Understanding Reports
How to read findings, interpret severity levels, and use fix suggestions.
Every scan produces a report. This page explains how to read one.
Report overview
When a scan finishes, you land on the results page. At the top is a summary bar showing the total number of findings by severity. Below that is the findings list.
Severity levels
| Severity | What it means | Examples |
|---|---|---|
| Critical | Actively exploitable, high impact. Fix immediately. | Leaked service role key, SQL injection, auth bypass |
| High | Exploitable with moderate effort. Fix before deploying. | IDOR, missing RLS on sensitive tables, privilege escalation |
| Medium | Real risk but requires specific conditions. Fix soon. | Missing security headers, overly permissive CORS, verbose errors |
| Low | Minor issue or hardening recommendation. Fix when convenient. | Server version disclosure, missing X-Content-Type-Options |
Focus on critical and high findings first. These are the vulnerabilities that get apps hacked in practice.
Anatomy of a finding
Each finding in the report contains:
| Field | What it tells you |
|---|---|
| Category | The type of vulnerability — auth, access control, injection, data exposure, etc. |
| Severity | How urgent it is (critical / high / medium / low) |
| Endpoint | The affected URL and HTTP method (e.g., GET /api/users/:id) |
| CWE | The Common Weakness Enumeration code — a standard classification for the vulnerability type |
| Description | What was found and why it matters |
| Evidence | The actual HTTP request and response that proved the issue exists |
| Fix suggestion | Step-by-step remediation tailored to your stack |
Reading the evidence
The evidence section is the most important part. It shows you exactly what Flowpatrol did and what it got back. For example:
- For an IDOR, you'll see a request made as User A that returned User B's data
- For missing RLS, you'll see an unauthenticated Supabase query that returned rows it shouldn't
- For a leaked secret, you'll see the exact file and line where the key was found in your JavaScript bundle
This isn't a theoretical warning — it's proof that the issue is real and exploitable.
Using fix suggestions
Every finding includes a fix suggestion written for your stack. If you're using Supabase, you'll get SQL for RLS policies. If you're using Next.js, you'll get middleware patterns. The suggestions are meant to be copy-paste-ready.
Fix suggestions are starting points, not complete solutions. Always review them in the context of your app's specific auth model and data access patterns.
The remediation guides go deeper on the most common issues:
- Fixing Supabase RLS — enable and configure Row Level Security
- Fixing Exposed Secrets — move credentials out of client-side code
- Fixing Access Control — prevent unauthorized data access
Scan history
Every scan is saved under Scans in the dashboard sidebar. You can go back to any previous scan and view its full report.
This is useful for tracking progress — run a scan, fix the issues, run another scan, and compare. Findings that were present before and are now gone confirm your fixes worked.
Retention
How long reports are kept depends on your plan:
| Plan | Retention |
|---|---|
| Free | 7 days |
| Pro | 90 days |
| Enterprise | Unlimited |
Retrieving reports via MCP
If you've set up MCP integration, you can pull reports directly in your editor:
Show me my latest Flowpatrol reportShow me only critical and high findings from FlowpatrolGet the Flowpatrol report for scan abc-123-defYour AI assistant formats the same data inline in the chat. See the flowpatrol_report reference for all parameters.
Next
If you want to run full scans on your production domain, you'll need to verify ownership first.