Findings & secrets

The Vulnerabilities page is where you triage what Pilot’s scanners found. It has two tabs:

  • Scanner — Nuclei vulnerability findings (CVEs, exposed admin panels, misconfigurations).
  • Secrets — leaked credentials recovered from crawled pages, JavaScript bundles, and connected repos.

Both are verified data — Pilot saw it. The hypothetical “what could go wrong” scenarios live elsewhere (Attack Graph → What-if and SaaS Matrix chains).

Nuclei findings

Nuclei is the template-based vulnerability scanner Pilot runs against your targets. Each match is a finding: a template that fired against a specific host, with severity, evidence, and a CVE id when applicable.

The list is filterable by severity, by template, by host, by CVE, and by company scope. Each row shows the matched-at value — the URL or parameter where the template fired — so you can re-test manually.

Severities follow Nuclei’s standard ladder: critical → high → medium → low → info. The home dashboard’s “What’s urgent” panel shows only critical + high.

Running a scan

From the Vulnerabilities page, Active → Launch:

  1. Pick the targets to scan (or use the search filter to multi-select).
  2. Choose Scan power (Small / Medium / Large) — controls how much compute the scan gets. Small is fine for first runs and small target sets.
  3. Click Start Scan. The job queues, then runs in the background. Toast notifications fire when it completes.

You can dispatch many scans in parallel; Pilot serialises them when capacity is constrained and auto-dispatches the next as a slot frees.

Secrets

The Secrets tab lists pattern matches — strings that look like credentials. Pilot’s pattern catalogue covers AWS / GCP / Azure keys, GitHub tokens, Slack tokens, Stripe live keys, Twilio SIDs, database DSNs, JWTs, and many SaaS-specific formats.

Every match carries:

  • Pattern id (e.g. aws_access_key, slack_bot_token, stripe_live_sk).
  • Source — URL of the crawled page, JS bundle, or repo file the match came from.
  • Triage verdict — what Pilot’s automated triage decided.

Triage verdicts

Most “secret matches” in real-world crawl data are false positives — third-party JS minification artefacts, build hashes, CSS class mangles, test fixtures. Pilot’s secondary triage pass tags each match with one of:

  • unverified — not yet triaged.
  • probable_fp — confidently a false positive (obfuscated JS, build artefact, etc.). Hidden from the default Secrets list view; surface via the filter.
  • public_by_design — a real value that’s intentionally public (e.g. Stripe publishable keys, public Algolia search keys, OAuth client ids without secrets). Useful to track but not an exposure.
  • real_secret — high-confidence true positive. These are the ones to act on.

The headline number Pilot reports — and the agent quotes when asked about leaked-secret exposure — is the real-secret count, not the raw pattern-match count. So “50 matches, all triaged as false positives” is the honest summary; reporting “50 leaked secrets” would be alarmist and wrong.
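The verdict scheme and the headline count above can be expressed as a small triage pass. The code below is an added example, not Pilot's triage code: the `SecretMatch` record, the `stripe_publishable` pattern id, the heuristics (minified bundles and test-fixture paths count as probable false positives, Stripe `pk_` keys are public by design, Stripe `sk_live_` and AWS `AKIA` material is treated as real), and the sample matches are all constructed for illustration. The AWS value is the placeholder key AWS uses in its own documentation.

```python
"""Secret-match triage in the spirit of Pilot's verdict scheme (added example)."""
from collections import Counter
from dataclasses import dataclass, replace

VERDICTS = ("unverified", "probable_fp", "public_by_design", "real_secret")


@dataclass
class SecretMatch:
    pattern_id: str          # e.g. aws_access_key, slack_bot_token, stripe_live_sk
    source: str              # URL of the page / bundle / repo file the match came from
    value: str               # the matched string
    verdict: str = "unverified"
    manual_override: bool = False   # a human flipped the verdict; triage must leave it alone


def triage(match: SecretMatch) -> str:
    """Assign one verdict. Order matters: overrides win, then cheap structural checks."""
    if match.manual_override:
        return match.verdict
    src = match.source.lower()
    # Assumed heuristic: matches inside minified bundles or test fixtures are
    # usually build hashes or fixture data rather than live credentials.
    if src.endswith(".min.js") or "/test/" in src or "/fixtures/" in src:
        return "probable_fp"
    # Stripe publishable keys (pk_live_ / pk_test_) are meant to ship to browsers.
    if match.pattern_id == "stripe_publishable" and match.value.startswith(("pk_live_", "pk_test_")):
        return "public_by_design"
    # Stripe secret keys and long-lived AWS access key ids (AKIA...) are never legitimately public.
    if match.pattern_id == "stripe_live_sk" and match.value.startswith("sk_live_"):
        return "real_secret"
    if match.pattern_id == "aws_access_key" and match.value.startswith("AKIA"):
        return "real_secret"
    return "unverified"


def triage_all(matches):
    """Return new records with verdicts filled in (inputs are left untouched)."""
    return [replace(m, verdict=triage(m)) for m in matches]


def default_view(matches):
    """The default Secrets list hides probable_fp; the filter surfaces them again."""
    return [m for m in matches if m.verdict != "probable_fp"]


def headline_summary(matches):
    """The number to quote is the real-secret count, never the raw match count."""
    counts = Counter(m.verdict for m in matches)
    return {
        "raw_matches": len(matches),
        "real_secrets": counts["real_secret"],
        "by_verdict": dict(counts),
    }


# Constructed sample matches; sources and values are placeholders.
SAMPLE_MATCHES = [
    SecretMatch("aws_access_key", "https://app.example.com/static/vendor.min.js", "AKIAIOSFODNN7EXAMPLE"),
    SecretMatch("stripe_publishable", "https://shop.example.com/checkout.js", "pk_live_EXAMPLEEXAMPLE"),
    SecretMatch("stripe_live_sk", "github.com/example-org/api/config/prod.env", "sk_live_EXAMPLEEXAMPLE"),
    SecretMatch("slack_bot_token", "https://app.example.com/static/app.js", "xoxb-EXAMPLE"),
    SecretMatch("aws_access_key", "github.com/example-org/api/test/fixtures.json", "AKIAIOSFODNN7EXAMPLE"),
]

if __name__ == "__main__":
    triaged = triage_all(SAMPLE_MATCHES)
    for m in triaged:
        print(f"{m.verdict:<17} {m.pattern_id:<20} {m.source}")
    print(headline_summary(triaged))
```

Running it on the constructed sample yields five raw matches but one real secret (the `sk_live_` value in a repo config file), which is the number to report; the two `.min.js` / fixture hits drop out of the default view, and the publishable key is tracked but not counted as an exposure.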

Where to dig in

  • A critical CVE with a CVSS ≥ 9.0 on a public host → triage now.
  • A high-severity finding with a CVE id → check whether the template asserts the CVE conditions or just fingerprints the version (Nuclei templates vary). Confirm before escalating.
  • A real_secret match in a public source → rotate the credential first, then investigate scope of exposure.
  • A probable_fp match with surprising context → flip the verdict manually if Pilot’s triage was wrong. The change is per-customer and persists.
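The first two rules above (critical with CVSS ≥ 9.0 on a public host, high-severity with a CVE id needing confirmation) can be applied mechanically to a Nuclei export before anyone opens the UI. The block below is an added example, not Pilot's code. It assumes the records have the shape of Nuclei's JSONL output (`template-id`, `host`, `matched-at`, `info.severity`, `info.classification.cve-id` and `cvss-score`); the sample lines, the `CVE-0000-…` ids and the `PUBLIC_HOSTS` set are constructed placeholders, not real findings or scope data.

```python
"""Bucket Nuclei findings by the 'Where to dig in' rules (added example)."""
import json

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}

# Constructed sample export in the shape of `nuclei -jsonl`; ids are placeholders.
SAMPLE_JSONL = """\
{"template-id": "CVE-0000-00001", "host": "https://www.example.com", "matched-at": "https://www.example.com/login", "info": {"name": "Example RCE", "severity": "critical", "classification": {"cve-id": ["CVE-0000-00001"], "cvss-score": 9.8}}}
{"template-id": "CVE-0000-00002", "host": "https://intranet.example.internal", "matched-at": "https://intranet.example.internal/", "info": {"name": "Example auth bypass", "severity": "critical", "classification": {"cve-id": ["CVE-0000-00002"], "cvss-score": 9.1}}}
{"template-id": "nginx-version", "host": "https://www.example.com", "matched-at": "https://www.example.com/", "info": {"name": "Nginx version detect", "severity": "info"}}
{"template-id": "CVE-0000-00003", "host": "https://api.example.com", "matched-at": "https://api.example.com/v1", "info": {"name": "Example info leak", "severity": "high", "classification": {"cve-id": ["CVE-0000-00003"], "cvss-score": 7.5}}}
{"template-id": "exposed-admin-panel", "host": "https://www.example.com", "matched-at": "https://www.example.com/admin", "info": {"name": "Admin panel", "severity": "medium"}}
"""

# Assumption: the caller knows which hosts are Internet-facing (Pilot's scope
# data would supply this); constructed here for the sample.
PUBLIC_HOSTS = {"https://www.example.com", "https://api.example.com"}


def parse_findings(jsonl_text):
    """Flatten each JSONL record into just the fields the triage rules need."""
    findings = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        info = rec.get("info", {})
        cls = info.get("classification") or {}
        cve = cls.get("cve-id") or []
        if isinstance(cve, str):          # tolerate a bare string as well as a list
            cve = [cve]
        findings.append({
            "template": rec["template-id"],
            "host": rec["host"],
            "matched_at": rec.get("matched-at"),
            "severity": info.get("severity", "info").lower(),
            "cve_ids": [c.upper() for c in cve],
            "cvss": cls.get("cvss-score"),
        })
    return findings


def classify(f, public_hosts):
    """Map one finding to an action bucket following the rules on this page."""
    cvss = f["cvss"]
    if f["severity"] == "critical" and cvss is not None and cvss >= 9.0 and f["host"] in public_hosts:
        return "triage_now"
    if f["severity"] in ("critical", "high") and f["cve_ids"]:
        # Check whether the template asserts the CVE conditions or only
        # fingerprints a version before escalating.
        return "confirm_cve"
    return "review"


def prioritise(jsonl_text, public_hosts=PUBLIC_HOSTS):
    """Parse, bucket and order findings by severity ladder, then CVSS descending."""
    findings = parse_findings(jsonl_text)
    for f in findings:
        f["bucket"] = classify(f, public_hosts)
    findings.sort(key=lambda f: (SEVERITY_ORDER.get(f["severity"], 9), -(f["cvss"] or 0.0)))
    return findings


def urgent(findings):
    """What the home dashboard's 'What's urgent' panel shows: critical + high only."""
    return [f for f in findings if f["severity"] in ("critical", "high")]


if __name__ == "__main__":
    for f in prioritise(SAMPLE_JSONL):
        print(f"{f['bucket']:<12} {f['severity']:<8} {f['template']:<22} {f['matched_at']}")
```

On the sample, the 9.8 finding on the public host lands in `triage_now`; the 9.1 finding on the internal host and the 7.5 high-severity CVE both land in `confirm_cve`, because the rule on this page requires confirming what the template actually asserts before escalating; the version fingerprint and the admin-panel hit fall through to `review`.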

Connecting your repos

Repo scanning runs from the Code Security page — see Integrations → Code Security for setup. Findings from connected repos appear in the Secrets tab with a repo source badge.