

# Amazon Inspector finding types
<a name="findings-types"></a>

 This section describes the different finding types in Amazon Inspector. 

**Topics**
+ [Package vulnerability](#findings-types-package)
+ [Code vulnerability](#findings-types-code)

## Package vulnerability
<a name="findings-types-package"></a>

Package vulnerability findings identify software packages in your Amazon environment that are exposed to Common Vulnerabilities and Exposures (CVEs). Attackers can exploit these unpatched vulnerabilities to compromise the confidentiality, integrity, or availability of data, or to access other systems. The CVE system is a reference method for publicly known information security vulnerabilities and exposures. For more information, see [https://www.cve.org/](https://www.cve.org/). 

Amazon Inspector can generate package vulnerability findings for EC2 instances, ECR container images, and Lambda functions. Package vulnerability findings include details that are unique to this type of finding. These details are the [Inspector score and vulnerability intelligence](findings-understanding-score.md).

For Windows EC2 instances, package vulnerability findings can be identified by Microsoft Knowledge Base (KB) IDs instead of individual CVEs. If a KB update addresses one or more CVEs, Amazon Inspector reports a single KB finding, for example `KB5023697`, instead of a separate finding for each CVE. A KB finding specifies the highest CVSS score, EPSS score, and exploit availability across all constituent CVEs.
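The roll-up described above can be sketched as follows. This is an added example, not Amazon Inspector's code: the record layout, the function names, the placeholder CVE IDs and the scores are all constructed for illustration, and treating an exploit as available when any constituent CVE has one is an assumption. It shows that the CVSS and EPSS values on one KB finding can come from different CVEs.

```python
from collections import defaultdict

# Constructed sample data: placeholder CVE IDs and made-up scores, not real advisories.
# Field names are hypothetical and are not the Amazon Inspector finding schema.
CVE_RECORDS = [
    {"kb": "KB5023697", "cve": "CVE-0000-0001", "cvss": 9.8, "epss": 0.02, "exploit": False},
    {"kb": "KB5023697", "cve": "CVE-0000-0002", "cvss": 7.5, "epss": 0.61, "exploit": True},
    {"kb": "KB5023697", "cve": "CVE-0000-0003", "cvss": 5.4, "epss": 0.01, "exploit": False},
    {"kb": "KB0000000", "cve": "CVE-0000-0004", "cvss": 6.1, "epss": 0.03, "exploit": False},
]


def roll_up_by_kb(records):
    """Collapse per-CVE records into one finding per KB ID."""
    grouped = defaultdict(list)
    for rec in records:
        grouped[rec["kb"]].append(rec)

    findings = {}
    for kb, cves in grouped.items():
        # Each metric is maximised independently across the KB's CVEs.
        top_cvss = max(cves, key=lambda r: r["cvss"])
        top_epss = max(cves, key=lambda r: r["epss"])
        findings[kb] = {
            "kb": kb,
            "cve_count": len(cves),
            "cvss": top_cvss["cvss"],
            "cvss_source": top_cvss["cve"],
            "epss": top_epss["epss"],
            "epss_source": top_epss["cve"],
            # Assumption: exploit is reported as available if any CVE has one.
            "exploit": any(r["exploit"] for r in cves),
        }
    return findings


def mixed_source(finding):
    """True when the highest CVSS and highest EPSS come from different CVEs."""
    return finding["cvss_source"] != finding["epss_source"]


if __name__ == "__main__":
    for f in roll_up_by_kb(CVE_RECORDS).values():
        label = "mixed sources" if mixed_source(f) else "single source"
        print(f["kb"], f["cve_count"], f["cvss"], f["epss"], f["exploit"], label)
```

When triaging a KB finding, read its scores as the worst case across the update rather than as a description of any single CVE.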

## Code vulnerability
<a name="findings-types-code"></a>

 Code vulnerability findings help identify lines of code that can be exploited. Code vulnerabilities include missing encryption, data leaks, injection flaws, and weak cryptography. Amazon Inspector generates code vulnerability findings through [Lambda function scanning](https://docs.amazonaws.cn/inspector/latest/user/scanning-lambda.html) and its [Code Security](https://docs.amazonaws.cn/inspector/latest/user/code-security-assessments.html) feature. 

Amazon Inspector evaluates Lambda function application code using automated reasoning and machine learning, analyzing it for overall security compliance. It identifies policy violations and vulnerabilities based on internal detectors developed in collaboration with Amazon Q. For a list of possible detections, see [Amazon Q Detector Library](https://docs.amazonaws.cn/amazonq/detector-library/).

 Code scanning captures snippets of code to highlight detected vulnerabilities. For example, a code snippet might show hardcoded credentials or other sensitive materials in plaintext. Amazon Q stores code snippets associated with code vulnerabilities. By default, your code is encrypted with an [Amazon owned key](https://docs.amazonaws.cn/kms/latest/developerguide/concepts.html#aws-owned-cmk). However, you can create a customer managed key to encrypt your code if you want more control over this information. For more information, see [Encryption at rest for code in your findings](encryption-rest.md#encryption-code-snippets). 

**Note**  
 The delegated administrator for an organization cannot view code snippets that belong to member accounts. 