Finding States & Grades

Every finding in Firmis has a state that represents where it is in the verification lifecycle. States drive your security grade and determine what shows up in reports.

State       Meaning                                    Set by
detected    Found by static rules, not yet verified    firmis scan
confirmed   AI verified as exploitable                 firmis scan --deep or firmis triage
dismissed   AI assessed as not exploitable             firmis scan --deep or firmis triage
accepted    Human reviewed and accepted the risk       firmis accept

Allowed state transitions:

  detected  -> confirmed  (deep scan finds it exploitable)
  detected  -> dismissed  (deep scan finds it not exploitable)
  detected  -> accepted   (human accepts the risk)
  confirmed -> accepted   (human accepts a confirmed risk)
  dismissed -> accepted   (human accepts despite dismissal)
  accepted  -> detected   (acceptance expires or version changes)

When deep scan analyzes a finding:

  • CVE findings (osv-* rules) always stay detected regardless of AI analysis, because CVEs are verified against the OSV database, not by AI.
  • Analyzed and matched: the finding becomes confirmed, with an attack technique and reasoning attached
  • Analyzed and unmatched: the finding becomes dismissed
  • Not analyzed (skipped or rate-limited): the finding stays detected

After deep scan, Firmis computes a security grade from A (best) to F (worst).

The grade calculation excludes:

  • Dismissed findings (AI verified as safe)
  • Non-CVE detected findings (not yet verified)

The grade includes:

  • Confirmed findings (verified exploitable)
  • CVE findings (always counted)
  • Accepted findings are not counted in the main grade; they are tracked in a separate “grade without acceptances” metric

When accepted risks exist, reports show both:

Grade: B (without accepted risks: C)

This transparency lets teams and auditors see the impact of risk acceptance decisions.

Each finding gains additional metadata after deep scan:

Field                   Description
state                   Current finding state
attack_technique        How the finding could be exploited
reasoning               AI explanation of the assessment
suggestedDisposition    AI recommendation: accept, fix, or investigate
confidence              Score from 0 to 1; higher means more certain

In JSON reports (firmis scan --json), finding states appear as:

  {
    "schema_version": "2.0",
    "scan_mode": "deep",
    "grade": "B",
    "findings": [
      {
        "ruleId": "tool-poisoning-004",
        "state": "confirmed",
        "attack_technique": "Tool description override",
        "reasoning": "The tool description contains instructions that override the agent's system prompt..."
      }
    ]
  }
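The grade rules above and the JSON report layout can be combined into a small post-processing step, for example to show an auditor exactly which findings drove each of the two grades. The script below is an added example, not part of Firmis; it reads a constructed report in the schema shown, sorts findings into the sets that feed the main grade and the “grade without acceptances” metric, and checks state transitions against the table on this page. The rule IDs in the sample (other than tool-poisoning-004) are made up, and the letter thresholds are not documented here, so it returns the counted findings rather than a letter.

```python
import json

# Constructed sample report in the schema shown above (not real Firmis output).
# "osv-2024-0001" and the other extra rule IDs are placeholders, not real rules.
SAMPLE_REPORT = json.dumps({
    "schema_version": "2.0",
    "scan_mode": "deep",
    "grade": "B",
    "findings": [
        {"ruleId": "tool-poisoning-004", "state": "confirmed"},
        {"ruleId": "osv-2024-0001", "state": "detected"},
        {"ruleId": "prompt-injection-002", "state": "dismissed"},
        {"ruleId": "secrets-001", "state": "detected"},
        {"ruleId": "tool-poisoning-007", "state": "accepted"},
    ],
})

# Allowed transitions, copied from the state table on this page.
TRANSITIONS = {
    ("detected", "confirmed"), ("detected", "dismissed"), ("detected", "accepted"),
    ("confirmed", "accepted"), ("dismissed", "accepted"), ("accepted", "detected"),
}


def is_cve(finding):
    # CVE findings come from osv-* rules and are verified by the OSV database, not by AI.
    return finding["ruleId"].startswith("osv-")


def counts_toward_grade(finding):
    # Confirmed findings and CVE findings count; dismissed and unverified non-CVE findings do not.
    return finding["state"] == "confirmed" or is_cve(finding)


def classify_report(report_json):
    """Split a report's findings into the sets that drive the two grades."""
    report = json.loads(report_json)
    graded, graded_without_acceptances, excluded = [], [], []
    for f in report["findings"]:
        if f["state"] == "accepted":
            # Accepted risks leave the main grade but still count in "grade without acceptances".
            graded_without_acceptances.append(f["ruleId"])
        elif counts_toward_grade(f):
            graded.append(f["ruleId"])
            graded_without_acceptances.append(f["ruleId"])
        else:
            excluded.append(f["ruleId"])
    return {"grade": graded, "grade_without_acceptances": graded_without_acceptances,
            "excluded": excluded}


def valid_transition(old, new):
    # True only for transitions listed in the state table.
    return (old, new) in TRANSITIONS
```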

The recommended workflow using states:

  1. Scan: firmis scan . produces detected findings
  2. Verify: firmis scan --deep . promotes findings to confirmed or dismissed
  3. Accept: firmis accept lets you accept verified risks with an audit trail
  4. Monitor: firmis monitor watches for new findings at runtime