Fortinet black logo

Viewing the Scan Result

Viewing the Scan Result

The FortiDevSec scan result for application vulnerability scanning is populated in a comprehensive dashboard that provides an insight into the scanned applications categorizing the findings based on the scanners used with the calculated risk rating indicators. You can view the detected vulnerabilities' details per application. A Sample application is generated on the GUI and first time Intercom product users are guided by an interactive product tour, to discover the product and its configurations.

The dashboard Summary panel displays a gist of the scanned applications that include categorization of the applications scanned as per the assigned risk rating, the number of findings to review, the number of applications not scanned in the current week, and the overall average risk rating of the applications scanned. The top 5 OWASP and SANS categories are displayed along with the vulnerability counts for the entire organization. The Supply Chain Threats includes the list of all supply chain threats detected. The Outbreak Alerts includes the list of all the FortiGuard outbreak alerts identified after performing the application scan.

Viewing Supply Chain Threats

Supply chain threats refer to security risks that arise from vulnerabilities present in the components, software libraries, or dependencies used in the development of an application. These threats can be exploited by attackers to compromise the overall security of the application and potentially gain unauthorized access to sensitive data or systems.

Click Supply Chain Threats in the summary panel, to view the all the supply chain threat alerts. Each alert in the Supply Chain Threats pane includes:

  • Name of the alert

  • Severity level

  • Description of the vulnerability

  • List of applications affected by the vulnerability

Note: FortiDevSec SCA currently detects Supply Chain threats only from Python OSS ecosystems.

Viewing Outbreak Alerts

Click Outbreak Alerts in the summary panel, to view the all the FortiGuard outbreak alerts. Each alert in the Outbreak Alerts pane includes:

  • Name of the alert

  • Severity level

  • Last revised date

  • Description of the vulnerability

  • List of applications affected by the vulnerability

Note: Outbreak alerts is currently supported ony for SCA and Container scanners.

Viewing Scanned Applications

The application panel lists all the scanned applications with basic details. Consider this example screenshot from the dashboard.


You can analyze the following information specific to each application.

  • The number of vulnerabilities found by each scanner type, in this case, 763 vulnerabilities are found by SAST, 17 vulnerabilities are found by DAST, and 63 by SCA. Click on the legend for each scan type to view the categorization of the findings by their severity.

  • The risk rating assigned by FortiDevSec for this application.
  • The total number of vulnerabilities detected.
  • The vulnerability counts for both OWASP and SANS categories.
  • The presence of ansupply chain threat alert icon indicates that the application has a supply chain vulnerability that requires attention.
  • The presence of an outbreak alert icon indicates that the application has vulnerability that requires immediate attention.

Click on the application name or the number of vulnerabilities to view scan details.

Viewing Scanned Application Details

In this panel details such as, the scanner types used with a break-up of the number of vulnerabilities found by each scanner and the associated risk rating are displayed. In this example, there are a total of 907 vulnerabilities found and categorized based on the scanners that detected them.

  • Click on the number of vulnerabilities for any scanner type to view the specifics.
  • You can filter the vulnerabilities based on OWASP and SANS categorization.
  • Click View All to view details of all vulnerabilities detected.Click Supply Chain Threats to view application specific supply chain threats. Click Outbreak Alerts to view the application specific FortiGuard outbreak alerts.


  • Modify Risk Rating - You can modify the risk rating settings for the application on this page, click Set Rating Factors.
  • Plugins - You can enable and configure JIRA and FortiDAST scan target with FortiDevSec, click Plugins. See Plugins.
  • Scan History - You can view the scan history of the application such as the type of scanners used for various scans, the scan duration, total number of vulnerabilities found, and the associated risk.

Hover over to view CI/CD and build related information.

Scan details are listed in the panel on the right side.

The displayed application related data includes the number of files and lines of code scanned, scanner types used, the App ID and organization ID, and the time when the application was added and last scanned. Click Scanner Config to download the fdevsec.yaml file.

