Findings are the potential vulnerabilities and business logic flaws that the Ghost Exorcist engine has identified in your codebase.
Classification   Ratings                    Description
Severity         info, low, medium, high    The severity of the finding.
Feasibility      easy, medium, hard         The ease of exploiting the finding.
Effort           easy, medium, hard         The effort to remediate the finding.

Severity

Findings produced by the Ghost Exorcist engine are classified as info, low, medium, or high based on the severity of the finding. You are probably familiar with severity ratings from other tools. With Ghost, however, you will see far fewer of the low severity findings that you are used to: the Ghost Exorcist engine is designed to produce more signal and less noise.

Exploit feasibility

The exploit feasibility of a finding is a measure of how easy it is to exploit the finding. For example, a finding that is readily exploitable with no additional circumstances occurring is rated easy. A finding that requires a potential attacker to perform additional actions or gain additional privileges first receives a harder feasibility rating (medium or hard).

Remediation effort

The remediation effort of a finding is a measure of how much work it would take to remediate the finding. For example, a finding that requires a simple one-line change to the code is rated easy. A finding that requires a more complex change to the code or a more involved process receives a higher remediation effort rating (medium or hard).

Evidence

Each finding includes an evidence section with the agent’s supporting evidence for every criterion that was evaluated. All criteria for a vector must be confirmed before a finding is surfaced, and the evidence shows how each condition was met in your code. You can use the evidence to understand why a finding was produced and whether it applies to your context. If the evidence doesn’t match your expectations, you can tune the agent criteria or mute the finding.

Taking action

Combining the finding severity, exploit feasibility, and remediation effort ratings gives you a powerful prioritization lens. For example, if you have a finding that is high severity and easy to remediate, you might consider that an Easy Win and prioritize it accordingly. Similarly, if you have a finding that is high severity and easy to exploit, you might consider that a Risky Target and prioritize it for an urgent fix.
Use custom finding filters to narrow in on the findings that are most important to your team.
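As an added example (not part of Ghost's documentation or API), the following Python sketch applies this prioritization to a constructed list of findings: it tags Easy Wins and Risky Targets as described above, sinks muted findings to the bottom, and orders the rest by severity, then feasibility, then effort. The finding record layout and the tie-break order are assumptions.

```python
"""Triage Ghost-style findings by severity, exploit feasibility and
remediation effort. Added example; the record layout is assumed, not
the product's export format."""

SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3}
FEASIBILITY = {"easy": 0, "medium": 1, "hard": 2}   # easy = most exploitable
EFFORT = {"easy": 0, "medium": 1, "hard": 2}        # easy = cheapest to fix


def label(finding):
    """Return the triage label(s) the page describes, or None."""
    if finding["severity"] != "high":
        return None
    labels = []
    if finding["effort"] == "easy":
        labels.append("Easy Win")
    if finding["feasibility"] == "easy":
        labels.append("Risky Target")
    return ", ".join(labels) or None


def sort_key(finding):
    """Most severe first, then most exploitable, then cheapest fix.
    Muted findings sort last. The tie-break order is an assumption."""
    return (
        finding.get("muted", False),
        -SEVERITY[finding["severity"]],
        FEASIBILITY[finding["feasibility"]],
        EFFORT[finding["effort"]],
    )


def triage(findings):
    """Return (label, finding) pairs in recommended working order."""
    return [(label(f), f) for f in sorted(findings, key=sort_key)]


# Constructed sample findings, not output from the engine.
SAMPLE = [
    {"id": "F-1", "severity": "medium", "feasibility": "easy", "effort": "easy"},
    {"id": "F-2", "severity": "high", "feasibility": "hard", "effort": "easy"},
    {"id": "F-3", "severity": "high", "feasibility": "easy", "effort": "hard"},
    {"id": "F-4", "severity": "high", "feasibility": "easy", "effort": "easy", "muted": True},
    {"id": "F-5", "severity": "low", "feasibility": "medium", "effort": "medium"},
]

if __name__ == "__main__":
    for tag, f in triage(SAMPLE):
        print(f"{f['id']:5} {f['severity']:7} {f['feasibility']:7} {f['effort']:7} {tag or ''}")
```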