Archiving vulnerabilities from zero-vulnerability scan files
Concert can automatically archive previously detected vulnerabilities or exposures when you upload a zero-vulnerability scan file through the API. This capability keeps your vulnerability inventory accurate when a scanner reports that no issues are present for a scanned resource.
This functionality is available only through the API and is not supported in the Concert UI.
Supported scan types
Archiving from zero-vulnerability scan files is supported for all vulnerability and exposure scan types, including:
- vm_scan
- image_scan
- code_scan
- exposure_scan (SAST and DAST)
How archiving works
When you upload a scan file that contains no vulnerabilities or exposures, Concert evaluates the metadata included in the API request.
- If all required metadata fields are provided, Concert archives all previously detected findings for the specified scan objects associated with the specified scanner.
- If any required metadata is missing or incomplete, Concert processes the file as a zero-vulnerability scan, but no archiving occurs.
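A client-side pre-flight check for the rule above, as an added example that is not part of the Concert documentation or API: it reports whether a zero-vulnerability upload would archive earlier findings or be processed without archiving. Only the field names scanner_name and scan_objects (listed under Required metadata) come from this page; the dict layout, the function names, the reading of "incomplete" as a blank or empty value, and the treatment of scan_objects entries as opaque values are assumptions.

```python
# Added example: client-side pre-flight check before a zero-vulnerability upload.
# Assumptions (not from the Concert documentation): metadata is held in a dict,
# "incomplete" means a blank or empty value, and scan_objects entries are opaque.


def archiving_problems(metadata):
    """Return the reasons this metadata would not satisfy the archiving rule."""
    problems = []
    name = metadata.get("scanner_name")
    if name is None:
        problems.append("scanner_name is missing")
    elif not isinstance(name, str) or not name.strip():
        problems.append("scanner_name is blank or not a string")

    objects = metadata.get("scan_objects")
    if objects is None:
        problems.append("scan_objects is missing")
    elif not isinstance(objects, list) or not objects:
        problems.append("scan_objects is not a non-empty list")
    elif any(not obj for obj in objects):
        problems.append("scan_objects contains an empty entry")
    return problems


def decide(metadata, finding_count):
    """Classify an upload as 'normal', 'archive', or 'no-archive'."""
    if finding_count > 0:
        return "normal", []  # the zero-vulnerability rule does not apply
    problems = archiving_problems(metadata)
    return ("archive" if not problems else "no-archive"), problems


if __name__ == "__main__":
    # Constructed sample metadata; the object value is a placeholder.
    samples = [
        {"scanner_name": "trivy", "scan_objects": ["constructed-object-1"]},
        {"scanner_name": "trivy"},
        {"scanner_name": " ", "scan_objects": []},
    ]
    for meta in samples:
        outcome, problems = decide(meta, finding_count=0)
        print(outcome, problems)
```

Failing a pipeline step on a no-archive result keeps findings that the scanner no longer reports from lingering in the inventory.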
Required metadata
To archive previously detected vulnerabilities or exposures, include the following metadata fields in the upload request:
| Metadata field | Required | Description |
|---|---|---|
| scanner_name | Yes | The name of the scanner used (for example, qualys, nessus, trivy, or checkmarx). |
| scan_objects | Yes | A list of scanned objects. The structure depends on the scan type: |