  • Modify App ID - You can modify the application ID, the new ID is displayed in this Details panel instantly. Ensure that you update the modified application ID in any existing fdevsec.yaml file.
  • Deactivating/Deleting the Application - You can deactivate an application wherein no modification is allowed to the application vulnerability findings, but you are allowed to view them. You can delete an application (that is not being scanned) from the dashboard only after deactivating it.
Viewing Software Bill of Materials(SBOM)

A Software Bill of Materials (SBOM) is a detailed inventory that includes all the third-party and open-source software components used in the product. FortiDevSec SBOM references page presents a complete list of all the software components used in your product and helps you easily track these components, their versions, and any security vulnerabilities they may have.

To view SBOM, perform the following steps:

  1. In the FortiDevSec Dashboard > Applications, click the desired application name or the number of vulnerabilities to view scan details.

  2. Click SBOM in the SCA scanner widget.

  3. SBOM references window is displayed. The components are grouped based on their ecosystem and the following fields are displayed for each component:

    Field Description
    Dependency The name of the 3rd party library being used.
    Version The version of the library being utilized.
    License Indicates whether the library requires a license. If yes, specifies the type of license used.
    Vulnerable A boolean flag that notifies whether the library is vulnerable or not (true/false).
    Source Path The file path where the library name and version are mentioned and utilized.

  4. Click Export to CSV to export the list of all components in Micorsoft Excel file.


Viewing Vulnerabilities

All vulnerabilities are listed in this panel along with the associated source file name, the line number (SAST)/URL (DAST), and the assigned severity.

  • Active vulnerabilities are those that are currently present in your application. In this case, there are 339 active vulnerabilities.
  • The vulnerabilities for each scanner type display the number of Unique vulnerabilities. A unique vulnerability can have multiple instances but it is counted only once here.
  • You can manually Sync the vulnerabilities from the JIRA plugin for each application.
  • You can download vulnerabilities in .csv format, click Export.
  • Use sort to display the vulnerabilities based on recent activity, severity level, outbreak alerts and supply chain threats.

Modifying the Vulnerability Status

You can modify the status of each vulnerability or of all vulnerabilities, select Select Multiple and set the status.

The following status types are supported.

  • New: This is a new vulnerability detected by the scan.
  • Confirmed: This is a real vulnerability and requires a fix.
  • In Review: This vulnerability is currently in review/looked into for further action.
  • Reviewed: This vulnerability review is complete.
  • Reopened: This is a fixed vulnerability detected again in the rescan and requires to be addressed.
  • Fixed: This vulnerability is fixed and does not appear in the next scan result.
  • Risk Accepted: This vulnerability is an accepted risk and continues to exist without any potential damage.
  • False Positive: This vulnerability is a potential flaw in the scanner or is indicative of a unique feature of the application.
  • Removed: This vulnerability is overlooked in the application.
Viewing Vulnerability Details

Click on the vulnerability name to view all details associated with each finding.

  • The details displayed are the risk rating (severity) assigned by FortiDevSec.
  • The associated file and the line number that the vulnerability is found in.
  • The Issue description and the associated CWE and CVE (if any). Click on the CWE/CVE link to view details.
  • The Remediation provides information (if available) on how to fix/avoid the vulnerability.
  • The associated OWASP Top10 or SANS Top 25 category.
  • The number of Similar Occurrences that it is found in, click on each instance to view details. Click to expand each of the instance.
  • The history of the vulnerability is also displayed that includes the time of its first and last appearance.
  • The CI/CD and Build details.
  • The Outbreak Alert lists the alerts found in the application. Click outbreak alert link to navigate to the FortiGuard Outbreak Alert page for in-depth analysis.
  • The Supply Chain provides information on the supply chain threat detected.

Note: For the SECRET scanner, the Code field contains the following information:

  • Hash - Git commit hash.

  • By - Details of the user who has committed the change.

  • The last line in code field contains the commit message added by the user. If the GIT commit message is more than 200 characters it is truncated.

Applying Filters

You can filter the displayed findings based on specific criteria. The following filters are available on the left-side panel of the vulnerabilities page.

  • Calculated Risk Rating - Filtered based on the assigned risk rating.
  • Status - Filtered based on the status.
  • Category - Filtered based on the specific application.
  • Files - Filtered based on the specific files.
  • Directory - Filtered based on the specific directories.
  • OWASP Top 10 - Filters based on the specific OWASP vulnerability.
  • SANS top 25 - Filters based on the specific SANS vulnerability.
  • Images - Filters based on the image files.

Note: To export a specific type of vulnerablity, select the desired filters and click Export.

