# Vulnerabilities

The **Vulnerabilities** section in Sprinto helps you continuously track and manage security flaws across your cloud infrastructure, code repositories, and integrated tools. It acts as a central hub that pulls in vulnerability findings from connected monitoring sources such as **AWS Inspector**, **GitLab**, **Snyk**, **Google Security Center**, **SonarCloud**, and more.

This area enables security teams to:

* View real-time vulnerability alerts from all integrated scanners.
* Track open, resolved, or overdue vulnerabilities against defined SLA timelines.
* Manually upload pentest findings and resolve vulnerabilities as needed.
* Add periodic workflow checks to satisfy framework-specific controls when integrations are not available.

{% hint style="info" %}
Vulnerability detection and remediation are critical pillars of your compliance posture. Sprinto ensures that all findings—whether automated or manually uploaded—are logged, actioned, and audited correctly.
{% endhint %}

***

#### Where to find it?

To access this section:

1. Log in to the Sprinto dashboard.
2. Go to **Data Library** > **Vulnerabilities**.

You will land on the **Overview** tab, where all integrated monitoring sources are listed, alongside their compliance-mapped frameworks and open issue counts.

***

#### Key Capabilities

* **Native Integrations**: Connect with leading vulnerability scanners for infrastructure and code security. For example, Snyk, AWS Inspector, Google Security Center, and more.
* **Pentest Uploads**: Import vulnerabilities found during certified penetration tests—individually or in bulk—alongside the official VAPT (vulnerability assessment and penetration testing) report.
* **SLA Monitoring**: Automatically flag issues that miss resolution deadlines. Each vulnerability is tagged with severity, status, and assignee.
* **Special Case Handling**: Mark specific vulnerabilities as out-of-scope or under extension with justification and expiry.
* **Workflow Checks**: Add manual checks (e.g., for bias testing, AI system scans, red teaming) to meet framework requirements not covered via integrations.
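The SLA and special-case rules above (a remediation deadline per severity, overdue flagging, out-of-scope or extension exceptions that carry a justification and an expiry) interact in ways that are easy to misread, so the following shows the same logic worked through over a handful of findings. This is an added example, not Sprinto's own code: the severity windows in `SLA_DAYS`, the field names, the constructed findings, and the rule that an expired exception returns a finding to normal SLA tracking are all assumptions made for illustration, not documented Sprinto behaviour.

```python
"""Reconcile scanner and pentest findings against severity-based SLA windows.

Added example, not Sprinto's code. The SLA windows, field names and exception
rules below are assumptions; Sprinto's real timelines are configured in-product.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed remediation windows in days from detection, keyed by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class SpecialCase:
    """An out-of-scope marking or an SLA extension; both need a reason and an expiry."""
    kind: str            # "out_of_scope" or "extension"
    justification: str
    expires: date

    def __post_init__(self) -> None:
        if self.kind not in ("out_of_scope", "extension"):
            raise ValueError(f"unknown special case kind: {self.kind}")
        if not self.justification.strip():
            raise ValueError("a special case needs a written justification")


@dataclass
class Finding:
    id: str
    source: str          # e.g. "AWS Inspector", "Snyk", "Pentest upload" (assumed labels)
    severity: str
    detected: date
    resolved: Optional[date] = None
    special: Optional[SpecialCase] = None


def due_date(f: Finding) -> date:
    """Deadline from the severity window; an extension moves it to the extension's expiry."""
    base = f.detected + timedelta(days=SLA_DAYS[f.severity.lower()])
    if f.special and f.special.kind == "extension" and f.special.expires > base:
        return f.special.expires
    return base


def status(f: Finding, today: date) -> str:
    """One of: out_of_scope, resolved, resolved_late, open, overdue."""
    # An out-of-scope marking suspends SLA tracking only until it expires (assumed rule).
    if f.special and f.special.kind == "out_of_scope" and today <= f.special.expires:
        return "out_of_scope"
    due = due_date(f)
    if f.resolved is not None:
        return "resolved" if f.resolved <= due else "resolved_late"
    return "overdue" if today > due else "open"


def overview(findings: List[Finding], today: date) -> Dict[str, Dict[str, int]]:
    """Per-source counts as an overview tab would show them; 'open' includes overdue items."""
    out: Dict[str, Dict[str, int]] = {}
    for f in findings:
        row = out.setdefault(f.source, {"open": 0, "overdue": 0, "resolved": 0, "out_of_scope": 0})
        s = status(f, today)
        if s in ("open", "overdue"):
            row["open"] += 1
        if s == "overdue":
            row["overdue"] += 1
        elif s in ("resolved", "resolved_late"):
            row["resolved"] += 1
        elif s == "out_of_scope":
            row["out_of_scope"] += 1
    return out


# Constructed sample findings (not real scanner output) evaluated as of TODAY.
TODAY = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("F1", "AWS Inspector", "critical", date(2024, 5, 20)),                 # due 05-27 -> overdue
    Finding("F2", "AWS Inspector", "high", date(2024, 5, 15)),                     # due 06-14 -> open
    Finding("F3", "Snyk", "medium", date(2024, 2, 1), resolved=date(2024, 4, 15)), # due 05-01 -> resolved
    Finding("F4", "Snyk", "high", date(2024, 4, 1),                                 # base due 05-01,
            special=SpecialCase("extension", "vendor patch ETA June", date(2024, 6, 30))),  # extended -> open
    Finding("F5", "Pentest upload", "low", date(2024, 1, 10),
            special=SpecialCase("out_of_scope", "decommissioned host", date(2024, 12, 31))),
    Finding("F6", "Pentest upload", "critical", date(2024, 4, 1),                   # exception expired
            special=SpecialCase("out_of_scope", "awaiting risk sign-off", date(2024, 5, 1))),  # -> overdue
    Finding("F7", "Snyk", "high", date(2024, 3, 1), resolved=date(2024, 4, 10)),   # due 03-31 -> resolved_late
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.id:3} {f.source:14} {f.severity:8} due {due_date(f)}  {status(f, TODAY)}")
    for source, row in overview(SAMPLE_FINDINGS, TODAY).items():
        print(source, row)
```

Two behaviours in the example are worth checking against the real product before relying on them: whether a resolved finding that was closed after its deadline still counts as an SLA miss (`resolved_late` above), and what happens to an out-of-scope finding once its expiry passes (here it drops straight back into normal tracking, which is why F6 shows as overdue).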

***

#### Types of Monitoring Sources

<table><thead><tr><th width="193.76171875">Source Type</th><th width="257.421875">Examples</th><th>Description</th></tr></thead><tbody><tr><td><strong>Infrastructure</strong></td><td>AWS Inspector, Google Security Center</td><td>Scans your cloud infrastructure and services.</td></tr><tr><td><strong>Codebase</strong></td><td>GitLab, SLScan, Dependabot, Snyk</td><td>Detects issues in application code and third-party libraries.</td></tr><tr><td><strong>Endpoints</strong></td><td>CrowdStrike Spotlight</td><td>Detects endpoint vulnerabilities (e.g., user devices).</td></tr><tr><td><strong>Ticketing/Tracking</strong></td><td>Jira</td><td>Centralises remediation workflow across all sources.</td></tr></tbody></table>

***

#### Mapped Frameworks

Sprinto maps vulnerabilities to frameworks such as:

* **PCI DSS**
* **SOC 2**
* **ISO 27001**
* **GDPR**
* **CPRA**
* **NIST 800-53**

Mapped control IDs (e.g., SDC 55, SDC 56, SDC 63) are displayed in the sidebar and next to each integration.

***

#### Example View

From the **Overview tab**, you can:

* View all integrated monitoring sources.
* Check the number of open vulnerabilities.
* View associated controls for compliance mapping.
* Add new workflow checks or monitoring sources.
* View integration issues (if any).
