View scan results - Vulnerabilities tab
After your pipeline completes a security scan, you can view the scan results in the Vulnerabilities tab. You can access the Vulnerabilities tab from two locations:
- Execution History: Select a specific pipeline execution from your pipeline's Execution History.
- Executions Section: Navigate to the Executions section from the left navigation in the STO module and select a pipeline execution.
The Vulnerabilities tab was previously called the Security Tests tab.
Navigate to Security Test results
Follow these steps to view the scan results:
- Navigate to either the Execution History of your pipeline or the Executions section from the left navigation in the STO module.
- Select the specific execution that performed the security scan.
- Click the Vulnerabilities tab.
The Vulnerabilities tab provides a detailed view of all issues identified during a scan. From this tab, you can also export the scan results in CSV format. For more information, see Export security test results.
 
The Active Issues count shows the number of vulnerabilities that still require action. It excludes any issues marked as Exempted or Remediated. This count also reflects how well STO’s deduplication logic is working by showing the percentage reduction in issues compared to the raw scan results.
Understanding issue categories
Issues identified in the scan are categorized as follows:
- Only in <target>:<variant>: Issues detected only in the scanned variant.
- Common to <target>:<baseline>: Issues present both in the scanned variant and the baseline.
- Common to previous scan:
  - Issues found in the previous scan (if no baseline is set), OR
  - Issues found in the previous baseline scan (if the current variant is the baseline).
 
 
- For optimal results, define a baseline for each target in STO. See Targets, Baselines, and Variants in STO.
- Issue categorization (Only in <target>:<variant> and Remediated) relies on the baseline used during the scan execution, which may differ from the current baseline if dynamic baselines based on regular expressions are used. See Dynamic Baselines.
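The category rules above, modelled as set comparisons in Python. This is an added example, not Harness code: the `Scan` type, the function names, the issue keys, and the use of `None` as the status of an open issue are all assumptions made for illustration.

```python
# Added illustration, not Harness code. All names and issue keys are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scan:
    target: str
    variant: str
    issues: frozenset  # deduplicated issue keys reported by this scan


def categorize(current, baseline=None, previous=None):
    """Group the current scan's issues into the tab's categories.

    baseline: latest scan of the target's baseline variant (None if unset).
    previous: previous scan of the same variant (None on a first scan).
    """
    scanned_is_baseline = baseline is not None and baseline.variant == current.variant
    if baseline is not None and not scanned_is_baseline:
        reference = baseline.issues
        common = f"Common to {baseline.target}:{baseline.variant}"
    else:
        # No baseline set, or the scanned variant is the baseline itself:
        # fall back to the previous scan (the previous baseline scan in the
        # second case, since `previous` is then a scan of the baseline).
        reference = previous.issues if previous else frozenset()
        common = "Common to previous scan"
    return {
        f"Only in {current.target}:{current.variant}": sorted(current.issues - reference),
        common: sorted(current.issues & reference),
    }


def active_count(status_by_issue):
    """Active Issues: issues not marked Exempted or Remediated."""
    return sum(s not in ("Exempted", "Remediated") for s in status_by_issue.values())


if __name__ == "__main__":
    main = Scan("webapp", "main", frozenset({"xss:login.js", "weak-hash:auth.py"}))
    feature = Scan("webapp", "feature-x", frozenset({"xss:login.js", "sqli:orders.py"}))
    older = Scan("webapp", "feature-x", frozenset({"sqli:orders.py"}))
    print(categorize(feature, baseline=main))   # variant compared with baseline
    print(categorize(feature, previous=older))  # no baseline: previous scan used
    print(active_count({"xss:login.js": "Exempted", "sqli:orders.py": None}))
```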
Filtering issues
You can filter issues using multiple criteria in the Vulnerabilities tab:
- Targets: Filter issues by target name.
- Target Type: Filter by target type (e.g., repository, container, etc.).
- Stage: Filter by pipeline stages.
- Step: Filter by pipeline steps.
- Scanner: Filter issues by specific scanners.
- Issue Type: Filter by issue types (e.g., SAST, DAST, SCA, IaC, Secret, etc.).
Severity-based filtering
Issues are summarized by severity levels (Critical, High, Medium, Low, Info) as clickable tiles, serving as additional filters. You can select multiple tiles.
 
The Exempted tile displays the number of exempted issues. Clicking it shows all exempted issues.
Issue list details
Below the filters and severity tiles, you'll find detailed information:
- Severity: Issue criticality.
- Issue: Description or name of the issue.
- Occurrences: Number of times the issue was detected.
- Status: Issue status (e.g., Remediated, Exempted).
View issue details
Click an issue to open the Issue Details pane. This pane contains two tabs: Overview and Occurrence.
 
If an exemption applies or was requested for an issue, the Exemption Status button appears at the top of the pane. Here, you can click the button to view exemption details or take actions (Approve, Reject, Re-open) based on your permissions. Learn more in Issue Exemption Workflow.
 
From the Issue Details pane, you can create Jira tickets using the Create Ticket button (see Create Jira tickets) or request issue exemptions using the Request Exemption button (see Issue Exemption Workflow).
Overview tab
The Overview tab includes:
- Details: Issue-related information varying by issue type (SAST, SCA, DAST, IaC, Secret).
- Remediation: Remediation steps from Harness AI and Scanner. If scanning a repository, you can raise PRs or get code suggestions from Harness AI (see Fix security issues using Harness AI).
- Code Snippet: Code snippet provided by the scanner. Enable Allow Vulnerable Content Extraction in Default Settings if the snippet isn't provided.
- Issue Raw Details: Raw scanner details.
Occurrence tab
The Occurrence tab lists all issue occurrences with fields varying by issue type. For example, SAST issues include Severity, File Name, and Line Number.
 
Clicking an occurrence opens the Occurrence Details pane, including:
- Details: Information based on issue type.
- Remediation: Steps from Harness AI and Scanner (see Fix security issues using Harness AI).
- Code Snippet: Provided by scanner or fetched by enabling Allow Vulnerable Content Extraction.
- Occurrence Raw Details: Raw scanner details.
 
Use carousel navigation (Next ( > ) and Previous ( < )) to navigate occurrences.
