Glossary
Audience: anyone reading Gadriel Code output, docs, or findings.json
who wants a single, precise definition of a term and a pointer to the page
that covers it in full.
Terms are alphabetized ignoring a leading dot (.gadriel.toml sorts under
G, .security/ under S). Each entry gives a one-to-three-sentence
definition and a cross-link to the authoritative page.
A
Amplifier — A context multiplier applied to a finding's base risk during
scoring. There are 18 conditions across three categories (standard/AST, graph,
and SCA-specific); a value > 1.0 raises risk (e.g. SimulationConfirmed
1.8×) and a damper < 1.0 lowers it (e.g. TransitiveDependency 0.8×).
See Scoring & Verdicts §2.
C
"Code never leaves the machine" — Gadriel Code's hard, non-negotiable privacy boundary: all scanning, dependency-graph construction, and secret detection run locally, and source content is never uploaded. The only outbound calls are explicitly enumerated (OSV snapshot sync, license check), and shipping a source excerpt to an AI model requires per-invocation consent. See Privacy.
Confidence tier — A High / Medium / Low label answering how sure the
engine is that a finding is real — a separate axis from severity (how bad if
real). It is derived deterministically from the evidence the rule matched
(taint flow, import gate, entropy gate, …), never from an LLM, so the same
finding always gets the same tier.
See False Positives §1.
Coverage status (GREEN / DEGRADED) — An annotation, independent of the
verdict, describing whether the analysis was complete. GREEN means every
applicable analysis ran; DEGRADED means some could not (e.g. the OSV snapshot
was absent, so CVE detection was skipped), so the score reflects less than the
full picture. It is additive — a PASS on a DEGRADED scan means "passed what we
were able to check."
See Scoring & Verdicts §7.
D
Dominating guard — A bound-check or validation that lies on every control path reaching a sink, so the sink can never be exercised without it. When Gadriel recognizes a dominating guard (or a known sanitizer) ahead of a sink, the taint finding is suppressed as provably safe — one of the engine-level FP-prevention gates. See False Positives §6.
E
Effective risk — The severity discounted by confidence
(severity_base × confidence_weight), then banded — the number a human should
actually triage on. Confidence can only lower the band, never inflate it, and
a High/Critical-severity finding at Low confidence is stamped unverified so
UIs render an UNVERIFIED badge rather than a false alarm.
See False Positives §2.
Eight-pillar scoring — The scoring framework that rolls every finding up into eight weighted pillars — Security (0.20), Compliance (0.20), Safety (0.15), Operational (0.15), FinOps (0.10), Coherence (0.10), Teamwork (0.05), Bias (0.05) — and renormalizes over the pillars actually evaluated to produce the overall 0–10 score and verdict. See Scoring & Verdicts §5.
Execution layer (L1–L4) — The four points in the development lifecycle
where a scan runs, each with its own trigger, output, and blocking behavior:
L1 Watch (file-save, non-blocking), L2 Pre-Commit (git commit, blocks
on --fail-on), L3 Pull Request (PR comment), L4 CI/CD (full artifact
set on merge).
See Execution Layers.
F
Finding ID — The identifier every code-layer finding carries, following the
grammar CODE-W[1-8]-[SCAN]-[NNN]: the W1–W8 pillar segment, a scan-type
code (L1–L9, AI, SCA, SECRET, CONFIG, CONTAINER, API, …), and a
three-digit sequence scoped to that pillar × scan-type pair. Example:
CODE-W1-L3-017 is the 7th-plus Security-pillar SAST-injection rule.
See Scan Coverage and
Reports §Finding id format.
G
.gadriel.toml — The version-controlled, per-repo configuration file
written by gadriel code init. It holds [scan], [report], [tier2], and
related sections — default --fail-on thresholds, the Tier-2 opt-in, the
corroborate toggle — with per-user overrides in ~/.gadriel/config.toml.
See Configuration.
Gadriel Scoring Model — Gadriel's deterministic, mathematics-based
risk-scoring methodology. It defines the bottom-up pipeline that turns raw
matches into a verdict: per-finding risk (base severity × amplifiers × confidence, capped at 15) → per-pillar score (10 − weighted mean of risk,
0–10, higher is better) → overall score (weighted mean across the 8 pillars) →
verdict (PASS 9.0–10 / PARTIAL 6.0–8.9 / FAIL 0–5.9). It is fully
reproducible — the same inputs always yield the same score, with no
randomness and no LLM in the decision path — and it is shared across Gadriel
products, so a code verdict and a runtime verdict mean exactly the same thing.
In a GVL rule the risk_score block declares the rule's base and
amplifiers under this model.
See Scoring & Verdicts.
GVL (Gadriel Validation Language) — The single machine-readable rule format
that defines every check across the 6 scan-types × 8 pillars × 4 layers matrix. SAST/Config/Secrets rules ship as GVL policies in the
gadriel-code-policies repository, so detection coverage grows with the policy
bundle rather than the binary.
See Scan Coverage.
M
MCP (Model Context Protocol) — The JSON-RPC 2.0-over-stdio server Gadriel
ships so AI coding assistants (Claude Code and others) can read findings and
drive fixes locally. It is also the transport by which Tier-2 borrows the host
assistant's LLM (validate_file / submit_ai_findings).
See AI Coding Integration.
O
OCSF (Open Cybersecurity Schema Framework) — The industry-standard finding
schema that findings.json is aligned to. Gadriel wraps its typed findings in
an OCSF-style envelope (OcsfReport, schema 1.1.0) carrying scan metadata,
scores, and coverage, so downstream tooling can consume results without a
Gadriel-specific parser.
