Vulnerability Findings

Technical Preview: This feature is currently in rapid development and may change frequently.

Understand Vulnerability Findings

The Vulnerability Findings view provides a detailed, sortable list of all discovered vulnerabilities across your infrastructure. This table is designed for analysts and engineers to drill into specific findings, understand context, and take remediation action.

Each row in the table represents a unique vulnerability finding, identified by:

| Title | Description |
| --- | --- |
| CVE ID | Common Vulnerabilities and Exposures identifier assigned to the vulnerability. Clicking the CVE navigates to the Vulnerability Findings page for full context. |
| Affected Resource | The asset where the vulnerability was detected, such as a container, host, or Kubernetes workload. See Supported Resources for more details. |
| Affected Package and Version | The software package and specific version containing the vulnerability. |
| Severity | The CVE Severity sourced from the detected context. Where possible, severity is sourced from the vendor. If unavailable, we fall back to NVD, and then VulnDB. For more information, see Vulnerability Feeds. |
| Context | Security attributes including: Has Fix – Fix available, In Use – Package is active at runtime, Exploitable – Public exploit exists, Risk Accepted – Finding has been reviewed and accepted. |
| CISA Kev | Indicates the vulnerability is part of the CISA KEV Catalog, meaning it’s confirmed to be exploited in the wild and should be prioritized. |
| EPSS Score | EPSS (Exploit Prediction Scoring System) indicates the likelihood (%) that a vulnerability will be exploited in the next 30 days. Higher scores signal higher real-world risk. |
| Zones | Indicates the number of Sysdig Zones the affected resource is part of. More zones may suggest broader infrastructure impact and remediation urgency. |
| First Seen | Shows the first time the finding or affected resource was discovered by Sysdig components. Useful for identifying aging risks or recent introductions. Calculation varies by grouping: None – Time the finding was first seen on the associated resource; CVE – First time the CVE was seen in the environment; Image – First time the affected image was seen; Runtime Resource – First time the specific resource (e.g., container or host) was seen. |
| Number of Findings | Count of vulnerability instances for the given resource or grouping. Available when using Groupings. |
| Status | Marks findings first detected in the last 24 hours. Useful for identifying recently discovered or published vulnerabilities. |

Use this view to:

  • Review your findings by scanning severity, exploitability, and runtime context
  • Prioritize what’s real, fixable, and likely to be exploited

Grouping Findings

Four groupings are available in the Vulnerability Findings view:

  • None – Every finding is displayed as a single entity (CVE × Package × Resource).
  • CVE – All findings grouped by CVE ID.
  • Image – All findings grouped by the underlying container image from runtime resources.
  • Runtime Resource – All findings grouped by the resource (e.g., pod, container, host, workload) they were detected on.

Grouping allows you to pivot your view based on how you prefer to triage and understand the spread of vulnerabilities across your infrastructure.

The Vulnerability Findings page currently shows findings only from Runtime Resources. The following Runtime Resources are currently supported:

  • Kubernetes Workloads
  • Container Workloads
  • Hosts

Prioritizing with Filters

Use filters to focus on the vulnerabilities that matter most, such as those that are in use, exploitable, and have a fix available.

You can also refine results using metadata from your runtime resources, such as clusters, namespaces, images, or applications.

This helps you cut through the noise and surface only the findings that are real, actionable, and impacting your most critical assets.

Supported Filters

| Filter Key | Example | Description |
| --- | --- | --- |
| Zone name | Production | Name of the logical grouping or environment. For example, staging and production. |
| Crit | true | Filters for critical severity vulnerabilities. |
| High | true | Filters for high severity vulnerabilities. |
| Med | true | Filters for medium severity vulnerabilities. |
| Low | true | Filters for low severity vulnerabilities. |
| Neg | true | Filters for negligible severity vulnerabilities. |
| Vulnerability hasExploit | true | Indicates whether a known exploit exists. |
| Vulnerability inUse | true | Indicates whether the vulnerable package is in use. |
| Vulnerability hasFix | true | Indicates whether a fix is available for the vulnerability. |
| Vulnerability AcceptedRisk | true | Indicates if the vulnerability is marked as accepted risk. |
| RuntimeMetadata architecture | x86_64 | System architecture of the runtime resource. |
| RuntimeMetadata category | container | Category of the runtime. For example, container and VM. |
| RuntimeMetadata containerName | nginx | Name of the container. |
| RuntimeMetadata imageId | sha256:abc123... | Unique ID of the container image. |
| RuntimeMetadata imageReference | registry.io/nginx:latest | Full container image reference. |
| RuntimeMetadata imageRegistry | registry.io | Registry where the image is hosted. |
| RuntimeMetadata imageRepository | nginx | Repository name of the container image. |
| RuntimeMetadata imageTag | 1.0 | Tag of the container image. |
| RuntimeMetadata manifestDigest | sha256:... | Digest of the image manifest. |
| RuntimeMetadata operatingSystem | redhat 9.5 | Operating system used by the container image. |
| RuntimeMetadata platform | GCP | Cloud platform where the runtime is deployed. |
| RuntimeMetadata type | Cloud Run Job | Type of runtime metadata source. |
| RuntimeResource accountId | 123456789012 | Cloud account ID where the resource resides. |
| RuntimeResource clusterName | prod-cluster | Name of the Kubernetes cluster. |
| RuntimeResource containerId | abcdef123456 | Container instance identifier. |
| RuntimeResource hostname | node-1 | Hostname of the runtime node. |
| RuntimeResource isExposed | true | Indicates if the resource is externally accessible. |
| RuntimeResource location | us-west1 | Cloud region or location. |
| RuntimeResource name | nginx-deployment | Resource name within the environment. |
| RuntimeResource namespace | default | Namespace for the Kubernetes resource. |
| RuntimeResource organization | engineering | Organizational unit responsible for the resource. |
| RuntimeResource platform | eks | Platform where the runtime resource is hosted. |
| RuntimeResource projectId | my-project | Identifier for the cloud project. |
| RuntimeResource status | running | Current status of the runtime resource. |
| RuntimeResource subscriptionId | sub-001 | Subscription ID for cloud billing/accounting. |
| RuntimeResource taskDefinitionFamily | web-task | Task definition family for ECS resources. |
| RuntimeResource taskDefinitionArn | arn:aws:ecs:... | Full ARN of the ECS task definition. |
| Vulnerability cvssScore | 9.8 | CVSS base score of the vulnerability. |
| Vulnerability epssPercentile | 0.95 | Percentile rank of the EPSS score. |
| Vulnerability epssScore | 0.82 | Likelihood of exploitation based on EPSS. |
| Vulnerability knownRansomwareCampaignUse | true | Flags if the CVE has been used in ransomware campaigns. |
| Vulnerability name | CVE-2024-12345 | CVE identifier of the vulnerability. |
| Vulnerability packageName | libssl1.1 | Name of the vulnerable package. |
| Vulnerability packageType | Java | Package type. For example, Java, Golang, and OS. |
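
The filtering and grouping described above can be reproduced offline on a list of findings. The following is an added example, not part of the original page and not Sysdig code: it keeps findings that are in use, exploitable and fixable, groups them by one of the four groupings, and ranks KEV-listed groups ahead of the rest, then by EPSS score. The record layout, the `kev` and `firstSeen` fields, the `CVE-EXAMPLE-*` identifiers and the use of the earliest finding timestamp as a stand-in for First Seen are all assumptions of the example.

```python
from collections import defaultdict

# Constructed sample findings, one per CVE x package x resource. The field
# names are borrowed from the filter keys above; the record layout is an
# assumption for this example, not a Sysdig export or API format.
FIELDS = ("name", "packageName", "resource", "image", "inUse", "hasExploit",
          "hasFix", "acceptedRisk", "kev", "epssScore", "firstSeen")
ROWS = [
    ("CVE-2024-12345", "libssl1.1", "nginx-deployment", "registry.io/nginx:latest",
     True, True, True, False, True, 0.82, "2025-01-10"),
    ("CVE-2024-12345", "libssl1.1", "api-deployment", "registry.io/api:1.0",
     True, True, True, False, True, 0.82, "2025-01-03"),
    ("CVE-EXAMPLE-0001", "bash", "node-1", None,           # host: no image
     True, True, True, False, False, 0.91, "2025-01-02"),
    ("CVE-EXAMPLE-0002", "zlib", "nginx-deployment", "registry.io/nginx:latest",
     False, True, True, False, False, 0.40, "2025-01-12"),  # package not in use
    ("CVE-EXAMPLE-0003", "curl", "api-deployment", "registry.io/api:1.0",
     True, True, True, True, False, 0.70, "2025-01-05"),    # risk accepted
]
FINDINGS = [dict(zip(FIELDS, row)) for row in ROWS]

GROUP_KEYS = {  # the four groupings described on this page
    "None": lambda f: (f["name"], f["packageName"], f["resource"]),
    "CVE": lambda f: f["name"],
    "Image": lambda f: f["image"],
    "Runtime Resource": lambda f: f["resource"],
}

def actionable(f):
    """In use, exploitable and fixable; skipping accepted risk is this example's choice."""
    return f["inUse"] and f["hasExploit"] and f["hasFix"] and not f["acceptedRisk"]

def triage(findings, grouping="CVE"):
    """Filter to actionable findings, group them, and rank the groups."""
    groups = defaultdict(list)
    for f in filter(actionable, findings):
        key = GROUP_KEYS[grouping](f)
        if key is not None:  # a host finding has no image to group under
            groups[key].append(f)
    rows = [{"key": key, "count": len(ms),                 # count = Number of Findings
             "earliest": min(m["firstSeen"] for m in ms),  # stand-in for First Seen
             "kev": any(m["kev"] for m in ms),
             "epss": max(m["epssScore"] for m in ms)}
            for key, ms in groups.items()]
    # KEV-listed groups first, then the highest EPSS score.
    return sorted(rows, key=lambda r: (not r["kev"], -r["epss"]))

if __name__ == "__main__":
    print(triage(FINDINGS, "CVE"))
```

Grouped by CVE, the KEV-listed CVE-2024-12345 ranks above the constructed host finding even though the latter has the higher EPSS score.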

Reviewing Findings in Detail

Each row in the table is clickable. Clicking a finding opens Finding360, where you’ll see in-depth context including affected packages, runtime usage, exposure indicators, and remediation actions.

Use this to investigate:

  • What exactly is affected
  • Whether it’s active in runtime
  • If it has an exploit or known fix
  • Which environments or Zones it spans

This flow helps teams move from detection to action with full visibility and confidence.