pub struct FindingExtras {
pub finding_group_id: Option<String>,
pub time_to_fix: Option<FixEffort>,
pub compensating_controls: Vec<String>,
pub suppressed: bool,
pub original_severity: Option<Severity>,
pub suppression_reason: Option<String>,
pub fingerprint_anchor: Option<String>,
pub confidence_scope: Option<String>,
pub runtime_preconditions: Vec<String>,
pub portal_control_dependency: bool,
pub authority_kinds: Vec<String>,
pub attacker_surface_kinds: Vec<String>,
pub template_resolution_strength: Option<String>,
pub cve_relationship: Option<String>,
}

Optional finding metadata. Lives on every Finding via
#[serde(flatten)] so consumers see the fields at the top of the
finding object — same place they’d appear if declared inline on
Finding. Default-constructed extras serialize to nothing (all
Option::None and empty Vecs skip-serialize), so existing
snapshots remain byte-stable until a rule populates a field.
Why a wrapper struct? The 30+ rule call sites use struct
literal syntax, so adding fields directly to Finding would force
an edit at every site. With extras: FindingExtras::default() at
each site, a new extra is added in a single place.
Fields

finding_group_id: Option<String>
Stable UUID v5 over (NAMESPACE, fingerprint). Collapses the
per-hop findings against the same authority root into one group
for SIEM display. See compute_finding_group_id.

time_to_fix: Option<FixEffort>
Coarse remediation effort. See FixEffort.

compensating_controls: Vec<String>
Human-readable list of controls that already neutralise (or
partially neutralise) this finding. Populated when a
compensating-control detector downgrades severity; empty when no
downgrade was applied.

suppressed: bool
Set to true by the suppression applicator when a matching
.taudit-suppressions.yml entry exists AND the configured mode
is Suppress. The finding still appears in output (audit trail
preserved) but consumers can filter on this field.

original_severity: Option<Severity>
Original pre-downgrade severity. Populated by the suppression
applicator OR a compensating-control detector when severity
is mutated. None means the current severity is the rule-emitted
value.

suppression_reason: Option<String>
Operator-supplied justification from the matching suppression
entry. None when no suppression applies.

fingerprint_anchor: Option<String>
Per-finding stable anchor mixed into the fingerprint canonical
string. Populated by rules that have no natural graph node to
place in nodes_involved (e.g. ADO resources.repositories[]
aliases, GitLab include: entries, workflow-level invariants).
When two findings of the same rule fire in the same file, their
anchors must differ for the fingerprints to differ.
Round-trips through JSON so external tools that recompute
fingerprints from loaded findings get the same value as the
emitting taudit run. None (the default) and Some("") are the
same equivalence class: both contribute the empty marker to the
canonical string.

confidence_scope: Option<String>
Scope of confidence for this finding. Current built-in rules are
yaml_only: taudit has proved a static authority shape in the scanned
YAML artifact, but runtime/provider settings may still affect
exploitability.

runtime_preconditions: Vec<String>
Human-readable runtime or control-plane assumptions that must be
verified before treating the static finding as live exploitability.

portal_control_dependency: bool
True when exploitability materially depends on provider-side
controls not represented in the YAML artifact, such as Azure DevOps
service connection authorization or GitHub repository settings.

authority_kinds: Vec<String>
Coarse authority kinds involved in the finding: e.g. job_token,
oidc_identity, service_connection, variable_group,
credential_named_variable, artifact, or image.

attacker_surface_kinds: Vec<String>
Coarse attacker-influenced surfaces involved in the finding: e.g.
untrusted_checkout, script_sink, mutable_dependency_ref,
reusable_workflow_boundary, or self_hosted_runner.

template_resolution_strength: Option<String>
Template/reusable-workflow resolution strength for delegation
findings: resolved, partial, opaque, or not_applicable.

cve_relationship: Option<String>
Relationship between this finding and any cited CVE/advisory:
same_primitive, same_authority_shape, analogue_only, or
not_applicable.
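The audit-trail contract spread over suppressed, original_severity, suppression_reason and compensating_controls is easy to get subtly wrong when two mutators touch the same finding. The following is an added example, not taudit's own applicator code: a cut-down mirror of those four fields plus a suppression applicator and a compensating-control downgrade written to the documented rules. Severity, Finding, SuppressionEntry and the Downgrade mode are assumed shapes for the illustration (only the Suppress mode is named above); the rule id and reason strings are constructed.

```rust
// Added example; not taudit's own code. Assumed shapes: Severity, Finding,
// SuppressionEntry, and a Downgrade suppression mode (only Suppress is
// documented). The invariant shown: a finding is never dropped, and
// original_severity is written exactly once, on the first real downgrade.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Severity {
    Low,
    Medium,
    High,
    Critical,
}

/// Subset of FindingExtras: the fields the applicators mutate.
#[derive(Clone, Debug, Default, PartialEq, Eq)]
pub struct FindingExtras {
    pub compensating_controls: Vec<String>,
    pub suppressed: bool,
    pub original_severity: Option<Severity>,
    pub suppression_reason: Option<String>,
}

#[derive(Clone, Debug)]
pub struct Finding {
    pub rule_id: String,
    pub severity: Severity,
    pub extras: FindingExtras,
}

/// Assumed shape of a .taudit-suppressions.yml entry. `Downgrade` is an
/// assumption of this example, used to exercise the "suppression applicator
/// mutates severity" path the field docs mention.
#[derive(Clone, Copy, Debug)]
pub enum SuppressionMode {
    Suppress,
    Downgrade(Severity),
}

pub struct SuppressionEntry<'a> {
    pub rule_id: &'a str,
    pub reason: &'a str,
    pub mode: SuppressionMode,
}

/// Record the rule-emitted severity the first time it is about to change.
/// A later downgrade must not overwrite it, or consumers would see an
/// intermediate value instead of what the rule actually emitted.
fn downgrade_to(f: &mut Finding, to: Severity) {
    if to < f.severity {
        if f.extras.original_severity.is_none() {
            f.extras.original_severity = Some(f.severity);
        }
        f.severity = to;
    }
}

/// Returns true when the entry matched. The finding stays in the output:
/// `suppressed` is a flag consumers filter on, so the audit trail survives.
pub fn apply_suppression(f: &mut Finding, entry: &SuppressionEntry) -> bool {
    if entry.rule_id != f.rule_id.as_str() {
        return false;
    }
    f.extras.suppression_reason = Some(entry.reason.to_string());
    match entry.mode {
        SuppressionMode::Suppress => f.extras.suppressed = true,
        SuppressionMode::Downgrade(to) => downgrade_to(f, to),
    }
    true
}

/// A compensating-control detector records the control it found; severity
/// and original_severity move only when the control actually lowers it.
pub fn apply_compensating_control(f: &mut Finding, control: &str, to: Severity) {
    f.extras.compensating_controls.push(control.to_string());
    downgrade_to(f, to);
}

/// What the rule emitted, whether or not it has since been mutated.
pub fn rule_emitted_severity(f: &Finding) -> Severity {
    f.extras.original_severity.unwrap_or(f.severity)
}

/// Constructed walk-through: one High finding, downgraded by a control,
/// then matched by a Suppress-mode entry.
pub fn demo() -> Finding {
    let mut f = Finding {
        rule_id: "example-rule".to_string(),
        severity: Severity::High,
        extras: FindingExtras::default(),
    };
    apply_compensating_control(&mut f, "service connection requires pipeline approval", Severity::Medium);
    let entry = SuppressionEntry {
        rule_id: "example-rule",
        reason: "accepted risk for the migration window",
        mode: SuppressionMode::Suppress,
    };
    apply_suppression(&mut f, &entry);
    f
}

fn main() {
    let f = demo();
    println!("{:?} (rule emitted {:?})", f, rule_emitted_severity(&f));
}
```

The set-once rule in downgrade_to is the point worth checking in any real applicator: if a compensating control downgrades High to Medium and a suppression entry then downgrades to Low, original_severity must still read High, and a consumer that filters on suppressed must still see the finding.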
Implementations

impl FindingExtras

pub fn with_anchor(anchor: impl Into<String>) -> FindingExtras
Convenience constructor for the common case of "default extras
plus a per-finding fingerprint anchor". Used by rules whose
emission sites have no natural graph-node anchor and need the
anchor to discriminate multiple findings of the same rule in one
file (see compute_fingerprint v3 contract).

pub fn with_confidence_scope(scope: impl Into<String>) -> FindingExtras
Convenience constructor for report-facing metadata that is not a
fingerprint anchor. Keeps rule call sites additive rather than
forcing every built-in rule to hand-populate publication context.
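To make the fingerprint_anchor contract concrete (None and Some("") as one equivalence class; distinct anchors for two findings of one rule in one file), here is an added example that is not taudit's compute_fingerprint: a stand-in canonical string and hash that honour those two rules and show the collision that with_anchor exists to prevent. The component set (rule id, file, sorted nodes_involved, anchor), the length-prefixed layout and the use of FNV-1a (chosen only because its value is stable across Rust versions) are assumptions of this example, not the v3 contract; the ADO file name and alias anchors are constructed.

```rust
// Added example; not taudit's compute_fingerprint. Assumed: the components
// fingerprinted, the length-prefixed canonical layout, and FNV-1a as the
// hash. What is taken from the field docs: the anchor equivalence class and
// the requirement that same-rule, same-file findings differ by anchor.
#[derive(Clone, Debug, Default, PartialEq, Eq)]
pub struct FindingExtras {
    pub fingerprint_anchor: Option<String>,
}

impl FindingExtras {
    /// Mirrors the documented convenience constructor.
    pub fn with_anchor(anchor: impl Into<String>) -> FindingExtras {
        FindingExtras { fingerprint_anchor: Some(anchor.into()) }
    }
}

/// The inputs this stand-in fingerprint covers (assumed set).
pub struct FindingKey<'a> {
    pub rule_id: &'a str,
    pub file: &'a str,
    pub nodes_involved: &'a [&'a str],
    pub extras: &'a FindingExtras,
}

/// None and Some("") both contribute the empty marker.
pub fn anchor_marker(extras: &FindingExtras) -> &str {
    extras.fingerprint_anchor.as_deref().unwrap_or("")
}

/// Length-prefixed, separator-delimited components. The prefix stops
/// "ab"+"c" and "a"+"bc" from producing the same string, and sorting the
/// nodes stops emission order from changing the value.
pub fn canonical_string(k: &FindingKey) -> String {
    let mut nodes: Vec<&str> = k.nodes_involved.to_vec();
    nodes.sort_unstable();
    let joined = nodes.join("\u{1f}");
    let mut out = String::new();
    for part in [k.rule_id, k.file, joined.as_str(), anchor_marker(k.extras)] {
        out.push_str(&format!("{}:{}|", part.len(), part));
    }
    out
}

/// 64-bit FNV-1a over the canonical string, rendered as hex.
pub fn fingerprint(k: &FindingKey) -> String {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for b in canonical_string(k).bytes() {
        h ^= u64::from(b);
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    format!("{h:016x}")
}

fn main() {
    // Constructed ADO case: two resources.repositories[] aliases in one file
    // trip the same rule. Without anchors both findings share a fingerprint
    // and would dedupe into one; with_anchor keeps them apart.
    let file = "azure-pipelines.yml";
    let unanchored = FindingExtras::default();
    let templates = FindingExtras::with_anchor("repositories/templates");
    let shared = FindingExtras::with_anchor("repositories/shared");
    for (label, extras) in [("none", &unanchored), ("templates", &templates), ("shared", &shared)] {
        let key = FindingKey { rule_id: "example-rule", file, nodes_involved: &[], extras };
        println!("{label:>9}: {}", fingerprint(&key));
    }
}
```

Because the anchor is part of the canonical string and round-trips through JSON, an external tool recomputing fingerprints must apply the same None/Some("") collapse; treating Some("") as a distinct marker would silently change every fingerprint for anchored findings.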
Trait Implementations

impl Clone for FindingExtras

fn clone(&self) -> FindingExtras

fn clone_from(&mut self, source: &Self)