GCA · OUTPUTS & REPORTING

    Reports & Outputs

    Every scan writes results into .security/ — here is the shape of every artifact.

    Reports & Outputs

    Every Gadriel Code scan writes its results into a .security/ directory at the root of the scanned repository. That directory is the single place to look for everything the tool produces: the canonical machine-readable findings, the human-facing HTML report bundle, per-framework compliance reports, the SBOM, and the operational data store that powers trends and drift.

    This page describes each artifact, the schema of the canonical findings.json, the HTML report bundle, and how to read findings from the command line.

    Related pages: Compliance reporting · SBOM · Troubleshooting.


    The .security/ directory

    A scanned repository accumulates the following layout. Not every file is present on every run — SBOM, compliance, and report bundles are only written by the commands that produce them.

    .security/
    ├── findings.json              # Canonical findings (OCSF-style envelope) — see below
    ├── pillar-scores.json         # Per-pillar scores
    ├── metrics.json               # Scan metrics
    ├── metrics/                   # scan-activity.json, learning.json, gadriel-progress.json
    ├── sbom.spdx.json             # SPDX 2.3 SBOM        (gadriel code sbom)
    ├── sbom.cyclonedx.json        # CycloneDX 1.5 SBOM   (gadriel code sbom)
    ├── audit-log.jsonl            # Append-only reasoning/audit log (NDJSON)
    ├── reports/                   # HTML report bundle   (gadriel code report)
    │   ├── index.html
    │   ├── findings.html
    │   ├── compliance.html
    │   ├── drift.html
    │   ├── trends.html
    │   ├── audit.html
    │   ├── executive-summary.pdf
    │   └── report.json
    ├── compliance/                # Per-framework reports (gadriel code report --compliance …)
    │   ├── <slug>.md / <slug>.typ / <slug>.pdf
    │   └── …
    ├── store/                     # RVF operational data store — see below
    │   └── *.rvf
    └── history/                   # Time-series snapshots
        └── YYYY-MM-DD/
            ├── findings.json
            ├── pillar-scores.json
            └── metrics.json
    

    The location of .security/ can be relocated with the security_dir configuration key. A --ephemeral scan writes to a throwaway temp directory instead of the repo.


    The canonical findings.json

    findings.json is the source of truth for a scan. It is an OCSF-style envelope (OcsfReport) that wraps an array of typed findings together with scan-level metadata, scores, and coverage information. Every other artifact — the HTML bundle, the compliance reports, gadriel code findings — is derived from it, and downstream consumers should read this file rather than scraping HTML.

    Envelope fields

    FieldTypeMeaning
    schema_versionstringUpstream OCSF schema version (currently 1.1.0).
    report_idstringUnique id for this report.
    vendor_name / product_name / product_versionstringGadriel / Gadriel Preflight / version.
    gadriel_finding_schema_versionstringGadriel's own finding-schema version (currently 1.2.0) for code-layer reports.
    scan_types_runstring[]Which scan types executed.
    scan_types_skipped{type, reason}[]Scan types that were skipped and why.
    scan_type_countsmapFinding counts per scan type.
    severity_countsmapCounts keyed by critical/high/medium/low/info.
    verdictstringOverall gate verdict.
    overall_scorenumberAggregate score.
    overall_score_derivationstep[]Per-pillar weight/contribution breakdown.
    pillar_scoresmap → number|nullPer-pillar score; null means the pillar had no rules evaluated.
    pillar_rules_evaluatedmap → intRule counts per pillar.
    sbom_generated / sbom_pathsbool / {spdx?, cyclonedx?}Whether an SBOM was produced and where.
    graph_statsobjectNodes, edges, paths analyzed, cycles detected.
    findingsFinding[]The findings themselves (see below).
    coverage_statusenumcomplete or degraded (e.g. OSV data unavailable — see Troubleshooting).
    coverage_advisoriesadvisory[]Human-readable notes about degraded coverage.
    osv_syncedboolWhether the OSV vulnerability snapshot was in place for this scan.
    unanalyzed_languagesmap → intLanguages present but not analyzed.

