Findings are the potential vulnerabilities and business logic flaws that the Ghost Exorcist engine has identified in your codebase.

| Classification | Ratings                 | Description                          |
|----------------|-------------------------|--------------------------------------|
| Severity       | info, low, medium, high | The severity of the finding.         |
| Feasibility    | easy, medium, hard      | The ease of exploiting the finding.  |
| Effort         | easy, medium, hard      | The effort to remediate the finding. |

Severity

Findings produced by the Ghost Exorcist engine are classified as info, low, medium, or high based on the severity of the finding. These levels will look familiar from other tools, but the distribution will not: the Ghost Exorcist engine is designed to produce more signal and less noise, so you will see far fewer low severity findings than you are used to.

Exploit feasibility

The exploit feasibility of a finding is a measure of how easy it is to exploit. For example, a finding that is readily exploitable with no additional preconditions is rated easy. A finding that requires a potential attacker to perform additional actions, chain other weaknesses, or first gain additional privileges is rated medium or hard, depending on how much the attacker must do.

Remediation effort

The remediation effort of a finding is a measure of how much work it would take to fix. For example, a finding that requires a simple one-line code change is rated easy. A finding that requires a more complex code change, a design change, or a more involved process (such as a migration or a coordinated rollout) is rated medium or hard.

Taking action

Combining the finding severity, exploit feasibility, and remediation effort ratings gives you a powerful prioritization lens.

For example, a finding that is high severity and easy to remediate is an Easy Win: prioritize it because the payoff is large for little work.

Similarly, a finding that is high severity and easy to exploit is a Risky Target: prioritize it for an urgent fix, regardless of how much effort the fix takes.
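The prioritization described above, as an added example (not Ghost's own code or API): it assumes findings have been exported as dicts carrying the three ratings on this page, tags Easy Wins and Risky Targets, and orders the rest by severity, then ease of exploitation, then cheapness of the fix. The finding ids and titles are constructed for illustration.

```python
"""Triage findings by severity, exploit feasibility and remediation effort.

Added example; this is not Ghost's code or API. It assumes each finding has
been exported as a dict carrying the three ratings this page describes.
"""

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}
# Feasibility "easy" means easy to exploit; effort "easy" means easy to fix.
# Both scales use the same words, so one rank table serves both.
EASE_RANK = {"hard": 0, "medium": 1, "easy": 2}

# Constructed sample findings (hypothetical ids and titles).
SAMPLE_FINDINGS = [
    {"id": "F1", "title": "Verbose error page",      "severity": "medium", "feasibility": "hard",   "effort": "easy"},
    {"id": "F2", "title": "Auth bypass in API",      "severity": "high",   "feasibility": "easy",   "effort": "hard"},
    {"id": "F3", "title": "Missing ownership check", "severity": "high",   "feasibility": "easy",   "effort": "easy"},
    {"id": "F4", "title": "Outdated comment",        "severity": "info",   "feasibility": "hard",   "effort": "easy"},
    {"id": "F5", "title": "Weak hash for tokens",    "severity": "high",   "feasibility": "medium", "effort": "easy"},
]


def validate(finding):
    """Reject findings whose ratings fall outside the documented scales."""
    for field, scale in (("severity", SEVERITY_RANK),
                         ("feasibility", EASE_RANK),
                         ("effort", EASE_RANK)):
        value = finding.get(field)
        if value not in scale:
            raise ValueError(
                f"{finding.get('id')}: {field}={value!r} not in {sorted(scale)}")


def tags(finding):
    """Apply the two labels the page suggests: Easy Win and Risky Target."""
    labels = []
    if finding["severity"] == "high" and finding["effort"] == "easy":
        labels.append("Easy Win")
    if finding["severity"] == "high" and finding["feasibility"] == "easy":
        labels.append("Risky Target")
    return labels


def priority_key(finding):
    """Higher sorts first: severity, then ease of exploitation, then ease of fix."""
    return (SEVERITY_RANK[finding["severity"]],
            EASE_RANK[finding["feasibility"]],
            EASE_RANK[finding["effort"]])


def triage(findings):
    """Return findings in recommended fix order, each annotated with its tags."""
    for f in findings:
        validate(f)
    ordered = sorted(findings, key=priority_key, reverse=True)
    return [dict(f, tags=tags(f)) for f in ordered]


if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        print(f"{f['id']}  sev={f['severity']:<6} exploit={f['feasibility']:<6} "
              f"fix={f['effort']:<6} {', '.join(f['tags'])}")
```

A finding that is both an Easy Win and a Risky Target (F3 above) lands at the top of the list, and a Risky Target that is hard to fix (F2) still outranks an Easy Win that is harder to exploit (F5), which matches the urgency the text assigns to exploitable high severity findings. The validation step is worth keeping: a rating outside the documented scales is usually an export or parsing problem, and silently sorting it to the bottom would hide exactly the findings you least want to lose.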

Use custom finding filters to narrow in on the findings that are most important to your team.