SecOps Workbench · Sprint 7 · Day 8/10

Security Intake

Findings from all sources · agent triaged each one · pick what becomes sprint work

Workflow: 1 Scan → 2 Triage → 3 You pick → 4 Sprint → 5 Fixing → 6 Verified
Triage Agent analysis · Sprint 8 candidates · 4m ago

Of 21 new findings from last night's ingest, I can fix 14 alone, 3 need your review, and 4 are too complex for a security-only fix. Recommend 14 issues for Sprint 8 (~42h agent work) — fits your historical capacity. The 4 too-complex items should become engineering tickets.

21 new findings · 14 can fix · 3 need review · 4 too complex

Source health

Last full sync: 4 minutes ago

Source           Host                    Status    New               Critical / reopened   Open total   Readiness             Synced
Fortify SSC      fortify.company.com     Healthy   14 new findings   3 critical            47           11/14 has playbook    8h ago
Sonatype (SCA)   nexus.company.com       Healthy   5 new CVEs        2 critical            17           100% source mapped    1h ago
Jira             company.atlassian.net   Issues    3 new tickets     1 reopened            12           98% owner mapped      4m ago
GitLab           gitlab.company.com      Healthy   2 new findings    0 critical            8            100% owner mapped     12m ago
1 readiness blocker · Jira ticket SEC-1753 is missing CWE classification — agent will skip until classified.

Findings awaiting selection
SQL injection in OrderRepository.findByCustomer
  Fortify FOR-5201 · order-service · CWE-89
  Critical · Easy · ~2h · Can fix (agent recommends ~2h)
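The CWE-89 pattern behind a finding like FOR-5201, shown as an added example rather than order-service's actual code: a repository method that splices the customer id into the statement text, beside the parameterized form the "Can fix" playbook would produce. The table name `orders`, its columns, the `Connection` being supplied by the caller and the sample payload are all assumptions made for the illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not order-service code. Schema (orders.id, orders.total,
 * orders.customer_id) is assumed for the illustration.
 */
public final class OrderRepositoryExample {

    /** The statement text the vulnerable variant actually sends. */
    static String buildVulnerableSql(String customerId) {
        // Caller-controlled text becomes part of the SQL grammar: a single quote
        // in customerId closes the literal and the rest is parsed as SQL.
        return "SELECT id, total FROM orders WHERE customer_id = '" + customerId + "'";
    }

    /** Vulnerable: Statement + string concatenation (CWE-89). */
    static List<Long> findByCustomerVulnerable(Connection conn, String customerId) throws SQLException {
        List<Long> ids = new ArrayList<>();
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(buildVulnerableSql(customerId))) {
            while (rs.next()) {
                ids.add(rs.getLong("id"));
            }
        }
        return ids;
    }

    /** Fixed: constant statement text, customerId bound as a parameter. */
    static List<Long> findByCustomer(Connection conn, String customerId) throws SQLException {
        List<Long> ids = new ArrayList<>();
        String sql = "SELECT id, total FROM orders WHERE customer_id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            // The driver transmits the value separately from the statement text,
            // so no quoting or escaping of customerId is needed or possible to defeat.
            ps.setString(1, customerId);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    ids.add(rs.getLong("id"));
                }
            }
        }
        return ids;
    }

    public static void main(String[] args) {
        // Constructed input: shows how concatenation lets the caller change query structure.
        String normal = "C-1001";
        String payload = "x' OR '1'='1";
        System.out.println("vulnerable, normal input : " + buildVulnerableSql(normal));
        System.out.println("vulnerable, payload      : " + buildVulnerableSql(payload));
        System.out.println("fixed, any input         : SELECT id, total FROM orders WHERE customer_id = ?  [param bound separately]");
    }
}
```

If the repository is a Spring Data interface, a derived `findByCustomer(...)` method is already parameterized; the finding implies a hand-built query, and the same rule applies there: use `?` or `:customer` placeholders in `@Query` or `EntityManager.createQuery(...).setParameter(...)` rather than concatenating into JPQL or native SQL.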
Hardcoded secret in NotificationConfig.smtpPassword
  GitLab GL-SEC-2841 · notification-service · CWE-798
  High · Easy · ~1h · Can fix (agent recommends ~1h)
Critical CVE in spring-core 5.3.18 — upgrade to 5.3.27
  Sonatype CVE-2023-20861 · order-service · CVSS 7.5 (High band)
  Critical · Easy · ~1h · Can fix (agent recommends ~1h)
Weak MD5 hash in legacy auth token generator
  Fortify FOR-5198 · auth-service · CWE-327
  High · Med · ~4h · Can fix (agent recommends ~4h)
Missing CSRF token on /api/admin/* endpoints
  Fortify FOR-5194 · admin-portal · CWE-352
  Med · Easy · ~2h · Can fix (agent recommends ~2h)
Insecure deserialization in SOAP message handler
  Fortify FOR-5196 · integration-service · CWE-502
  Critical · Hard · ~8h · Needs review (agent recommends ~8h)
XSS in legacy JSP report viewer (14 input fields, 6 JSPs)
  Fortify FOR-5193 · admin-portal · CWE-79
  High · Too complex · Can't fix
  Triage says: JSPs are being phased out company-wide. Same XSS pattern exists in 6 JSPs across admin-portal. Output-encoding all 14 fields is symptom-only and recurs on every edit. Recommend converting to engineering epic: migrate to Thymeleaf.
  → Engineering epic
Session fixation across 4 controllers (UserAuth, AdminAuth, ApiKey, Sso)
  Fortify FOR-5187 · user-service · CWE-384
  Critical · Too complex · Can't fix
  Triage says: Touches session-management architecture across 4 entry points. Each has different identity sources. Fix requires design review with the platform team — patching each in isolation risks breaking SSO.
  → Design review
Path traversal — 8 file-upload handlers in reporting-service
  Fortify FOR-5184 · reporting-service · CWE-22
  High · Too complex · Can't fix
  Triage says: Same vulnerability pattern in 8+ handlers — endemic in this service. Per your policy (max 5 same-pattern files), this becomes a refactor epic: introduce a shared SafeFileResolver utility instead of patching each handler.
  → Refactor epic
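What a shared resolver of the kind the triage note proposes would look like, as an added example and not reporting-service's code: one place that turns a caller-supplied name into a path inside the upload directory and rejects anything that escapes it, so the eight handlers call it instead of each re-implementing the check. The class name `SafeFileResolver`, the base directory `/var/app/uploads` and the sample filenames are assumptions for the illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

/**
 * Added example, not reporting-service code. Resolves user-supplied file names
 * against a fixed base directory and refuses any result outside it (CWE-22).
 */
public final class SafeFileResolver {
    private final Path baseDir;

    public SafeFileResolver(Path baseDir) {
        // Absolute + normalized so the containment check below compares like with like.
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    /** Returns the path for userSupplied inside baseDir, or throws if it would escape. */
    public Path resolve(String userSupplied) {
        if (userSupplied == null || userSupplied.isEmpty()) {
            throw new IllegalArgumentException("empty filename");
        }
        // NUL bytes: native file APIs further down truncate at NUL, so reject outright.
        if (userSupplied.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid character in filename");
        }
        // resolve() drops baseDir entirely when userSupplied is absolute;
        // normalize() collapses "." and ".." segments.
        Path candidate = baseDir.resolve(userSupplied).normalize();
        // Path.startsWith compares whole path elements, not string prefixes, so
        // "/var/app/uploads-evil" does not pass for base "/var/app/uploads".
        if (!candidate.startsWith(baseDir) || candidate.equals(baseDir)) {
            throw new SecurityException("path escapes upload directory: " + userSupplied);
        }
        return candidate;
    }

    public static void main(String[] args) {
        SafeFileResolver resolver = new SafeFileResolver(Paths.get("/var/app/uploads"));
        // Constructed sample inputs: two legitimate names, three traversal attempts.
        List<String> samples = List.of(
                "report.pdf",
                "2024/q1/report.pdf",
                "../../etc/passwd",
                "/etc/passwd",
                "a/../../b.txt");
        for (String name : samples) {
            try {
                System.out.println("OK   " + name + " -> " + resolver.resolve(name));
            } catch (RuntimeException e) {
                System.out.println("DENY " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Two caveats for the refactor: `normalize()` is purely lexical, so if the upload directory can contain symlinks, resolve the candidate with `toRealPath()` (which requires the file to exist) before the `startsWith` check; and the utility only helps if every handler is routed through it, which is exactly the review point the "max 5 same-pattern files" policy is meant to force.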
XML external entity in legacy SOAP endpoint
  Fortify FOR-5183 · integration-service · CWE-611
  Med · Med · ~4h · No playbook yet
  → Defer · draft playbook
6 selected · ~18h agent work · 3 too-complex items will become engineering tickets · fits Sprint 8 capacity (40h)