    Finding fields

    Each entry in findings[] is a typed Finding. The most commonly used fields:

    FieldMeaning
    idThe finding identifier — equal to the catalog rule id, e.g. CODE-W4-SECRET-023.
    scan_sequencePer-scan ordinal. When one rule fires at N sites, all N findings share the same id; (id, scan_sequence) is the per-scan unique key.
    rule_idDeprecated top-level alias carrying the same value as id; may be absent.
    layercode or runtime. Distinguishes code-layer findings from Preflight runtime findings.
    severitycritical / high / medium / low / info.
    confidence_tierhigh / medium / low — how confident the engine is that the finding is real. Combined with severity to produce an effective risk.
    scan_typesast / sca / secrets / config / container / api / test_coverage / runtime / graph.
    scan_type_codeShort code embedded in the id (e.g. SECRET, L3, SCA).
    pillarOne or more of the 8 pillars (Security, Compliance, Safety, Operational, FinOps, Coherence, Teamwork, Bias).
    code_contextTyped location context: file, line_start, line_end, function, ast_summary, excerpt, redacted, attack_path.
    what_was_testedWhat the rule checked for (free-form JSON).
    what_we_analyzedWhat was inspected — file/line/function/AST summary, or runtime prompts.
    what_we_measuredMetrics gathered (list of {metric_id, name, value, unit?}).
    failureWhy it failed — for code findings, {reason, risk_score, score_breakdown, amplifiers_applied}.
    remediationHow to fix it: {adr_ref?, effort?, steps[], code_example?, framework_guidance?}.
    finding_originProvenance: deterministic, deterministic_ai_corroborated, ai_advisory, or deterministic_ai_contested.
    claude_reasoningOptional AI narrative (confirmation, explanation, effort estimate, codebase match).
    correlation_idGroups findings that share a canonical root cause.
    tool_provenanceWhether the finding came from an in-house scanner or a Tier-1 external adapter.

    Field-name note. In prose these subsections are often called "what was tested / analyzed / measured", but the on-the-wire keys are what_was_tested, what_we_analyzed, and what_we_measured. Consumers should match those exact keys.

    Finding id format

    Code-layer finding ids follow the grammar:

    CODE-W<pillar>-<scan_type_code>-<NNN>
    
    • W1W8 map to the eight pillars (W1 Security, W2 Compliance, W3 Safety, W4 Operational, W5 FinOps, W6 Coherence, W7 Teamwork, W8 Bias).
    • <scan_type_code> is one of L1L9 (SAST, numbered by OWASP Web Top 10 position), AI, ATLAS, GRAPH, PRED, SCA, SECRET, CONFIG, CONTAINER, API.
    • NNN is a three-digit zero-padded sequence, scoped to the pillar × scan-type pair.

    Example: CODE-W1-L3-007 is the 7th Security/SAST-injection rule. Runtime (Preflight) findings use separate grammars (MATH-F*-NNN, ATLAS-NNN, GOV-NNN) and are distinguished by the CODE- prefix or the layer field.

    Secret redaction

    Secret findings never write the secret value into findings.json. The value is replaced with [REDACTED], preserving a short recognizable prefix (up to 12 characters, e.g. sk-ant-api03-, AKIA, ghp_). The full value lives only in the encrypted .security/secrets-vault.enc.


    Reading findings from the CLI

    gadriel code findings # human-readable table (default)
    gadriel code findings --format json # machine-readable JSON

    gadriel code findings reads .security/findings.json from the current working directory (it errors if the file is absent).

    • --format table (default) prints the total count, a "by risk" breakdown along the severity × confidence axis, a count of unverified findings (high/critical severity but low confidence), and then the findings table.
    • --format json validates the file as an OcsfReport and prints it, additively enriching each finding with flat convenience fields (file, line, message, and a location {file, line} object) derived from the context. It never overwrites existing keys, and the on-disk file stays canonical OCSF.

    The only accepted format values are table and json.


    The HTML report bundle

    gadriel code report

    The report command renders a self-contained, offline HTML bundle into .security/reports/. Point a browser at it, zip it, or attach it to a compliance package — it works with no network access.

