Security Findings
Shoehorn tracks security findings for entities in your catalog, aggregating vulnerability data and security posture information.
What’s Tracked
| Finding Type | Source | Description |
|---|---|---|
| Dependabot alerts | GitHub | Vulnerable dependency versions |
| CodeQL findings | GitHub | Static analysis security issues |
| Secret scanning | GitHub | Exposed secrets in code |
| Custom findings | API | Manually reported vulnerabilities |
Viewing Findings
Per Entity
Navigate to an entity detail page to see its security posture:
- Active vulnerability count by severity
- Whether security tools are enabled
- Recent finding history
Scorecard Integration
The security scorecard category evaluates:
| Rule | Points | What’s Checked |
|---|---|---|
| dependabot-enabled | 5 | Dependabot is active on the repository |
| codeql-enabled | 5 | CodeQL scanning is configured |
| secret-scanning | 5 | Secret scanning is enabled |
| no-critical-vulns | 5 | No unresolved critical/high vulnerabilities |
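The table above lists four rules worth 5 points each. The following is an added example, not Shoehorn's own scoring code, of how such a category can be evaluated: each rule is a predicate over an entity's security posture, and the score is the number of passing rules times the points per rule. The `SecurityPosture` field names and the `(severity, resolved)` finding tuples are assumptions made for this example; note that only unresolved critical or high findings fail `no-critical-vulns`, as the table states.

```python
from dataclasses import dataclass, field

# Constructed model of what the entity page exposes: tool enablement flags and
# the findings attached to the entity. Field names are assumptions for this
# example, not Shoehorn's own data model.
@dataclass
class SecurityPosture:
    dependabot_enabled: bool = False
    codeql_enabled: bool = False
    secret_scanning_enabled: bool = False
    # each finding is a (severity, resolved) tuple, e.g. ("high", False)
    findings: list = field(default_factory=list)

POINTS_PER_RULE = 5

def no_critical_vulns(posture: SecurityPosture) -> bool:
    """Fails only on unresolved critical/high findings; medium/low do not count."""
    return not any(
        severity in ("critical", "high") and not resolved
        for severity, resolved in posture.findings
    )

# One predicate per scorecard rule in the table above.
SECURITY_RULES = {
    "dependabot-enabled": lambda p: p.dependabot_enabled,
    "codeql-enabled": lambda p: p.codeql_enabled,
    "secret-scanning": lambda p: p.secret_scanning_enabled,
    "no-critical-vulns": no_critical_vulns,
}

def evaluate_security_category(posture: SecurityPosture):
    """Return (score, max_score, failed_rule_names) for the security category."""
    failed = [name for name, check in SECURITY_RULES.items() if not check(posture)]
    score = POINTS_PER_RULE * (len(SECURITY_RULES) - len(failed))
    return score, POINTS_PER_RULE * len(SECURITY_RULES), failed

if __name__ == "__main__":
    # Constructed sample: all tools on, one unresolved high alert, one medium,
    # and a critical that has already been resolved.
    sample = SecurityPosture(True, True, True,
                             [("high", False), ("medium", False), ("critical", True)])
    print(evaluate_security_category(sample))  # (15, 20, ['no-critical-vulns'])
```

Keeping each rule as a named predicate means a failed rule can be reported back on the entity page by name, which is what makes the score actionable rather than just a number.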
Governance Integration
Security findings can automatically create governance actions:
- Critical vulnerabilities create critical-priority actions
- High vulnerabilities create high-priority actions
- Actions are assigned to the entity’s owning team
- SLA timers track remediation progress
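As an added illustration of the flow described above (example code, not part of Shoehorn), the function below maps unresolved critical and high findings to actions with the matching priority, assigns each to the entity's owning team, and stamps an SLA deadline that a later check can compare against the current time. The `Finding` and `GovernanceAction` shapes, the owners lookup, the 7-day and 30-day SLA durations and the sample findings are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Finding:
    entity: str
    source: str      # "dependabot", "codeql", "secret-scanning" or "custom"
    severity: str    # "critical", "high", "medium" or "low"
    resolved: bool = False

@dataclass(frozen=True)
class GovernanceAction:
    entity: str
    team: str
    priority: str
    due: datetime    # SLA deadline for remediation
    finding: Finding

# Severity-to-priority mapping as described on the page: only critical and high
# findings create actions. The SLA durations are assumed values for this example.
PRIORITY_FOR_SEVERITY = {"critical": "critical", "high": "high"}
SLA_FOR_PRIORITY = {"critical": timedelta(days=7), "high": timedelta(days=30)}

def create_governance_actions(findings, owners, now):
    """Turn unresolved critical/high findings into actions owned by the entity's team."""
    actions = []
    for f in findings:
        priority = PRIORITY_FOR_SEVERITY.get(f.severity)
        if f.resolved or priority is None:
            continue  # resolved findings and medium/low severities create no action
        team = owners[f.entity]  # assumed: every catalog entity has an owning team
        actions.append(GovernanceAction(f.entity, team, priority,
                                        now + SLA_FOR_PRIORITY[priority], f))
    return actions

def overdue_actions(actions, now):
    """SLA timer check: actions whose remediation deadline has passed."""
    return [a for a in actions if now > a.due]

# Constructed sample data (not real findings).
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_OWNERS = {"payments-api": "team-payments"}
SAMPLE_FINDINGS = [
    Finding("payments-api", "dependabot", "critical"),
    Finding("payments-api", "codeql", "high"),
    Finding("payments-api", "custom", "medium"),
    Finding("payments-api", "secret-scanning", "critical", resolved=True),
]

if __name__ == "__main__":
    actions = create_governance_actions(SAMPLE_FINDINGS, SAMPLE_OWNERS, SAMPLE_NOW)
    for a in actions:
        print(a.priority, a.team, a.due.date(), a.finding.source)
    # critical team-payments 2024-01-08 dependabot
    # high team-payments 2024-01-31 codeql
    print(len(overdue_actions(actions, SAMPLE_NOW + timedelta(days=10))))  # 1
```

Using a strict comparison in `overdue_actions` means an action is overdue only after its deadline, not at it, so a remediation that lands on the due date still counts as within SLA.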
Security Best Practices
For optimal security posture in your organization:
- Enable Dependabot on all repositories
- Configure CodeQL for supported languages
- Enable secret scanning with push protection
- Review findings regularly via the governance dashboard
- Set SLA targets for vulnerability remediation