77 lines
2.2 KiB
Markdown
77 lines
2.2 KiB
Markdown
# Security Summary
|
||
|
||
Total findings: 712 | 🔴 1 CRITICAL | 🔴 21 HIGH | 🟡 59 MEDIUM | ⚪ 9 LOW
|
||
|
||
## Top Risks by File
|
||
|
||
| File | Findings | Severity | Top Issue |
|
||
|------|----------|----------|-----------|
|
||
| package-lock.json | 43 | 🔴 CRITICAL | CVE-2026-3449 |
|
||
| Dockerfile.dev | 2 | 🔴 HIGH | Image user should not be 'root' |
|
||
| Dockerfile.production | 2 | 🔴 HIGH | Image user should not be 'root' |
|
||
| Dockerfile.test | 2 | 🔴 HIGH | Image user should not be 'root' |
|
||
| /scan/node_modules/zod/...emplate-literal.test.ts | 6 | 🟡 MEDIUM | MongoDB (6×) |
|
||
| /scan/node_modules/@types/node/url.d.ts | 3 | 🟡 MEDIUM | URI (3×) |
|
||
| /scan/node_modules/fire...es/@types/node/url.d.ts | 3 | 🟡 MEDIUM | URI (3×) |
|
||
| /scan/.env.docker.production.example | 1 | 🟡 MEDIUM | Postgres |
|
||
| /scan/.env.local | 1 | 🟡 MEDIUM | Postgres |
|
||
| /scan/.env.docker.dev | 1 | 🟡 MEDIUM | Postgres |
|
||
|
||
## By Severity
|
||
|
||
- 🔴 CRITICAL: 1
|
||
- 🔴 HIGH: 21
|
||
- 🟡 MEDIUM: 59
|
||
- ⚪ LOW: 9
|
||
- 🔵 INFO: 622
|
||
|
||
## Priority Analysis (EPSS/KEV)
|
||
|
||
Real-world exploit intelligence to focus on actual threats:
|
||
|
||
### 📊 High Exploit Probability: 2 CVEs
|
||
|
||
CVEs with >50% probability of being exploited in the next 30 days:
|
||
|
||
- 🔴 **CVE-2025-29927** (EPSS: 92.1%, 100th percentile)
|
||
- File: `package-lock.json`
|
||
- 🔴 **CVE-2024-51479** (EPSS: 78.5%, 99th percentile)
|
||
- File: `package-lock.json`
|
||
|
||
### Priority Distribution
|
||
|
||
- 🔴 Critical Priority (≥80): 2
|
||
- 🟠 High Priority (60-79): 1
|
||
- 🟡 Medium Priority (40-59): 0
|
||
- ⚪ Low Priority (<40): 709
|
||
|
||
## By Tool
|
||
|
||
- **syft**: 622 findings (🔵 622 INFO)
|
||
- **trivy**: 49 findings (🔴 1 CRITICAL, 🔴 21 HIGH, 🟡 18 MEDIUM, ⚪ 9 LOW)
|
||
- **trufflehog**: 41 findings (🟡 41 MEDIUM)
|
||
|
||
## Remediation Priorities
|
||
|
||
1. **Fix Image user should not be 'root'** (3 findings) → Review container security best practices
|
||
2. **Update vulnerable dependencies** (19 CRITICAL/HIGH CVEs) → Run package updates
|
||
|
||
## By Category
|
||
|
||
- 📦 Other: 622 findings (87% of total)
|
||
- 🛡️ Vulnerabilities: 49 findings (7% of total)
|
||
- 🔑 Secrets: 41 findings (6% of total)
|
||
|
||
## Top Rules
|
||
|
||
- SBOM.PACKAGE: 622
|
||
- Postgres: 13
|
||
- URI: 13
|
||
- MongoDB: 8
|
||
- GitHubOauth2: 5
|
||
- Image user should not be 'root': 3
|
||
- No HEALTHCHECK defined: 3
|
||
- GCP: 1
|
||
- Circle: 1
|
||
- CVE-2026-3449: 1
|