A finding (used interchangeably with vulnerability) is a confirmed, exploitable security issue in a specific file, backed by a proven path from user input to a dangerous operation.

Vulnerability types

Gecko detects seven high-impact, server-side classes:
Type   Name
RCE    Remote Code Execution
SQLI   SQL Injection
XSS    Cross-Site Scripting
SSRF   Server-Side Request Forgery
LFI    Local File Inclusion
AFO    Arbitrary File Operations
IDOR   Insecure Direct Object Reference

The function call chain

Every finding includes an ordered call chain from a source (where attacker-controlled input enters) through intermediate functions to a sink (the dangerous operation), with file paths and line numbers at each step. One step is marked the primary vulnerable step, the single decision that makes the path exploitable. This chain is the proof. It’s what lets you validate a finding quickly instead of re-deriving the data flow yourself.
Example chain
RCE · CVSS 9.8 (Critical) · confidence 10/10

 ① source   api/routes.py:31        cmd = request.json["cmd"]
 ② flow     services/runner.py:60   run_task(cmd)
 ③ sink     utils/shell.py:12       subprocess.run(cmd, shell=True)   ← primary vulnerable step
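The chain above ends at subprocess.run(cmd, shell=True) with cmd taken straight from the request body. As an added illustration (not Gecko's code and not the scanned project's), the hardened form of that path collapses the three steps into one file: the request supplies a task name, the name is resolved against a fixed allow-list, and the process is started with an argument list and shell=False. The task names, the TASKS mapping and the handle_request helper are hypothetical.

```python
import subprocess
from typing import Dict, List

# Constructed allow-list of task names the endpoint may trigger. The names and
# commands are hypothetical; the point is that the mapping is fixed in code and
# the request never contributes to the command line.
TASKS: Dict[str, List[str]] = {
    "echo-hello": ["echo", "hello"],
    "disk-usage": ["df", "-h"],
}

# The sink flagged in the chain above, for contrast:
#   subprocess.run(cmd, shell=True)   # cmd == request.json["cmd"]
# Nothing below passes a request value to a shell.


class UnknownTask(ValueError):
    """Raised when the request names a task that is not in the allow-list."""


def resolve_task(task_name: str) -> List[str]:
    """Source-to-sink boundary: map the untrusted name to a fixed argv.
    Anything not in TASKS (including strings carrying shell metacharacters)
    is rejected before any process is started."""
    try:
        return list(TASKS[task_name])
    except KeyError:
        raise UnknownTask(f"unknown task {task_name!r}") from None


def run_task(task_name: str, timeout: float = 10) -> str:
    """Hardened sink: argument list, shell=False, bounded runtime.
    Returns the task's stdout with surrounding whitespace stripped."""
    argv = resolve_task(task_name)
    result = subprocess.run(
        argv,
        shell=False,
        capture_output=True,
        text=True,
        timeout=timeout,
        check=True,
    )
    return result.stdout.strip()


def handle_request(body: dict) -> dict:
    """Stand-in for the api/routes.py handler (hypothetical): the JSON body
    carries a task *name*, never a command."""
    task_name = body.get("task")
    if not isinstance(task_name, str):
        return {"error": "task must be a string"}
    try:
        return {"output": run_task(task_name)}
    except UnknownTask as exc:
        return {"error": str(exc)}
```

With this shape a scanner has no source-to-sink path to report: the only value reaching subprocess.run is a list literal chosen by the server, so the "flow" step in the chain disappears along with the primary vulnerable step.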

Scoring

Confidence (1 to 10)

How sure the agent is that the path is real and reachable. Only findings at 9 or above are persisted.

False-positive score (1 to 10)

The agent’s own skepticism check. High scores are filtered out before a finding is saved.

Severity (CVSS 4.0)

A 0 to 10 score computed from the CVSS 4.0 vector, labeled Critical (≥9), High (≥7), Medium (≥4), or Low.

CWE

The Common Weakness Enumeration identifier for the underlying weakness.
You can override severity on an individual finding when your environment’s context differs from the default CVSS assessment.

Status lifecycle

Each finding moves through a status you control during triage:
Status          Meaning
Open            Detected and not yet addressed.
In progress     A fix is underway (for example, a fix PR is open).
Fixed           The fix has been merged.
Fix verified    A post-merge rescan confirmed the vulnerability is gone.
False positive  Dismissed. Re-detection does not auto-reopen it.
Accepted risk   Risk explicitly accepted, optionally with an expiry date.

De-duplication

Each finding has a fingerprint derived from its type and sink. When a later scan detects the same issue, Gecko updates the existing finding (refreshing “last seen”) instead of creating a duplicate. A longer, better-proven chain supersedes the old one while keeping the same finding.
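The persistence filters under Scoring, the severity labels, the "false positive stays dismissed" rule from the status table and the fingerprint-based de-duplication above fit together in a few lines. The following is an added example, not Gecko's implementation: the fingerprint recipe (SHA-256 over type, sink file and sink statement, ignoring the sink's line number), the false-positive cutoff of 5, and the choice to reopen a Fixed finding on re-detection are all assumptions; the chain data is the example chain from this page.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Step:
    kind: str      # "source", "flow" or "sink"
    location: str  # "path:line", as shown in the chain
    code: str      # the statement at that step


@dataclass
class Finding:
    vuln_type: str
    chain: List[Step]
    confidence: int            # 1..10
    false_positive_score: int  # 1..10, higher = more likely bogus
    cvss: float                # CVSS 4.0 base score
    status: str = "Open"
    first_seen: int = 0        # scan number; stand-in for a timestamp
    last_seen: int = 0

    @property
    def sink(self) -> Step:
        return self.chain[-1]


def severity_label(score: float) -> str:
    """Critical (>=9), High (>=7), Medium (>=4), otherwise Low."""
    if score >= 9:
        return "Critical"
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def fingerprint(f: Finding) -> str:
    """Identity of a finding: type plus sink. Assumption: the sink's file and
    statement are hashed but its line number is not, so unrelated edits above
    the sink do not spawn a second finding."""
    sink_file = f.sink.location.rsplit(":", 1)[0]
    raw = f"{f.vuln_type}|{sink_file}|{f.sink.code}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


# Persistence thresholds. The confidence floor is the documented 9; the
# false-positive ceiling is an assumed value for "high scores are filtered out".
CONFIDENCE_MIN = 9
FALSE_POSITIVE_MAX = 5

# Statuses set by a human that a rescan must not silently undo.
TERMINAL_STATUSES = {"False positive", "Accepted risk"}


def should_persist(f: Finding) -> bool:
    return f.confidence >= CONFIDENCE_MIN and f.false_positive_score <= FALSE_POSITIVE_MAX


class FindingStore:
    def __init__(self) -> None:
        self.by_fp: Dict[str, Finding] = {}

    def record(self, f: Finding, scan_no: int) -> Optional[Finding]:
        """Insert or update; returns the persisted finding, or None if filtered."""
        if not should_persist(f):
            return None
        fp = fingerprint(f)
        existing = self.by_fp.get(fp)
        if existing is None:
            f.first_seen = f.last_seen = scan_no
            self.by_fp[fp] = f
            return f
        existing.last_seen = scan_no            # refresh "last seen"
        if len(f.chain) > len(existing.chain):  # longer, better-proven chain supersedes
            existing.chain = f.chain
            existing.confidence = f.confidence
        if existing.status in TERMINAL_STATUSES:
            return existing                     # triage decision stands
        if existing.status == "Fixed":
            existing.status = "Open"            # assumption: a regression reopens
        return existing
```

Because the line number is left out of the hash, a sink that merely moves within its file keeps the same finding and its triage history; a sink that moves to another file is, deliberately, a new finding that must be triaged again.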

What you can do with a finding

From the finding drawer you can change status, adjust severity, request a fix PR, create a ticket in Jira, Linear, ClickUp, or Shortcut, export to JSON or Markdown, and copy a permalink.