Report Schema
Schema 18 separates atomic evidence (findings) from decision units (issues).
Each finding exposes detection_reliability and interpretation_reliability;
the manifest declares issue_family, evidence_role, and
constituent_kinds. coverage_manifest declares the supported mechanism and
entity-scope matrix, while coverage_summary records observed languages,
analyzed entities, parse failures, and unobservable reasons for this run.
JSON and YAML reports use schema version 18. Version 17 reports and baselines are rejected and must be regenerated. The same Rust data model is
serialized for both formats. SARIF output is a separate SARIF 2.1.0 document
that carries the same finding IDs in result fingerprints.
Top-Level Shape
{
"schema_version": 18,
"summary": {},
"stats": {},
"metrics_summary": {},
"raw_metrics": {},
"raw_metric_manifest": [],
"dependency_graph": {},
"hotspots": [],
"suppression_summary": {},
"coverage_manifest": [],
"coverage_summary": {},
"issues": [],
"detector_manifest": [],
"findings": []
}
Top-level fields:
schema_version: report schema version. Current value is18.summary: scan totals, duration, hotspot model, and churn status.stats: source files, directories, and function candidates counted.metrics_summary: percentile distributions for raw metrics.raw_metrics: directory, file, function, type, and churn measurements.raw_metric_manifest: scale, unit, scope, direction, and meaning of every raw metric family.dependency_graph: resolved source-file dependency graph snapshot.hotspots: ranked file, function, and type locations.suppression_summary: aggregate counts for findings removed by suppressions.issues: compatible atomic evidence grouped into stable human-facing refactoring issues.detector_manifest: coverage and classification metadata for every finding kind.findings: detector findings with priority, confidence, metrics, and related locations.
Reports contain maintainability and refactoring signals. They are not a
quality score, health score, bug detector, or defect probability model.
findings is the post-scoring, post-filter, post-suppression list; an empty
list does not mean raw metrics, hotspots, or suppressed signals were absent.
summary
Fields:
scanned_files: number of source files scanned.finding_count: number of findings emitted after filters and suppressions.issue_count: findings after clustered secondary facets are counted once.hotspot_count: number of hotspots emitted for the watchlist.similar_function_group_count: number of similar-function findings.duration_ms: scan duration in milliseconds.hotspot_model:static,churn, orhybrid.churn: churn collection details.
summary.churn fields:
mode: requested churn mode, one ofauto,on, oroff.enabled: whether churn metrics were collected.status:enabled,disabled, orunavailable.reason: optional human-readable reason when churn is disabled or unavailable.window_days: configured git history window.max_commit_lines: configured max added+deleted lines per commit.
stats
Fields:
source_files_scanned: source files scanned.directories_scanned: directories visited.function_candidates: function bodies considered for similarity analysis.
metrics_summary
metrics_summary contains maps for directories, files, functions,
types, and churn. Each metric has:
p50p75p90p95max
Directory metrics include source_files. Each directory contributes exactly
one observation, independent of the number of files it contains.
File metrics include loc, imports, and public_items.
Function metrics include loc, complexity, nesting_depth, and
parameter_count.
Type metrics include loc and member_count.
Churn metrics include commits_touched, lines_added, lines_deleted,
authors_count, and recent_weighted_churn.
raw_metrics
raw_metrics.files entries:
pathlocimportspublic_itemsis_testchurn
raw_metrics.directories entries:
pathsource_files
raw_metrics.files[].churn entries:
commits_touchedlines_addedlines_deletedauthors_countrecent_weighted_churn
raw_metrics.functions entries:
pathnamelineloccomplexitynesting_depthparameter_countis_test
raw_metrics.types entries:
pathnamelinelocmember_countis_test
dependency_graph
dependency_graph records the resolved source-file import graph used by the
dependency-cycle and dependency-hub detectors. External packages and unresolved
imports are not included.
dependency_graph.nodes entries:
path: source file path.fan_in: number of resolved files that import or include this file.fan_out: number of resolved files imported or included by this file.
dependency_graph.edges entries:
from: importing or including source file.to: resolved imported or included source file.
hotspots
Hotspot fields:
level:file,function, ortype.path: location path.line: source line for function/type hotspots, otherwisenull.name: function/type name, otherwisenull.priority: 0 through 100 ranking score.severity:info,warning, orcritical.static_risk: floating-point structural risk score from 0 through 100.churn_risk: floating-point git-churn risk score from 0 through 100.reason: short explanation of the ranking model and dominant risk.
The selected hotspot model converts those components into integer priority
from 0 through 100. Hotspots are retained when priority >= 35 and sorted by
priority descending.
They are watchlist entries, not detector findings, and should not be treated as
hard CI gate failures by themselves.
findings
Finding fields:
kind: detector-specific finding kind.id: stable evidence identifier in the formrf3-<hex>.severity:info,warning, orcritical.path: primary path.line: primary line ornull.metrics: finding-specific measurements.construct: primary ISO/IEC 25010-aligned maintainability construct.mechanism: primary source-observable maintenance mechanism.issue_id: owning issue ID ornull.priority: 0 through 100 refactoring priority.detection_reliability: detector reliability from 0.0 through 1.0.interpretation_reliability: interpretation reliability from 0.0 through 1.0.priority_factors: scoring inputs.rank_explanation: short ranking explanation.message: human-readable summary.recommendation: concise refactoring hint computed fromkind.related_locations: additional locations for grouped findings.
metrics entries contain:
namevaluethresholdunitexcess_rationormalizedpercentile
construct is one of modularity, reusability, analysability,
modifiability, or testability. mechanism is defined in the
metric ontology.
priority_factors contains:
impactintensityspreadchange_pressureactionabilitydetection_reliabilityinterpretation_reliability
related_locations entries contain:
pathlinename
Very large similar_functions groups serialize at most 50 related locations
to keep reports bounded.
