Overview
Risk Factors in the Mend AppSec Platform help you prioritize security findings across your software supply chain and custom code by highlighting the conditions that make a finding more severe or exploitable.
Risk Factors provide quick, actionable context that enables development and security teams to:
-
Focus first on findings that are more likely to be exploitable or malicious
-
Reduce noise by filtering out lower-risk items
-
Accelerate remediation workflows by surfacing what matters most
Risk Factors are currently available for both:
-
AI — helps you prioritize findings by highlighting models in your inventory that may warrant a more immediate call-to-action compared to other models.
-
SAST — highlights findings that involve risky code patterns, unvalidated input, and known exploit paths.
-
SCA — surfaces issues such as reachable, exploitable, or malicious open-source dependencies.
-
Container — helps you prioritize findings by providing an indication of the Reachability status of the package or finding, while allowing you to filter the results based on the existence of the package or finding in a runtime environment.
The Risk Factors Column
The Risk Factors column in the Applications and Projects views helps you understand which issues need attention first by showing the most important risk signals across your application or project in one place.
Instead of reviewing separate risk-factor columns for dependencies, code, containers, and AI findings, you can use one consolidated column to quickly identify, filter, and open the findings that matter most.
The Risk Factors column is available in the Applications and Projects views.
|
View |
What the column shows |
|---|---|
|
Applications |
Risk factors aggregated across all findings in the application. |
|
Projects |
Risk factors aggregated across all findings in the project. |
Each cell shows risk factor icons grouped by security engine:
-
Dependencies
-
Code
-
Containers
-
AI
Only engines with active risk factors are shown. If there are no active risk factors for the application or project, the cell displays a dash.
To keep the table easy to scan, each engine group shows up to three icons. If more than three risk factors are present for an engine, the cell displays a +N indicator. The full breakdown is always available in the tooltip.
Risk Factor Actions
View Related Findings
-
Open the Applications or Projects view.
-
Find the Risk Factors column.
-
Hover over any risk factor icon.
The tooltip shows risk factors grouped by engine. For each risk factor, you can see the number of findings that match that risk factor in the current application or project.
Click a risk factor to open the related findings view with the relevant filter already applied.
Select the link next to the risk factor you want to investigate.
The relevant findings page opens with the selected risk factor filter already applied and scoped to the current application or project.
|
Engine |
Destination |
|---|---|
|
Dependencies |
Security → Dependencies, filtered by the selected risk factor. |
|
Code |
Security → Code, filtered by the selected risk factor. |
|
Containers |
Security → Containers, filtered by the selected risk factor. |
|
AI |
Security → AI, filtered by the selected risk factor. |
You can also select a risk factor icon directly in the cell to open the same filtered findings view.
Filter by Risk Factor
Use the column filter to focus the Applications or Projects list on items that contain specific risk factors.
-
Open the Applications or Projects view.
-
Open the filter menu for the Risk Factors column.
-
Expand the engine section you want to filter by.
-
Select one or more risk factors.
-
Apply the filter.
Risk factor selections are engine-specific. For example, selecting Dependencies › Exploitable does not automatically select Code › Exploitable.
When you select risk factors from multiple engines, the list shows applications or projects that match at least one selected risk factor.
Available Risk Factors
|
Engine |
Risk factors |
|---|---|
|
Dependencies |
Exploitable, Reachable, Malicious |
|
Code |
Exploitable, High Probability, Non High Probability, Low Probability, Endpoint Access, Non Endpoint Access, Non Exploitable |
|
Containers |
Exploitable, Reachable, Malicious |
|
AI |
Confirmed Unsafe, Unconfirmed Unsafe, False Positive, Conversational System Prompts |
Notes
-
The Risk Factors column is visible by default in the Applications and Projects views.
-
Risk factors with no matching findings are not shown in the cell or tooltip.
-
The Containers Malicious risk factor appears when malicious container findings are available