Viewing the Scan Result

The FortiDevSec scan result for application vulnerability scanning is populated in a comprehensive dashboard that provides an insight into the scanned applications categorizing the findings based on the scanners used with the calculated risk rating indicators. You can view the detected vulnerabilities' details per application. A Sample application is generated on the GUI and first time Intercom product users are guided by an interactive product tour, to discover the product and its configurations.

The dashboard Summary panel displays a gist of the scanned applications that include categorization of the applications scanned as per the assigned risk rating, the number of findings to review, the number of applications not scanned in the current week, and the overall average risk rating of the applications scanned. The top 5 OWASP and SANS categories are displayed along with the vulnerability counts for the entire organization. The Supply Chain Threats includes the list of all supply chain threats detected. The Outbreak Alerts includes the list of all the FortiGuard outbreak alerts identified after performing the application scan.

Viewing Supply Chain Threats

Supply chain threats refer to security risks that arise from vulnerabilities present in the components, software libraries, or dependencies used in the development of an application. These threats can be exploited by attackers to compromise the overall security of the application and potentially gain unauthorized access to sensitive data or systems.

Click Supply Chain Threats in the summary panel, to view the all the supply chain threat alerts. Each alert in the Supply Chain Threats pane includes:

  • Name of the alert

  • Severity level

  • Description of the vulnerability

  • List of applications affected by the vulnerability

Note: FortiDevSec SCA currently detects Supply Chain threats only from Python OSS ecosystems.

Viewing Outbreak Alerts

Click Outbreak Alerts in the summary panel, to view the all the FortiGuard outbreak alerts. Each alert in the Outbreak Alerts pane includes:

  • Name of the alert

  • Severity level

  • Last revised date

  • Description of the vulnerability

  • List of applications affected by the vulnerability

Note: Outbreak alerts is currently supported ony for SCA and Container scanners.

Viewing Scanned Applications

The application panel lists all the scanned applications with basic details. Consider this example screenshot from the dashboard.


You can analyze the following information specific to each application.

  • The number of vulnerabilities found by each scanner type, in this case, 763 vulnerabilities are found by SAST, 17 vulnerabilities are found by DAST, and 63 by SCA. Click on the legend for each scan type to view the categorization of the findings by their severity.

  • The risk rating assigned by FortiDevSec for this application.
  • The total number of vulnerabilities detected.
  • The vulnerability counts for both OWASP and SANS categories.
  • The presence of ansupply chain threat alert icon indicates that the application has a supply chain vulnerability that requires attention.
  • The presence of an outbreak alert icon indicates that the application has vulnerability that requires immediate attention.

Click on the application name or the number of vulnerabilities to view scan details.

Viewing Scanned Application Details

In this panel details such as, the scanner types used with a break-up of the number of vulnerabilities found by each scanner and the associated risk rating are displayed. In this example, there are a total of 907 vulnerabilities found and categorized based on the scanners that detected them.

  • Click on the number of vulnerabilities for any scanner type to view the specifics.
  • You can filter the vulnerabilities based on OWASP and SANS categorization.
  • Click View All to view details of all vulnerabilities detected.Click Supply Chain Threats to view application specific supply chain threats. Click Outbreak Alerts to view the application specific FortiGuard outbreak alerts.


  • Modify Risk Rating - You can modify the risk rating settings for the application on this page, click Set Rating Factors.
  • Plugins - You can enable and configure JIRA and FortiDAST scan target with FortiDevSec, click Plugins. See Plugins.
  • Scan History - You can view the scan history of the application such as the type of scanners used for various scans, the scan duration, total number of vulnerabilities found, and the associated risk.

Hover over to view CI/CD and build related information.

Scan details are listed in the panel on the right side.

The displayed application related data includes the number of files and lines of code scanned, scanner types used, the App ID and organization ID, and the time when the application was added and last scanned. Click Scanner Config to download the fdevsec.yaml file.

