CSPM module
The CSPM page lists every cloud configuration finding. It is the single largest detector by volume on most tenants.
Columns
| Column | Notes |
|---|---|
| Severity | CRITICAL / HIGH / MEDIUM / LOW, sortable by criticality. |
| Status | OPEN / IGNORED / RESOLVED. |
| Rule | Human-readable name. |
| Category | IAM, Storage, Network, Compute, Database, Cryptography, Logging, Serverless. |
| Resource | Cloud-native ID. |
| Region | Region or scope (global for IAM). |
| Drift | code_and_cloud, drift, code_only, or none. |
| Found | First-seen. |
Filters
The filter bar exposes:
- Severity, Status: the standard pair.
- Category: the rule categorisation.
- Cloud provider: when you have multiple connected.
- Region: narrows to one cloud region.
- Project: if multi-project.
- Drift status: useful when you also use IaC scanning.
Use Group by → category for the most useful aggregate view of CSPM specifically: it shows you whether the bulk of your findings are in IAM, Storage, etc.
Drift status: what it means
When IaC scanning is connected to the same project, every CSPM finding gets a drift tag:
| Tag | Meaning | Action |
|---|---|---|
| code_and_cloud | The misconfig is in both the IaC repo and the live cloud. | Fix the IaC, deploy. |
| drift | The cloud diverged from IaC. | Reconcile, decide which is right. |
| code_only | The IaC has it but the cloud doesn't yet. | Fix before merging. |
| (none) | No IaC repo is associated with this resource. | Console-managed; fix in console. |
Drift is the highest-value signal for teams that take IaC seriously. A drift tag is usually a process violation worth investigating, even if the underlying finding is LOW severity.
Detail panel
Clicking a row opens the detail panel with:
- Rule details: long description, attack scenario, impact.
- Resource graph slice: the affected resource and its first-degree neighbours.
- Toxic combination links: if this finding sits on any open chain, you'll see them listed at the top, ranked by severity.
- Remediation tabs: Console, Terraform, CLI.
- References: vendor docs, CIS controls, MITRE techniques.
Tips
- Start with category = IAM. IAM findings are the highest-leverage to fix because they often participate in many toxic combinations.
- Filter LOW out of the default view if your team is small. They are rarely worth fixing in the first quarter.
- Compliance-only rules. Some rules exist purely for SOC 2 / ISO 27001 mapping. They do not represent active risk; they exist because an auditor needs them ticked. Tag them in your triage workflow accordingly.
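
The triage guidance above (drift tags and their actions, hiding LOW, starting with IAM) applied to a list of findings, as an added example that is not part of the product or its documentation. It assumes findings are available as records whose field names mirror the columns; that record format, the sample data and the sort order are assumptions of this example.

```python
from collections import Counter

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Action column of the drift table, keyed by the Drift column value.
DRIFT_ACTION = {
    "code_and_cloud": "Fix the IaC, deploy.",
    "drift": "Reconcile, decide which is right.",
    "code_only": "Fix before merging.",
    "none": "Console-managed; fix in console.",
}

def triage_queue(findings, hide_low=True):
    """Return OPEN findings in review order, each annotated with its action."""
    queue = []
    for f in findings:
        if f["status"] != "OPEN":
            continue
        # LOW is hidden by default, but a drift tag is kept at any severity.
        if hide_low and f["severity"] == "LOW" and f["drift"] != "drift":
            continue
        queue.append({**f, "action": DRIFT_ACTION[f["drift"]]})
    # Sort order is this example's choice: drift first, then severity, then IAM.
    queue.sort(key=lambda f: (f["drift"] != "drift",
                              SEVERITY_RANK[f["severity"]],
                              f["category"] != "IAM"))
    return queue

def by_category(findings):
    """Count OPEN findings per category, like the Group by category view."""
    return Counter(f["category"] for f in findings if f["status"] == "OPEN")

def _f(severity, status, category, resource, drift):
    return {"severity": severity, "status": status, "category": category,
            "resource": resource, "drift": drift}

# Constructed sample records; resource names are made up.
SAMPLE = [
    _f("HIGH", "OPEN", "Storage", "bucket-a", "code_and_cloud"),
    _f("LOW", "OPEN", "Network", "sg-b", "drift"),
    _f("LOW", "OPEN", "Logging", "trail-c", "none"),
    _f("CRITICAL", "OPEN", "IAM", "role-d", "none"),
    _f("HIGH", "OPEN", "IAM", "role-e", "code_only"),
    _f("MEDIUM", "RESOLVED", "Compute", "vm-f", "drift"),
]

if __name__ == "__main__":
    for f in triage_queue(SAMPLE):
        print(f["severity"], f["category"], f["resource"], f["drift"], "->", f["action"])
    print(dict(by_category(SAMPLE)))
```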