Triage Prioritization{% if _records %}{{ _records }} records{% endif %}
summary depth.
Component-level structured verdicts ran and have been applied to VEX
recommendations where applicable. Finding-level deep analysis did not
run, so portfolio narrative below may flag individual findings as likely
false positives without a corresponding VEX update. Rerun with
--ai-depth full or run False Positive Analysis --ai
to produce per-finding applicability verdicts.
Distribution of findings across risk priority bands.
{% if render_mode == 'fragment' and not fragment_scripts_enabled %}One bar per priority band, normalized to the average factor contribution per finding in the band — so cross-band comparisons aren't biased by band size. Segments to the right of zero are positive drivers (reach, exploit, KEV, attack vector, EPSS, CVSS, gate bonus); segments to the left of zero are demoters (unreachable penalty, VEX demotion). Read it as: what's pushing the typical finding into this tier — and what's pulling it down? A CRITICAL bar dominated by reach + exploit means reachability and exploit maturity are the heavy levers; a LOW bar with a long left-of-zero unreachable segment means reachability demotion is the dominant force.
{% if render_mode == 'fragment' and not fragment_scripts_enabled %}Each row is a CVSS tier. Segments inside each bar show how those findings break down across priority bands. Segments whose band doesn't match the row's CVSS tier are where CVSS alone would miscategorize risk.
{% if render_mode == 'fragment' and not fragment_scripts_enabled %}Per-project breakdown showing band counts.
{% if render_mode == 'fragment' and not fragment_scripts_enabled %}This report uses a tiered-gates scoring model that prioritizes findings based on real-world exploitability rather than theoretical CVSS scores alone.
{% if scoring_config and scoring_config.gates %} {% for gate in scoring_config.gates %}{{ gate.name | replace('_', ' ') | title }} — {{ gate.band }} (score={{ gate.score }})
- {{ gate.description | replace(' AND ', ' AND ') | replace(' OR ', ' OR ') | safe }}
Additive scoring (remaining findings)
- Reachability: +{{ scoring_config.weights.reachable }} (reachable), {{ scoring_config.weights.unknown }} (inconclusive), {{ scoring_config.weights.unreachable }} (unreachable)
- Exploit/KEV: +{{ scoring_config.weights.exploit }} (exploit), +{{ scoring_config.weights.kev_only }} (KEV only)
- Attack vector: +{{ scoring_config.weights.vector_network }} (NETWORK), +{{ scoring_config.weights.vector_adjacent }} (ADJACENT), +{{ scoring_config.weights.vector_local }} (LOCAL), {{ scoring_config.weights.vector_physical }} (PHYSICAL)
- EPSS: 0–{{ scoring_config.weights.epss_max }} points (scaled by percentile)
- CVSS: 0–{{ scoring_config.weights.cvss_max }} points (scaled by score/10)
Bands: HIGH ≥ {{ scoring_config.weights.band_high_threshold }}, MEDIUM ≥ {{ scoring_config.weights.band_medium_threshold }}, LOW ≥ {{ scoring_config.weights.band_low_threshold }}, INFO < {{ scoring_config.weights.band_low_threshold }}
{% if scoring_config.weights.vex_resolved %}VEX status penalty
- Findings with status NOT_AFFECTED, RESOLVED, or RESOLVED_WITH_PEDIGREE: {{ scoring_config.weights.vex_resolved }} points
- Applies to both gated and additive-scored findings
- Allows triaged findings to drop out of critical gates without being removed from the report
Reachability interpretation
- REACHABLE (score > 0): Code path is reachable — vulnerability can be triggered
- INCONCLUSIVE (score = 0): Reachability analysis ran but was inconclusive
- UNKNOWN (no data): Reachability analysis was never run
- UNREACHABLE (score < 0): Code path cannot be triggered
Copy and paste into any LLM for remediation guidance. No API key required. Project, component, and finding prompts are in the tables below.
