Finding type.
Severity levels
| Severity | Meaning |
|---|---|
| CRITICAL | Actively exploitable or confirmed-dangerous configuration. Triggers exit code 2 when at or above the configured `severity_threshold`. |
| HIGH | High-confidence, high-impact risk that should be reviewed before trusting a tool. Default `severity_threshold`. |
| MEDIUM | Notable risk pattern that warrants inspection, especially in sensitive contexts. |
| LOW | Low-impact or low-confidence signal. Useful for auditor-persona scans. |
| INFO | Informational observation with no direct risk implication. |
Confidence values
| Confidence | Meaning |
|---|---|
| HIGH | Pattern match is unambiguous; false-positive rate is low. |
| MEDIUM | Heuristic or partial match; review is recommended. |
| LOW | Weak signal; context-dependent; may require manual verification. |
Layers
| Layer | Value | Source |
|---|---|---|
| Layer 1 | L1 | Discovery phase (file walker, config parser, tool detector) |
| Layer 2 | L2 | Static analysis phase (rule engine, detectors) |
| Layer 3 | L3 | Deep scan phase (meta-agent analysis, remote resource fetching) |
Finding categories
ENV_OVERRIDE
Triggered when a configuration file sets or overrides environment variables in a way that could redirect API traffic, exfiltrate credentials, or suppress safety controls. Common sources include MCP server `env` blocks and AI tool workspace settings that inject `OPENAI_API_BASE`, `ANTHROPIC_BASE_URL`, or similar variables pointing to attacker-controlled endpoints.
COMMAND_EXEC
Triggered when a configuration defines an executable command that CodeGate cannot verify as safe. Covers MCP server `command` fields that invoke shells (`bash`, `sh`), network tools (`curl`, `wget`, `nc`), or interpreters (`python`, `node`) that are on the `blocked_commands` list. Also covers hook scripts and formatter entries that reference unexpected binaries.
CONSENT_BYPASS
Triggered when configuration attempts to suppress, disable, or pre-answer tool consent dialogs and trust prompts. Relates to known CVEs such as CVE-2025-59536 (MCP consent bypass). Includes settings that set `allow_all`, disable trust prompts, or configure auto-approval for tool calls without user interaction.
RULE_INJECTION
Triggered when instruction files (`CLAUDE.md`, `AGENTS.md`, `CODEX.md`, `.cursorrules`, custom rule files) contain patterns that attempt to override the agent’s safety policy, hijack tool selection, suppress output, redirect the agent to attacker instructions, or exfiltrate context. Detected by rule-file heuristics including unicode analysis when `unicode_analysis` is enabled.
IDE_SETTINGS
Triggered when workspace or user-level IDE settings files (`.vscode/settings.json`, `.cursor/settings`, etc.) contain configurations that could alter agent behavior or execution environment in a security-relevant way. Controlled by the `check_ide_settings` config key; can be disabled with `check_ide_settings: false`.
SYMLINK_ESCAPE
Triggered when a symbolic link inside the scanned project tree resolves to a target outside the project root. Symlink escapes can be used to make an agent read or write files outside the intended workspace boundary. Detected during the Layer 1 file walk.
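A sketch of the containment check this category describes, added here as an illustration and not taken from CodeGate's source. The `SymlinkEscape` shape and both function names are assumptions of the example.

```typescript
import * as fs from "node:fs";
import * as path from "node:path";

// Hypothetical result shape for this sketch, not CodeGate's Finding type.
interface SymlinkEscape {
  link: string;   // symlink path relative to the project root
  target: string; // where the link ends up after resolution
}

// True when `candidate` is `root` or lies beneath it. path.relative avoids the
// string-prefix mistake where /work/app-secrets appears to be inside /work/app.
function isInside(root: string, candidate: string): boolean {
  const rel = path.relative(root, candidate);
  return rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Walk the tree without following links, resolve each link, keep the escapes.
function findSymlinkEscapes(projectRoot: string): SymlinkEscape[] {
  const root = fs.realpathSync(projectRoot); // the root itself may sit behind a link
  const escapes: SymlinkEscape[] = [];
  const stack: string[] = [root];
  while (stack.length > 0) {
    const dir = stack.pop() as string;
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isSymbolicLink()) {
        let target: string;
        try {
          target = fs.realpathSync(full); // follows chained links to the end
        } catch {
          // Dangling link: resolve its text lexically so it is still checked.
          target = path.resolve(path.dirname(full), fs.readlinkSync(full));
        }
        if (!isInside(root, target)) {
          escapes.push({ link: path.relative(root, full), target });
        }
      } else if (entry.isDirectory()) {
        stack.push(full); // real directories only, so link loops cannot trap the walk
      }
    }
  }
  return escapes.sort((a, b) => a.link.localeCompare(b.link));
}
```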
GIT_HOOK
Triggered when a `.git/hooks/` script is present and not on the `known_safe_hooks` allow-list. Git hooks execute automatically on git operations and are a common persistence and lateral-movement vector in repository-level attacks. `known_safe_hooks` entries are matched against hook paths relative to the repository root (for example `.git/hooks/pre-commit`).
CONFIG_PRESENT
Triggered by rule-pack matches when the matched category cannot be resolved to a more specific category. Also used as the fallback category for rule-pack rules that specify an unrecognized `category` value. Indicates that a known-risky configuration construct is present and deserves review.
PARSE_ERROR
Triggered when a resource or instruction file cannot be parsed, fetched, or interpreted during Layer 3 deep scan. Includes consent-skipped outcomes, timeout, auth failure, network failure, and response schema mismatches. These findings allow operators to audit why deep scan did not fully complete for a given resource.
CONFIG_CHANGE
Triggered when an MCP server’s configuration hash differs from the baseline recorded in `scan-state.json`. Indicates that a server’s definition changed between scans, which may signal a rug-pull or unexpected update. Baseline is stored at `~/.codegate/scan-state.json` (or the path set by `scan_state_path`).
NEW_SERVER
Triggered when an MCP server identifier appears in the scan that has not been seen in prior scans recorded in the baseline state. First-seen server detection helps surface newly introduced servers that have not been reviewed.
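The baseline comparison behind CONFIG_CHANGE and NEW_SERVER, as an added example that is not CodeGate's own code. The canonical-JSON SHA-256 hash, the `Baseline` layout (server id mapped to hash) and the sample server definitions are assumptions; the page does not document the format of `scan-state.json`.

```typescript
import { createHash } from "node:crypto";

type Json = null | boolean | number | string | Json[] | { [key: string]: Json };
type Baseline = Record<string, string>; // server id -> hash from the previous scan (assumed layout)

// Serialize with object keys sorted at every level, so reordering keys in the
// config file does not change the hash but any change to a value does.
function canonicalize(value: Json): string {
  if (value === null || typeof value !== "object") return JSON.stringify(value);
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  const keys = Object.keys(value).sort();
  return "{" + keys.map((k) => JSON.stringify(k) + ":" + canonicalize(value[k])).join(",") + "}";
}

function hashServer(definition: Json): string {
  return createHash("sha256").update(canonicalize(definition)).digest("hex");
}

interface Drift { server: string; category: "NEW_SERVER" | "CONFIG_CHANGE"; }

// Compare the servers seen in this scan with the recorded baseline.
function diffAgainstBaseline(current: Record<string, Json>, baseline: Baseline): Drift[] {
  const drift: Drift[] = [];
  for (const server of Object.keys(current).sort()) {
    const hash = hashServer(current[server]);
    if (!Object.prototype.hasOwnProperty.call(baseline, server)) {
      drift.push({ server, category: "NEW_SERVER" });
    } else if (baseline[server] !== hash) {
      drift.push({ server, category: "CONFIG_CHANGE" });
    }
  }
  return drift;
}

// Constructed sample: "docs" was reviewed earlier, then its pinned version changed.
const reviewed: Record<string, Json> = {
  docs: { command: "npx", args: ["-y", "docs-server@1.2.0"] },
};
const baseline: Baseline = { docs: hashServer(reviewed.docs) };
const today: Record<string, Json> = {
  docs: { args: ["-y", "docs-server@latest"], command: "npx" },
  notes: { command: "node", args: ["notes.js"] },
};
```

Hashing the canonical form means a server whose keys were only reordered does not raise CONFIG_CHANGE, while a changed argument such as a moved version pin does.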
TOXIC_FLOW
Triggered by Layer 3 meta-agent analysis when a data-flow path from an external or untrusted input reaches a sensitive sink (for example: a tool call that writes files, executes commands, or exfiltrates data). Requires `--deep` to produce. Sources and sinks are recorded in the finding’s `metadata.sources` and `metadata.sinks` fields.
CI_SUPPLY_CHAIN
Triggered by workflow audit detectors for GitHub Actions supply-chain risks. Covers unpinned action references (`uses: owner/repo@tag` instead of a full commit SHA), archived action references, stale action refs, floating action versions, and known-vulnerable action references (online mode only).
CI_TRIGGER
Triggered when a GitHub Actions workflow uses a high-risk trigger event. Currently detects `pull_request_target` and `workflow_run` triggers, which allow workflows triggered by untrusted forks to run with repository write permissions if not carefully guarded.
CI_PERMISSIONS
Triggered when a GitHub Actions workflow grants overly broad permissions. Covers `write-all` permission grants, explicit write grants on sensitive scopes, undocumented permissions, overprovisioned secrets, secrets passed via inheritance (`secrets: inherit`), and secrets used outside environment blocks.
CI_TEMPLATE_INJECTION
Triggered when a GitHub Actions `run:` step or known sink input uses a `${{ }}` template expression that interpolates untrusted context values (for example `github.event.pull_request.title` or `github.head_ref`) directly into shell commands. Template injection in run steps is a common code execution path in compromised workflows.
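A line-based sketch of the CI_TEMPLATE_INJECTION check for `run:` steps, added as an illustration and not CodeGate's detector. The `UNTRUSTED` list, the `Hit` shape and the constructed workflow are assumptions; the sample puts a vulnerable step next to a hardened one that passes the value through `env`.

```typescript
// Illustrative subset of untrusted contexts; the first two cover the examples named above.
const UNTRUSTED: RegExp[] = [
  /^github\.head_ref$/,
  /^github\.event\.pull_request\.(title|body)$/,
  /^github\.event\.(issue\.title|issue\.body|comment\.body)$/,
];

interface Hit { line: number; expression: string; }

// Report ${{ }} expressions with untrusted contexts that sit inside `run:` shell text.
function findRunInjections(workflow: string): Hit[] {
  const hits: Hit[] = [];
  let runIndent = -1; // column of the active `run:` key, -1 when outside a run block
  workflow.split("\n").forEach((text, i) => {
    const indent = text.search(/\S/);
    if (indent === -1) return; // blank line: leaves any open block scalar open
    const run = /^(\s*(?:-\s+)?)run:\s*(.*)$/.exec(text);
    let shell = "";
    if (run) {
      runIndent = run[1].length;
      shell = run[2]; // inline command, or "|" / ">" opening a block scalar
    } else if (runIndent >= 0 && indent > runIndent) {
      shell = text; // continuation line of a multi-line run block
    } else {
      runIndent = -1; // dedent: the run block has ended
    }
    const expr = /\$\{\{\s*([^}]+?)\s*\}\}/g;
    let m: RegExpExecArray | null;
    while ((m = expr.exec(shell)) !== null) {
      const expression = m[1];
      if (UNTRUSTED.some((re) => re.test(expression))) hits.push({ line: i + 1, expression });
    }
  });
  return hits;
}

// Constructed workflow fragment: the hardened step sends the title through env.
const WORKFLOW = [
  "steps:",
  "  - name: vulnerable",
  "    run: |",
  "      echo \"PR: ${{ github.event.pull_request.title }}\"",
  "      git checkout ${{ github.head_ref }}",
  "  - name: hardened",
  "    env:",
  "      TITLE: ${{ github.event.pull_request.title }}",
  "    run: echo \"PR: $TITLE\"",
].join("\n");
```

Only the two expressions inside the multi-line `run:` block are reported; the same context under `env:` is not, because the shell then receives it as a variable value.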
CI_VULNERABLE_ACTION
Triggered when a workflow references a GitHub Action that appears in the known-vulnerable action registry. Requires `--runtime-mode online` to perform the live advisory lookup. In offline mode this check is skipped.
Finding type reference
The `Finding` interface is defined in `src/types/finding.ts`. The fields are:
| Field | Type | Description |
|---|---|---|
| `rule_id` | `string` | Identifier of the rule or detector that produced this finding. |
| `finding_id` | `string` | Unique identifier for this specific finding instance. |
| `fingerprint` | `string \| undefined` | Stable hash of the finding’s key attributes, used for suppression matching. |
| `severity` | `Severity` | One of CRITICAL, HIGH, MEDIUM, LOW, INFO. |
| `category` | `FindingCategory` | One of the 17 categories listed above. |
| `layer` | `FindingLayer` | L1, L2, or L3. |
| `file_path` | `string` | Path to the file that contains the finding. |
| `description` | `string` | Human-readable description of the risk. |
| `affected_tools` | `string[]` | AI coding tools affected by this finding. |
| `cve` | `string \| null` | Associated CVE identifier, if known. |
| `owasp` | `string[]` | Associated OWASP category references. Omitted from output when `owasp_mapping: false`. |
| `cwe` | `string` | Associated CWE identifier. |
| `confidence` | `FindingConfidence` | HIGH, MEDIUM, or LOW. |
| `fixable` | `boolean` | Whether CodeGate can apply an automated fix via `--remediate` or `--fix-safe`. |
| `remediation_actions` | `string[]` | List of remediation action identifiers applicable to this finding. |
| `suppressed` | `boolean` | Whether this finding has been suppressed by a `suppress_findings` or `suppression_rules` entry. |