During a scan, the scanner finds vulnerabilities within the Target’s URLs. When the scanner finds a vulnerability, a finding is created. These findings are registered at Snyk API & Web, and there are some actions you can do over them, namely:

A finding’s state can change either automatically (by the scanner, as a result of a target scan or re-test) or manually (by means of the user’s actions).

Using the Snyk API & Web interface, you can define a finding as “Accepted” if you acknowledge and accept its risk, or as “Invalid” if you consider it to be a false positive. These actions will be reflected in the State field shown below:

To learn more about the findings’ states and how they can change, make sure to read this article.

Depending on the type of vulnerability found, its exploitability, impact, and scope, a CVSS score and severity classification are attributed to the finding, helping you prioritize the vulnerabilities fixes:

While the CVSS score cannot be manually changed, you can still change the finding’s severity. This can be done directly from the finding’s details page: click on the 3 vertical dots to open the dropdown menu, click on Change severity and then choose the intended value:

Once you change a finding’s severity, Snyk API & Web will not change it back, so please make sure you really intend to make the change. You can read more about this in severity levels in findings.

After a target scan or a re-test, you may want to assign a vulnerability to be taken care of by a certain team member. This can be done either through the finding’s details page, by clicking on the respective dropdown, through the Target's page, or through the Scan Results page.

To learn more about how to change a finding’s assignee, make sure to read this article.

To help you filter scan results, you may want to use labels. Once you add finding labels, you can set them through the finding’s details page or through the findings list.

After fixing vulnerabilities previously reported by Snyk API & Web, you can re-test them to make sure they can no longer be exploited and are indeed resolved.

To start a re-test, visit the finding’s details and click on the Re-test button, or access any list in which it is displayed (target's page, scan results page, or findings list), select it, and click on the Re-test button. If, during a re-test, the scanner isn’t able to replicate the vulnerability, the finding is marked as Fixed; otherwise, it remains listed as Not Fixed until it can no longer be replicated by the scanner.

When viewing a vulnerability’s details, you can add comments or notes for your teammates: just scroll down to the bottom of the page, write the intended note, and press the Add note button. Please bear in mind that these notes are not a way to contact Snyk API & Web and should only be used to leave contextualized information available for your teammates.