
Risk Factors in Mend SAST

Overview

Risk Factors in Mend SAST help you prioritize security findings by highlighting key indicators that make a vulnerability more critical or urgent to fix. Each finding may include one or more risk factors based on confidence level, data flow characteristics, and known exploitation patterns.

By default, Mend SAST focuses on high-confidence findings to reduce noise and ensure developers receive actionable issues without the need for prior triage. If needed, you can adjust the scan configuration to broaden detection and include lower-confidence findings, which may result in a more comprehensive but noisier report.

Note: Risk Factors are only available for C#, Java, JavaScript, Python, and TypeScript.
For all other languages, the corresponding findings will not have risk factors assigned.

Getting it done

Enabling Low Probability Findings

By default, Mend SAST only includes high-probability (high-confidence) findings to minimize false positives and reduce noise. These findings will show up as “High Probability” in the Risk Factors column.
To expand coverage and include low-probability findings—which may still carry security risk but require more scrutiny—you can update your scan configuration.

This can be done at the global or project level, and configured per language (only supported for SAST Gen 2 languages). Once enabled, future scans will include these findings, and the Risk Factors column will reflect them accordingly.

The Risk Factors column

The Risk Factors column is displayed in the Code Findings section of your project and is available in various tables, such as the project-level report and inside individual finding details.


Each code finding in a supported language displays a risk factor, helping you identify which issues may pose a greater security risk. Clicking the filter icon in the Risk Factors column lets you filter the results by the finding's Probability status.

Legend

  • High Probability

  • Low Probability
