Core Concepts

Understand scans, findings, severity, risk score, and fix PRs.

This page defines the key concepts you'll encounter when using PrismSec. Understanding these terms will help you interpret findings, assess risk, and take the right actions to secure your code.

Scan

A scan is a security analysis of code changes in a pull request. PrismSec scans run automatically whenever a PR is opened or updated. Scans analyze:

  • Changed files (additions, modifications, deletions)
  • Commit history for exposed secrets
  • Dependencies declared in package manifests
  • Infrastructure-as-code configurations

Scans complete in seconds and produce a set of findings.

Finding

A finding is a detected security issue. Each finding represents a specific vulnerability, exposed secret, risky dependency, or misconfiguration. Findings include:

  • Location — File, line number, and code snippet
  • Category — SAST, Secret, Dependency, or IaC
  • Severity — Critical, High, Medium, or Low
  • Risk Score — A numerical score (0–100) indicating exploitability and impact
  • Description — What the issue is and why it matters
  • Recommendation — How to remediate the issue

Findings appear as inline comments on the pull request.

Severity

Severity is a qualitative assessment of how dangerous a finding is. PrismSec uses four levels:

| Severity | Description | Examples |
| --- | --- | --- |
| Critical | Immediate exploitability; high impact. Fix before merging. | SQL injection, hardcoded admin password |
| High | Likely exploitable; significant impact. Should be fixed soon. | XSS, exposed AWS credentials |
| Medium | May be exploitable in certain conditions; moderate impact. | Weak cryptography, dependency with known CVE |
| Low | Low exploitability or impact; fix when convenient. | Outdated library, overly permissive IAM role |

Never merge a PR with unresolved Critical findings. High findings should be triaged and fixed before release.

Risk Score

The risk score is a numerical value (0–100) that combines severity, exploitability, and context. Unlike severity (which is categorical), the risk score allows fine-grained prioritization.

Factors that influence risk score:

  • Public exposure — Is the vulnerable endpoint accessible externally?
  • Data sensitivity — Does the code handle PII, credentials, or financial data?
  • Attack surface — How many entry points could trigger the vulnerability?
  • Exploit availability — Is there a known exploit or PoC?

Higher scores indicate higher urgency. Use risk score to prioritize fixes when you have many findings.
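As an added example (not PrismSec's own code or API), the following triage helper is built on the finding fields, severity levels and merge policy defined above: it orders open findings by severity and then by risk score, and applies the rule that unresolved Critical findings block a merge while High findings additionally block a release. The Finding class, its field names and the sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Severity levels as defined on this page, most urgent first.
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

@dataclass
class Finding:
    """Hypothetical record mirroring the fields a finding carries."""
    location: str      # "file:line"
    category: str      # SAST, Secret, Dependency, or IaC
    severity: str      # Critical, High, Medium, or Low
    risk_score: int    # 0-100
    description: str
    resolved: bool = False

def validate(f: Finding) -> None:
    """Reject records that violate the documented value ranges."""
    if f.severity not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity {f.severity!r} at {f.location}")
    if not 0 <= f.risk_score <= 100:
        raise ValueError(f"risk score {f.risk_score} out of range at {f.location}")

def prioritize(findings: list[Finding]) -> list[Finding]:
    """Open findings, most urgent first: by severity, then by risk score."""
    open_findings = [f for f in findings if not f.resolved]
    for f in open_findings:
        validate(f)
    return sorted(open_findings,
                  key=lambda f: (SEVERITY_ORDER[f.severity], -f.risk_score))

def merge_gate(findings: list[Finding], release: bool = False) -> tuple[bool, list[str]]:
    """Apply the page's policy: unresolved Critical findings always block the
    merge; unresolved High findings additionally block a release build."""
    blocking = {"Critical"} | ({"High"} if release else set())
    reasons = [f"{f.severity} {f.category} at {f.location}: {f.description}"
               for f in prioritize(findings) if f.severity in blocking]
    return (len(reasons) == 0, reasons)

# Constructed sample findings (not real scan output).
SAMPLE = [
    Finding("app/db.py:42", "SAST", "Critical", 95, "SQL injection in query builder"),
    Finding("infra/iam.tf:7", "IaC", "Low", 20, "Overly permissive IAM role"),
    Finding("config/aws.yml:3", "Secret", "High", 88, "Exposed AWS credentials"),
    Finding("package.json:15", "Dependency", "Medium", 61, "Dependency with known CVE"),
    Finding("app/auth.py:10", "Secret", "Critical", 90, "Hardcoded admin password", resolved=True),
]
```

Calling `merge_gate(SAMPLE)` returns `(False, [...])` because the SQL injection finding is still open, while the resolved hardcoded password no longer counts.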

Fix PR

A fix PR (also called an auto-fix PR) is a pull request automatically created by PrismSec to remediate a finding. Fix PRs include:

  • Secure code changes that resolve the issue
  • A commit message explaining the fix
  • A link back to the original finding

Fix PRs are opened against the same branch as the original PR. Once you merge the fix, PrismSec re-scans and marks the finding as resolved.

Not all findings are auto-fixable. Complex issues (e.g., architectural flaws, business logic bugs) require manual remediation. PrismSec provides detailed recommendations to guide you.

Integration

An integration connects PrismSec to your development tools and workflows. Supported integrations include:

  • Git Providers — GitHub, GitLab, Bitbucket
  • CI/CD — GitHub Actions, GitLab CI, CircleCI, Jenkins
  • Notifications — Slack, Microsoft Teams, email
  • Ticketing — Jira, Linear

Integrations enable PrismSec to:

  • Automatically scan PRs
  • Post findings as comments
  • Send alerts to Slack
  • Create Jira tickets for critical findings

See Integrations to set up your first integration.

Next Steps

Now that you understand the core concepts, explore how PrismSec scans work in detail:

Or dive into specific capabilities: