Findings
This page is generated from the PhiSQL spec artifacts for v1.0. Do not edit it by hand; change the artifact and rebuild.
Discovery scans produce rows in the findings table (default namespace phinder). SELECT ... FROM findings projects, filters, and aggregates over these columns; the discovery WHERE clause filters on the same column names.
| Column | Type | Required | Description |
|---|---|---|---|
| finding_id | string | yes | Stable identifier for this finding within the findings store. Engines should make this unique per (scan_id, source_uri, offset) tuple so a finding can be re-fetched later for review. |
| scan_id | string | yes | Identifier of the discovery scan that produced this finding. |
| scan_date | timestamp | yes | ISO 8601 UTC timestamp at which the scan that produced this finding began. Used in time-range filters such as WHERE scan_date > '...'. |
| source_uri | string | yes | Fully qualified source URI the finding was discovered in (the value of the IN clause that initiated the scan, or a more specific child path). |
| path | string | yes | Path within the source URI where the finding lives. For object stores this is the object key; for filesystems, the absolute path; for databases, a schema.table.column triple. |
| entity_type | string | yes | Catalog entity type detected (e.g., SSN, CREDIT_CARD, EMAIL_ADDRESS). Must be a name from entity-types.yaml or a user-defined identifier classification. |
| confidence | number | yes | Detector confidence in the range [0.0, 1.0]. |
| risk_score | number | no | Engine-assigned risk score in the range [0, 10]. Optional; engines that do not assign a risk score should omit the column or set it to null rather than zero. |
| snippet | string | no | Short surrounding text or value preview at the discovery site, suitable for human review. Engines that operate on opaque binary sources may omit this column. |
| offset | integer | no | Byte offset of the finding within the source object. For non-text sources (databases, structured records) this column should be omitted and locating information should appear in path. |
Filterable columns
Columns valid on the left-hand side of a WHERE predicate:
scan_id, scan_date, source_uri, path, entity_type, confidence, risk_score, offset
Groupable columns
Columns valid in a GROUP BY clause:
scan_id, scan_date, source_uri, path, entity_type
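
The following is an added example, not part of the PhiSQL spec or any engine's code: a Python check that a findings row conforms to the table above and that a query only filters and groups on the columns listed. It assumes rows arrive as dicts with scan_date carried as an ISO 8601 string; the function names and the sample row are constructed for illustration.

```python
from datetime import datetime, timedelta

# Column -> (accepted Python types, required), transcribed from the table above.
# Assumption: rows are dicts and scan_date is carried as an ISO 8601 string.
SCHEMA = {
    "finding_id": (str, True), "scan_id": (str, True), "scan_date": (str, True),
    "source_uri": (str, True), "path": (str, True), "entity_type": (str, True),
    "confidence": ((int, float), True), "risk_score": ((int, float), False),
    "snippet": (str, False), "offset": (int, False),
}
RANGES = {"confidence": (0.0, 1.0), "risk_score": (0, 10)}
FILTERABLE = {"scan_id", "scan_date", "source_uri", "path", "entity_type",
              "confidence", "risk_score", "offset"}
GROUPABLE = {"scan_id", "scan_date", "source_uri", "path", "entity_type"}

def is_utc_iso8601(text):
    """True if text parses as ISO 8601 and carries a zero UTC offset."""
    try:
        parsed = datetime.fromisoformat(text.replace("Z", "+00:00"))
    except ValueError:
        return False
    return parsed.utcoffset() == timedelta(0)  # naive timestamps are rejected

def validate_finding(row):
    """Return schema violations for one findings row; an empty list means valid."""
    errors = []
    for col, (types, required) in SCHEMA.items():
        value = row.get(col)
        if value is None:  # column omitted or explicitly null
            if required:
                errors.append(f"{col}: required")
            continue
        if isinstance(value, bool) or not isinstance(value, types):
            errors.append(f"{col}: wrong type")
        elif col in RANGES and not RANGES[col][0] <= value <= RANGES[col][1]:
            errors.append(f"{col}: out of range")
        elif col == "scan_date" and not is_utc_iso8601(value):
            errors.append(f"{col}: not an ISO 8601 UTC timestamp")
    return errors

def rejected_columns(where_cols=(), group_by_cols=()):
    """Columns a query uses in a clause where the lists above do not allow them."""
    return {"where": sorted(set(where_cols) - FILTERABLE),
            "group_by": sorted(set(group_by_cols) - GROUPABLE)}

# Constructed sample row, not real scan output; risk_score is null, not zero.
SAMPLE = {
    "finding_id": "f-0001", "scan_id": "scan-42", "scan_date": "2024-05-01T12:00:00Z",
    "source_uri": "s3://example-bucket", "path": "exports/users.csv",
    "entity_type": "EMAIL_ADDRESS", "confidence": 0.93, "risk_score": None, "offset": 1024,
}
```

Note that snippet, the one column that can hold a preview of the detected value, and finding_id are absent from both lists, so `rejected_columns` flags them in either clause.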