Type Alias SecurityOutput 

pub type SecurityOutput = SecurityOutput<SecurityOutputConfig, SecurityGate>;

Aliased Type§

pub struct SecurityOutput {
    pub schema_version: SecuritySchemaVersion,
    pub version: ToolVersion,
    pub elapsed_ms: ElapsedMs,
    pub config: SecurityOutputConfig<Severity>,
    pub meta: Option<Meta>,
    pub gate: Option<SecurityGate<SecurityGateMode>>,
    pub security_findings: Vec<SecurityFinding>,
    pub attack_surface: Option<Vec<SecurityAttackSurfaceEntry>>,
    pub unresolved_edge_files: usize,
    pub unresolved_callee_sites: usize,
    pub unresolved_callee_diagnostics: Option<SecurityUnresolvedCalleeDiagnostics>,
}

Fields§

§schema_version: SecuritySchemaVersion

Schema version of this envelope.

§version: ToolVersion

Fallow CLI version that produced this output.

§elapsed_ms: ElapsedMs

Wall-clock milliseconds spent producing the report.

§config: SecurityOutputConfig<Severity>

Privacy-safe config context relevant to security candidate generation.

§meta: Option<Meta>

Security-specific rule and field metadata, emitted with --explain.

§gate: Option<SecurityGate<SecurityGateMode>>

Gate verdict, present only when --gate <mode> was set (issue #886). Emitted on pass too (verdict: "pass", new_count: 0) so that consumers can distinguish “gate ran and passed” from “gate did not run” (field absent).

§security_findings: Vec<SecurityFinding>

Security candidates. Paths are relative to the project root and use forward slashes.

§attack_surface: Option<Vec<SecurityAttackSurfaceEntry>>

Opt-in attack-surface inventory from untrusted entry points to reachable sinks. Present only when --surface was requested.

§unresolved_edge_files: usize

In-band blind spot: number of "use client" files whose transitive import cone contains a dynamic import() the reachability BFS could not follow. A leak hidden behind such an edge would not be reported, so a zero finding count with a non-zero value here is NOT a clean bill.

§unresolved_callee_sites: usize

In-band blind spot: number of sink-shaped nodes the catalogue detector could not flatten to a static callee path (dynamic dispatch, computed members, aliased bindings). A zero finding count with a non-zero value here is NOT a clean bill.

§unresolved_callee_diagnostics: Option<SecurityUnresolvedCalleeDiagnostics>

Bounded diagnostics for unresolved callee blind spots.
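
A consumer-side reading of the gate and blind-spot fields described above, as an added example that is not Fallow's own code. `GateView`, `ReportView`, `Assessment` and `assess` are hypothetical simplified stand-ins for the real types, and the verdict is assumed to be comparable as a string.

```rust
// Added example: hypothetical stand-ins for the documented fields, not the Fallow API.
// Assumption: the gate verdict can be compared as a plain string.
#[derive(Debug, PartialEq)]
pub enum Assessment {
    GateFailed { new_count: usize },
    Findings(usize),
    Inconclusive { edge_files: usize, callee_sites: usize },
    Clean { gate_ran: bool },
}

pub struct GateView {
    pub verdict: String,
    pub new_count: usize,
}

pub struct ReportView {
    pub gate: Option<GateView>, // None = --gate was not set
    pub findings: usize,        // security_findings.len()
    pub unresolved_edge_files: usize,
    pub unresolved_callee_sites: usize,
}

pub fn assess(r: &ReportView) -> Assessment {
    // A present gate with any verdict other than "pass" blocks outright.
    if let Some(g) = &r.gate {
        if g.verdict != "pass" {
            return Assessment::GateFailed { new_count: g.new_count };
        }
    }
    if r.findings > 0 {
        return Assessment::Findings(r.findings);
    }
    // Zero findings plus a non-zero blind-spot counter is not a clean result.
    if r.unresolved_edge_files > 0 || r.unresolved_callee_sites > 0 {
        return Assessment::Inconclusive {
            edge_files: r.unresolved_edge_files,
            callee_sites: r.unresolved_callee_sites,
        };
    }
    // An absent gate means it did not run, which is weaker than a pass.
    Assessment::Clean { gate_ran: r.gate.is_some() }
}

fn main() {
    // Constructed sample: gate passed, no findings, two unresolved callee sites.
    let gate = Some(GateView { verdict: "pass".to_string(), new_count: 0 });
    let r = ReportView { gate, findings: 0, unresolved_edge_files: 0, unresolved_callee_sites: 2 };
    println!("{:?}", assess(&r));
}
```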