Scan Interpretation — nat ai explain
Quick use:

```bash
nat ai explain scan_001
```

What it does
nat ai explain takes a completed scan (or a specific finding) and explains it in plain English. Instead of raw CVSS scores and technical identifiers, you get:
- What the finding means in your specific context
- Why it matters — business impact and exploitability
- How to fix it — concrete remediation steps with code examples where applicable
- What to tell stakeholders — a non-technical summary
Command options
| Flag | Description | Default |
|---|---|---|
| `--scan-id` | The scan ID to explain (passed as the positional argument, as in the examples) | Required |
| `--finding-id` | Explain a single finding instead of the full scan | — |
| `--verbose` | Include full request/response evidence in the explanation | `false` |
| `--format` | Output format: `markdown`, `json`, `text` | `markdown` |
| `--diff` | Compare to a previous scan: `last` or a `<scan-id>` | — |
Example output
```bash
nat ai explain scan_001 --finding-id finding_003
```

## Finding: Broken Object Level Authorization (BOLA)
**Endpoint:** GET /api/v1/users/{id}
**Severity:** Critical | **Risk Score:** 94/100
### What happened
NAT made a request to GET /api/v1/users/2 using a token issued to user ID 1.
The API returned a 200 response with user 2's full profile data, including email,
phone number, and billing address.
### Why this matters
An attacker with any valid account can enumerate user IDs and retrieve the personal
data of every user in your system. This is a textbook BOLA vulnerability (OWASP API
Top 10: API1:2023). Given the sequential IDs, a determined attacker could harvest
a significant portion of the user database in a very short time with automated tooling.
### Business impact
- **Regulatory:** Likely violates GDPR Article 32 and CCPA data security obligations
- **Reputational:** Full user PII exposure if exploited
- **Financial:** Data breach notification costs, potential fines
### How to fix it
Validate that the authenticated user's ID matches the requested resource ID before
returning data. Example (Node.js / Express):
```js
// Ownership check: compare the ID from the validated token with the
// requested resource ID before returning any data.
const requestedId = parseInt(req.params.id, 10);
if (Number.isNaN(requestedId) || req.user.id !== requestedId) {
  return res.status(403).json({ error: 'Forbidden' });
}
```
For role-based access (admins can view any user), check the user's role before
bypassing the ownership check.
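The remediation above, carried through as an added example (not NAT's code and not code from the scanned application): the ownership-or-admin decision is factored into a function that is checked in front of the handler, so it cannot be forgotten per route, and the edge cases the three-line snippet glosses over are handled explicitly: a malformed `{id}`, a token whose `sub` is a string while the route parameter parses to a number, and a missing user object. The `authorizeUserRead`, `requireUserOwnership` and `simulate` names and the `{ id, role }` shape of `req.user` are assumptions for the example; the request/response objects are constructed doubles so it runs without Express.

```javascript
// Added example, not NAT's code: an ownership-or-admin check for
// GET /api/v1/users/{id}, written as a framework-agnostic decision function
// plus a thin Express-style middleware so it runs here without Express.

// Decide whether authUser may read the profile with ID requestedId.
// Returns { allowed: true } or { allowed: false, status, error }.
// Assumed shape: authUser.id is the ID from the validated token (a number or
// its decimal string form, e.g. a JWT `sub`); authUser.role is 'user' or 'admin'.
function authorizeUserRead(authUser, requestedId) {
  if (!authUser || !/^\d+$/.test(String(authUser.id))) {
    return { allowed: false, status: 401, error: 'Unauthenticated' };
  }
  // Reject malformed resource IDs before comparing: '2abc' passes parseInt()
  // but is not a valid ID, and a NaN must never reach the comparison.
  if (!/^\d+$/.test(String(requestedId))) {
    return { allowed: false, status: 400, error: 'Invalid user id' };
  }
  const self = Number(authUser.id);   // normalises '7' and 7 to the same value
  const target = Number(requestedId);
  // Ownership first; the admin role is the only way past it, and it is
  // checked explicitly rather than by skipping the ownership test.
  if (self === target || authUser.role === 'admin') {
    return { allowed: true };
  }
  return { allowed: false, status: 403, error: 'Forbidden' };
}

// Express-style middleware to mount in front of the user-profile handler.
function requireUserOwnership(req, res, next) {
  const decision = authorizeUserRead(req.user, req.params.id);
  if (!decision.allowed) {
    return res.status(decision.status).json({ error: decision.error });
  }
  return next();
}

// Constructed req/res doubles (not Express objects) so the middleware can be
// exercised offline; returns the status and body the client would receive.
function simulate(authUser, id) {
  const req = { user: authUser, params: { id } };
  const result = { status: 200, body: null };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
  };
  requireUserOwnership(req, res, () => { result.body = { profile: `user ${id}` }; });
  return result;
}

// The finding's reproduction step (token for user 1, request for user 2)
// now gets a 403 instead of user 2's profile.
console.log(simulate({ id: 1, role: 'user' }, '2'));
console.log(simulate({ id: 1, role: 'user' }, '1'));
console.log(simulate({ id: '7', role: 'admin' }, '2'));
console.log(simulate({ id: 1, role: 'user' }, '2abc'));
```

Mounting the middleware on the route (`app.get('/api/v1/users/:id', requireUserOwnership, handler)`) keeps the handler free of authorization logic; a re-scan should then show the BOLA finding as resolved, since the same cross-user request returns 403 rather than 200.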
### Non-technical summary
"Our API allows users to see other users' personal information. We need to add a
check so that users can only see their own data."

Regression context
When you pass `--diff last`, the explanation highlights what changed since the previous scan:

```bash
nat ai explain scan_002 --diff last
```

```text
✅ Resolved since scan_001: SQL injection on POST /api/v1/search
🆕 New since scan_001: Missing rate limiting on POST /api/v1/auth/login
↔️ Unchanged: BOLA on GET /api/v1/users/{id} (still open)
```

Use `--diff last` in your CI pipeline to make the explanation PR-comment-friendly: reviewers see only what changed, not the full scan history.
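The three-bucket comparison shown above, reimplemented as an added example (not NAT's code) of the CI usage the paragraph suggests: findings from the previous and current scan are keyed by issue class and endpoint rather than by per-scan finding ID, split into resolved / new / unchanged, and a gate fails the build only on new findings at or above a chosen severity, so a PR is not blocked by debt it did not introduce. The `{ type, method, path, severity }` finding shape, the function names and the severity ranking are assumptions for the example, not NAT's documented JSON schema; the two scan lists are constructed to mirror the scan_001 to scan_002 output.

```javascript
// Added example, not NAT's code: the resolved / new / unchanged classification
// behind `--diff`, reimplemented as a CI gate that blocks a PR only on findings
// it introduced. The assumed finding shape { type, method, path, severity } is
// illustrative; it is not NAT's documented JSON schema.

// Stable identity of a finding across scans: same issue class on the same
// endpoint. Per-scan finding IDs (finding_003) are deliberately not used,
// since they are not stable between runs.
function findingKey(f) {
  return `${f.type}|${f.method.toUpperCase()} ${f.path}`;
}

function diffScans(previous, current) {
  const prev = new Map(previous.map((f) => [findingKey(f), f]));
  const curr = new Map(current.map((f) => [findingKey(f), f]));
  return {
    resolved: [...prev.values()].filter((f) => !curr.has(findingKey(f))),
    added: [...curr.values()].filter((f) => !prev.has(findingKey(f))),
    unchanged: [...curr.values()].filter((f) => prev.has(findingKey(f))),
  };
}

// Severity ordering used by the gate; unknown severities rank lowest.
const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };
function rank(sev) { return SEVERITY_RANK[String(sev).toLowerCase()] || 0; }

// Policy: fail only on NEW findings at or above minSeverity. Pre-existing
// findings are still listed, but a PR that did not introduce them is not
// blocked by them.
function ciGate(diff, minSeverity = 'high') {
  const blocking = diff.added.filter((f) => rank(f.severity) >= rank(minSeverity));
  return { pass: blocking.length === 0, blocking };
}

// PR-comment text in the same three-bucket form the page shows.
function renderDiff(diff, previousScanId) {
  const line = (f) => `${f.type} on ${f.method.toUpperCase()} ${f.path}`;
  return [
    ...diff.resolved.map((f) => `Resolved since ${previousScanId}: ${line(f)}`),
    ...diff.added.map((f) => `New since ${previousScanId}: ${line(f)}`),
    ...diff.unchanged.map((f) => `Unchanged: ${line(f)} (still open)`),
  ].join('\n');
}

// Constructed sample data mirroring the scan_001 -> scan_002 example above.
const scan001 = [
  { type: 'SQL injection', method: 'POST', path: '/api/v1/search', severity: 'critical' },
  { type: 'BOLA', method: 'GET', path: '/api/v1/users/{id}', severity: 'critical' },
];
const scan002 = [
  { type: 'BOLA', method: 'GET', path: '/api/v1/users/{id}', severity: 'critical' },
  { type: 'Missing rate limiting', method: 'POST', path: '/api/v1/auth/login', severity: 'medium' },
];

const diff = diffScans(scan001, scan002);
console.log(renderDiff(diff, 'scan_001'));
console.log(ciGate(diff, 'high'));    // passes: the only new finding is medium
console.log(ciGate(diff, 'medium'));  // fails: the new rate-limiting finding is medium
```

The key deliberately uses the templated path the scanner reports (`/api/v1/users/{id}`) rather than the concrete URL probed, so the same issue found via `/users/2` and `/users/3` collapses to one entry; if the scanner output ever reports concrete paths, normalise them before keying or every ID enumerated will show up as a "new" finding.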