# Security Summary Total findings: 712 | 🔴 1 CRITICAL | 🔴 21 HIGH | 🟡 59 MEDIUM | ⚪ 9 LOW ## Top Risks by File | File | Findings | Severity | Top Issue | |------|----------|----------|-----------| | package-lock.json | 43 | 🔴 CRITICAL | CVE-2026-3449 | | Dockerfile.dev | 2 | 🔴 HIGH | Image user should not be 'root' | | Dockerfile.production | 2 | 🔴 HIGH | Image user should not be 'root' | | Dockerfile.test | 2 | 🔴 HIGH | Image user should not be 'root' | | /scan/node_modules/zod/...emplate-literal.test.ts | 6 | 🟡 MEDIUM | MongoDB (6×) | | /scan/node_modules/@types/node/url.d.ts | 3 | 🟡 MEDIUM | URI (3×) | | /scan/node_modules/fire...es/@types/node/url.d.ts | 3 | 🟡 MEDIUM | URI (3×) | | /scan/.env.docker.production.example | 1 | 🟡 MEDIUM | Postgres | | /scan/.env.local | 1 | 🟡 MEDIUM | Postgres | | /scan/.env.docker.dev | 1 | 🟡 MEDIUM | Postgres | ## By Severity - 🔴 CRITICAL: 1 - 🔴 HIGH: 21 - 🟡 MEDIUM: 59 - ⚪ LOW: 9 - 🔵 INFO: 622 ## Priority Analysis (EPSS/KEV) Real-world exploit intelligence to focus on actual threats: ### 📊 High Exploit Probability: 2 CVEs CVEs with >50% probability of being exploited in the next 30 days: - 🔴 **CVE-2025-29927** (EPSS: 92.1%, 100th percentile) - File: `package-lock.json` - 🔴 **CVE-2024-51479** (EPSS: 78.5%, 99th percentile) - File: `package-lock.json` ### Priority Distribution - 🔴 Critical Priority (≥80): 2 - 🟠 High Priority (60-79): 1 - 🟡 Medium Priority (40-59): 0 - ⚪ Low Priority (<40): 709 ## By Tool - **syft**: 622 findings (🔵 622 INFO) - **trivy**: 49 findings (🔴 1 CRITICAL, 🔴 21 HIGH, 🟡 18 MEDIUM, ⚪ 9 LOW) - **trufflehog**: 41 findings (🟡 41 MEDIUM) ## Remediation Priorities 1. **Fix Image user should not be 'root'** (3 findings) → Review container security best practices 2. **Update vulnerable dependencies** (19 CRITICAL/HIGH CVEs) → Run package updates ## By Category - 📦 Other: 622 findings (87% of total) - 🛡️ Vulnerabilities: 49 findings (7% of total) - 🔑 Secrets: 41 findings (6% of total) ## Top Rules - SBOM.PACKAGE: 622 - Postgres: 13 - URI: 13 - MongoDB: 8 - GitHubOauth2: 5 - Image user should not be 'root': 3 - No HEALTHCHECK defined: 3 - GCP: 1 - Circle: 1 - CVE-2026-3449: 1