Risk Factors

Overview

Risk Factors in the Mend AppSec Platform help you prioritize security findings across your software supply chain and custom code by highlighting the conditions that make a finding more severe or exploitable.

Risk Factors provide quick, actionable context that enables development and security teams to:

  • Focus first on findings that are more likely to be exploitable or malicious

  • Reduce noise by filtering out lower-risk items

  • Accelerate remediation workflows by surfacing what matters most

Risk Factors are currently available for both:

  • AI — helps you prioritize findings by highlighting models in your inventory that may warrant a more immediate call-to-action compared to other models.

  • SAST  highlights findings that involve risky code patterns, unvalidated input, and known exploit paths.

  • SCA  surfaces issues such as reachable, exploitable, or malicious open-source dependencies.

  • Container helps you prioritize findings by providing an indication of the Reachability status of the package or finding, while allowing you to filter the results based on the existence of the package or finding in a runtime environment.

The Risk Factors Column

The Risk Factors column in the Applications and Projects views helps you understand which issues need attention first by showing the most important risk signals across your application or project in one place.

Instead of reviewing separate risk-factor columns for dependencies, code, containers, and AI findings, you can use one consolidated column to quickly identify, filter, and open the findings that matter most.

The Risk Factors column is available in the Applications and Projects views.

View

What the column shows

Applications

Risk factors aggregated across all findings in the application.

Projects

Risk factors aggregated across all findings in the project.

Each cell shows risk factor icons grouped by security engine:

  • Dependencies

  • Code

  • Containers

  • AI

Only engines with active risk factors are shown. If there are no active risk factors for the application or project, the cell displays a dash.

To keep the table easy to scan, each engine group shows up to three icons. If more than three risk factors are present for an engine, the cell displays a +N indicator. The full breakdown is always available in the tooltip.

Risk Factor Actions

  1. Open the Applications or Projects view.

  2. Find the Risk Factors column.

  3. Hover over any risk factor icon.

The tooltip shows risk factors grouped by engine. For each risk factor, you can see the number of findings that match that risk factor in the current application or project.

Click a risk factor to open the related findings view with the relevant filter already applied.

Select the link next to the risk factor you want to investigate.

The relevant findings page opens with the selected risk factor filter already applied and scoped to the current application or project.

Engine

Destination

Dependencies

Security → Dependencies, filtered by the selected risk factor.

Code

Security → Code, filtered by the selected risk factor.

Containers

Security → Containers, filtered by the selected risk factor.

AI

Security → AI, filtered by the selected risk factor.

You can also select a risk factor icon directly in the cell to open the same filtered findings view.

Filter by Risk Factor

Use the column filter to focus the Applications or Projects list on items that contain specific risk factors.

  1. Open the Applications or Projects view.

  2. Open the filter menu for the Risk Factors column.

  3. Expand the engine section you want to filter by.

  4. Select one or more risk factors.

  5. Apply the filter.

Risk factor selections are engine-specific. For example, selecting Dependencies › Exploitable does not automatically select Code › Exploitable.

When you select risk factors from multiple engines, the list shows applications or projects that match at least one selected risk factor.

Available Risk Factors

Engine

Risk factors

Dependencies

Exploitable, Reachable, Malicious

Code

Exploitable, High Probability, Non High Probability, Low Probability, Endpoint Access, Non Endpoint Access, Non Exploitable

Containers

Exploitable, Reachable, Malicious

AI

Confirmed Unsafe, Unconfirmed Unsafe, False Positive, Conversational System Prompts

Notes

  • The Risk Factors column is visible by default in the Applications and Projects views.

  • Risk factors with no matching findings are not shown in the cell or tooltip.

  • The Containers Malicious risk factor appears when malicious container findings are available