Findings & Evidence

A finding is a confirmed vulnerability discovered during an audit. WithGiga’s defining principle: GigaOps only emits findings on confirmed compromise or exposure — not theoretical issues, not “potential” weaknesses, not unverified scanner output.

Finding structure

Every finding includes:

Field           Description
id              Unique identifier within the audit
title           Plain-English summary
description     Detailed explanation of what’s wrong and why it matters
severity        Critical / High / Medium / Low / Informational
category        Class of issue (e.g., auth_bypass, sqli, exposed_credential)
evidence        Raw output proving the finding — shell session, request/response, dumped data
recommendation  How to remediate
screenshot      Visual capture at the moment of discovery
discoveredAt    Timestamp

Severity levels

Severity       Score impact   Examples
Critical       −30 pts        Confirmed RCE, authentication bypass, exposed admin panel without auth, leaked production credentials
High           −15 pts        SQLi with data extraction, stored XSS, privilege escalation, exposed sensitive PII
Medium         −8 pts         Reflected XSS, IDOR with limited impact, CSRF on state-changing endpoints, weak TLS
Low            −3 pts         Information disclosure, missing security headers, verbose errors, version disclosure
Informational  0 pts          Observed configuration choices, hardening opportunities, no impact

See Security Score for how these compose into the letter grade.

Evidence

Evidence is what separates confirmed findings from scanner output. Every finding includes the raw artifact that proves the vulnerability exists.

What evidence looks like

For an authentication bypass, evidence might be:
$ curl -i https://admin.acme.example.com/api/users \
    -H 'X-Forwarded-For: 127.0.0.1'

HTTP/2 200
content-type: application/json

[
  {"id": 1, "email": "ceo@acme.example.com", "role": "admin"},
  {"id": 2, "email": "cfo@acme.example.com", "role": "admin"},
  ...
]

For a SQL injection finding:

sqlmap -u 'https://acme.example.com/search?q=foo' --batch --dump

Database: app_production
Table: users
[247 entries]
+----+----------------------+-----------+
| id | email                | password  |
+----+----------------------+-----------+
| 1  | alice@acme.com       | $2b$10... |
...

This is what auditors, customers, and engineering leads will see in the PDF report. There’s no ambiguity.

Browsing findings

From the dashboard

  • Per audit — open an audit to see all its findings, filterable by severity
  • Across the workspace — the Findings view aggregates every finding across all audits in the workspace
  • Across workspaces — the global findings page (top-level Findings) aggregates everything

From the API

# All findings for an audit
curl https://api.withgiga.ai/api/workspaces/{workspaceId}/audits/{auditId} \
  -H "Authorization: Bearer $GIGA_API_KEY"

# Just the structured report
curl https://api.withgiga.ai/api/workspaces/{workspaceId}/audits/{auditId}/report \
  -H "Authorization: Bearer $GIGA_API_KEY"

Verifying remediation

To verify a finding is remediated:
  1. Apply the fix
  2. Re-run an audit against the same target (typically Shallow is enough)
  3. Confirm the finding is no longer present
  4. Compare the asciinema recordings before/after for full transparency
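A small Python helper, added here as an example and not part of WithGiga's own tooling, that applies the score impacts from the severity table above and checks step 3 by diffing the findings of two audits of the same target. The sample findings are constructed, the `version_disclosure` category name is an assumption, and the real API response envelope is not modelled: the functions take a plain list of finding objects carrying the fields from the finding structure table.

```python
import json

# Score impact per severity, taken from the severity table on this page.
SCORE_IMPACT = {"Critical": -30, "High": -15, "Medium": -8, "Low": -3,
                "Informational": 0}

def score_impact(findings):
    """Sum the per-severity score impact over a list of finding records."""
    total = 0
    for f in findings:
        if f["severity"] not in SCORE_IMPACT:
            raise ValueError(f"finding {f['id']}: unknown severity {f['severity']!r}")
        total += SCORE_IMPACT[f["severity"]]
    return total

def finding_key(f):
    """Identity of a finding across audits. The id is unique only within one
    audit, so a re-run cannot be matched on it; use category plus title."""
    return (f["category"], f["title"])

def remediation_diff(before, after):
    """Compare two audits of the same target: (fixed, still_open, new)."""
    b = {finding_key(f) for f in before}
    a = {finding_key(f) for f in after}
    return b - a, b & a, a - b

# Constructed sample findings (only the fields this script reads are included).
BEFORE = json.loads("""[
 {"id": "f-1", "title": "Admin API reachable without authentication",
  "severity": "Critical", "category": "auth_bypass"},
 {"id": "f-2", "title": "Search endpoint vulnerable to SQL injection",
  "severity": "High", "category": "sqli"},
 {"id": "f-3", "title": "Server version disclosed in response headers",
  "severity": "Low", "category": "version_disclosure"}
]""")
# Constructed re-run after the authentication fix; ids are reassigned per audit.
AFTER = json.loads("""[
 {"id": "f-1", "title": "Search endpoint vulnerable to SQL injection",
  "severity": "High", "category": "sqli"},
 {"id": "f-2", "title": "Server version disclosed in response headers",
  "severity": "Low", "category": "version_disclosure"}
]""")

if __name__ == "__main__":
    fixed, still_open, new = remediation_diff(BEFORE, AFTER)
    print("fixed:", sorted(fixed))
    print("still open:", sorted(still_open))
    print("new:", sorted(new))
    print("score impact:", score_impact(BEFORE), "->", score_impact(AFTER))
```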

Next steps

Reports & Recordings

PDF export and full session replay.

Security Score

How findings compose into a letter grade.