Because Gecko only surfaces high-confidence, proven findings, triage is mostly about deciding how to fix, not whether something is real. Each finding arrives with a call chain, a CVSS score, a proof of concept, and a patch.

The finding drawer

Open any finding to see everything you need to act:
Tab | Contents
Overview | Severity, confidence, CWE, file path, description, and CVSS rationale.
Fix | The AI-generated patch and a button to open a fix PR.
Exploit | The proof of concept demonstrating the issue.
CVSS | The full CVSS 4.0 breakdown.
Activity | Status-change history with timestamps.

Remediation workflow

1. Open the finding and read the chain

The source-to-sink chain and the primary vulnerable step tell you exactly why the path is exploitable. Validate it against your environment.

2. Decide the disposition

Set the status: keep it Open, move to In progress, or mark Accepted risk (optionally with an expiry) or False positive if it doesn’t apply.

3. Fix the root cause

Apply the suggested patch or write your own. Prefer removing the unsafe pattern over hiding the symptom. Use auto-fix PRs to ship the patch in one click.

4. Track the work where your team lives

Create a Jira, Linear, ClickUp, or Shortcut ticket, or get a Slack nudge, so remediation lands in your normal flow.

5. Verify with a rescan

When the fix merges, Gecko rechecks the finding and marks it Fix verified once the vulnerability is gone. That’s the proof it’s actually resolved.

Prioritize by impact

Start with the worst paths

Triage auth bypass, exposed secrets, remote code execution, SSRF, and broad data exposure first. Severity and confidence are shown on every finding, so sort by them.

Filter to what's actionable

Filter the vulnerability table by status, severity, type, repository, branch, age, or date to build a focused worklist.

Use bulk actions

Select multiple findings to change status or dismiss in bulk.

Make it routine

The best teams treat remediation as a repeatable loop, not an exception.
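The status dispositions from the remediation workflow and the prioritization rules in this section can be expressed as a small triage model. The following is an added example, not Gecko's own code or API: it assumes a finding carries a category label, a CVSS 4.0 score, a confidence value and a status, and that an Accepted risk disposition with a lapsed expiry becomes actionable again. The category names, status names and sample findings are constructed for the example.

```python
"""Added example (not Gecko's code or API): a triage model that applies
status dispositions with an optional accepted-risk expiry, then builds a
worklist ordered by impact category, severity and confidence.
Field names, status names and category labels are assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Constructed impact ordering: the worst paths are triaged first.
IMPACT_RANK = {
    "auth-bypass": 0,
    "secret-exposure": 0,
    "remote-code-execution": 0,
    "ssrf": 1,
    "data-exposure": 1,
}
DEFAULT_RANK = 2  # anything not listed above

# Statuses that still need work; accepted risk and false positive drop out.
ACTIONABLE = {"open", "in-progress"}

# Allowed status transitions, assumed for this example.
TRANSITIONS = {
    "open": {"in-progress", "accepted-risk", "false-positive", "fix-verified"},
    "in-progress": {"open", "accepted-risk", "false-positive", "fix-verified"},
    "accepted-risk": {"open"},
    "false-positive": {"open"},
    "fix-verified": {"open"},  # a rescan that finds the issue again reopens it
}


@dataclass
class Finding:
    id: str
    category: str
    cvss: float                 # CVSS 4.0 base score, 0.0-10.0
    confidence: float           # 0.0-1.0
    status: str = "open"
    accepted_until: Optional[date] = None
    history: List[Tuple[str, str, str]] = field(default_factory=list)


def set_status(f: Finding, new_status: str, today: date,
               expires: Optional[date] = None) -> Finding:
    """Apply a disposition and record it in the activity history.
    Accepted risk may carry an expiry date; other statuses clear it."""
    if new_status not in TRANSITIONS[f.status]:
        raise ValueError(f"{f.id}: cannot move {f.status} -> {new_status}")
    f.history.append((today.isoformat(), f.status, new_status))
    f.status = new_status
    f.accepted_until = expires if new_status == "accepted-risk" else None
    return f


def effective_status(f: Finding, today: date) -> str:
    """An accepted-risk finding whose expiry has passed is actionable again."""
    if f.status == "accepted-risk" and f.accepted_until and today >= f.accepted_until:
        return "open"
    return f.status


def worklist(findings: List[Finding], today: date) -> List[Finding]:
    """Keep only actionable findings, ordered by impact rank, then CVSS
    (highest first), then confidence (highest first)."""
    active = [f for f in findings if effective_status(f, today) in ACTIONABLE]
    return sorted(active, key=lambda f: (IMPACT_RANK.get(f.category, DEFAULT_RANK),
                                         -f.cvss, -f.confidence))


# Constructed sample findings for the demo below.
SAMPLE = [
    Finding("F-1", "ssrf", 8.7, 0.95),
    Finding("F-2", "auth-bypass", 7.1, 0.90),
    Finding("F-3", "path-traversal", 9.3, 0.99),
    Finding("F-4", "secret-exposure", 8.2, 0.97, status="false-positive"),
    Finding("F-5", "data-exposure", 6.9, 0.85, status="accepted-risk",
            accepted_until=date(2024, 1, 1)),
]


def demo(today_iso: str = "2024-06-01") -> List[str]:
    """Worklist IDs for the sample findings as of the given date."""
    return [f.id for f in worklist(SAMPLE, date.fromisoformat(today_iso))]


def lifecycle_demo() -> List[Tuple[str, str, str]]:
    """Walk one finding open -> in progress -> fix verified, and confirm that
    an invalid transition (fix-verified -> accepted-risk) is rejected."""
    f = Finding("T-1", "ssrf", 5.0, 0.9)
    set_status(f, "in-progress", date(2024, 6, 1))
    set_status(f, "fix-verified", date(2024, 6, 2))
    try:
        set_status(f, "accepted-risk", date(2024, 6, 3))
        raise AssertionError("invalid transition was accepted")
    except ValueError:
        pass
    return f.history


if __name__ == "__main__":
    print(demo())          # F-2 first (auth bypass), then ssrf/data exposure by CVSS
    print(lifecycle_demo())
```

Note that F-4 (false positive) never reaches the worklist, while F-5 returns to it once its accepted-risk expiry has passed; the ranking puts the auth-bypass finding ahead of a higher-CVSS path traversal because impact category is the first sort key, which is the page's "start with the worst paths" rule.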

Status, severity, and false positives

See Findings for the full status lifecycle, the confidence and false-positive scoring model, and how de-duplication keeps a finding tracked over time instead of reappearing on every scan.