Every scan produces findings with evidence, severity, and remediation guidance. SecAlly posts findings directly to GitHub (as PR review comments for PR scans, and issue comments for full scans).

Severity levels

SecAlly follows CVSS scoring.
  • Critical: Immediate risk to sensitive data or authentication.
  • High: Serious weakness that can be exploited with moderate effort.
  • Medium: Security gaps that should be addressed in the next sprint.
  • Low: Best-practice improvements and hardening.

What a finding includes

Findings include (when available):
  • A short title and detailed description
  • CVSS severity and vectors
  • Evidence snippets with file paths and line ranges
  • OWASP Mobile Top 10 and CWE mappings with links to more details

Triage workflow

  1. Validate the finding (confirm the code path and impact in your context).
  2. Prioritize using severity and impact.
  3. Track work using your existing GitHub workflow (labels, assignees, linked issues, or tickets).
  4. Fix and verify with a follow-up PR scan (and optionally a full scan before release).

Evidence and fixes

Each finding includes the affected file(s), code location(s), and remediation guidance aimed at developers. If you believe a finding is a false positive, document your reasoning in GitHub and review it with your team before dismissing it.