View your Dynamic Findings in the Mend AppSec Platform

Overview

This article will guide you through where and how to review the Applications and Projects with their Dynamic (DAST) findings, helping you measure the impact of each finding and take actions such as suppressing a finding.

Getting it done

View the Applications or Projects with Dynamic Findings

  1. Log in to the Mend AppSec Platform.

  2. Navigate to the Applications/Projects view in the top menu bar.

  3. Ensure the Dynamic Scan engine is enabled.

[Screenshot: image-20250114-214330.png]

  4. Search for or select the Application/Project that you would like to view. You can sort by the number of Dynamic Findings and their criticality. You will be redirected to that Application's or Project's summary page.

[Screenshot: image-20250114-215805.png]

Sorting the Dynamic Findings per project by severity

Application/Project Summary View

The Application/Project Summary view provides a high-level overview and analytics of the Dynamic findings for all Projects associated with the Application.

[Screenshot: image-20250114-221721.png]

The Findings section comprises three widgets: Total Findings, Total Findings by Scan Engine, and Total Findings by Severity.

  • The Total Findings widget shows the total number of findings from all Projects within the current Application.

  • The Total Findings by Scan Engine widget shows the total number of findings from all Projects within the current Application, broken down by each active scan engine. Each scan engine is assigned a color; the color key is at the bottom of the widget.

  • The Total Findings by Severity widget shows the total number of findings from all Projects within the current Application, broken down by severity (Critical, High, Medium, or Low). Each severity is assigned a color; the color key is at the bottom of the widget.

View the Dynamic Findings list of your Project

Note: The Dynamic Findings view is only available at the Project level, not at the Application level.

When navigating to a Project, click Dynamic in the left panel to view the Dynamic findings list. By default, the list is filtered to show only non-suppressed and confirmed items. The view lists all the findings with the following information:

[Screenshot: image-20250114-175658.png]

  • Issue Name

  • Severity

  • URL Reference

  • Status

  • Confirmed/Unconfirmed - "Confirmed" refers to a vulnerability that Invicti has verified through additional validation steps, providing concrete evidence of its existence. This confirmation process enhances the reliability of scan results by minimizing false positives.
    When the issue's state is changed to Fixed (Unconfirmed), Invicti Enterprise will automatically scan for the fix within a few minutes. If the issue is fixed, the issue's state will be automatically changed to Confirmed.

  • CWE IDs

DAST and SAST Correlation

Companies often combine DAST and SAST detection technologies, focusing on overlapping findings (which are true-positive by definition) and prioritizing them over other findings.

You can configure the Mend AppSec Platform to correlate the DAST findings with the overlapping Code (SAST) findings for you, so you can easily put a spotlight on those findings detected by both engines.

To correlate the findings, follow these steps:

  1. Configure the mapping between your Invicti (DAST) source and the Mend.io target application and project.

  2. Perform a SAST scan of your application/project.

A few things to note:

  • The correlation is based on CWE and URL.

  • Correlated findings will be indicated by the “Exploitable” risk factor in the Code findings.

  • The number of corresponding DAST findings will be displayed in the Code finding details and allow users to jump from there to the filtered Dynamic findings table.

[Screenshot: image-20250615-074606.png]

A Dynamic Finding Reference in the Code Finding Details Drawer

Note:

  • Mend.io supports the correlation of C#, Java, JavaScript and Python findings.

  • The correlation is one-sided; the dynamic findings (DAST) presentation will not indicate a correlation with a Code finding (SAST). Navigate to your Code findings for that data.
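To illustrate the CWE-and-URL matching described above, here is an added Python example (not Mend's or Invicti's own code) that correlates constructed DAST and Code findings and flags the "Exploitable" risk factor. The field names, the URL normalization, and the exclusion of unconfirmed or suppressed DAST items from the match are assumptions made for this example.

```python
"""Added example: correlate Dynamic (DAST) findings with Code (SAST) findings
on CWE ID + URL, as the page describes. Not Mend's or Invicti's code."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit


@dataclass
class DastFinding:
    issue_name: str
    severity: str
    url: str
    cwe_ids: tuple            # a DAST issue may carry several CWE IDs
    confirmed: bool = True
    suppressed: bool = False


@dataclass
class CodeFinding:
    rule: str
    cwe_id: int
    url: str                  # assumed: endpoint the SAST engine attributes the sink to
    risk_factors: set = field(default_factory=set)
    dast_matches: list = field(default_factory=list)


def normalize_url(url: str) -> str:
    """Compare scheme, host and path only (assumption): query strings and trailing
    slashes differ between a crawler's request and a code route."""
    p = urlsplit(url.strip())
    path = p.path.rstrip("/") or "/"
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), path, "", ""))


def correlate(code_findings, dast_findings):
    """Mark a Code finding 'Exploitable' when a confirmed, non-suppressed DAST
    finding shares its CWE and URL; keep the matches for the details drawer."""
    index = {}
    for d in dast_findings:
        if d.suppressed or not d.confirmed:      # mirror the default Dynamic list filter
            continue
        for cwe in d.cwe_ids:
            index.setdefault((cwe, normalize_url(d.url)), []).append(d)
    for c in code_findings:
        c.dast_matches = list(index.get((c.cwe_id, normalize_url(c.url)), []))
        if c.dast_matches:
            c.risk_factors.add("Exploitable")
    return code_findings


# Constructed sample findings (not real scan output).
SAMPLE_DAST = [
    DastFinding("Reflected XSS", "High", "https://Shop.example/search?q=1", (79,)),
    DastFinding("SQL Injection", "Critical", "https://shop.example/api/items/", (89,)),
    DastFinding("Reflected XSS", "High", "https://shop.example/admin", (79,), confirmed=False),
]
SAMPLE_CODE = [
    CodeFinding("xss-reflected", 79, "https://shop.example/search"),
    CodeFinding("sqli-string-concat", 89, "https://shop.example/api/items"),
    CodeFinding("xss-reflected", 79, "https://shop.example/admin"),
]


def demo():
    """Return the number of corresponding DAST findings per Code finding."""
    return {f"{c.rule}@{c.url}": len(c.dast_matches) for c in correlate(SAMPLE_CODE, SAMPLE_DAST)}
```

The third Code finding gets no match because its DAST counterpart is unconfirmed, matching the one-sided, filtered view the page describes.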

Suppressing Findings

When a finding is a false positive or an accepted risk, it can be suppressed to prevent it from appearing in future results. A suppression reason can be attached for tracking and future reference.

You can suppress a finding using either the Mend AppSec Platform or the Invicti Enterprise Portal. The integration supports both methods, and any changes will be reflected on both platforms:

Suppress a Dynamic finding via the Mend AppSec Platform

  1. To suppress a finding within the finding's details pane, click the Suppress button:

[Screenshot: image-20250114-223659.png]

  2. Next, select a Suppression reason and add descriptive Notes (optional). Once done, click Suppress:

[Screenshot: image-20250114-223914.png]

  3. Once suppressed, a proper indication will be added to that specific finding:

[Screenshot: image-20250114-224122.png]

Suppress a Dynamic finding via the Invicti Enterprise Portal

  1. In the Issues view, select one or more findings you would like to suppress and click Edit:

[Screenshot: image-20250114-224714.png]

  2. Update the issue status to Accepted Risk or False Positive and click Save.

[Screenshot: image-20250114-225146.png]
