
Risk Factors in Mend SAST

Overview

Risk Factors in Mend SAST help you prioritize security findings by highlighting key indicators that make a vulnerability more critical or urgent to fix. Each finding may include one or more risk factors based on confidence level, data flow characteristics, and known exploitation patterns.

By default, Mend SAST focuses on high-confidence findings to reduce noise and ensure developers receive actionable issues without the need for prior triage. If needed, you can adjust the scan configuration to broaden detection and include lower-confidence findings, which may result in a more comprehensive but noisier report.

Note: Risk Factors are only available for C#, Java, JavaScript, Python, and TypeScript.
For all other languages, the corresponding findings will not have risk factors assigned.

Getting it done

View the Code Risk Factors in Global Applications/Projects view

The Code Risk Factors column is displayed in the global Applications/Projects view within your organization and is available in various tables, such as the project-level report and inside individual finding details.


View the Code Risk Factors in the Project view

The Risk Factors column is displayed in the Code Findings section of your project(s) and is available in various tables, such as the project-level report and inside individual finding details.


Code Risk Factors Appendix

Each code finding in a supported language displays a risk factor, helping you identify which issues may pose a greater security risk. Click the filter icon in the Risk Factors column to filter the results by the applicable risk factors:

  • High Probability
  • Low Probability
  • Endpoint Access - Indicates that the finding is accessible through an API endpoint. The API endpoints through which a finding is accessible are listed in its Security Overview section.
  • Exploitable - Indicates that the finding was detected by both SAST and DAST.

Enabling Low Probability Findings

By default, Mend SAST only includes high-probability (high-confidence) findings to minimize false positives and reduce noise. These findings will show up as “High Probability” in the Risk Factors column.
To expand coverage and include low-probability findings—which may still carry security risk but require more scrutiny—you can update your scan configuration.

This can be done at the global or project level, and configured per language (only supported for C#, Java, JavaScript, Python, and TypeScript). Once enabled, future scans will include these findings, and the Risk Factors column will reflect them accordingly.
