> ## Documentation Index
> Fetch the complete documentation index at: https://docs.secally.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Findings

> How to triage and fix vulnerabilities SecAlly reports in GitHub.

Every scan produces findings with evidence, severity, and remediation guidance. SecAlly posts findings directly to GitHub (as PR review comments for PR scans, and issue comments for full scans).

## Severity levels

SecAlly follows [CVSS scoring](https://nvd.nist.gov/vuln-metrics/cvss).

* **Critical:** Immediate risk to sensitive data or authentication.
* **High:** Serious weakness that can be exploited with moderate effort.
* **Medium:** Security gaps that should be addressed in the next sprint.
* **Low:** Best-practice improvements and hardening.

## What a finding includes

Findings include (when available):

* A short title and detailed description
* CVSS severity and vectors
* Evidence snippets with file paths and line ranges
* OWASP Mobile Top 10 and CWE mappings with links to more details

## Triage workflow

1. **Validate** the finding (confirm the code path and impact in your context).
2. **Prioritize** using severity and impact.
3. **Track work** using your existing GitHub workflow (labels, assignees, linked issues, or tickets).
4. **Fix and verify** with a follow-up PR scan (and optionally a full scan before release).

## Evidence and fixes

Each finding includes the affected file(s), code location(s), and remediation guidance aimed at developers. If you believe a finding is a false positive, document your reasoning in GitHub and review it with your team before dismissing it.
