Understanding Findings
Findings are security issues, misconfigurations, or policy violations detected by Cloudgeni. This guide explains the different types of findings, how they’re classified, and how to manage them effectively.
Finding Types
- Static Analysis - Issues found in IaC code before deployment
- Cloud Compliance - Violations detected in running cloud resources
- Configuration Drift - Differences between IaC and actual state
Static Analysis Findings
Detected by scanning Infrastructure as Code files:
| Source | Description |
|---|---|
| Terraform | .tf and .tfvars files |
| Bicep | .bicep files |
| Terragrunt | terragrunt.hcl files |
| HCL | Generic HashiCorp Configuration Language |
Cloud Compliance Findings
Detected by scanning your actual cloud infrastructure:
| Provider | Source |
|---|---|
| AWS | Security Hub, Prowler scans |
| Azure | Defender for Cloud |
| GCP | Security Command Center |
| OCI | Cloud Guard |
Drift Findings
Detected when cloud resources don’t match IaC definitions:
| Type | Description |
|---|---|
| Added | Resource exists in cloud but not in IaC |
| Modified | Resource configuration differs from IaC |
| Deleted | Resource in IaC but missing from cloud |
Severity Levels
Critical
Immediate security risk requiring urgent action. Examples:
- Publicly accessible databases
- Unencrypted sensitive data stores
- Admin credentials exposed
- No authentication on APIs
High
Significant vulnerability that could be exploited. Examples:
- Missing encryption at rest
- Overly permissive IAM policies
- Security groups allowing broad access
- Missing MFA requirements
Medium
Moderate risk that should be addressed. Examples:
- Logging not enabled
- Non-compliant naming conventions
- Missing resource tags
- Suboptimal configurations
Low
Minor issues or best practice recommendations. Examples:
- Deprecated resource versions
- Non-standard configurations
- Documentation gaps
- Minor optimization opportunities
Info
Informational notices, no immediate risk. Examples:
- New features available
- Upcoming deprecations
- Configuration suggestions
- Compliance notes
Finding Status
Status Values
| Status | Description |
|---|---|
| Open | Finding detected, not yet addressed |
| In Progress | Remediation work underway |
| Resolved | Finding fixed and verified |
| Suppressed | Accepted risk with documentation |
| False Positive | Finding was incorrect |
Status Workflow
Transitioning Status
Open → In Progress:
- When remediation starts
- When PR is created
- When assigned to team member
In Progress → Resolved:
- After fix is deployed
- Verified by new scan
- PR merged to main branch
Open → Suppressed:
- Risk accepted by organization
- Requires documented justification
- Needs approval (configurable)
Finding Properties
Core Properties
| Property | Description |
|---|---|
| ID | Unique identifier |
| Check ID | Policy rule identifier (e.g., CKV_AWS_19) |
| Title | Brief description of the issue |
| Description | Detailed explanation |
| Severity | Risk level (Critical to Info) |
| Status | Current workflow status |
Location Information
| Property | Description |
|---|---|
| File | Source file path |
| Line | Line number in file |
| Resource | Resource name or ARN |
| Region | Cloud region (for compliance findings) |
Metadata
| Property | Description |
|---|---|
| First Seen | When finding was first detected |
| Last Seen | Most recent scan that detected it |
| Framework | Compliance framework (SOC2, ISO27001, etc.) |
| Tags | User-defined labels |
Prioritization
Priority Matrix
Use severity and context to prioritize:
| Factor | Higher Priority | Lower Priority |
|---|---|---|
| Severity | Critical, High | Low, Info |
| Environment | Production | Development |
| Data Sensitivity | Contains PII/secrets | No sensitive data |
| External Exposure | Internet-facing | Internal only |
| Compliance | Regulated workload | Non-regulated |
Prioritization Strategy
- Critical in Production - Immediate action
- High in Production - This sprint
- Critical in Dev/Staging - Before promotion
- Medium/Low - Scheduled maintenance
- Info - Backlog review
Managing Findings
Filtering
Filter findings by:
- Severity level
- Status
- Resource type
- File/repository
- Framework
- Date range
Grouping
Group findings by:
- Check ID (same type of issue)
- Resource (all issues for one resource)
- File (all issues in one file)
- Severity
Bulk Actions
Perform actions on multiple findings:
- Update status
- Assign to team member
- Bulk remediate
- Export to CSV
Suppression
When to Suppress
Suppress findings when:
- Risk is accepted by organization
- Finding is a false positive
- Compensating controls exist
- Technical limitation prevents fix
Suppression Requirements
| Requirement | Description |
|---|---|
| Reason | Clear justification |
| Approver | Who approved the suppression |
| Expiration | Optional end date |
| Compensating Control | Alternative mitigation |
Suppression Example
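As an added illustration (not Cloudgeni's own code, data model, or suppression format), the following Python models the status transitions listed under Transitioning Status together with the suppression requirements above: a finding can only be resolved after a new scan verifies the fix, and can only be suppressed with a documented reason, an approver when approval is required, and an optional expiration that a periodic audit turns back into an open finding. Field names, the allowed-transition table, and the sample values are assumptions.

```python
# Added illustration (not Cloudgeni's code): status machine for the workflow above.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

TRANSITIONS = {  # allowed status changes (assumed from the workflow above)
    "Open": {"In Progress", "Suppressed", "False Positive"},
    "In Progress": {"Resolved", "Suppressed"},
    "Suppressed": {"Open"},  # expiration passed or risk acceptance revoked
}

@dataclass
class Suppression:
    reason: str                             # clear justification (required)
    approver: Optional[str] = None          # required when approval is enabled
    expiration: Optional[str] = None        # optional ISO date, e.g. "2025-12-31"
    compensating_control: Optional[str] = None

@dataclass
class Finding:
    check_id: str                           # policy rule id, e.g. CKV_AWS_19
    resource: str
    status: str = "Open"
    verified_by_scan: bool = False          # set when a new scan no longer reports it
    suppression: Optional[Suppression] = None

def transition(f: Finding, new: str, approval_required: bool = True) -> Finding:
    """Move a finding to a new status, rejecting undocumented shortcuts."""
    if new not in TRANSITIONS.get(f.status, set()):
        raise ValueError(f"{f.status} -> {new} is not an allowed transition")
    if new == "Resolved" and not f.verified_by_scan:
        raise ValueError("Resolved requires verification by a new scan")
    if new == "Suppressed":
        s = f.suppression
        if s is None or not s.reason.strip():
            raise ValueError("Suppression requires a documented reason")
        if approval_required and not s.approver:
            raise ValueError("Suppression requires an approver")
    f.status = new
    return f

def reopen_expired(findings: List[Finding], today: str) -> List[Finding]:
    """Audit helper: reopen suppressions whose expiration date has passed."""
    now = date.fromisoformat(today)
    reopened = []
    for f in findings:
        s = f.suppression
        if f.status == "Suppressed" and s and s.expiration and date.fromisoformat(s.expiration) < now:
            reopened.append(transition(f, "Open"))
    return reopened
```

Running reopen_expired on the quarterly suppression audit surfaces accepted risks whose time limit has lapsed so they are re-triaged rather than silently forgotten.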
Integration with Workflows
Ticketing Integration
Export findings to:
- Jira
- ServiceNow
- GitHub Issues
- Azure DevOps Work Items
Notifications
Configure alerts for:
- New critical findings
- Finding status changes
- Compliance score drops
- Suppression requests
Reporting
Generate reports showing:
- Finding trends over time
- Remediation metrics
- Team performance
- Compliance status
Best Practices
Regular Review
- Review new findings daily
- Triage weekly with team
- Audit suppressed findings quarterly
- Track remediation metrics
Documentation
- Document suppression reasons clearly
- Link findings to related tickets
- Note manual remediation steps
- Record lessons learned
Continuous Improvement
- Identify recurring issues
- Create preventive policies
- Automate common fixes
- Share knowledge across teams