Seenty Docs

Learn how Seenty detects known vulnerabilities in your domain technologies, repository dependencies, and infrastructure-as-code.

Vulnerabilities

Vulnerabilities are known security flaws in software -- cataloged as CVEs (Common Vulnerabilities and Exposures) in public databases. Unlike misconfigurations, which are about how something is set up, vulnerabilities are bugs in the software itself that can be exploited by attackers.

Seenty detects vulnerabilities across three surfaces: domain technologies, repository dependencies, and infrastructure-as-code.

Domain vulnerabilities

When Seenty scans your domains, it performs technology detection to identify the software behind each host: web servers (Apache, Nginx), CMS platforms (WordPress, Drupal), JavaScript frameworks, programming languages, and more.

Once technologies and their versions are identified, Seenty matches them against the NVD (National Vulnerability Database) to find known CVEs.

What you see for each finding

  • CVE ID -- The unique identifier (e.g., CVE-2021-44228) linking to the full advisory.
  • CVSS score -- A standardized severity score from 0.0 to 10.0.
  • Severity -- Critical, High, Medium, or Low, derived from the CVSS score.
  • Affected technology -- The software name and detected version (e.g., Apache 2.4.49).
  • Affected versions -- The version range impacted by this CVE.
  • Fixed version -- The version that patches the vulnerability, when available.
  • Description -- A summary of the vulnerability, including attack vector and potential impact.
  • Remediation -- Actionable steps to resolve the issue, typically upgrading to the fixed version.

How it works

  1. Seenty scans your domain and subdomains for HTTP response headers, HTML meta tags, JavaScript files, and other indicators.
  2. Detected technologies are fingerprinted with version numbers when possible.
  3. Each technology-version pair is checked against the NVD CVE database.
  4. Matching CVEs are created as findings with full context and remediation guidance.

Detection is only as good as the version a host advertises. A Server header that omits the version yields no CVE match, and a distribution that backports a security fix without changing the version string (common for Debian and RHEL packages) can produce a finding for a host that is already patched. Treat domain CVE findings as a prompt to confirm the installed build before and after remediation.

Technology detection requires a Pro plan or higher. CVE scanning requires an Ultra plan or higher.

Repository vulnerabilities

Repository vulnerability scanning analyzes your dependency files to find packages with known CVEs. Connect your repositories via the GitHub App integration for automatic scanning on every push.

Dependency scanning

Seenty scans your dependency manifests against public vulnerability databases to find packages with known CVEs. Supported file types include:

Ecosystem   Files scanned
Node.js     package.json, package-lock.json, yarn.lock, pnpm-lock.yaml
Python      requirements.txt, Pipfile.lock, poetry.lock, setup.py
Go          go.mod, go.sum
Rust        Cargo.lock
Java        pom.xml, build.gradle, gradle.lockfile
Ruby        Gemfile.lock
.NET        packages.lock.json, *.csproj
PHP         composer.lock

What you see for each finding

  • CVE ID -- The vulnerability identifier (e.g., CVE-2023-45857).
  • Affected package -- The dependency name (e.g., axios).
  • Vulnerable version -- The version currently in use (e.g., 1.5.0).
  • Fixed version -- The version that resolves the vulnerability (e.g., 1.6.1).
  • Severity -- Based on the CVSS score from the advisory.
  • Description -- Summary of the vulnerability and its impact.
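The four-step domain flow above and the dependency matching described in this section share one core: build an inventory of (product, version) pairs, then join it against advisories that carry an affected range, a fixed version and a CVSS score. The script below is an added example of that logic, not Seenty's code. It fingerprints a constructed HTTP response (Server and X-Powered-By headers, a generator meta tag) and a constructed lockfileVersion 3 package-lock.json, then matches both against a small advisory table. The CVE IDs in the table are real, but the rows are illustrative and should be verified against NVD; the function names and the table layout are this example's own.

```python
"""Fingerprint-and-match logic of the kind described above (added example,
not Seenty's code). Stdlib only; every input below is constructed."""
import json
import re

# Illustrative advisory rows in the shape a scanner joins against. The IDs are
# real; verify ranges and scores against NVD before relying on them.
# Affected range is [introduced, fixed): the fixed version itself is clean.
ADVISORIES = [
    {"id": "CVE-2021-41773", "product": "apache", "introduced": "2.4.49", "fixed": "2.4.50", "cvss": 7.5},
    {"id": "CVE-2021-42013", "product": "apache", "introduced": "2.4.49", "fixed": "2.4.51", "cvss": 9.8},
    {"id": "CVE-2023-45857", "product": "axios", "introduced": "1.0.0", "fixed": "1.6.0", "cvss": 6.5},
]

# Constructed HTTP response and lockfile standing in for a scanned host / repo.
SAMPLE_HEADERS = {"Server": "Apache/2.4.49 (Unix)", "X-Powered-By": "PHP/8.0.10"}
SAMPLE_HTML = '<html><head><meta name="generator" content="WordPress 6.3.1"></head></html>'
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.5.0"}},              # the manifest range
        "node_modules/axios": {"version": "1.5.0"},             # the resolved version
        "node_modules/follow-redirects": {"version": "1.15.3"},
    },
})

PRODUCT_VERSION_RE = re.compile(r"^([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)")
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="([A-Za-z ]+?)\s+(\d+(?:\.\d+)*)"', re.I)


def fingerprint(headers, html):
    """Steps 1-2: pull product/version pairs from banner headers and the generator tag."""
    found = {}
    for name in ("Server", "X-Powered-By"):
        m = PRODUCT_VERSION_RE.match(headers.get(name, ""))
        if m:
            found[m.group(1).lower()] = m.group(2)
    m = GENERATOR_RE.search(html)
    if m:
        found[m.group(1).lower()] = m.group(2)
    return found


def parse_package_lock(text):
    """Dependency inventory from a lockfileVersion 2/3 package-lock.json.
    The resolved version under node_modules/ is what gets matched, not the
    ^range declared in package.json."""
    data = json.loads(text)
    deps = {}
    for path, meta in data.get("packages", {}).items():
        if path.startswith("node_modules/"):
            deps[path.rsplit("node_modules/", 1)[1]] = meta["version"]
    return deps


def version_tuple(v):
    # Numeric dotted versions only; pre-release suffixes would need SemVer rules.
    return tuple(int(p) for p in v.split("."))


def severity(cvss):
    """Standard CVSS v3 qualitative bands."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low" if cvss > 0 else "None"


def match(inventory):
    """Steps 3-4: join each product/version pair against the advisory table."""
    findings = []
    for product, version in inventory.items():
        v = version_tuple(version)
        for adv in ADVISORIES:
            if adv["product"] != product:
                continue
            if version_tuple(adv["introduced"]) <= v < version_tuple(adv["fixed"]):
                findings.append({
                    "cve": adv["id"], "product": product, "version": version,
                    "fixed": adv["fixed"], "severity": severity(adv["cvss"]),
                })
    return findings


if __name__ == "__main__":
    inventory_findings = match(fingerprint(SAMPLE_HEADERS, SAMPLE_HTML)) + match(parse_package_lock(SAMPLE_PACKAGE_LOCK))
    for f in inventory_findings:
        print(f"{f['cve']}  {f['severity']:<8} {f['product']} {f['version']} -> upgrade to {f['fixed']}")
```

Two details are worth noticing. The host advertising Apache 2.4.49 produces two findings, because the incomplete fix for CVE-2021-41773 got its own CVE; a scanner that stops at the first match under-reports. And the lockfile match is made on the resolved 1.5.0, not the "^1.5.0" declared in package.json, which is why lockfiles rather than manifests are the inputs that matter.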

Infrastructure-as-code scanning

Seenty scans infrastructure-as-code files for security issues, catching problems before they reach production:

  • Terraform -- Misconfigured resources, insecure defaults, overly permissive access controls.
  • CloudFormation -- AWS resource templates with security weaknesses.
  • Kubernetes manifests -- Containers running as root, missing resource limits, insecure capabilities.

Each IaC finding includes the affected file, line number, a description of the issue, and the recommended fix.
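The Kubernetes checks listed above (root containers, missing limits, insecure capabilities) are easy to see as code. The script below is an added example of such container-level checks, not Seenty's scanner. The manifest is a constructed Deployment in the dict shape yaml.safe_load() would return, so the script needs only the standard library; the first container trips every rule and the second is the hardened shape. The capability list, rule wording and function names are this example's own assumptions.

```python
"""Container-level checks of the kind listed for Kubernetes manifests above
(added example, not Seenty's scanner). The manifest is a constructed dict in the
shape yaml.safe_load() returns, so this runs on the stdlib alone."""

# Capabilities whose addition is roughly equivalent to handing out root (example's own list).
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "ALL"}

SAMPLE_MANIFEST = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "containers": [
            {   # every check below fires on this container
                "name": "web", "image": "nginx:1.25",
                "securityContext": {"privileged": True, "capabilities": {"add": ["NET_ADMIN"]}},
            },
            {   # the hardened shape: non-root, no escalation, caps dropped, limits set
                "name": "sidecar", "image": "busybox:1.36",
                "securityContext": {
                    "runAsNonRoot": True, "allowPrivilegeEscalation": False,
                    "capabilities": {"drop": ["ALL"]},
                },
                "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}},
            },
        ],
    }}},
}


def pod_spec(manifest):
    """Pod specs live at .spec for a Pod and at .spec.template.spec for workloads."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"], "spec"
    return manifest["spec"]["template"]["spec"], "spec.template.spec"


def check_manifest(manifest):
    """Return (path, issue, fix) triples; an empty list means the manifest passes."""
    spec, base = pod_spec(manifest)
    pod_sc = spec.get("securityContext", {})
    findings = []
    for i, c in enumerate(spec.get("containers", [])):
        path = f"{base}.containers[{i}] ({c.get('name', '?')})"
        sc = c.get("securityContext", {})
        # Pod-level runAsNonRoot applies unless the container overrides it.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if non_root is not True:
            findings.append((path, "may run as root", "set securityContext.runAsNonRoot: true"))
        if sc.get("privileged") is True:
            findings.append((path, "privileged container", "remove securityContext.privileged"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((path, "privilege escalation allowed",
                             "set securityContext.allowPrivilegeEscalation: false"))
        added = set(sc.get("capabilities", {}).get("add", []))
        for cap in sorted(added & DANGEROUS_CAPS):
            findings.append((path, f"adds capability {cap}", "drop ALL and add back only what is needed"))
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append((path, f"no {res} limit", f"set resources.limits.{res}"))
    return findings


if __name__ == "__main__":
    for path, issue, fix in check_manifest(SAMPLE_MANIFEST):
        print(f"{path}: {issue}; fix: {fix}")
```

The pod-level securityContext is consulted for runAsNonRoot because Kubernetes inherits it into containers that do not set their own; a checker that only reads the container block reports false positives on manifests hardened at the pod level. The same inheritance does not exist for privileged or for capabilities, which are container-only fields.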

Dockerfile scanning

Seenty lints Dockerfiles for security and best-practice violations:

  • Running containers as root (USER root or missing USER directive).
  • Using latest tags instead of pinned versions.
  • Installing packages without pinning versions.
  • Unnecessary privilege escalation with --privileged (a docker run / Compose option rather than a Dockerfile instruction).
  • Missing health checks.
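The rules in the list above can be expressed as a small linter. The script below is an added example, not Seenty's linter. It parses a Dockerfile (comments skipped, backslash continuations joined) and checks the base-image tag, apt/apk package pins, the final USER and the presence of HEALTHCHECK; a --privileged check is deliberately absent because that flag cannot appear in a Dockerfile. Both Dockerfiles are constructed, the apt version pin in the hardened one is illustrative, and the rule names and function names are this example's own.

```python
"""Dockerfile lint rules of the kind listed above (added example, not Seenty's
linter). Both Dockerfiles are constructed; the apt version pin is illustrative."""
import re

WEAK_DOCKERFILE = """\
FROM node:latest
RUN apt-get update && apt-get install -y curl \\
    && rm -rf /var/lib/apt/lists/*
COPY . /app
WORKDIR /app
CMD ["node", "server.js"]
"""

HARDENED_DOCKERFILE = """\
FROM node:20.11.1-bookworm-slim
RUN apt-get update && apt-get install -y --no-install-recommends curl=7.88.1-10+deb12u5 \\
    && rm -rf /var/lib/apt/lists/*
COPY . /app
WORKDIR /app
RUN useradd --system --uid 10001 app
USER app
HEALTHCHECK --interval=30s CMD node healthcheck.js
CMD ["node", "server.js"]
"""

# Arguments of an apt/apk install command, up to the next shell operator.
PKG_INSTALL_RE = re.compile(r"\b(?:apt-get\s+install|apt\s+install|apk\s+add)\b([^&|;]*)")


def parse_dockerfile(text):
    """Return (INSTRUCTION, arguments) pairs with comments skipped and
    backslash continuations joined into one logical line."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        inst, _, args = buf.partition(" ")
        instructions.append((inst.upper(), args.strip()))
        buf = ""
    return instructions


def check_base_image(args):
    image = args.split()[0]                        # drop "AS builder"
    if image == "scratch" or "@sha256:" in image:  # digest pins are the strongest form
        return None
    name, sep, tag = image.rpartition(":")
    if not sep or "/" in tag:                      # no tag, or the colon was registry:port
        return "base image has no tag and resolves to :latest"
    if tag == "latest":
        return "base image uses the floating :latest tag"
    return None


def lint_dockerfile(text):
    """Return (rule, message) pairs; an empty list means the Dockerfile passes.
    --privileged is a docker run flag, not a Dockerfile instruction, so it is not checked."""
    findings, last_user, seen = [], None, set()
    for inst, args in parse_dockerfile(text):
        seen.add(inst)
        if inst == "FROM":
            msg = check_base_image(args)
            if msg:
                findings.append(("pinned-base-image", msg))
        elif inst == "USER":
            last_user = args.split(":")[0]         # USER name[:group]
        elif inst == "RUN":
            for m in PKG_INSTALL_RE.finditer(args):
                for pkg in m.group(1).split():
                    if not pkg.startswith("-") and "=" not in pkg:
                        findings.append(("pinned-packages", f"package {pkg} installed without a version pin"))
    if last_user is None:
        findings.append(("non-root-user", "no USER instruction; the container runs as root"))
    elif last_user in ("root", "0"):
        findings.append(("non-root-user", f"final USER is {last_user}"))
    if "HEALTHCHECK" not in seen:
        findings.append(("healthcheck", "no HEALTHCHECK instruction"))
    return findings


if __name__ == "__main__":
    for label, df in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label, lint_dockerfile(df) or "clean")
```

Only the last USER instruction counts, since a Dockerfile may switch to root for package installation and back to an unprivileged user before CMD; a linter that flags any USER root line would reject that legitimate pattern.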

Remediation workflow

For all vulnerability types, the recommended workflow is:

  1. Review the finding -- Read the CVE description, understand the attack vector, and assess whether your usage is affected.
  2. Check the fixed version -- If a patched version exists, plan the upgrade.
  3. Apply the fix -- Update the affected package, technology, or configuration.
  4. Rescan -- Trigger a new scan (or wait for the next scheduled scan) to verify the fix.
  5. Mark as resolved -- If the finding does not auto-resolve after the scan, update its status manually.

Repository findings are auto-resolved once they have gone undetected for 7 days. Domain technology findings are resolved on the next scan if the vulnerable version is no longer detected.

Plan availability

Scan type                         Available on
Repository dependency scanning    Starter+
IaC scanning                      Starter+
Dockerfile scanning               Starter+
Domain technology detection       Pro+
Domain CVE scanning (NVD)         Ultra+