Surface vulnerability data in failed Scorecard rules

CQL captures allow you to extract specific values from entity data when a rule fails, making it easier for engineers to understand what went wrong. A typical use of captures is to show key quality metrics, such as code coverage, or detailed data like vulnerabilities in Scorecard rule failure messages. This helps engineers quickly understand why a rule is failing for an entity.

Surface security vulnerability information from custom data

You can configure custom data to track any information you want to surface, or you can choose to track information pulled in from third-party integrations.

  1. Determine what vulnerability data to display.

     • In this case, custom data is configured to include details like alert name, score, severity, and detection date.

     Example custom data under the key `security-data`:

     ```json
     {
       "alerts": [
         {
           "vulnName": "CV-2844",
           "alertName": "CVA-2844",
           "vulnScore": 5.2,
           "alertStatus": "ACTIVE",
           "productName": "AssetManager",
           "vulnSeverity": "MEDIUM",
           "alertDetected": "2025-05-08T10:49:07Z"
         }
       ]
     }
     ```

  2. While configuring a Scorecard, add a rule that uses captures to pull in the data you want to make more visible:

     `captures("security", custom('security-data')).get("alerts").length == 0`

  3. In the rule's Failure message field, configure captures to pull in the relevant information. The following example captures vulnerability information from the custom security data into a table:

  4. After evaluation, inspect the failing rule in the Scorecard. Click into the affected entity and expand the rule to see the vulnerability details in a structured format.
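To check what a failure message built from this capture would contain before wiring it into a Scorecard, the following added Python example (not Cortex's engine or any code from this page) models the rule above locally: it evaluates `alerts.length == 0` over the `security-data` document and renders the captured alerts as the table the failure message would show. The second alert in the sample, the fail-closed handling of missing data, and the sort by score are assumptions made here for illustration.

```python
import json

# Constructed sample: the page's security-data entry plus one extra alert
# added here (not from the original page) so the ordering by score is visible.
SECURITY_DATA = json.loads("""
{
  "alerts": [
    {"vulnName": "CV-2844", "alertName": "CVA-2844", "vulnScore": 5.2,
     "alertStatus": "ACTIVE", "productName": "AssetManager",
     "vulnSeverity": "MEDIUM", "alertDetected": "2025-05-08T10:49:07Z"},
    {"vulnName": "CV-EXAMPLE-2", "alertName": "CVA-EXAMPLE-2", "vulnScore": 8.1,
     "alertStatus": "ACTIVE", "productName": "AssetManager",
     "vulnSeverity": "HIGH", "alertDetected": "2025-05-09T08:00:00Z"}
  ]
}
""")

def evaluate_rule(custom_data):
    """Local model of: captures("security", custom('security-data')).get("alerts").length == 0
    Returns (status, captured_alerts). Status is "PASS", "FAIL", or "NO_DATA".
    Assumption made here: an entity with no usable security-data does not pass,
    so a missing feed is surfaced rather than silently counted as clean."""
    alerts = custom_data.get("alerts") if isinstance(custom_data, dict) else None
    if not isinstance(alerts, list):
        return "NO_DATA", []
    return ("PASS" if len(alerts) == 0 else "FAIL"), alerts

def render_failure_table(alerts):
    """Markdown table for the failure message, highest vulnScore first."""
    cols = ["vulnName", "alertName", "vulnSeverity", "vulnScore", "alertDetected"]
    rows = sorted(alerts, key=lambda a: float(a.get("vulnScore", 0)), reverse=True)
    lines = ["| " + " | ".join(cols) + " |", "|" + "---|" * len(cols)]
    for a in rows:
        lines.append("| " + " | ".join(str(a.get(c, "")) for c in cols) + " |")
    return "\n".join(lines)

def failure_message(custom_data):
    """Text an engineer would see on the failing rule; empty string when it passes."""
    status, alerts = evaluate_rule(custom_data)
    if status == "PASS":
        return ""
    if status == "NO_DATA":
        return "No security-data found for this entity; rule cannot be evaluated."
    return f"{len(alerts)} open vulnerability alert(s):\n" + render_failure_table(alerts)

if __name__ == "__main__":
    print(failure_message(SECURITY_DATA))
```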