  • Modify App ID - You can modify the application ID, the new ID is displayed in this Details panel instantly. Ensure that you update the modified application ID in any existing fdevsec.yaml file.
  • Deactivating/Deleting the Application - You can deactivate an application wherein no modification is allowed to the application vulnerability findings, but you are allowed to view them. You can delete an application (that is not being scanned) from the dashboard only after deactivating it.
Viewing Software Bill of Materials(SBOM)

A Software Bill of Materials (SBOM) is a detailed inventory that includes all the third-party and open-source software components used in the product. FortiDevSec SBOM references page presents a complete list of all the software components used in your product and helps you easily track these components, their versions, and any security vulnerabilities they may have.

To view SBOM, perform the following steps:

  1. In the FortiDevSec Dashboard > Applications, click the desired application name or the number of vulnerabilities to view scan details.

  2. Click SBOM in the SCA scanner widget.

  3. SBOM references window is displayed. The components are grouped based on their ecosystem and the following fields are displayed for each component:

    Field Description
    Dependency The name of the 3rd party library being used.
    Version The version of the library being utilized.
    License Indicates whether the library requires a license. If yes, specifies the type of license used.
    Vulnerable A boolean flag that notifies whether the library is vulnerable or not (true/false).
    Source Path The file path where the library name and version are mentioned and utilized.

  4. Click Export to CSV to export the list of all components in Micorsoft Excel file.


Viewing Vulnerabilities

All vulnerabilities are listed in this panel along with the associated source file name, the line number (SAST)/URL (DAST), and the assigned severity.

  • Active vulnerabilities are those that are currently present in your application. In this case, there are 339 active vulnerabilities.
  • The vulnerabilities for each scanner type display the number of Unique vulnerabilities. A unique vulnerability can have multiple instances but it is counted only once here.
  • You can manually Sync the vulnerabilities from the JIRA plugin for each application.
  • You can download vulnerabilities in .csv format, click Export.
  • Use sort to display the vulnerabilities based on recent activity, severity level, outbreak alerts and supply chain threats.

Modifying the Vulnerability Status

You can modify the status of each vulnerability or of all vulnerabilities, select Select Multiple and set the status.

The following status types are supported.

  • New: This is a new vulnerability detected by the scan.
  • Confirmed: This is a real vulnerability and requires a fix.
  • In Review: This vulnerability is currently in review/looked into for further action.
  • Reviewed: This vulnerability review is complete.
  • Reopened: This is a fixed vulnerability detected again in the rescan and requires to be addressed.
  • Fixed: This vulnerability is fixed and does not appear in the next scan result.
  • Risk Accepted: This vulnerability is an accepted risk and continues to exist without any potential damage.
  • False Positive: This vulnerability is a potential flaw in the scanner or is indicative of a unique feature of the application.
  • Removed: This vulnerability is overlooked in the application.
Viewing Vulnerability Details

Click on the vulnerability name to view all details associated with each finding.

  • The details displayed are the risk rating (severity) assigned by FortiDevSec.
  • The associated file and the line number that the vulnerability is found in.
  • The Issue description and the associated CWE and CVE (if any). Click on the CWE/CVE link to view details.
  • The Remediation provides information (if available) on how to fix/avoid the vulnerability.
  • The associated OWASP Top10 or SANS Top 25 category.
  • The number of Similar Occurrences that it is found in, click on each instance to view details. Click to expand each of the instance.
  • The history of the vulnerability is also displayed that includes the time of its first and last appearance.
  • The CI/CD and Build details.
  • The Outbreak Alert lists the alerts found in the application. Click outbreak alert link to navigate to the FortiGuard Outbreak Alert page for in-depth analysis.
  • The Supply Chain provides information on the supply chain threat detected.

Note: For the SECRET scanner, the Code field contains the following information:

  • Hash - Git commit hash.

  • By - Details of the user who has committed the change.

  • The last line in code field contains the commit message added by the user. If the GIT commit message is more than 200 characters it is truncated.

Applying Filters

You can filter the displayed findings based on specific criteria. The following filters are available on the left-side panel of the vulnerabilities page.

  • Calculated Risk Rating - Filtered based on the assigned risk rating.
  • Status - Filtered based on the status.
  • Category - Filtered based on the specific application.
  • Files - Filtered based on the specific files.
  • Directory - Filtered based on the specific directories.
  • OWASP Top 10 - Filters based on the specific OWASP vulnerability.
  • SANS top 25 - Filters based on the specific SANS vulnerability.
  • Images - Filters based on the image files.

Note: To export a specific type of vulnerablity, select the desired filters and click Export.