Skip to main content
The tolmo findings command group lets you manage security findings for your organization — from creation through triage and closure. Findings include a severity, visibility (draft or published), and status with full audit history. All subcommands accept the global --org flag to target a specific organization and --json for machine-readable output.

Findings model

Every finding has three core classification fields: Severity — how critical the issue is:
ValueMeaning
criticalImmediate risk; requires urgent remediation
highSignificant risk; prioritize in the current cycle
mediumModerate risk; address in the near term
lowMinor risk; fix as capacity allows
infoInformational; no direct action required
Visibility — who can see the finding:
ValueMeaning
draftHidden from org members; only the creator and org owners can see it
publishedVisible to all org members
Status — where the finding is in the triage lifecycle:
ValueMeaning
openNewly created; not yet triaged
in_reviewUnder active investigation
closedResolved and closed
acknowledgedAccepted risk; no further action planned
false-positiveDetermined not to be a real issue
Finding IDs support prefix matching. The short 8-character IDs shown in tolmo findings list work in every subcommand — you don’t need to paste the full UUID.

List findings

View a finding

tolmo findings get prints the full finding, including its markdown description body.

Create a finding

You can supply the description inline with --description or load it from a file with --description-file. The two flags are mutually exclusive.
Pass - as the value to --description-file to read the description from stdin:

Update a finding

tolmo findings update changes only the fields you specify — all other fields remain unchanged.

Transition status

Use tolmo findings status to move a finding through its lifecycle. This command uses a dedicated endpoint that only changes the status field, keeping the rest of the finding intact.

Audit history

View the full status-change audit trail for a finding:
The history shows every status transition along with the timestamp and the user who made the change.

Delete a finding

Deletion is permanent and requires the --yes flag to confirm:

Flags reference

FlagValuesDefaultNotes
--titleany string (max 512 chars)Required on create
--severitycritical high medium low infoRequired on create
--descriptionmarkdown string""Mutually exclusive with --description-file
--description-filefile path or - for stdinMutually exclusive with --description
--visibilitydraft publisheddraftdraft findings are hidden from org members
--statusopen in_review closed acknowledged false-positiveopenUse findings status to transition after creation
Write finding descriptions the way you’d brief a CTO: start with a one-sentence summary of what is exposed, name the specific affected resource (e.g. the bucket ARN or role name), explain the blast radius if exploited, and end with a concrete next action and owner. Concise, evidence-backed descriptions dramatically reduce triage time.