Struct SecurityFinding 

pub struct SecurityFinding {

    pub finding_id: String,
    pub kind: SecurityFindingKind,
    pub category: Option<String>,
    pub cwe: Option<u32>,
    pub path: PathBuf,
    pub line: u32,
    pub col: u32,
    pub evidence: String,
    pub source_backed: bool,
    pub trace: Vec<TraceHop>,
    pub actions: Vec<IssueAction>,
    pub dead_code: Option<SecurityDeadCodeContext>,
    pub reachability: Option<SecurityReachability>,
    pub candidate: SecurityCandidate,
    pub taint_flow: Option<SecurityTaintFlow>,
    pub runtime: Option<SecurityRuntimeContext>,
    pub attack_surface: Option<SecurityAttackSurfaceEntry>,
}

A local security CANDIDATE for downstream agent verification, NOT a verified vulnerability. Emitted only by fallow security, never under bare fallow or the audit gate. There is deliberately no confidence or signal_strength field: fallow does not prove exploitability, so the trace (its hops and length) is the only honest signal.

Fields

finding_id: String

Stable per-finding correlation id, identical across runs for the same rule + anchor path + line. An autonomous agent that triaged this candidate on a prior run uses it to correlate the candidate after a rebase. Equal to the SARIF partialFingerprints value for the same finding (one shared helper computes both).

kind: SecurityFindingKind

The rule that produced this candidate.

category: Option<String>

The catalogue category id (e.g. "dangerous-html"). None for ClientServerLeak; Some for TaintedSink.

cwe: Option<u32>

The CWE number declared by the matched catalogue entry. None for ClientServerLeak; never fabricated beyond the catalogue’s value.

path: PathBuf

File the finding is anchored on (the client boundary). Absolute internally; JSON strips the project root via serde_path::serialize.

line: u32

1-based line number of the anchor.

col: u32

0-based byte column offset of the anchor.

evidence: String

Agent/human-readable evidence (e.g. the named env var the chain reaches).

source_backed: bool

Whether the sink argument was associated with a known untrusted source by the intra-module source-to-sink back-trace (issue #859): a local binding referenced in the argument was sourced from a catalogue source path (req.query, process.argv, message-event data, etc.). true ranks the candidate higher and annotates the evidence; false does NOT suppress the finding (the association is conservative, never a proof, and fallow prefers false-negatives over false-positives). Always false for ClientServerLeak. Skipped from JSON when false for output stability.

trace: Vec<TraceHop>

Structural import-hop trace from the client boundary to the secret source. The hop count is the uncalibrated signal; fallow does not prove the path is exploitable.

actions: Vec<IssueAction>

Machine-actionable next steps. Always emitted (possibly empty for forward-compat). For security candidates this is a single file-level suppress hint (auto_fixable: false); there is no auto-fix because verification is the agent’s job, not fallow’s.

dead_code: Option<SecurityDeadCodeContext>

Dead-code cross-link when the same sink candidate sits in code fallow also reports as removable. Agents should verify the dead-code finding and delete the code instead of hardening the sink when deletion is safe.

reachability: Option<SecurityReachability>

Graph-derived reachability ranking signal (issues #860 and #885). None until the post-detection ranking pass fills it; additive on the wire (skipped when absent). Drives the order findings are emitted in: runtime-reachable candidates sort first, followed by source-backed and source-reachable candidates, then wider blast radius.

candidate: SecurityCandidate

Agent-actionable candidate record: the untrusted input kind, the sink, and the boundary the flow crosses. fallow fills these three slots; the exploitability verdict is the agent’s job and is not a field here. Always present.

taint_flow: Option<SecurityTaintFlow>

Source-to-sink taint-flow triple, present only when an untrusted source is import-reachable to this sink. Absent (skipped) otherwise.

runtime: Option<SecurityRuntimeContext>

Production runtime coverage context for the function enclosing this security sink. Present only when fallow security --runtime-coverage runs and the candidate is a tainted-sink.

attack_surface: Option<SecurityAttackSurfaceEntry>

Internal projection used by fallow security --surface. The CLI strips this from per-finding JSON and promotes it to the top-level attack_surface field only when requested.

Trait Implementations

impl Clone for SecurityFinding

fn clone(&self) -> SecurityFinding

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for SecurityFinding

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Serialize for SecurityFinding

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.