Security

Security tab, Issue List, SDK signals, and agent findings in the dashboard.

Security tab overview

Open any integration → Security. The tab combines SDK telemetry with ranked agent findings in one surface. TestingAI results stay on the TestingAI tab — they are filtered out of Security to avoid noise.

  • Summary — counts for Errors, Vulnerabilities, Performance and Instabilities (SDK + agent, deduplicated)
  • AI Solutions — select an issue and generate a fix with GitHub context
  • Issue List (SDK events) — unified list with filters, tags and severity overrides
Issue List (SDK events)

One list merges SDK engine items and agent issues (errors, vulns, slow LCP, instability). Duplicates are grouped; performance issues are split per route (e.g. / vs /integrations).

  • Category filters — All, Error, Vulnerability, Performance, Instability
  • Pattern chips — XSS, SQLi, Path Traversal, SSRF, and more
  • Tags — auto tags (category, signal, exploit) plus custom tags via + tag (saved in browser localStorage)
  • Severity — click the severity chip to cycle low → medium → high → critical (saved locally per integration)
  • View Fix — opens AI Solutions for that row (SDK row or matched agent issue)

Agent issues load when you open the integration (not only when you visit Security), so Overview counts stay in sync with the list.

Manual fix workflow (GitHub)
  1. Select an issue → View Fix
  2. AI generates a suggestion using repo context (Locate error when a file path is available)
  3. Review the diff → Commit Correction on GitHub (PRO, repo connected)

For autonomous runs, see Agent Autonomous.

What counts in Summary vs Overview

Security Summary and the Overview Security Issues card use the same unified stats (errors, vulns, performance, instabilities). Severity chips sum across all categories.

System Health on Overview is different by design: the 0–100 score compares the last 24h of telemetry (errors, vulns, load time) to the previous day. Issue counts in that card use the 7-day SDK + agent window. See the Dashboard Guide.

SDK security best practices
  • Use only the public Integration Code (never ship secrets)
  • Avoid sending PII in events (prefer identifiers)
  • Use HTTPS/TLS for all traffic
  • Sanitize user input in your app before it reaches sinks
Vulnerability signals

Sublyzer surfaces security-related signals (insecure headers, risky patterns, scanner findings). Build noise (e.g. CSP Missing on Next.js with HTTP headers, chunk 404s) is filtered automatically. Always validate findings before acting.

TestingAI vs Security

TestingAI exercises flows with headless browsers. Its User-Agent and injected events are excluded from the Security tab. Use TestingAI for UX/A11y and exploratory findings; use Security for production SDK + agent signal.

See: TestingAI Guide

Need help? Join our Discord.