The tolmo findings command group lets you manage security findings for your organization — from creation through triage and closure. Findings include a severity, visibility (draft or published), and status with full audit history. All subcommands accept the global --org flag to target a specific organization and --json for machine-readable output.
Findings model
Every finding has three core classification fields:
Severity — how critical the issue is:
| Value | Meaning |
|---|
critical | Immediate risk; requires urgent remediation |
high | Significant risk; prioritize in the current cycle |
medium | Moderate risk; address in the near term |
low | Minor risk; fix as capacity allows |
info | Informational; no direct action required |
Visibility — who can see the finding:
| Value | Meaning |
|---|
draft | Hidden from org members; only the creator and org owners can see it |
published | Visible to all org members |
Status — where the finding is in the triage lifecycle:
| Value | Meaning |
|---|
open | Newly created; not yet triaged |
in_review | Under active investigation |
closed | Resolved and closed |
acknowledged | Accepted risk; no further action planned |
false-positive | Determined not to be a real issue |
Finding IDs support prefix matching. The short 8-character IDs shown in tolmo findings list work in every subcommand — you don’t need to paste the full UUID.
List findings
View a finding
tolmo findings get prints the full finding, including its markdown description body.
Create a finding
You can supply the description inline with --description or load it from a file with --description-file. The two flags are mutually exclusive.
Pass - as the value to --description-file to read the description from stdin:
Update a finding
tolmo findings update changes only the fields you specify — all other fields remain unchanged.
Transition status
Use tolmo findings status to move a finding through its lifecycle. This command uses a dedicated endpoint that only changes the status field, keeping the rest of the finding intact.
Audit history
View the full status-change audit trail for a finding:
The history shows every status transition along with the timestamp and the user who made the change.
Delete a finding
Deletion is permanent and requires the --yes flag to confirm:
Flags reference
| Flag | Values | Default | Notes |
|---|
--title | any string (max 512 chars) | — | Required on create |
--severity | critical high medium low info | — | Required on create |
--description | markdown string | "" | Mutually exclusive with --description-file |
--description-file | file path or - for stdin | — | Mutually exclusive with --description |
--visibility | draft published | draft | draft findings are hidden from org members |
--status | open in_review closed acknowledged false-positive | open | Use findings status to transition after creation |
Write finding descriptions the way you’d brief a CTO: start with a one-sentence summary of what is exposed, name the specific affected resource (e.g. the bucket ARN or role name), explain the blast radius if exploited, and end with a concrete next action and owner. Concise, evidence-backed descriptions dramatically reduce triage time.