Portfolio remediation prompt
{{ ai_portfolio_prompt }}
{{ project_name }}
{% endfor %}AI component remediation guidance
| Component | Fix Version | Rationale | Guidance | Workaround | Code Search | Confidence |
|---|---|---|---|---|---|---|
| {{ comp_key }} | {{ guidance.fix_version|default('—') }} | {{ guidance.rationale|default('—') }} |
{{ guidance.guidance|default('—') }} |
{{ guidance.workaround|default('—') }} |
{{ guidance.code_search_hints|default('—') }} | {{ guidance.confidence|default('—') }} |
AI finding triage guidance
| Finding | Priority | Action | Rationale | Fix Version | Workaround | Code Search | Confidence |
|---|---|---|---|---|---|---|---|
| {{ finding_id }} | {{ guidance.priority|default('—') }} | {{ guidance.action|default('—') }} |
{{ guidance.rationale|default('—') }} |
{{ guidance.fix_version|default('—') }} | {{ guidance.workaround|default('—') }} |
{{ guidance.code_search_hints|default('—') }} | {{ guidance.confidence|default('—') }} |
Project risk summary
| Folder | {% endif %}Project | CRIT | HIGH | MED | LOW | INFO | Total | Avg Score | {% if ai_project_prompts %}AI Prompt | {% endif %}||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| {{ row.folder_name if row.folder_name is defined else '' }} | {% endif %}{% if domain and row.project_id %} {{ row.project_name }} {% else %}{{ row.project_name }}{% endif %} | {% if row.CRITICAL|default(0) > 0 %}{{ row.CRITICAL }}{% else %}0{% endif %} | {% if row.HIGH|default(0) > 0 %}{{ row.HIGH }}{% else %}0{% endif %} | {% if row.MEDIUM|default(0) > 0 %}{{ row.MEDIUM }}{% else %}0{% endif %} | {{ row.LOW|default(0) }} | {{ row.INFO|default(0) }} | {{ row.total_findings|default(0) }} | {{ row.avg_score|default(0) }} | {% if ai_project_prompts %}
{% if row.project_name in ai_project_prompts %}
View{{ ai_project_prompts[row.project_name] }}
|
{% endif %}
||||||||||
Top riskiest components
| Component | Version | CRIT | HIGH | MED | LOW | Total | Avg | Max | {% if ai_component_prompts %}AI Prompt | {% endif %}Actions | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| {{ row.component_name }} | {{ row.component_version }} | {% if row.CRITICAL|default(0) > 0 %}{{ row.CRITICAL }}{% else %}0{% endif %} | {% if row.HIGH|default(0) > 0 %}{{ row.HIGH }}{% else %}0{% endif %} | {% if row.MEDIUM|default(0) > 0 %}{{ row.MEDIUM }}{% else %}0{% endif %} | {{ row.LOW|default(0) }} | {{ row.total_findings|default(0) }} | {{ row.avg_score }} | {{ row.max_score }} | {% if ai_component_prompts %}
{% set comp_key = row.component_name ~ ':' ~ row.component_version %}
{% if comp_key in ai_component_prompts %}
View{{ ai_component_prompts[comp_key] }}
|
{% endif %}
{% set c_key = row.component_name ~ ':' ~ row.component_version %} {% set c_guidance = ai_component_guidance.get(c_key, {}) if ai_component_guidance is defined and ai_component_guidance else {} %} {% set c_summary_parts = [] %} {% if c_guidance.get('fix_version') %}{% if c_summary_parts.append('Fix: ' + c_guidance.fix_version) %}{% endif %}{% endif %} {% if c_guidance.get('guidance') %}{% if c_summary_parts.append(c_guidance.guidance) %}{% endif %}{% endif %} {% if c_guidance.get('workaround') %}{% if c_summary_parts.append('Workaround: ' + c_guidance.workaround) %}{% endif %}{% endif %} {% set c_summary = c_summary_parts | join('\n\n') if c_summary_parts else (row.total_findings | string ~ ' findings (' ~ row.CRITICAL | string ~ ' CRITICAL, ' ~ row.HIGH | string ~ ' HIGH) in ' ~ row.component_name ~ ' ' ~ row.component_version) %} {% set c_band = 'CRITICAL' if (row.CRITICAL|default(0)) > 0 else ('HIGH' if (row.HIGH|default(0)) > 0 else ('MEDIUM' if (row.MEDIUM|default(0)) > 0 else 'LOW')) %} | |||||||||
