Understanding Results
The JSON Report
When you run `fleet scan --output json`, you get a structured report with these top-level keys:

| Key | Contents |
|---|---|
| scan | Timestamp, duration, commit SHA, CI provider |
| catalog | Catalog version and total requirement count |
| project | Languages, file counts |
| summary | Pass/fail/review counts |
| findings | Array of individual requirement assessments |
| evidence | Array of evidence records (one per finding) |
| sbom | CycloneDX 1.6 Software Bill of Materials |
| cbom | CycloneDX 1.6 Cryptographic Bill of Materials |
| cbom_summary | Crypto primitive counts by compliance status |
Findings
Each finding represents a single requirement assessment:

```json
{
  "requirement_id": "CRYPTO-01-R1",
  "risk_id": "CRYPTO-01",
  "status": "fail",
  "confidence": 0.85,
  "detector": "crypto",
  "message": "Weak cryptographic algorithm MD5 detected...",
  "source_locations": [
    {
      "file": "src/utils/hash.py",
      "line": 12,
      "snippet": "hashlib.md5(data)"
    }
  ]
}
```

Finding Status
| Status | Meaning | Action |
|---|---|---|
| pass | Requirement satisfied | None — this is evidence of compliance |
| fail | Requirement violated | Fix the code, or override as false-positive/accepted-risk |
| needs_review | Pattern detected, judgment needed | Review manually or enable LLM review |
| not_applicable | Requirement doesn’t apply | Automatically set (e.g., no AI usage = AI-* is N/A) |
Confidence Scores
| Range | Interpretation |
|---|---|
| 0.85 - 1.0 | High confidence — clear pattern match |
| 0.65 - 0.84 | Good — strong match, likely correct |
| 0.50 - 0.64 | Moderate — review recommended |
| Below 0.50 | Low — likely needs human judgment |
Evidence Records
Each finding produces an evidence record:

```json
{
  "requirement_id": "CRYPTO-01-R1",
  "evidence_type": "auto",
  "source": "scanner",
  "content": "Requirement CRYPTO-01-R1 assessed as fail (confidence: 85%): Weak cryptographic algorithm MD5 detected...",
  "content_hash": "sha256:a1b2c3d4...",
  "commit_sha": "abc12345",
  "status": "draft"
}
```

Evidence records are immutable — once created, they’re never modified. This is by design for the CRA 10-year retention obligation.
SBOM (Software Bill of Materials)
The SBOM lists every dependency in CycloneDX 1.6 format:

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "components": [
    {
      "type": "library",
      "name": "express",
      "version": "4.18.2",
      "purl": "pkg:npm/express@4.18.2"
    }
  ]
}
```

Fleet parses lockfiles from 9 ecosystems: Rust, npm, Yarn, Python (Poetry/Pipenv), Go, PHP, .NET, Ruby.
CBOM (Cryptographic Bill of Materials)
The CBOM inventories every cryptographic primitive found in the source:

```json
{
  "type": "cryptographic-asset",
  "name": "AES-256-GCM",
  "properties": [
    { "name": "category", "value": "symmetric-cipher" },
    { "name": "compliance", "value": "approved" },
    { "name": "key-length", "value": "256" },
    { "name": "source-file", "value": "src/crypto.rs" },
    { "name": "source-line", "value": "42" }
  ]
}
```

Each crypto primitive is classified as approved, deprecated, or prohibited.
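To show how the findings, confidence bands and CBOM entries above fit together in practice, here is an added triage script (example code, not part of Fleet or its documentation). It runs over a constructed report embedded inline, and it assumes the `cbom` object carries a `components` array in the same layout as the SBOM; the 0.65 "fix now" cut-off is this example's own choice.

```python
import json
from collections import Counter

# Constructed sample report (not real Fleet output); keys follow the schema above.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"requirement_id": "CRYPTO-01-R1", "status": "fail", "confidence": 0.85,
         "message": "Weak cryptographic algorithm MD5 detected",
         "source_locations": [{"file": "src/utils/hash.py", "line": 12}]},
        {"requirement_id": "CRYPTO-02-R1", "status": "fail", "confidence": 0.55,
         "message": "Possible hardcoded key material",
         "source_locations": [{"file": "src/config.py", "line": 3}]},
        {"requirement_id": "AUTH-01-R1", "status": "needs_review", "confidence": 0.70,
         "message": "Session handling pattern detected", "source_locations": []},
    ],
    "cbom": {"components": [  # assumed layout: same "components" array as the SBOM
        {"type": "cryptographic-asset", "name": "AES-256-GCM",
         "properties": [{"name": "compliance", "value": "approved"}]},
        {"type": "cryptographic-asset", "name": "MD5",
         "properties": [{"name": "compliance", "value": "prohibited"}]},
    ]},
})

def confidence_band(score):
    """Map a confidence score to the bands in the table above."""
    for threshold, band in ((0.85, "high"), (0.65, "good"), (0.50, "moderate")):
        if score >= threshold:
            return band
    return "low"

def triage(report_json):
    """Split findings into 'fix' (fail at good/high confidence) and 'review'
    (needs_review, or fail below 0.65). The 0.65 cut-off is this example's choice."""
    buckets = {"fix": [], "review": []}
    for f in json.loads(report_json)["findings"]:
        band = confidence_band(f["confidence"])
        locs = [f"{loc['file']}:{loc['line']}" for loc in f["source_locations"]]
        if f["status"] == "fail" and band in ("high", "good"):
            buckets["fix"].append((f["requirement_id"], band, locs))
        elif f["status"] in ("fail", "needs_review"):
            buckets["review"].append((f["requirement_id"], band, locs))
    return buckets

def cbom_compliance_counts(report_json):
    """Count CBOM assets by their 'compliance' property (approved/deprecated/prohibited)."""
    counts = Counter()
    for comp in json.loads(report_json)["cbom"]["components"]:
        props = {p["name"]: p["value"] for p in comp.get("properties", [])}
        counts[props.get("compliance", "unknown")] += 1
    return dict(counts)
```

Pass and not_applicable findings land in neither bucket, since the table above says they need no action.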
Dashboard Views
When results are uploaded to the Fleet API, the dashboard provides:
- Compliance score: Percentage of requirements with evidence
- Coverage bar: Visual breakdown by status
- Gap analysis: Prioritized list of missing/failing requirements
- Evidence vault: Searchable, filterable evidence record viewer
- Catalog explorer: Browse the full catalog tree with per-requirement status