viewing detailed finding information

Clicking on a finding in your results list will open a new window pane on the right with detailed information.

  • Description: the description tab shows you the specific secret detected and where ShiftLeft CORE detected it in your code. This section includes a write-up of the issue and why it's a problem, as well as mitigation suggestions for securing your app

  • Comments: the comments tab allows you and your team members to make notes specifically about this finding; if there are multiple comments for this finding, ShiftLeft displays them in reverse chronological order.

Expanded details

In addition to the summary-level information displayed in the findings pop-up, you can open a larger window with additional features; to do so, click Details in the top-left of the initial window opened by ShiftLeft when you click on a specific finding.

The expanded details view features everything in the summary-level view, plus the ability to:

  • Set the finding status to reflect work that's been done (e.g., set the finding status to Fixed if you've mitigated the issue):

    • Open: The default status value for a finding

    • Fixed: Mark the finding as fixed if you've applied remediation of some type (note that setting this status does not fix the finding) so that ShiftLeft doesn't include the finding in the scan results

    • Ignored: Mark the finding as ignored so it doesn't show up in scan results again. Used to indicate that something is a false positive or is unlikely to impact the application's security. If you set the status to ignored, you must also provide a comment that includes information on your reasoning for choosing this status

    • 3rd Party: Mark the finding as 3rd Party to indicate that the finding is in a third-party library; you can't fix the finding at the moment, but you should return to it at a later date

      To hide/show findings in the dashboard based on their statuses, use the Status filter (e.g., to display open and fixed findings while excluding those that are ignored or 3rd party, select the status filter's Open and Fixed values). To show all values, ensure no status filter values are selected.

      Note that you can change the status at a later date if needed.

  • Assign to a team member the vulnerability for further research and work

  • Get a link to issue that's specific to this finding that you can share with others

To return to the summary view, click Minimize in the top-left.