AST Issues Overview


The Issues page is your central command center for monitoring the API risks that Traceable has identified through its security testing scans. If you are responsible for your organization's API security and want to view issues identified by AST scans, log in to Traceable and go to the Testing → Issues page. This page is the hub where all potential vulnerabilities and risky patterns found by the scans are listed.


What Will You Learn in This Topic?

By the end of this topic, you will understand:

  • What Issues are, and how Traceable detects and displays them.

  • The key components of the page, such as:

    • Visual charts for severity and status trends

    • Issue listings with column-level information

    • Grouping and Filtering options to organize and prioritize issues effectively

If you already have an understanding of these components and want to learn how you can drill down and manage an issue, see Issue Management.


What Are Issues and How Does Traceable Identify Them?

Issues are security gaps in your API definition that threat actors may exploit to attack your API infrastructure. Traceable identifies assets, that is, the API endpoints and services in your environment, through the discovery process in Catalog. Once they are identified, you can set up AST scans; based on the policy you select, Traceable detects issues and shows them on the Issues page. For information on setting up a scan and a policy, see Creating a Scan and Policies, respectively.

Note

Traceable does not scan APIs for issues while they are in the learning phase.


How is the Issues Page Helpful?

The Issues page provides a streamlined and intuitive experience to help you view issues, understand them in depth, conduct a risk assessment, and resolve them quickly. Even when you resolve an issue, Traceable continuously monitors the API endpoints as part of the scan. For more information, see Journey of an Issue.

Whether you are a security engineer, developer, or DevOps lead, Traceable gives you the visibility and control to secure your APIs effectively.


Understanding Issues

The Issues page is a centralized hub for visualizing all vulnerabilities detected in External and Internal APIs tested as part of the AST scans. It provides a comprehensive overview of open issues, including their severity and key details such as the last time they were seen. This dashboard provides a clear snapshot of the system’s security risks identified during API Security Testing, helping you investigate and prioritize their resolution efficiently. To view the Issues page, navigate to Testing → Issues.

For information on how to drill down into an issue, manage its status, remediate it, and the rules around resolution and deletion, see Issue Management.

Issue Severity

Traceable categorizes detected issues based on their criticality and impact on your application ecosystem. The following are the categories in descending order of severity:

  • Critical

  • High

  • Medium

  • Low

Key Components

The page contains key components that help you quickly assess and understand issues. Below are the main elements of the page and their significance:

Issues Key Components

Visual Insights

At the top of the page, Traceable shows the following charts:

| Chart | Description |
| --- | --- |
| Issues by Severity | Shows the count of issues by severity (Severity Breakdown). Click a severity to filter the results by it. |
| Issues by Status | Shows a trend of the open and resolved issues over the past 30 days. |

Collectively, the above charts provide an overview of your application’s security health and trends, based on which you can take the necessary actions.

Issue Listings

With the default grouping (Issue Name), each entry on the page represents a unique issue, and the columns provide the details listed below. If you wish to drill down into an issue and manage it individually according to your requirements, see Navigating the Issues Flow.

| Column | Description |
| --- | --- |
| Issue Name | Specifies the name of the issue, for example, Broken Object Level Authorization. This name is used across the Traceable platform for identification purposes. |
| Endpoint | Specifies the API or system endpoint where Traceable observed the issue, for example, PUT /identity/api/v2/user/videos/{video_id}. This helps you focus on which parts of the infrastructure are targeted and may require additional security. |
| Severity | Each issue carries a color-coded label: Low, Medium, High, or Critical, letting you gauge its impact and urgency. This lets you prioritize resolution by risk: high-severity issues may require immediate attention, while lower-severity issues can be addressed as part of routine maintenance. |
| Source | Displays the origin of the issue; for the issues on this page, the source is AST. |
| OWASP API Top 10 | Specifies the mapping to the OWASP API Top 10 security risks. This helps you understand and prioritize issues against an industry-recognized classification. |
| Last Seen | Specifies the most recent occurrence of the issue. This helps you determine whether the issue is still active, has reappeared, or is no longer a threat. |
| Status | Displays the current status of the issue. This serves as a communication medium to indicate whether or not an issue requires prioritization. For more information on the available statuses, see Issue Management. |
| Integrations | Displays the Jira icon, which lets you track an issue by creating a Jira ticket directly from the Traceable platform. Note: This icon is enabled only when you have configured the Jira integration. For more information, see Jira integration. |
| Actions | Enables you to re-test the issue. On clicking, Traceable shows a pop-up window where you can run a scan using the terminal or the platform. |

Grouping, Filtering, and Additional Options

By default, Traceable groups the issues on the page by their name; you can also group and filter them using the following criteria:

Group By

| Category | Description |
| --- | --- |
| Issue Name | Groups issues based on the specific issue. This helps you understand how widespread an issue is across environments and focus on resolving the most recurring issues. |
| Category | Groups issues based on broader classifications such as Authentication, Authorization, or JSON Web Token. This helps you analyze issues at a broader level, for example, which classes of issue are most common across the system. |
| OWASP API Top 10 | Groups issues based on their mapping to the OWASP API Top 10 categories. This helps you align your analysis with recognized industry standards. |
| API Endpoints | Groups issues based on the endpoints on which they were detected. This helps you analyze the risk exposure of each endpoint and prioritize resolution accordingly. |
| Owner | Groups issues based on the assigned owner of the API. This helps you direct issues to the right individual or team for faster and more effective resolution. For more information on ownership and its assignment, see API Ownership. |
| Label | Groups issues based on the labels assigned to APIs. This helps you assess and prioritize issues by business function, risk, or internal tagging conventions. |
| Domain | Groups issues based on the domain of the API where the issue was detected. This helps you assess and prioritize issues by the application area or team affected. |

To group the issues using any of the above criteria, use the Group by drop-down, as shown in the image above.

Filters

The filters help you narrow down the issues based on options such as status, severity, source, timestamp, or sensitivity, allowing you to analyze them more effectively. To filter the issues based on your requirements, use the Filter icon, as shown in the image above. After applying a filter, you can also save it for later use. Saved filters are visible under the Filter icon → Saved tab.

For information on managing issues based on the above groups and filters, see Issue Management.

Additional Options

Apart from the above options, Traceable also provides the following features on the page:

  • Search bar — Locate an issue by typing its name.

  • Visualization toggle — Show or hide the visual insight section on the page.

  • Download icon — Download the issue listings on the page for offline analysis.
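As an added example (not Traceable code), the following Python script applies the grouping, filtering, and severity ideas above to an issue listing downloaded for offline analysis. The export format is an assumption: one row per issue with the columns from the Issue Listings table, and the sample rows are constructed.

```python
"""Offline triage of an AST issue listing downloaded from the Issues page.
Added example, not Traceable code. The export format (one row per issue with
the Issue Listings columns) and the sample rows below are constructed."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Severity ranking used on the Issues page, most critical first.
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed sample export (not real Traceable output).
SAMPLE_CSV = """\
Issue Name,Endpoint,Severity,Source,OWASP API Top 10,Last Seen,Status
Broken Object Level Authorization,PUT /identity/api/v2/user/videos/{video_id},Critical,AST,API1:2023,2024-05-01T10:00:00Z,Open
Broken Object Level Authorization,GET /identity/api/v2/user/videos/{video_id},Critical,AST,API1:2023,2024-04-01T09:00:00Z,Resolved
Missing Rate Limiting,POST /identity/api/auth/login,Medium,AST,API4:2023,2024-05-02T08:30:00Z,Open
JWT Algorithm Confusion,POST /identity/api/auth/login,High,AST,API2:2023,2024-05-02T08:31:00Z,Open
"""

def load_issues(text):
    """Parse the exported listing into one dict per issue row."""
    return list(csv.DictReader(io.StringIO(text)))

def severity_breakdown(issues, status="Open"):
    """Count issues per severity for one status, like the Issues by Severity chart."""
    return Counter(i["Severity"] for i in issues if i["Status"] == status)

def group_by(issues, column):
    """Group rows by a column such as Issue Name, Endpoint or OWASP API Top 10."""
    groups = defaultdict(list)
    for issue in issues:
        groups[issue[column]].append(issue)
    return dict(groups)

def triage_queue(issues, min_severity="High", seen_within_days=30, now=None):
    """Open issues at or above min_severity that were seen recently, most severe first."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=seen_within_days)
    picked = []
    for issue in issues:
        last_seen = datetime.fromisoformat(issue["Last Seen"].replace("Z", "+00:00"))
        if (issue["Status"] == "Open"
                and SEVERITY_ORDER[issue["Severity"]] <= SEVERITY_ORDER[min_severity]
                and last_seen >= cutoff):
            picked.append(issue)
    return sorted(picked, key=lambda i: (SEVERITY_ORDER[i["Severity"]], i["Endpoint"]))
```

Because Last Seen is filtered against the current time, widen seen_within_days when re-running the script on an old export.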