
Prioritization Criteria (Stages)

Every funnel is composed of criteria; each criterion produces one stage of the funnel, and issues that do not satisfy it are filtered out at that stage.

Out-of-the-box criteria

Xygeni provides several out-of-the-box criteria, although you can add your own custom criteria.

Nature (Technical vs Business)

  • Some criteria have a technical nature (Technical), while others are business-oriented (Business); the meaning of the latter comes from your own custom categorization.

Calculation (Auto vs Manual)

  • Some criteria are calculated automatically by Xygeni (Auto).

  • Other criteria are business-oriented and must be supplied by the user (Manual).

  • There are also criteria that, although initially calculated by Xygeni, can be further modified by the user (Both).

Scope (Project vs Issue)

  • Some criteria apply to all issues of a Xygeni project: the value for an issue depends on a characteristic of the project to which it belongs (Project).

  • Other criteria are applied individually to every issue (Issue).

| Criteria | Description | Calculation | Nature | Scope |
|---|---|---|---|---|
| Reachability | Is this vulnerability reachable? (see Reachability for further details) | Auto | Technical | Issue |
| Exploitability | Is this vulnerability exploitable? (see Exploitability for further details) | Auto | Technical | Issue |
| Fixable | Is this vulnerability fixable? (see Fixable for further details) | Auto | Technical | Issue |
| In application code | Is this vulnerability in application code (i.e. not in test code)? | Auto | Technical | Issue |
| Deployed | Is this application being deployed? Xygeni can detect if the application is being deployed to some resource, but you can also manually assign the correct value. | Both | Technical | Project |
| Active Development | Is this application actively under development? Xygeni considers an application to be in "Active Development" if the latest commit is not older than 90 days. You can manually change this value. | Auto | Technical | Project |
| Internet Exposed | Is this application exposed to the Internet? | Both | Technical | Project |
| Legacy | Is this a legacy (i.e. out of active maintenance) application? | Manual | Technical | Project |
| Product Unit | To which Product Unit does this application belong? | Manual | Business | Project |
| Business Value | What is the Business value of this application? | Manual | Business | Project |
| Provider | Who is the provider of this application? | Manual | Business | Project |
| Architecture | What is the technical architecture of this application? | Manual | Business | Project |
| Business Area | To which Business Area (or department) does the application belong? | Manual | Business | Project |
| Any custom criteria | Any custom-defined property defined for a project (see Custom criteria) | Manual | Business | Project |

We are continuously adding new criteria, so you will likely find more criteria than are described at the time of writing this document.

Criteria's Specifics

In addition to the general meaning given above, each prioritization criterion has a specific meaning that depends on the type of issue it is applied to.

| Criteria | Open Source | Supply Chain | Secrets | IaC |
|---|---|---|---|---|
| Fixable | A vulnerability is Fixable if a safe component is available that remediates the vulnerability. This criterion removes from the previous stage those vulnerabilities with no available fix. | Always True | Always True | Always True |
| In application code | The scope of the component is production, not a test or compile scope. Users can configure the specific scopes used in their organization. | The issue is located in a file whose path does not contain any "test" directory. | The issue is located in a file whose path does not contain any "test" directory. | The issue is located in a file whose path does not contain any "test" directory. |
| Reachability | The vulnerability is reachable because the application code execution reaches the vulnerable code in the component. | Includes issues that represent a security issue, such as PPE, confusing names, or issues related to permissions. See each detector's documentation for more details. | The secret is located in a file under version control, or in an image. | Includes IaC security issue types (Appsec, Encryption, Gensec, IAM, Network, Secrets...) and discards issues related to best practices (such as Convention). Check the detectors documentation for more details. |
| Exploitable | This criterion includes those CVEs with an EPSS score greater than 0.1. | Same as Reachability | Includes any secrets that have been verified or cannot be verified. All secrets that Xygeni verifies as inactive are discarded by this criterion. | Same as Reachability |
| Active Development | The project has commits in the last 90 days. | The project has commits in the last 90 days. | The project has commits in the last 90 days. | The project has commits in the last 90 days. |
| Deployed | A component's vulnerability is considered Deployed if Xygeni detects a pipeline or workflow that deploys (checks out) the project, image or package. | Always True | A secret is considered Deployed if it appears in a public repository or image. | An IaC issue is considered Deployed if Xygeni detects a pipeline or workflow that uses the IaC configuration to deploy the infrastructure. |
| Internet Exposed | Any component vulnerability is considered Internet Exposed if the project's Internet Exposed property is set to true. | The repository with automations is public, or the issue is associated with the infrastructure. | The repository, image or package is public. | Any IaC issue is considered Internet Exposed if the project's Internet Exposed property is set to true. |

Custom criteria

Besides the above out-of-the-box criteria, you can create your own custom criteria. To do so, add custom properties to your applications (projects in Xygeni's terminology); those properties then become available as funnel criteria. See Project Custom Properties for further info.

For any criteria with Business nature, the value depends on the value of the property and the CUSPs associated with the project. Adjustments are available in the properties of the project in Project Management.
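As an added worked example (not Xygeni's own code, data model or funnel implementation), the following Python script models the stage semantics from the two tables above for Open Source and Secrets issues, and adds one custom criterion read from a project property as described in this section. Everything in it is constructed for the illustration: the Project and Issue attributes, the sample issues, the reference date and the stage order. The "test" directory check treats path segments named test or tests as test directories, which is this example's reading of the rule; the 90-day window and the EPSS threshold of 0.1 are the values stated on the page.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

ACTIVE_DEVELOPMENT_WINDOW = timedelta(days=90)  # page: latest commit not older than 90 days
EPSS_EXPLOITABLE_THRESHOLD = 0.1                # page: EPSS score greater than 0.1


@dataclass
class Project:
    """Project-scope attributes (constructed model, not Xygeni's)."""
    name: str
    last_commit: date
    deployed: bool = False            # "Both": detected from pipelines, or set by hand
    internet_exposed: bool = False    # "Both"
    custom: dict = field(default_factory=dict)  # custom properties usable as Business criteria


@dataclass
class Issue:
    """Issue-scope attributes; kind is "oss" or "secret" in this example."""
    id: str
    kind: str
    project: Project
    path: str = ""
    reachable: bool = False      # oss: app code execution reaches the vulnerable code
    epss: float = 0.0            # oss: EPSS score
    fix_available: bool = False  # oss: a safe component exists
    scope: str = "production"    # oss: dependency scope ("test"/"compile" are not app code)
    location: str = "other"      # secret: "vcs_file", "image" or "other"
    status: str = "unverified"   # secret: "verified", "unverified" or "inactive"
    public: bool = False         # secret: repository/image/package is public


def in_application_code(issue):
    """No 'test' directory in the path; for OSS the scope must also be production."""
    dirs = [d.lower() for d in issue.path.split("/")[:-1]]  # directories only, not the file name
    if issue.kind == "oss" and issue.scope != "production":
        return False
    return not any(d in ("test", "tests") for d in dirs)


def reachable(issue):
    if issue.kind == "oss":
        return issue.reachable
    return issue.location in ("vcs_file", "image")  # secrets column of the table


def exploitable(issue):
    if issue.kind == "oss":
        return issue.epss > EPSS_EXPLOITABLE_THRESHOLD
    return issue.status != "inactive"  # verified or unverifiable secrets stay, inactive ones drop


def fixable(issue):
    return issue.fix_available if issue.kind == "oss" else True  # "Always True" for secrets


def active_development(issue, today):
    return today - issue.project.last_commit <= ACTIVE_DEVELOPMENT_WINDOW


def deployed(issue):
    return issue.public if issue.kind == "secret" else issue.project.deployed


def internet_exposed(issue):
    return issue.public if issue.kind == "secret" else issue.project.internet_exposed


def custom_property(name, value):
    """Build a Business-nature stage from a project custom property."""
    return lambda issue: issue.project.custom.get(name) == value


def run_funnel(issues, stages):
    """Apply the stages in order; return per-stage survivor counts and the surviving issues."""
    remaining = list(issues)
    counts = [("all", len(remaining))]
    for name, predicate in stages:
        remaining = [i for i in remaining if predicate(i)]
        counts.append((name, len(remaining)))
    return counts, remaining


# --- constructed sample data -------------------------------------------------
TODAY = date(2025, 4, 30)
SHOP = Project("shop", date(2025, 4, 20), deployed=True, internet_exposed=True,
               custom={"business_value": "high"})
LEGACY = Project("legacy-intranet", date(2024, 11, 1), deployed=True,
                 custom={"business_value": "low"})
SAMPLE_ISSUES = [
    Issue("CVE-A", "oss", SHOP, "pom.xml", reachable=True, epss=0.42, fix_available=True),
    Issue("CVE-B", "oss", SHOP, "pom.xml", reachable=True, epss=0.03, fix_available=True),
    Issue("CVE-C", "oss", SHOP, "pom.xml", reachable=False, epss=0.9, fix_available=True),
    Issue("CVE-D", "oss", SHOP, "pom.xml", reachable=True, epss=0.5, fix_available=True, scope="test"),
    Issue("SEC-1", "secret", SHOP, "src/config/db.yml", location="vcs_file", status="verified", public=True),
    Issue("SEC-2", "secret", SHOP, "src/test/fixtures/key.pem", location="vcs_file", status="verified", public=True),
    Issue("SEC-3", "secret", LEGACY, "deploy/env", location="vcs_file", status="inactive"),
    Issue("CVE-E", "oss", LEGACY, "pom.xml", reachable=True, epss=0.6, fix_available=True),
]
DEFAULT_STAGES = [
    ("in application code", in_application_code),
    ("reachable", reachable),
    ("exploitable", exploitable),
    ("fixable", fixable),
    ("active development", lambda i: active_development(i, TODAY)),
    ("deployed", deployed),
    ("internet exposed", internet_exposed),
    ("business value = high", custom_property("business_value", "high")),  # custom criterion
]


def prioritized_ids(issues=SAMPLE_ISSUES, stages=DEFAULT_STAGES):
    counts, remaining = run_funnel(issues, stages)
    return counts, [i.id for i in remaining]


if __name__ == "__main__":
    for name, n in prioritized_ids()[0]:
        print(f"{name:>22}: {n}")
    print("prioritized:", prioritized_ids()[1])  # ['CVE-A', 'SEC-1']
```

Running the script prints the survivor count after each stage (8, 6, 5, 3, 3, 2, 2, 2, 2 for the sample) and ends with the two issues worth acting on first: the reachable, exploitable, fixable CVE and the verified secret in a public repository, both in an actively developed, deployed, Internet-exposed, high-value project. Stage order matters only for the intermediate counts, not for the final set, since every stage is a plain filter.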