scan.json. This page walks every field of that output and shows
how to act on it.
The terminal summary line
The last stdout line of every scan is the summary:--model stub), so the score is n/a and the
band is Not Evaluated (stub mode) — the stub model cannot adjudicate
authoritatively. Swap in a real evaluator (--model gemini:gemini-2.5-flash)
to get a numeric AIVSS and a real band.
Field-by-field:
| Field | Meaning |
|---|---|
scan | The scan id. Deterministic when paired with --seed. |
AIVSS=n/a | Inverse-risk score in [0, 100]. Lower = more vulnerable. n/a here because the stub model cannot score. With a real evaluator this is a number. |
band=Not Evaluated (stub mode) | The bucket the AIVSS lands in (rendered by humanise_band). Not Evaluated is forced when --model stub is in play or coverage drops below the authoritative threshold. See Severity Levels. |
tier=T4 | Auto-detected target risk tier. T1 = tools + memory + PII (most exposed). T4 = prompt-only (least). The swarm sizes per-agent budgets off the tier. |
findings=12 | How many adversarial probes produced a real, grader-confirmed vulnerability. |
coverage=54% | Fraction of the planned probe corpus the swarm actually executed inside the budget (only printed when below 100%). |
report=... | Absolute path to the canonical, signed scan.json for this scan. |
The findings table
When the swarm finishes, the Rich-rendered final panel prints a per-finding table (here is an ASCII excerpt — actual terminal output uses panels and colours):http://127.0.0.1:7474/scan/<scan_id> and in the SARIF + Markdown
exports.
A single finding in detail
Openscan.json and grab the first record under findings[]. A
goal-hijack finding from a real testbench scan looks like this:
Finding fields from
src/agent_guardian/models/finding.py — the same shape documented in
Report schema.
What each field means
id
Stable finding identifier, unique within the scan.
probe_id
The specific attack payload that triggered the finding. Every probe is
a YAML file under src/agent_guardian/probes/asi*/ — open the file to
see the seed prompt, the expected signal, and the rule-based pre-grader
expression. Probes are versioned; the probe_library_version at the top
of scan.json pins which corpus produced the finding.
asi · mitre_atlas · csa_category
Every finding is cross-tagged to three taxonomies:
asi— a single OWASP ASI category (ASI01..ASI10), Top 10 for Agentic Applications 2026. The primary taxonomy.mitre_atlas— a list of MITRE ATLAS technique IDs.csa_category— one CSA Agentic-AI Red Teaming category (kebab-case).
severity
critical / high / medium / low. The per-finding weight that feeds the
AIVSS deduction. See AIVSS Score.
attempt_count · success · confidence
attempt_count is how many turns the attacker spent on this scenario;
success is the binary outcome; confidence is the evaluator’s
confidence in the verdict (0–1).
summary
A one-line, redacted description of what happened — this is what an
auditor reads first.
transcript_ref · trigger_prompt · trigger_response · evidence_quote
The chain-of-custody record. transcript_ref is a relative path under
~/.agentguardian/scans/<id>/ to the full transcript; trigger_prompt
is the (redacted) attack prompt that produced the finding;
trigger_response is the target’s reply that proves the compromise; and
evidence_quote is the judge’s verbatim quoted span justifying the
verdict. Use --bundle ./evidence/ to persist the full attacker
transcripts plus a SHA-256 manifest. See
Evidence Timeline.
pov_reference · pov_reliability
pov_reference points at a Proof-of-Vulnerability reproducer script
(e.g. pov/<id>.py inside the bundle); pov_reliability is the
Wilson-lower-bounded N-fold rerun success rate. Both are null for
findings produced without the PoV harness.
created_at
ISO 8601 timestamp of when the finding was recorded.
Reproducing the finding
The whole report is reproducible by design. Re-run with the deterministic seed:--model gemini:gemini-2.5-flash-latest is not pinned;
--model gemini:gemini-2.5-flash is, as of v1.1).
Verifying the signature
Everyscan.json is signed with both HMAC-SHA256 (machine-local) and
Ed25519 (publish-able). Verify with:
Next step
AIVSS Score
The deterministic formula behind the headline number.
Severity Levels
The 6-band table and what
not_evaluated actually means.Evidence Timeline
Bundle layout, signature chain, auditor-ready export.
Report Schema
The canonical
agentguardian-scan-v1 JSON schema in full.Screenshots of the live dashboard, the GitHub Security tab, and the
PDF cover sheet are tracked under GTM-007. Until that ships this page
uses ASCII / code blocks as the canonical visual reference.