Findings & Canonicalization
How Basirah normalizes scanner output into a single source of truth.
A finding is a single vulnerability instance imported from a scanner and normalized into Basirah’s common data model.
Normalization
Scanners report vulnerabilities in different formats, severity scales, and identifier schemes. Basirah’s integration adapters translate each source into a common schema so you can work with a consistent set of fields — title, severity, CVE references, CVSS score, affected asset — regardless of which scanner produced the data.
Severity values are mapped to a five-level scale (Critical, High, Medium, Low, Info) across all sources. When a finding includes a CVSS score, Basirah stores it alongside the normalized severity.
Multi-scanner deduplication
When multiple scanners report the same vulnerability on the same asset, Basirah groups them into a single canonical finding. Work items are created against the canonical group rather than individual scanner records. This prevents duplicate tickets and conflicting ownership.
For example, if both Tenable and Qualys report the same CVE on web-server-01, Basirah keeps both scanner records for traceability but treats them as one item for remediation purposes. When verification confirms the fix, all linked scanner records update together.
Running multiple scanners against the same infrastructure? Basirah handles the overlap automatically. You don’t need to configure dedup rules — connect your scanners and the platform takes care of the rest.
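The normalization and grouping described above, sketched as an added example (not Basirah's own code or API). The record shapes, the severity mappings, the `(asset, CVE)` grouping key and the function names are simplified assumptions, and the sample records are constructed with placeholder CVE ids.

```python
from collections import defaultdict

# Assumed mappings from each scanner's native scale to the five levels.
SEVERITY_MAP = {
    "tenable": {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"},
    "qualys": {1: "Info", 2: "Low", 3: "Medium", 4: "High", 5: "Critical"},
}

def normalize(source, raw):
    """Translate one scanner record (hypothetical shape) into a common schema."""
    return {
        "source": source,
        "title": raw["name"].strip(),
        "severity": SEVERITY_MAP[source][raw["sev"]],
        "cve": raw["cve"].strip().upper(),
        "cvss": raw.get("cvss"),  # kept alongside the severity when present
        "asset": raw["host"].strip().lower(),
        "status": "open",
    }

def canonicalize(findings):
    """Group findings by (asset, CVE); every scanner record stays in its group."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["asset"], f["cve"])].append(f)
    return dict(groups)

def mark_verified(groups, asset, cve):
    """A confirmed fix updates all linked scanner records together."""
    for f in groups[(asset, cve)]:
        f["status"] = "fixed"

# Constructed sample records (placeholder CVE ids, not real scanner output).
RAW = [
    ("tenable", {"name": "OpenSSL flaw", "sev": 3, "cve": "cve-0000-0001",
                 "cvss": 7.5, "host": "Web-Server-01"}),
    ("qualys", {"name": "OpenSSL vulnerability", "sev": 4,
                "cve": "CVE-0000-0001", "cvss": 7.5, "host": "web-server-01"}),
    ("qualys", {"name": "Weak TLS config", "sev": 2, "cve": "CVE-0000-0002",
                "host": "db-01"}),
]

if __name__ == "__main__":
    groups = canonicalize([normalize(s, r) for s, r in RAW])
    mark_verified(groups, "web-server-01", "CVE-0000-0001")
    for key, records in groups.items():
        print(key, [(r["source"], r["severity"], r["status"]) for r in records])
```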
Findings and work items
Findings don’t carry ownership — work items do. When you create a work item, you attach one or more findings to it. The work item gets an assignee, an SLA clock, and an optional dispatch target. Multiple findings can belong to a single work item when one fix resolves several vulnerabilities.