Findings · top {{ _findings_limit }} by priority
| CVE | Band | Score | Gate | Component | Project | Version | Reach | {% if not _is_bundle %}Reach Score | Vuln Functions | {% endif %}Exploit | KEV | Vector | EPSS | CVSS | {% if ai_finding_prompts and not _is_bundle %}AI Prompt | {% endif %}VEX | Actions | ||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| {% if domain and row.project_id and row.project_version_id and row.internal_id %} {{ row.finding_id }} {% else %}{{ row.finding_id }}{% endif %} | {{ row.priority_band }} | {% set _additive = (row._pts_reachability|default(0) + row._pts_exploit|default(0) + row._pts_vector|default(0) + row._pts_epss|default(0) + row._pts_cvss|default(0))|round(1) %} {% set _gate_bonus = (row.triage_score - _additive)|round(1) if row.gate_assignment != 'NONE' else 0 %}{{ row.triage_score }} | {{ row.gate_assignment if row.gate_assignment != 'NONE' else '—' }} | {% if domain and row.project_id and row.project_version_id and row.component_id %} {{ row.component_name }}{% if row.component_version %} {{ row.component_version }}{% endif %} {% else %}{{ row.component_name }}{% if row.component_version %} {{ row.component_version }}{% endif %}{% endif %} | {% if domain and row.project_id %}{{ row.project_name }}{% else %}{{ row.project_name }}{% endif %} | {% if domain and row.project_id and row.project_version_id %}{{ row.version_name if row.version_name else '—' }}{% else %}{{ row.version_name if row.version_name else '—' }}{% endif %} | {% set rlabel = row.reachability_label if row.reachability_label is string else 'UNKNOWN' %} {{ rlabel }} | {% if not _is_bundle %}{{ row.reachability_score|int if row.reachability_score else '—' }} | {{ row.vuln_functions if row.vuln_functions else '—' }} | {% endif %}{% if row.has_exploit %}exploit{% else %}—{% endif %} | {% if row.in_kev %}kev{% else %}—{% endif %} | {{ row.attack_vector }} | {{ "%.1f"|format(row.epss_percentile|default(0) * 100) if row.epss_percentile else '—' }}% | {{ row.risk }} | {% if ai_finding_prompts and not _is_bundle %}
{% if row.finding_id in ai_finding_prompts %}
View{{ ai_finding_prompts[row.finding_id] }}
|
{% endif %}
{% if row.status is defined and row.status and row.status not in ('', 'nan', 'None') %} {{ row.status }} {% elif vex_rec_lookup is defined and vex_rec_lookup and row.finding_id in vex_rec_lookup %} {% set vrec = vex_rec_lookup[row.finding_id] %} {{ vrec.recommended_vex_status }} (rec) {% else %}—{% endif %} | {% set f_guidance = ai_finding_guidance.get(row.finding_id, {}) if ai_finding_guidance is defined and ai_finding_guidance else {} %} {% set f_summary_parts = [] %} {% if f_guidance.get('fix_version') %}{% if f_summary_parts.append('Fix: ' + f_guidance.fix_version) %}{% endif %}{% endif %} {% if f_guidance.get('guidance') %}{% if f_summary_parts.append(f_guidance.guidance) %}{% endif %}{% endif %} {% if f_guidance.get('workaround') %}{% if f_summary_parts.append('Workaround: ' + f_guidance.workaround) %}{% endif %}{% endif %} {% set f_reach = row.reachability_label if row.reachability_label is string else 'UNKNOWN' %} {% set f_summary = f_summary_parts | join('\n\n') if f_summary_parts else (row.severity ~ ' vulnerability in ' ~ row.component_name ~ ' ' ~ row.component_version ~ '. Reachability: ' ~ f_reach ~ '.') %} {% if row.internal_id and row.project_version_id %} {% set vex_reason = vex_reason_lookup.get(row.finding_id, '') if vex_reason_lookup is defined and vex_reason_lookup else '' %} {% set rec_data = vex_rec_lookup.get(row.finding_id) if vex_rec_lookup is defined and vex_rec_lookup else None %} {% endif %} | ||