Infrastructure as Code (IaC) Tool Mapping
The tables below show the severity and triage status mappings for all of the IaC tools that are supported by Software Risk Manager.
Tools are listed alphabetically. Tool results are mapped to the Software Risk Manager status shown at the top of each column. (A blank cell indicates that an equivalent status value is unavailable or undefined.)
Severity Mapping
| IaC Tool | Critical | High | Medium | Low | Info | Unspecified |
|---|---|---|---|---|---|---|
| Checkmarx One (IaC) | CRITICAL | HIGH | MEDIUM | LOW | INFO | |
| Checkov | CRITICAL | HIGH | MEDIUM | LOW | ||
| Orca Security | CRITICAL | HIGH | MEDIUM | LOW | INFO |
Triage Status Mapping
| IaC Tool | Ignored | False Positive | To Be Fixed | Mitigated | Fixed | Reopened |
|---|---|---|---|---|---|---|
| Checkmarx One (IaC) | NOT_EXPLOITABLE; PROPOSED_NOT_EXPLOITABLE | URGENT; CONFIRMED | ||||
| Checkov | ||||||
| Orca Security |
For SRM Triage Status definitions, click here.