For AI agents: The documentation index is at https://docs.digitalocean.com/llms.txt. Markdown versions of pages use the same URL with index.html.md in place of the HTML page (for example, append index.html.md to the directory path instead of opening the HTML document).

Cloud Security Posture Management (CSPM) identifies security issues in your environment as findings. Findings represent potential risks detected on your DigitalOcean resources and help you understand what needs attention, why it matters, and how to fix it.

What Is a Finding

A finding is created when a CSPM rule detects a potential security issue on a resource. Each finding includes the affected resource, the rule that triggered it, a severity level, a description of the issue, its business impact, and recommended remediation steps.

A single resource can have multiple findings if multiple rules apply to it. For example, a Droplet may have findings for missing backups, open SSH access, and no firewall, each evaluated independently.

How Findings Are Generated

Findings are generated during scans. When you run a scan, CSPM evaluates your resources against available rules and creates a finding for each detected misconfiguration or risk condition. Examples include a Droplet without a firewall, a database cluster exposed publicly without trusted sources configured, or a user account without multi-factor authentication enabled.

Findings remain visible until the issue is resolved or the finding is suppressed.

Severity Levels

Each finding is assigned a severity level based on the potential impact if the issue is not addressed. Severity helps you prioritize what to fix first.

Critical

Critical findings indicate immediate risk to security, data integrity, or cost. These typically involve unrestricted public write access, complete exposure of critical systems, or unauthenticated access to sensitive services. For example, a Spaces bucket that allows public write access, enabling anyone to modify or delete data.

High

High findings indicate a significantly increased likelihood of compromise or data exposure. These often involve public exposure of sensitive services, weak or missing access controls, or use of insecure or outdated systems. Examples include a database cluster that is publicly accessible without restricted sources, a Droplet running an unsupported operating system, or a domain with an overly permissive SPF configuration.

Medium

Medium findings introduce risk or reduce resilience but are less urgent. They typically relate to missing safeguards, operational gaps, or reduced visibility. Examples include a Droplet without backups enabled, a Droplet without monitoring enabled, or access keys shared across multiple resources.

Low

Low findings represent best practice improvements or minor configuration gaps. They do not typically create immediate risk but should be addressed over time as part of ongoing security hygiene.

Prioritize Findings

CSPM organizes findings by severity to help you focus on what matters most. A practical approach is:

1. Address Critical findings immediately.
2. Resolve High findings next.
3. Review Medium findings based on impact and environment.
4. Address Low findings as part of ongoing improvement.

Public exposure or authentication gaps should be addressed immediately, while missing backups or monitoring can be prioritized without requiring immediate action. Security Advisor can also help summarize and prioritize findings across your environment.

Findings Lifecycle

Findings follow a lifecycle: detected during a scan, reviewed in the security experience, and then resolved by fixing the underlying issue or suppressed if not applicable. Findings are re-evaluated each time a scan runs. If the issue is resolved, the finding no longer appears in future scan results. If the issue remains, the finding continues to appear.

Findings and Suppression

In some cases, a finding may not be relevant to your environment. You can suppress findings to remove them from your active view while keeping the underlying resource unchanged. Suppression does not fix the issue, and the resource continues to be evaluated in future scans.

For more details, see Suppression Behavior.