Vulnerability types
Gecko detects seven high-impact, server-side classes:

| Type | Name |
|---|---|
| RCE | Remote Code Execution |
| SQLI | SQL Injection |
| XSS | Cross-Site Scripting |
| SSRF | Server-Side Request Forgery |
| LFI | Local File Inclusion |
| AFO | Arbitrary File Operations |
| IDOR | Insecure Direct Object Reference |
The function call chain
Every finding includes an ordered call chain from a source (where attacker-controlled input enters) through intermediate functions to a sink (the dangerous operation), with file paths and line numbers at each step. One step is marked the primary vulnerable step: the single decision that makes the path exploitable. This chain is the proof. It's what lets you validate a finding quickly instead of re-deriving the data flow yourself.

Example chain
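The following is an added, constructed illustration of what such a chain looks like; it is not Gecko's code or output. It shows a deliberately vulnerable LFI path (source, primary step, sink) next to a hardened version of the primary step, and the chain record a finding would carry, with a small well-formedness check a reviewer would run before trusting the chain as proof. All function names, file paths and line numbers are invented for the example.

```python
"""Constructed LFI call chain: source -> primary step -> sink, plus a
reviewer-side check of the chain record. Not Gecko's code; names, paths
and line numbers are invented for this example."""
import posixpath
from dataclasses import dataclass

DOC_ROOT = "/srv/app/docs"


# --- the vulnerable path (deliberately vulnerable, constructed) -----------

def handle_download(params: dict) -> str:
    """Source: params["name"] is attacker-controlled request input."""
    return read_doc(params["name"])


def resolve_doc_path(name: str) -> str:
    """Primary vulnerable step: the input is joined under DOC_ROOT with no
    normalisation or containment check, so '../' segments escape the root."""
    return f"{DOC_ROOT}/{name}"


def read_doc(name: str) -> str:
    """Sink: the resolved path reaches the file read. Returns the normalised
    path the OS would open instead of opening it, so the example runs offline."""
    return posixpath.normpath(resolve_doc_path(name))


def escapes_root(path: str) -> bool:
    """True when a normalised path lies outside DOC_ROOT (traversal succeeded)."""
    return posixpath.commonpath([DOC_ROOT, path]) != DOC_ROOT


def resolve_doc_path_fixed(name: str) -> str:
    """Hardened replacement for the primary step: normalise first, then
    refuse anything that does not stay under DOC_ROOT."""
    path = posixpath.normpath(f"{DOC_ROOT}/{name}")
    if escapes_root(path):
        raise ValueError(f"path escapes document root: {name!r}")
    return path


# --- the chain record a finding would carry ------------------------------

@dataclass(frozen=True)
class Step:
    file: str
    line: int
    function: str
    role: str            # "source", "intermediate" or "sink"
    primary: bool = False


def build_chain() -> list[Step]:
    """Chain for the path above. File paths and line numbers are invented."""
    return [
        Step("app/views.py", 12, "handle_download", "source"),
        Step("app/files.py", 8, "resolve_doc_path", "intermediate", primary=True),
        Step("app/files.py", 15, "read_doc", "sink"),
    ]


def validate_chain(chain: list[Step]) -> list[str]:
    """Checks a reviewer makes before accepting a chain as proof: it starts
    at the source, ends at the sink, marks exactly one primary step, and
    locates every step. Returns a list of problems (empty means well-formed)."""
    problems = []
    if not chain or chain[0].role != "source":
        problems.append("chain must begin at the source")
    if not chain or chain[-1].role != "sink":
        problems.append("chain must end at the sink")
    if sum(1 for s in chain if s.primary) != 1:
        problems.append("exactly one step must be marked primary")
    for step in chain:
        if not step.file or step.line < 1:
            problems.append(f"{step.function}: missing file path or line number")
    return problems


if __name__ == "__main__":
    payload = "../../../etc/passwd"
    print("vulnerable path opens:", handle_download({"name": payload}))
    print("escapes root:", escapes_root(handle_download({"name": payload})))
    print("chain problems:", validate_chain(build_chain()) or "none")
    try:
        resolve_doc_path_fixed(payload)
    except ValueError as exc:
        print("fixed step rejects:", exc)
```

Walking the chain with the traversal payload shows why `resolve_doc_path` is the primary step: the source and sink are ordinary code, and the single missing containment check is what turns the path into a finding. The same three-step record is what you compare against the code when validating a finding.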
Scoring
Confidence (1 to 10)
How sure the agent is that the path is real and reachable. Only findings at
9 or above are persisted.
False-positive score (1 to 10)
The agent’s own skepticism check. High scores are filtered out before a
finding is saved.
Severity (CVSS 4.0)
A 0 to 10 score computed from the CVSS 4.0 vector, labeled Critical (9.0 or
above), High (7.0 to 8.9), Medium (4.0 to 6.9), or Low (below 4.0).
CWE
The Common Weakness Enumeration identifier for the underlying weakness.
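An added example, not Gecko's code, of applying these four fields in a triage filter: the confidence cutoff and severity bands are the ones stated above; the false-positive cutoff is an assumption (the page says only that high scores are filtered out), as are the `Finding` fields and the sample findings, whose scores are illustrative rather than computed from their vectors. The vector check uses the CVSS 4.0 base metrics and their permitted values.

```python
"""Triage filter for Gecko-style scores. Added example, not Gecko's code.
The confidence cutoff and severity bands are the page's; the false-positive
cutoff, the Finding fields and the sample data are assumptions."""
from dataclasses import dataclass

CONFIDENCE_MIN = 9        # page: only findings at 9 or above are persisted
FALSE_POSITIVE_MAX = 3    # ASSUMPTION: page gives no number, only "high scores are filtered out"

# CVSS 4.0 base metrics and their permitted values.
CVSS40_BASE = {
    "AV": ("N", "A", "L", "P"), "AC": ("L", "H"), "AT": ("N", "P"),
    "PR": ("N", "L", "H"), "UI": ("N", "P", "A"),
    "VC": ("H", "L", "N"), "VI": ("H", "L", "N"), "VA": ("H", "L", "N"),
    "SC": ("H", "L", "N"), "SI": ("H", "L", "N"), "SA": ("H", "L", "N"),
}


def parse_cvss40(vector: str) -> dict:
    """Parse a CVSS:4.0 vector string and check that every base metric is
    present once with a legal value. Raises ValueError on a malformed vector."""
    parts = vector.split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("not a CVSS 4.0 vector")
    metrics = {}
    for part in parts[1:]:
        key, _, value = part.partition(":")
        if not value or key in metrics:
            raise ValueError(f"bad or repeated metric: {part!r}")
        metrics[key] = value
    for key, allowed in CVSS40_BASE.items():
        if key not in metrics:
            raise ValueError(f"missing base metric {key}")
        if metrics[key] not in allowed:
            raise ValueError(f"illegal value {metrics[key]!r} for {key}")
    return metrics


def is_valid_cvss40(vector: str) -> bool:
    """Convenience wrapper: True if parse_cvss40 accepts the vector."""
    try:
        parse_cvss40(vector)
        return True
    except ValueError:
        return False


def severity_label(score: float) -> str:
    """Severity band for a 0 to 10 CVSS score, using the page's thresholds."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS score must be between 0 and 10")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Finding:            # ASSUMPTION: field set chosen for the example
    vuln_type: str
    cwe: str
    confidence: int       # 1 to 10
    false_positive: int   # 1 to 10, the agent's own skepticism score
    cvss_vector: str
    cvss_score: float


def should_persist(f: Finding) -> bool:
    """Persistence rule: confidence at or above 9, and the agent's own
    false-positive score not above the (assumed) cutoff."""
    return f.confidence >= CONFIDENCE_MIN and f.false_positive <= FALSE_POSITIVE_MAX


def triage(findings: list[Finding]) -> list[tuple[Finding, str]]:
    """Keep persistable findings, reject malformed vectors, attach a severity
    label, and order the result most severe first."""
    kept = []
    for f in findings:
        if not should_persist(f):
            continue
        parse_cvss40(f.cvss_vector)
        kept.append((f, severity_label(f.cvss_score)))
    kept.sort(key=lambda item: item[0].cvss_score, reverse=True)
    return kept


# Constructed findings for the example; scores are illustrative, not computed.
SAMPLE = [
    Finding("SQLI", "CWE-89", 10, 1,
            "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", 9.3),
    Finding("SSRF", "CWE-918", 9, 2,
            "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N", 5.3),
    Finding("XSS", "CWE-79", 7, 2,       # dropped: confidence below 9
            "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", 6.9),
    Finding("IDOR", "CWE-639", 9, 8,     # dropped: agent's own FP score too high
            "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", 7.1),
]

if __name__ == "__main__":
    for finding, label in triage(SAMPLE):
        print(f"{finding.vuln_type:5} {finding.cwe:8} {finding.cvss_score:4} {label}")
```

The two filters do different jobs and both have to pass: confidence asks whether the path is real and reachable, the false-positive score is the agent's second-guess of its own finding. Checking the vector is well-formed before labeling keeps a mistyped vector from silently producing a wrong band.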
Status lifecycle
Each finding moves through a status you control during triage:

| Status | Meaning |
|---|---|
| Open | Detected and not yet addressed. |
| In progress | A fix is underway (for example, a fix PR is open). |
| Fixed | The fix has been merged. |
| Fix verified | A post-merge rescan confirmed the vulnerability is gone. |
| False positive | Dismissed. Re-detection does not auto-reopen it. |
| Accepted risk | Risk explicitly accepted, optionally with an expiry date. |