Findings
Findings are the durable issues Qodex creates when a test, scan, or review finds something worth tracking. A finding includes the bug description, severity, evidence, reproduction steps, category, status, and the scenario or review that produced it. Qodex does not turn every failed run into a finding. It first classifies the failure as a real bug, stale test, or environment issue. Only real product or security issues should become findings.
What a finding contains
| Field | What it tells you |
|---|---|
| Title and description | What Qodex believes is wrong. |
| Severity | Impact if the issue ships or remains unfixed. |
| Category | Security, functional, UI, performance, accessibility, API error, or other. |
| Evidence | Request, response, screenshot, log, URL, or note. |
| Reproduction steps | Steps a human can follow to confirm the issue. |
| Status | Open, fixed, false positive, or wontfix. |
How findings are created
Findings can come from several places:
- API scenarios that fail with a real product issue.
- UI scenarios with evidence-backed failures.
- Security scenarios where the attack succeeds.
- PR reviews that identify risky code changes.
- Agent investigations that call the finding-reporting tool.
Explore this section
Severity model
Understand critical, high, medium, low, and info.
Failure classification
See how Qodex decides whether a failed run is a real bug.
Triage workflow
Move findings through open, fixed, false positive, and wontfix.
Findings concept
Read the shorter conceptual overview.
Related
Security testing
Learn how attack scenarios produce security findings.
Run tests
Run scenarios that can create or verify findings.