Triage Vulnerabilities
After a scan completes, you’ll have a list of findings that need attention. This guide shows you how to systematically review, prioritize, and resolve them without getting overwhelmed.
The Triage Workflow
Understanding Severity vs Exploitability
Two scores help you prioritize:
| Score | What It Measures | Range | Key Insight |
|---|---|---|---|
| CVSS | Technical severity of the vulnerability | 0 - 10 | How bad it could be if exploited |
| EPSS | Probability that the CVE is exploited in the wild within the next 30 days | 0 - 1.0 | How likely it is to be exploited |
A vulnerability with CVSS 9.0 but EPSS 0.001 is severe but, on current data, rarely exploited. A vulnerability with CVSS 5.0 but EPSS 0.8 is moderate but actively targeted. EPSS is published daily by FIRST and is defined only for CVEs, so it appears on SCA findings; SAST, Secrets, IaC and Quality findings have no EPSS, and a missing score means "no exploitation data", not "unlikely". EPSS also says nothing about whether the vulnerable code is reachable in your deployment. Use it to focus on real threats rather than theoretical ones, and let CVSS drive urgency where no EPSS exists.
Action Types
For each finding, choose one of these actions:
Using AI-Powered Fixes
CodeStax provides AI-generated fix suggestions for most findings:
- Click on a finding to open its detail view
- Review the AI Explanation — it describes what the vulnerability is and why it matters
- Click Fix with AI to generate a code fix
- Review the suggested code change before applying it: confirm it removes the vulnerable pattern rather than just the scanner match, check that it does not change behaviour elsewhere, and run your tests
- The fix includes the corrected code snippet and an explanation of what changed
Prioritization Matrix
Use this matrix to decide what to fix first:
| CVSS | EPSS ≥ 0.1 | EPSS < 0.1 (or no EPSS) |
|---|---|---|
| Critical (9.0-10) | Fix immediately | Fix this sprint |
| High (7.0-8.9) | Fix this sprint | Plan for next sprint |
| Medium (4.0-6.9) | Plan for next sprint | Backlog |
| Low (0-3.9) | Backlog | Accept risk or backlog |
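The two-score reasoning above and the matrix it feeds, as an added example in Python. This is not CodeStax code and does not use the CodeStax API or export format; the finding dicts, field names (`id`, `scanner`, `cvss`, `epss`) and sample entries are assumptions constructed for the example. It bands CVSS, applies the EPSS threshold (a score of exactly 0.1 counts in the high column), places findings that have no CVE and therefore no EPSS in the low-EPSS column so their CVSS band still sets urgency, and sorts a constructed finding list most-urgent first.

```python
"""Rank scan findings with the CVSS x EPSS prioritization matrix.

Added example, not CodeStax's own code. Field names and sample findings
are assumptions made for illustration.
"""
from typing import Optional

# Matrix column boundary: EPSS >= 0.1 counts as "likely to be exploited".
EPSS_THRESHOLD = 0.1

# Actions ordered most to least urgent, so rank() can sort on the index.
ACTIONS = [
    "Fix immediately",
    "Fix this sprint",
    "Plan for next sprint",
    "Backlog",
    "Accept risk or backlog",
]

# (CVSS band, EPSS high?) -> action, transcribed from the matrix above.
MATRIX = {
    ("Critical", True): "Fix immediately",
    ("Critical", False): "Fix this sprint",
    ("High", True): "Fix this sprint",
    ("High", False): "Plan for next sprint",
    ("Medium", True): "Plan for next sprint",
    ("Medium", False): "Backlog",
    ("Low", True): "Backlog",
    ("Low", False): "Accept risk or backlog",
}


def cvss_band(cvss: float) -> str:
    """Map a CVSS base score to the matrix rows (CVSS v3.x qualitative bands)."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {cvss}")
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def action_for(cvss: float, epss: Optional[float]) -> str:
    """Return the matrix action for one finding.

    EPSS exists only for CVEs, so SAST, Secrets and IaC findings normally
    carry epss=None. A missing score is placed in the low-EPSS column rather
    than guessed, so the CVSS band alone decides how urgent it is.
    """
    if epss is not None and not 0.0 <= epss <= 1.0:
        raise ValueError(f"EPSS out of range: {epss}")
    epss_high = epss is not None and epss >= EPSS_THRESHOLD
    return MATRIX[(cvss_band(cvss), epss_high)]


def rank(findings: list) -> list:
    """Sort findings most-urgent first.

    Primary key is the matrix action; within one cell, higher EPSS comes
    first and findings without EPSS come last; CVSS breaks remaining ties.
    """
    def key(finding):
        epss = finding.get("epss")
        return (
            ACTIONS.index(action_for(finding["cvss"], epss)),
            -epss if epss is not None else 1.0,  # 1.0 sorts after any -epss
            -finding["cvss"],
        )
    return sorted(findings, key=key)


# Constructed sample findings (assumed field names; IDs are not real CVEs).
SAMPLE_FINDINGS = [
    {"id": "SCA-1", "scanner": "SCA", "cvss": 9.8, "epss": 0.001},  # severe, rarely exploited
    {"id": "SCA-2", "scanner": "SCA", "cvss": 5.3, "epss": 0.8},    # moderate, actively targeted
    {"id": "SCA-3", "scanner": "SCA", "cvss": 9.1, "epss": 0.94},   # severe and actively targeted
    {"id": "SAST-1", "scanner": "SAST", "cvss": 7.5, "epss": None}, # no CVE, so no EPSS
    {"id": "SECRET-1", "scanner": "Secrets", "cvss": 3.1, "epss": None},
]


def triage_order(findings: list = SAMPLE_FINDINGS) -> list:
    """Return (id, action) pairs in the order a team should work them."""
    return [(f["id"], action_for(f["cvss"], f.get("epss"))) for f in rank(findings)]


if __name__ == "__main__":
    for finding_id, action in triage_order():
        print(f"{finding_id:10} {action}")
```

Note what the matrix does with the two findings from the example earlier on the page: CVSS 9.0 with EPSS 0.001 lands in "Fix this sprint", while CVSS 5.0 with EPSS 0.8 lands in "Plan for next sprint", so the Critical still goes first. If you want exploitation likelihood to outrank severity more strongly, adjust `EPSS_THRESHOLD` or the `MATRIX` cells rather than the sort key; the matrix is the policy, the sort only orders within it.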
Filtering and Searching
The scan results page provides several ways to narrow down findings:
- Filter by severity — Show only Critical, High, Medium, or Low
- Filter by scanner — Show only SAST, SCA, Secrets, IaC, or Quality findings
- Search by file — Find issues in a specific file or directory
- Sort options — By severity, CVSS score, EPSS score, or file path
Bulk Operations
For large scans with many findings:
- Use filters to select a category of findings
- Select multiple findings using checkboxes
- Apply bulk actions: mark as false positive, assign to team member, or export
After Triage
Once you’ve triaged your findings:
- Set up quality gates to prevent new issues — see Set Up Quality Gates
- Enable PR reviews to catch issues before merge — see Set Up PR Reviews
- Configure notifications to get alerted on new Critical findings — see Email Notifications
- Track trends on the Code Health dashboard — see Monitor Code Health