Finding IDs are deterministic for the same evidence identity. The rf3- ID
uses the finding kind, metric names, and the normalized, sorted, deduplicated
set of primary and related path/line locations. It intentionally does not
include the representative location choice, related-location order, names,
message text, or metric values. Baseline comparison therefore recognizes the
same evidence group when detector traversal order or ranking changes.
issues
Issues contain id, construct, mechanism, action, path, line,
primary_finding_id, finding_ids, kinds, priority, and severity.
Finding id values are stable EvidenceId values (rf3-...). Issue id
values are stable IssueKey values (ri3-...) derived only from the issue
family and canonical subject, not from evidence membership or input order.
Every compatible atomic evidence group emits an issue. The
primary member is the highest-priority finding; member findings remain in
findings for baselines and detector-specific filtering.
detector_manifest
Each entry contains kind, construct, mechanism, action, entity_scope,
approach, supported_languages, precision_risk, typed input_metrics,
issue_family, evidence_role, constituent_kinds,
default_detection_reliability, default_interpretation_reliability, impact,
and actionability. Consumers can distinguish
unsupported analysis from an observed absence of findings.
raw_metric_manifest
Each entry contains a stable dotted name, entity_scope, unit, scale,
direction, and description. higher_is_more_pressure means larger values
may contribute to hotspot or finding intensity; context_only metrics remain
observable but do not independently vote for maintenance pressure. A metric
definition describes an observation, not a universal threshold or quality
grade.
findings=0 means no unsuppressed findings were emitted. Consumers should
avoid presenting that as proof that the scanned code is healthy or bug-free.
suppression_summary
Fields:
suppressed_count: number of findings removed by suppressions.suppressed_by_kind: map of finding kind to suppressed count.suppressed_by_severity: map of severity to suppressed count.highest_suppressed_priority: highest suppressed finding priority, ornullwhen no findings were suppressed.
Suppressions remove matching entries from findings before report emission
and CI gate selection. The suppression summary is report context, not a
finding: its purpose is to show that findings were intentionally removed and
whether an empty finding list means zero unsuppressed findings rather than zero
observed signals.
Schema version 13 does not serialize suppressed finding bodies in
findings. Consumers should render suppression_summary near
summary.finding_count and avoid counting suppressed findings as gate
failures.
SARIF Output
--output sarif and .sarif output files emit SARIF version 2.1.0.
The SARIF log contains one run with Reforge as the tool driver. Rules are keyed
by finding kind, and each result contains:
ruleId: finding kind.ruleIndex: index into the run’s rule table.level:errorforcritical,warningforwarning, andnoteforinfo.message.text: finding message.locations[].physicalLocation: primary path and line.relatedLocations: related finding locations when present.partialFingerprints.reforgeFindingId: stable findingid.properties.id: stable findingid.properties.recommendation: concise refactoring hint.
Finding Kinds
Current kind values:
large_filelarge_directorydebt_markersimilar_functionslong_functioncomplex_functiondeep_nestingmany_parametersreadability_risklarge_typelarge_public_surfaceimport_heavy_filefunction_proliferationunused_functionrepeated_literalrepeated_error_patterntest_duplicationhappy_path_only_testsfile_naming_driftdirectory_driftdata_clumpparallel_implementationshadowed_abstractionduplicate_type_shapeconfig_key_driftfixture_factory_driftgeneric_bucket_driftadapter_boundary_bypassstale_compatibility_pathmissing_documentation_setmissing_user_guidemissing_report_schema_docsmissing_metrics_model_docsmissing_architecture_docsstale_cli_documentationstale_schema_documentationdependency_cycledependency_hub
Compatibility Notes
Consumers should check schema_version before assuming field shape. Schema
version 18 formalizes rf3- EvidenceIds and ri3- IssueKeys over canonical
subjects. Issue identity is independent of alternative evidence membership and
input ordering. Schema
version 16 gives every finding metric a canonical dotted ID, adds directory
raw metrics and percentile summaries, removes repeated parent-directory counts
from file raw metrics and file hotspots, and exposes detector metric and
ranking-policy inputs in detector_manifest. Schema
version 14 adds finding constructs and mechanisms, issue clusters, detector
manifests, and summary.issue_count; it removes metric dimension. Schema
version 13 does not emit the legacy v4 fields score, score_breakdown, or
rank_reason; use priority, priority_factors, and rank_explanation
instead. Schema version 13 includes stable finding id, per-finding
recommendation, the dependency_graph snapshot, and suppression_summary.
Schema version 12 included stable finding IDs, recommendations, and
dependency_graph, but did not include suppression summary context. Schema
version 11 included stable finding IDs and recommendations, but did not
include dependency_graph. Reports without IDs should be regenerated before
being used as baselines.
New finding kinds may be added in future schema versions. Consumers should
handle unknown kind values gracefully when possible.