    FileContents
    index.htmlSingle-page report with tabs: Home / Findings / Trends / Compliance / Drift / Audit.
    findings.htmlFindings-only deep dive.
    compliance.htmlCompliance view (auditor-facing).
    drift.htmlDrift view (tech-lead-facing).
    trends.htmlLongitudinal trends.
    audit.htmlAudit-log search (client-side filtering; the only page with non-trivial JS).
    report.jsonThe full underlying data dump backing the pages. Written only when you pass --json (not part of the default bundle).
    executive-summary.pdfOne-page CISO/executive summary (see below).

    Self-contained and offline by design

    The bundle makes no CDN or network requests. Fonts use the system font stack; CSS is inlined in <style>; data is embedded in <script type="application/json">; and charts use a Chart.js bundle vendored into the crate (pinned by SHA-256 checksum), never fetched at runtime. This is enforced by tests that fail the build if a network client crate is linked in or if an external URL appears outside an inline data script.

    Report flags

    FlagPurpose
    --format <list>HTML/compliance output formats. For the HTML bundle the relevant value is html; also accepts pdf, markdown. Default when no format flag is given: pdf,html.
    --sections <list>Which standalone HTML pages to emit: findings, compliance, drift, trends, audit (home is a tab of index.html, not a standalone file). Default: all. index.html is always written regardless.
    --jsonEmit report.json (orthogonal to --format). Opt-in — off by default; report.json is written only when this flag is passed.
    --output <dir>Output directory for the HTML/JSON bundle (default .security/reports/).
    --no-executiveSkip generating executive-summary.pdf.

    HTML output is selected via --format html (or --format all). There is no standalone --html flag.

    Executive summary PDF

    Every gadriel code report run generates executive-summary.pdf by default, rendered in-process from an embedded Typst template (no external binary required). Failure to render it is non-fatal — the rest of the bundle still writes. Opt out with --no-executive.

    The report command also drives per-framework compliance output; see Compliance reporting.


    The RVF operational data store

    .security/store/*.rvf holds Gadriel's operational data — the longitudinal state that powers trends, drift, compliance history, and audit search across scans. These are binary RVF files (not meant to be hand-edited), keyed by a per-run ULID.

    FileHolds
    scan-runs.rvfCanonical join hub — one row per scan (timestamps, duration, runner, rule/file/finding counts, cost). Append-only.
    findings-history.rvfPer-scan finding counts grouped by rule/severity/pillar/scan-type, with delta-vs-previous. FIFO-capped.
    compliance-history.rvfPer-framework, per-control verdict snapshots, one per run.
    pillar-timeseries.rvfEight-pillar score points per run. FIFO-capped.
    coverage.rvfFiles × rules coverage matrix (paths stored hashed only).
    events.rvfStructured scan event log (companion to the NDJSON audit log). FIFO-capped.
    sbom-cache.rvfContent-hash-deduplicated SBOMs (blobs stored in a sbom-blobs/ sidecar).
    dependencies-graph.rvfResolved dependency adjacency and vulnerable paths.
    fix-outcomes.rvfFix lifecycle chain (Proposed → Applied → Verified → Reverted/Rejected/Stale).
    fingerprint.rvfPer-repo fingerprint.
    audit-embeddings.rvfHNSW index over the audit log, enabling semantic audit search.

    Inspect the store from the CLI:

    gadriel code store list # every .rvf: kind, size, mtime (alias: status)
    gadriel code store verify # integrity: signatures, witness chain, truncation

    store verify reports one of: ok, missing_sidecar, rvf_truncated, witness_chain_broken, signature_invalid, or not_checked per file. Both subcommands accept --format table|json.

    Implementation status. The RVF store is the intended canonical operational substrate, but as of this writing several stores are still backed by JSON sidecars rather than fully migrated to RVF. The history/YYYY-MM-DD/ snapshots continue to exist alongside the store; gadriel code store migrate --backfill can seed the newer stores from that legacy history.


    Quick reference

    I want…Command / file
    The raw, canonical results.security/findings.json
    Findings in the terminalgadriel code findings
    Findings as JSON for a scriptgadriel code findings --format json
    A browsable, shareable reportgadriel code report.security/reports/index.html
    A one-pager for leadership.security/reports/executive-summary.pdf
    Compliance reportsgadriel code report --compliance …Compliance
    A software bill of materialsgadriel code sbomSBOM
    Historical/operational datagadriel code store list