Skip to content

Findings triage

A practical workflow for working through your findings list. Aim to hit "Inbox Zero" once a week on the active findings.

Filter to what matters

The Findings page has filters across the top. The defaults show everything; narrow down with:

  • Status — start with active only.
  • Validationvalid first (live keys), then unvalidated (we couldn't auto-test).
  • Min score — set to 70 to focus on high-confidence matches.
  • Source typerepo, commit, endpoint, js_bundle, gist.
  • Tag — if you've added tags, filter by them.
  • Search — full-text across source URL, file path, and repo name.

Filter state is encoded in the URL — bookmark common views (e.g. "valid + score ≥ 80" for daily triage).

The four resolutions

Every active finding goes one of four ways:

Resolve

You rotated/revoked the credential. The key is dead.

  1. Click Resolve.
  2. Optionally add a resolution note (e.g. "Rotated AWS IAM key, removed from commit, force-pushed").
  3. Click Confirm.

If a webhook is configured, a finding.resolved event fires. If the key is in multiple places, the "Also found at" card on the detail page lists siblings — resolve them in the same session.

Suppress

The exposure is acceptable risk for now. Common reasons: test fixtures, intentionally public sandbox keys, throwaway dev environments.

  • Useful for one-off cases.
  • For recurring cases (e.g. "ignore everything under test/fixtures/"), use a suppression rule instead so future scans don't re-surface them.

False positive

Our detector matched a string that isn't actually a credential. The most common causes:

  • Documentation snippets ("Use sk-… as your key" in a README)
  • Examples in source code comments
  • Hex strings that look like API keys but are checksums/hashes

Marking a finding as false positive prevents future re-flagging at the same exact location.

Restrict

The credential is real and exposed, but its blast radius is limited:

  • An AWS IAM key with no permissions (just sts:GetCallerIdentity)
  • A Stripe restricted key with read-only scope
  • A key explicitly IP-restricted to your office VPN

Mark it customer_restricted. The finding is closed but the original exposure is acknowledged.

Tags

Add freeform short labels to a finding to group it. Useful patterns:

  • q2-audit — track findings discovered during a quarterly review.
  • client-x — for agencies, group findings by their downstream customer.
  • compliance-required — flag findings that need formal documentation for an auditor.

Tags are searchable from the filter bar (click a tag pill on any finding to filter by it).

Credential names

If the same credential appears in many places, give it a human name from the finding detail page:

  1. Click Name this credential.
  2. Enter something descriptive: "Prod AWS deployer", "Stripe Live key (legacy)".

The name propagates to every finding sharing that credential's hash, across the whole account. When you resolve any one finding, the name reminds you to also rotate at the other locations.

Analyst notes

Separate from resolution_note, every finding has an analyst note field that's editable at any time. Use it for in-progress investigation context:

  • "Owner: payments team — slacked Jamie 2025-05-21"
  • "Confirmed unused in CloudTrail since 2024-01"
  • "Will resolve after Stripe migration ships"

The note is private to your account and visible to all your team members.

Bulk actions

Currently CredWatch processes one finding at a time. If you need to bulk-resolve or bulk-suppress, use the API (POST /api/v1/findings/{id}/suppress or /resolve) in a small script.

When new findings appear

After every scan, new findings are added to the list. Two things happen automatically:

  • Validation worker tests the credential against the issuing service (usually within 60 seconds).
  • Alert dispatcher decides whether the finding warrants an immediate alert.

You don't need to refresh manually — the dashboard's New (last 7 days) counter and the trend chart update on each page load.

Recheck validity

If you've rotated a key and want CredWatch to confirm it's dead right now (instead of waiting for the next scan), open the finding detail page and click Recheck. This re-runs the validator and updates validation_status within a minute.

If validation_status flips from valid to invalid, the next scan will auto-resolve the finding.