Findings & accepting risk
A finding is a single issue Vortex surfaced — for example, a missing security header or an injectable parameter. Findings are grouped on the report so related issues sit together; open a group, then open an individual finding to work with it.
Inside a finding
Open a finding to see:
- The affected location — where the issue was found.
- The evidence Vortex collected to support the finding.
- The severity and any related guidance.
From here you choose what happens next. Every finding offers the same set of actions.
Per-finding actions
| Action | What it does | Notes |
|---|---|---|
| Fix with AI | Generates a code fix and opens a pull request in your connected repo | Requires a connected version-control integration; consumes a remediation credit |
| Accept risk | Formally records a decision not to fix it now | Keeps the finding out of the active remediation pipeline |
| Create Jira ticket | Hands the finding to your Jira project | Available for a single finding or in bulk for a group; may be plan-gated |
For the full remediation walkthrough, see AI remediation. To connect a tracker, see Jira.
Accepting a risk
Sometimes a finding isn’t worth fixing right now — it’s a known trade-off, a false positive in your context, or scheduled for a later release. Instead of ignoring it, accept the risk so the decision is recorded and auditable.
When you accept a risk you record:
- A reason explaining the decision.
- Optionally, an expiration date, so the acceptance lapses and the finding comes back into view for review.
- Optionally, a supporting document for evidence or sign-off.
Accepted findings are kept out of the active remediation pipeline so they don’t clutter your triage, but they remain on record. See Accepted risks for how acceptances are tracked and reviewed across your organization.
Bulk actions on a group
When a whole group of findings shares the same root cause, you can act on it as a unit — for example, Create Jira ticket for the group, or trigger an AI fix that addresses the group together. This keeps related work from fragmenting into dozens of tickets or pull requests.