Scan complete. Now turn findings into fixes — or confirm you’re ready to ship.

What’s in your scan results

{
  "agents_found": 3,
  "framework_detected": "crewai",
  "findings": [
    {
      "id": "asi05_unexpected_code_execution_001",
      "category": "asi05_unexpected_code_execution",
      "ai_spm_severity": "Critical",
      "title": "Arbitrary Code Execution via eval()",
      "cvss_scores": { "base_score": 9.3 },
      "file_path": "src/agent.py",
      "line_number": 45,
      "evidence": "eval(user_input)",
      "remediation": "Use ast.literal_eval() for safe evaluation..."
    }
  ],
  "category_summary": {
    "asi05_unexpected_code_execution": 1
  }
}

Understanding findings

Each finding shows three things.
What’s broken:
  • title - Clear description of the issue
  • category - OWASP ASI01-ASI10 category (industry-standard mapping)
  • evidence - The actual code that triggered the finding
How severe:
  • ai_spm_severity - Critical, High, Medium, or Low
  • cvss_scores.base_score - Industry-standard CVSS v4.0 base score (0.0-10.0), computed from the finding’s CVSS vector
Where to fix:
  • file_path - Exact file location
  • line_number - Line where the issue appears
  • remediation - How to fix it

What to do next

Clean scan (no findings)?
  • Attach scan_<timestamp>.json to your PR as proof
  • Ship with confidence. A clean scan means nothing matched the scanner’s checks; keep it as evidence alongside your normal code review rather than in place of it.
Issues found?
  1. Review findings: check each finding’s file path and line number.
  2. Read remediation: follow the fix guidance provided for each issue.
  3. Fix the issues: apply the recommended fixes to your agent code.
  4. Re-scan to verify: run the scan again and confirm the issues are resolved.
     flintai scan /path/to/your/agent
  5. Ship with proof: attach the clean scan to your PR.
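The eval() finding in the sample scan above, worked as an added example that is not code from the Flint AI documentation or CLI: the vulnerable parser the finding points at, beside a hardened version that follows the ast.literal_eval() remediation. The function names, the size cap and the expected-shape check are assumptions about what this agent needs, not something the page specifies; the two inputs are constructed.

```python
import ast

# Constructed sample inputs (not from a real scan): one benign dict of tool
# arguments and one hostile payload that is an expression, not a literal.
BENIGN_INPUT = '{"query": "weather in Oslo", "max_results": 3}'
HOSTILE_INPUT = "[x * 2 for x in range(3)]"

MAX_INPUT_BYTES = 64 * 1024  # assumed cap; blunts very deeply nested payloads


def parse_tool_args_vulnerable(user_input: str):
    """The 'before' form the finding points at. eval() executes whatever the
    caller sends, so any Python expression (imports, file access, subprocess
    calls) runs with the agent's privileges. Kept deliberately insecure."""
    return eval(user_input)  # noqa: S307


class UnsafeToolArgs(ValueError):
    """Raised when tool arguments are not a plain literal of the expected shape."""


def parse_tool_args(user_input: str) -> dict:
    """Hardened form following the remediation. ast.literal_eval() only builds
    Python literals (strings, numbers, tuples, lists, dicts, sets, booleans,
    None) and refuses calls, attribute access, comprehensions and operators.
    The size cap, error handling and shape check around it are assumptions
    about what a practitioner would add, not part of the scanner's advice."""
    if len(user_input.encode("utf-8")) > MAX_INPUT_BYTES:
        raise UnsafeToolArgs("tool arguments exceed size limit")
    try:
        value = ast.literal_eval(user_input)
    except (ValueError, SyntaxError, MemoryError, RecursionError) as exc:
        # ValueError: a non-literal node such as Call or ListComp.
        # SyntaxError: input that does not parse at all.
        # MemoryError/RecursionError: pathologically nested input.
        raise UnsafeToolArgs(f"rejected non-literal input: {exc}") from None
    if not isinstance(value, dict) or not all(isinstance(k, str) for k in value):
        raise UnsafeToolArgs("expected a dict with string keys")
    return value


def demo() -> dict:
    """Run both parsers on the constructed inputs and report what each did."""
    outcome = {
        # eval() happily evaluates the comprehension: arbitrary code ran.
        "vulnerable_ran_expression": parse_tool_args_vulnerable(HOSTILE_INPUT),
        # literal_eval() returns the dict for the benign input.
        "hardened_benign": parse_tool_args(BENIGN_INPUT),
    }
    try:
        parse_tool_args(HOSTILE_INPUT)
        outcome["hardened_hostile"] = "accepted"
    except UnsafeToolArgs:
        outcome["hardened_hostile"] = "rejected"
    return outcome


if __name__ == "__main__":
    print(demo())
```

ast.literal_eval() is the right replacement only when the code needed to parse data (a dict of tool arguments, a list of ids). If the agent genuinely needs to evaluate expressions, dropping in literal_eval() will break it, and the real fix is a purpose-built parser or an allow-listed expression language rather than a sandboxed eval(). For JSON-shaped input, json.loads() is stricter still. Re-scanning confirms the eval() pattern is gone; the shape check is what stops the agent acting on a value of the wrong type.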

How severity is determined

Flint AI Scan uses CVSS v4.0 (Common Vulnerability Scoring System) to calculate severity:
Severity   CVSS score   Examples
Critical   9.0-10.0     Hardcoded credentials, arbitrary code execution
High       7.0-8.9      Prompt injection, missing auth
Medium     4.0-6.9      Unbounded loops, missing validation
Low        0.1-3.9      Deprecated functions, warnings
The severity label is derived from each finding’s CVSS v4.0 vector and the base score it produces (reported in cvss_scores.base_score), not from an ad-hoc rating. That gives you standardized risk scores you can show to security teams as-is.
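An added example, not part of the Flint AI documentation or CLI, that applies the table above and the field descriptions under Understanding findings to a scan file: it maps each base score onto its qualitative band, flags findings whose ai_spm_severity label disagrees with that band, recounts category_summary, and blocks a merge while anything at or above a chosen severity remains. The embedded scan is constructed in the documented shape; its first finding is the page’s own sample and the second is invented to trigger the consistency check. The fail_at threshold name and the exit-code convention are assumptions.

```python
import json
import sys

# Qualitative bands from the severity table above (CVSS v4.0 ratings),
# highest first so the first floor a score clears is its band.
SEVERITY_BANDS = [("Critical", 9.0), ("High", 7.0), ("Medium", 4.0), ("Low", 0.1)]
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Constructed scan output in the documented shape. The first finding is the
# page's sample; the second is invented (not a real Flint AI finding) with a
# Medium-range score but a Low label, to exercise the consistency check.
SAMPLE_SCAN_JSON = """
{
  "agents_found": 3,
  "framework_detected": "crewai",
  "findings": [
    {
      "id": "asi05_unexpected_code_execution_001",
      "category": "asi05_unexpected_code_execution",
      "ai_spm_severity": "Critical",
      "title": "Arbitrary Code Execution via eval()",
      "cvss_scores": { "base_score": 9.3 },
      "file_path": "src/agent.py",
      "line_number": 45,
      "evidence": "eval(user_input)",
      "remediation": "Use ast.literal_eval() for safe evaluation..."
    },
    {
      "id": "asi05_unexpected_code_execution_002",
      "category": "asi05_unexpected_code_execution",
      "ai_spm_severity": "Low",
      "title": "Constructed finding with an inconsistent label",
      "cvss_scores": { "base_score": 5.5 },
      "file_path": "src/tools.py",
      "line_number": 12,
      "evidence": "exec(payload)",
      "remediation": "Constructed placeholder"
    }
  ],
  "category_summary": { "asi05_unexpected_code_execution": 2 }
}
"""


def load_scan(path=None) -> dict:
    """Load a scan_<timestamp>.json file, or the embedded sample when no path is given."""
    if path is None:
        return json.loads(SAMPLE_SCAN_JSON)
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def band_for_score(score: float) -> str:
    """Map a CVSS v4.0 base score onto the table's qualitative band."""
    for name, floor in SEVERITY_BANDS:
        if score >= floor:
            return name
    return "None"  # a 0.0 score has no row in the table


def inconsistent_findings(scan: dict) -> list:
    """Ids of findings whose ai_spm_severity does not match the band implied by
    their base score. Worth a look: it may be a triage downgrade or a data error."""
    return [
        f["id"] for f in scan["findings"]
        if band_for_score(f["cvss_scores"]["base_score"]) != f["ai_spm_severity"]
    ]


def category_summary_matches(scan: dict) -> bool:
    """Recount findings per category and compare with the file's category_summary."""
    counts = {}
    for f in scan["findings"]:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return counts == scan["category_summary"]


def gate(scan: dict, fail_at: str = "High") -> dict:
    """Merge gate: block when any finding is at or above the fail_at label.
    Blocking findings are listed highest score first with file:line, so the
    reviewer can jump straight to them."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = sorted(
        (f for f in scan["findings"]
         if SEVERITY_RANK.get(f["ai_spm_severity"], 0) >= threshold),
        key=lambda f: -f["cvss_scores"]["base_score"],
    )
    return {
        "ok": not blocking,
        "blocking": [
            f"{f['ai_spm_severity']} ({f['cvss_scores']['base_score']}) "
            f"{f['file_path']}:{f['line_number']} {f['title']}"
            for f in blocking
        ],
        "inconsistent": inconsistent_findings(scan),
        "summary_matches": category_summary_matches(scan),
    }


if __name__ == "__main__":
    # Usage: python gate.py [scan_<timestamp>.json]; exit status 1 blocks the merge.
    result = gate(load_scan(sys.argv[1] if len(sys.argv) > 1 else None))
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["ok"] else 1)
```

Gating on the label rather than the raw score respects the scanner’s triage (a downgraded finding stays downgraded), while the inconsistency list tells you exactly which findings were adjusted so you can check them against triage_downgraded instead of discovering the mismatch in an audit.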

Advanced: What Flint AI CLI filtered out

Your scan JSON may include:
  • triage_dismissed - Findings that describe expected behavior for your agent’s purpose
  • triage_downgraded - Findings whose original severity was disproportionate and was adjusted
These fields show what the Flint AI CLI’s AI reasoning layer filtered and why, so you can verify the triage decisions rather than take them on trust; a dismissal covering a finding you did not expect deserves the same review as a reported one. See How scanning works for details on the 4-layer pipeline.

Share your results

Attach scan_<timestamp>.json to:
  • Pull requests (proof you validated before merging)
  • Team reviews (show what you found and fixed)
  • Security audits (OWASP/CVSS validation)
The JSON format is stable and shareable. Compare scans over time to track improvements.
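Comparing scans over time, as an added example that is not Flint AI’s own code: two constructed scan documents in the documented shape are diffed to list resolved, new and persisting findings. Because the sample ids end in a counter, the block matches findings on (category, file_path, evidence) rather than on id; that the counter may be renumbered between runs is an assumption, not something the page states.

```python
import json
import sys
from collections import Counter

# Two constructed scan documents in the documented shape (not real Flint AI
# output). Between "before" and "after": the eval() in src/agent.py was fixed,
# the exec() in src/tools.py survived but moved down eight lines, and a new
# eval() appeared in src/planner.py. The ids were renumbered between runs.
BEFORE_SCAN = {
    "agents_found": 3,
    "framework_detected": "crewai",
    "findings": [
        {"id": "asi05_unexpected_code_execution_001",
         "category": "asi05_unexpected_code_execution",
         "ai_spm_severity": "Critical",
         "title": "Arbitrary Code Execution via eval()",
         "cvss_scores": {"base_score": 9.3},
         "file_path": "src/agent.py", "line_number": 45,
         "evidence": "eval(user_input)",
         "remediation": "Use ast.literal_eval() for safe evaluation..."},
        {"id": "asi05_unexpected_code_execution_002",
         "category": "asi05_unexpected_code_execution",
         "ai_spm_severity": "Critical",
         "title": "Arbitrary Code Execution via exec()",
         "cvss_scores": {"base_score": 9.3},
         "file_path": "src/tools.py", "line_number": 80,
         "evidence": "exec(payload)",
         "remediation": "Constructed placeholder"},
    ],
    "category_summary": {"asi05_unexpected_code_execution": 2},
}
AFTER_SCAN = {
    "agents_found": 3,
    "framework_detected": "crewai",
    "findings": [
        {"id": "asi05_unexpected_code_execution_001",
         "category": "asi05_unexpected_code_execution",
         "ai_spm_severity": "Critical",
         "title": "Arbitrary Code Execution via exec()",
         "cvss_scores": {"base_score": 9.3},
         "file_path": "src/tools.py", "line_number": 88,
         "evidence": "exec(payload)",
         "remediation": "Constructed placeholder"},
        {"id": "asi05_unexpected_code_execution_002",
         "category": "asi05_unexpected_code_execution",
         "ai_spm_severity": "Critical",
         "title": "Arbitrary Code Execution via eval()",
         "cvss_scores": {"base_score": 9.3},
         "file_path": "src/planner.py", "line_number": 12,
         "evidence": "eval(config_expr)",
         "remediation": "Use ast.literal_eval() for safe evaluation..."},
    ],
    "category_summary": {"asi05_unexpected_code_execution": 2},
}


def fingerprint(finding: dict) -> tuple:
    """Identity for a finding across scans. Assumes the id's counter suffix may
    be renumbered from run to run, so match on what and where the finding is."""
    return (finding["category"], finding["file_path"], finding["evidence"])


def severity_counts(scan: dict) -> dict:
    """How many findings carry each ai_spm_severity label."""
    return dict(Counter(f["ai_spm_severity"] for f in scan["findings"]))


def compare_scans(before: dict, after: dict) -> dict:
    """Diff two scans: resolved and new findings by id, persisting ones with
    their new location, whether the line moved, and the base-score change."""
    b = {fingerprint(f): f for f in before["findings"]}
    a = {fingerprint(f): f for f in after["findings"]}
    resolved = [b[k]["id"] for k in sorted(b.keys() - a.keys())]
    new = [a[k]["id"] for k in sorted(a.keys() - b.keys())]
    persisting = []
    for k in sorted(b.keys() & a.keys()):
        persisting.append({
            "before_id": b[k]["id"],
            "after_id": a[k]["id"],
            "location": f"{k[1]}:{a[k]['line_number']}",
            "line_moved": b[k]["line_number"] != a[k]["line_number"],
            "score_delta": round(a[k]["cvss_scores"]["base_score"]
                                 - b[k]["cvss_scores"]["base_score"], 1),
        })
    return {
        "resolved": resolved,
        "new": new,
        "persisting": persisting,
        "severity_counts_before": severity_counts(before),
        "severity_counts_after": severity_counts(after),
    }


if __name__ == "__main__":
    # Usage: python compare.py before.json after.json; no arguments runs the sample.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as f1, open(sys.argv[2], encoding="utf-8") as f2:
            report = compare_scans(json.load(f1), json.load(f2))
    else:
        report = compare_scans(BEFORE_SCAN, AFTER_SCAN)
    print(json.dumps(report, indent=2))
```

The persisting list is the one to read in a PR: a finding whose line moved but whose score did not change is refactoring noise, not a fix. If ids prove stable across runs, matching on id is simpler and survives a file rename; the fingerprint here trades that for robustness against renumbering.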