See Reports §The canonical findings.json.
OSV — The Open Source Vulnerabilities database, the CVE source for SCA and
container base-image analysis (Gadriel uses OSV, not NVD). It is synced
wholesale as a local snapshot — there are no per-finding outbound queries — and
an absent snapshot forces coverage DEGRADED.
See Scan Coverage §SCA.
P
Pillar (W1–W8) — The eight axes answering why a finding matters, mapping
to the W segment of the finding ID: W1 Security, W2 Compliance, W3
Safety, W4 Operational, W5 FinOps, W6 Coherence, W7 Teamwork,
W8 Bias. Any scan type can emit findings under any pillar.
See Scan Coverage §The eight pillars.
Provenance (source provenance) — The trust tier of a taint origin, used to
decide whether "attacker-controlled input reaches a sink" is really
attacker-controlled: Remote (recv, HTTP request.* — the real threat),
LocalCli (argv, stdin), Env (getenv), Filesystem (file
contents), Const (literals — never tainted). A source outside a rule's
declared fire set is demoted out of the gate.
See False Positives §3.
R
Reachability — Whether a vulnerable function is actually reached from an entry point via the call graph. For SCA this turns "you depend on a vulnerable package" into "you actually call the vulnerable function," and it is recall-preserving: a finding is suppressed only when proven unreachable — "reachability unknown" never suppresses. See Scan Coverage §SCA and False Positives §6.
RVF store — The .security/store/*.rvf operational data store: binary
RuVector-format files holding the longitudinal state (scan runs, findings
history, per-pillar timeseries, coverage matrix, dependency graph, fix
outcomes, audit embeddings) that powers trends, drift, and semantic audit
search across scans. Inspect it with gadriel code store list / store verify.
See Reports §The RVF operational data store.
S
Sanitizer — A function or construct that neutralizes tainted data before it
reaches a sink (e.g. shlex.quote, parameterized-query binding, an escaper).
When a recognized sanitizer dominates a sink, the taint path is treated as safe
and the finding is suppressed.
See False Positives §6.
SBOM (SPDX / CycloneDX) — The software bill of materials Gadriel emits off
the collected dependency graph, in both SPDX 2.3 (sbom.spdx.json) and
CycloneDX 1.5 (sbom.cyclonedx.json) via gadriel code sbom.
See SBOM.
Scan type — One of the six analyses Gadriel runs, auto-detected per repo:
SAST (AST + taint), SCA (dependency CVEs via OSV, license, health,
reachability), Secrets (credentials in tree + git history), Config
(CI/CD, .env, system prompts, MCP config; IaC opt-in), Container
(Dockerfile hardening + base-image CVEs), API (OpenAPI / GraphQL / route
auth). Inapplicable types are cleanly skipped and reported.
See Scan Coverage.
.security/ directory — The directory at the scanned repo's root where
every artifact lands: canonical findings.json, pillar-scores.json, SBOMs,
the append-only audit-log.jsonl, the HTML reports/ bundle, per-framework
compliance/, the RVF store/, and dated history/ snapshots. Relocatable via
the security_dir config key.
See Reports §The .security/ directory.
Sink — A dangerous operation that taint analysis tracks into: SQL
execution, shell/os.system, a path-open, an LLM prompt construction, etc. A
finding fires when a tainted source reaches a sink with no sanitizer or
dominating guard between them. Sinks are further taxonomized (CommandExec vs
PathOrMemory) to modulate provenance demotion.
See False Positives §3.1.
Source — The origin of untrusted data in taint analysis — an HTTP request field, a CLI argument, an environment variable, file contents. Each source carries a provenance tier that decides how dangerous it is. See False Positives §3.
T
Taint — Dataflow analysis that follows an untrusted source through assignments, aliases, and function parameters to a dangerous sink. Gadriel's SAST engine performs real, parameter-bound (and, for supported languages, cross-file/workspace) taint tracking, not one-hop substring matching. See Scan Coverage §SAST.
Tier 0 / 1 / 2 — The three analysis tiers by trust and default: Tier 0,
the always-on in-house deterministic engine, is the gate of record; Tier 1
orchestrates your own locally-installed analyzers (--corroborate, advisory);
Tier 2 borrows the host assistant's LLM via MCP for the semantic long-tail
(opt-in, never gates). AI is advisory and can never weaken a deterministic
verdict.
See Tiers. (Not to be confused with the four
execution layers, L1–L4.)
V
Verdict (PASS / PARTIAL / FAIL) — The overall gate outcome mapped from the
0–10 score: PASS [9.0, 10.0], PARTIAL [6.0, 9.0), FAIL
[0.0, 6.0). Thresholds are tenant-configurable; a NaN score maps
conservatively to FAIL. The same lexicon applies to each pillar score and to
runtime scenario verdicts.
See Scoring & Verdicts §6.
W
Waiver — A durable, committed disposition in .gadriel-waivers.toml, keyed
by (rule_id, path, line), that records a triaged false positive. In the
default segregate mode the finding stays in findings.json in a separate
"Waived" section but is excluded from the gate and KPIs; suppress drops it
entirely. An expired waiver is ignored and the finding gates again.
See False Positives §5.
Cross-references
- Scan Coverage — the six scan types and eight pillars.
- Scoring & Verdicts — risk, amplifiers, scores, verdicts, coverage.
- False Positives — confidence, effective risk, provenance, waivers.
- Tiers · Execution Layers · Reports · Privacy · Examples.
