Skip to main content

Module security

Module security 

Source
Expand description

fallow security command: opt-in local security-candidate surface.

Ships the graph-structural client-server-leak rule plus the data-driven tainted-sink catalogue (one TaintedSink kind covering every CWE category in security_matchers.toml). Findings are CANDIDATES for downstream agent verification, NOT verified vulnerabilities. This command is the ONLY surface for security findings: they never appear under bare fallow or the audit gate. There is no confidence or signal_strength field; structural traces and reachability context are the only honest signals.

Structs§

SecurityBlindSpotFile
One file inside a blind-spot group.
SecurityBlindSpotGroup
One actionable blind-spot group.
SecurityBlindSpotsOutput
The fallow security blind-spots --format json envelope.
SecurityBlindSpotsSummary
Aggregate counts for blind-spot output.
SecurityOptions
Options for fallow security, mirroring the global CLI flags it honors.
SecuritySurvivor
One verifier-retained candidate row.
SecuritySurvivorsOptions
Options for fallow security survivors.
SecuritySurvivorsOutput
The fallow security survivors --format json envelope.
SecuritySurvivorsSummary
Aggregate counts for survivor rendering.
SecurityUnresolvedCalleeDiagnostics
Bounded unresolved-callee diagnostics for fallow security --format json.
SecurityUnresolvedCalleeReasonCount
Count of unresolved callees for one reason.
SecurityUnresolvedCalleeSample
One sampled unresolved-callee row.
SecurityUnresolvedCalleeTopFile
Count of unresolved callees in one file.
SecurityVerifierVerdict
One supported verifier verdict input row.

Enums§

SecurityBlindSpotsSchemaVersion
The fallow security blind-spots --format json schema version.
SecurityGateArg
CLI parser mode for fallow security --gate <mode>.
SecurityGateMode
Gate mode for fallow security --gate <mode>.
SecurityGateVerdict
Gate verdict on the wire. fail is the CI-state token; human output renders it as “REVIEW REQUIRED” because these stay unverified candidates, never confirmed vulnerabilities.
SecuritySchemaVersion
The fallow security --format json schema version. Independently versioned from the main contract, mirroring ImpactReportSchemaVersion.
SecuritySurvivorsSchemaVersion
The fallow security survivors --format json schema version.
SecurityVerifierVerdictStatus
Verifier verdict status accepted by fallow security survivors.

Functions§

render_blind_spots_json
render_human
Human output. Frames findings as candidates and states the next human action per finding; surfaces the unresolved-edge blind spot as a counted line.
render_json
JSON: the SecurityOutput envelope, pretty-printed.
render_json_summary
JSON summary: compact aggregate payload without per-finding arrays.
render_survivors_json
run
Run fallow security. Always exits 0 unless the user explicitly raised the security-client-server-leak rule to error AND findings exist (the rule defaults to off and the command forces it to warn, so the common case is advisory). Unsupported output formats exit 2.
run_blind_spots
Run fallow security blind-spots.
run_survivors
Run fallow security survivors.

Type Aliases§

SecurityGate
SecurityOutput
SecurityOutputConfig
SecurityOutputRulesConfig
SecurityRuleSeverityConfig