> ## Documentation Index > Fetch the complete documentation index at: https://docs.golf.dev/llms.txt > Use this file to discover all available pages before exploring further. # Understanding Results > How to read scan and audit output including severity levels, risk scores, and server classifications Golf Scanner produces two types of output: **scan results** (server discovery) and **audit results** (security assessment). This page explains how to read both. ## Output Formats Styled terminal output with color-coded severity, boxed headers, and a summary table. Adapts to terminal width. Shows an animated progress spinner during audit (auto-disabled when piped). ```bash theme={null} golf-scanner audit ``` Structured JSON with 2-space indentation. Suitable for CI/CD pipelines and programmatic processing. ```bash theme={null} golf-scanner audit --json ``` ## Scan Output The `scan` command discovers MCP servers and reports where they were found. ### JSON Fields | Field | Type | Description | | ------------------ | ------ | --------------------------------------------------------------------------------- | | `ide` | string | IDE name (e.g., "Claude Code", "Cursor", "VS Code") | | `username` | string | User who owns this config (relevant for root scans) | | `scope` | string | Config scope: `user`, `project`, `workspace`, `system`, `local` | | `config_path` | string | Absolute path to the configuration file | | `config_hash` | string | SHA-256 hash of the configuration file | | `project_path` | string | Project directory (for project-scoped configs) | | `discovery_source` | string | How the config was found (e.g., `direct`, `claude_projects`, `vscode_workspaces`) | | `servers` | array | List of server entries in this config | ### Server Entry Fields Each server entry includes: | Field | Type | Description | | --------------- | ------ | ------------------------------------------------- | | `name` | string | Server name from config | | `transport` | string | `stdio`, `http`, or `sse` | | `host` | string | Server host (for HTTP/SSE) | | `cmd` | string | Command (for STDIO) | | `args` | array | Command arguments (sensitive values scrubbed) | | `env` | object | Environment variables (sensitive values scrubbed) | | `file_mode` | string | File permissions of the config file | | `cmd_file_mode` | string | File permissions of the command binary | **Argument scrubbing**: Sensitive flags (`--password`, `--token`, `--secret`) are masked to `****`. API key prefixes, high-entropy strings, URLs with credentials, and email addresses are also masked. Package names, environment variable references (`${VAR}`), and port numbers are preserved. ## Audit Output The `audit` command runs security checks and produces a structured report. ### Report Structure | Field | Type | Description | | ----------- | ------ | ------------------------- | | `version` | string | Scanner version | | `scan_time` | string | ISO 8601 UTC timestamp | | `servers` | array | Per-server audit results | | `summary` | object | Aggregate severity counts | ### Per-Server Result | Field | Type | Description | | ---------------- | ------ | -------------------------------------------------------- | | `name` | string | Server name from config | | `ide` | string | IDE that configured it | | `scope` | string | Config scope | | `type` | string | Detected server type (see [Server Types](#server-types)) | | `score` | object | Security score and risk assessment | | `findings` | array | Individual check results | | `checks_run` | array | Check IDs that executed | | `checks_skipped` | array | Check IDs that were skipped | ### Score Object | Field | Type | Description | | ------------------ | ------ | ---------------------------------------------------------- | | `status` | string | `graded`, `attention_required`, or `unknown` | | `overall_score` | float | 0–100 risk score (after hard caps) | | `risk_level` | string | `Low` (≥60), `Moderate` (>30), `High` (≤30), or null | | `hard_cap_applied` | string | `CRITICAL` (cap 30) or `HIGH` (cap 59) if applied, or null | | `uncapped_score` | float | Score before hard caps | | `checks_with_data` | int | Checks that produced non-skip findings | | `checks_total` | int | Total checks run | ### Finding Object | Field | Type | Description | | ------------- | ------ | --------------------------------------------------------- | | `check_id` | string | Check identifier (e.g., `universal.credential_detection`) | | `severity` | string | `skip`, `note`, `medium`, `high`, or `critical` | | `message` | string | Human-readable description | | `server_name` | string | Server name (optional) | | `location` | string | File path or URL (optional) | | `remediation` | string | How to fix it (optional, shown with `--verbose`) | | `metadata` | object | Check-specific data (optional) | ### Summary Object | Field | Type | Description | | --------------- | ---- | ------------------------------------- | | `total_servers` | int | Total servers audited | | `critical` | int | Servers with critical findings | | `high` | int | Servers with high findings | | `medium` | int | Servers with medium findings | | `note` | int | Servers with note-level findings only | ## Severity Levels | Severity | Meaning | Per-Check Score | Weight | Overall Impact | | ---------- | ----------------------------------------------- | --------------- | ------ | --------------------- | | `critical` | Severe vulnerability requiring immediate action | 0/10 | 10.0x | Hard caps score at 30 | | `high` | Significant security issue | 2/10 | 7.5x | Hard caps score at 59 | | `medium` | Moderate concern worth investigating | 4/10 | 5.0x | Reduces score | | `note` | Informational — check passed | 10/10 | 1.0x | No impact | | `skip` | Check not applicable to this server type | — | — | Excluded from scoring | ## Server Types Golf Scanner classifies each server based on its transport and command: | Type | Display Name | Description | | ----------------- | --------------- | ---------------------------------------- | | `package_manager` | Package Manager | Launched via npx, bunx, uvx, pip, etc. | | `container` | Container | Runs in Docker, Podman, or nerdctl | | `binary` | Local Binary | Direct binary execution (absolute path) | | `script` | Script | Interpreted code via Python, Node, etc. | | `unknown_stdio` | Unknown Command | STDIO server with unrecognized command | | `local_http` | Local Network | HTTP/SSE to localhost or private network | | `public_http` | Public Server | HTTP/SSE to public internet | | `unreachable` | Unreachable | DNS resolution failed | | `unknown` | Unknown | Cannot determine type | The detected server type determines which checks apply. See the [applicability matrix](/scanner/security-checks#check-applicability-by-server-type) for details. ## How Scoring Works Golf Scanner computes a 0–100 risk score for each server through six steps: 1. **Per-check scoring**: Each check produces findings. The worst severity across all findings for that check determines its per-check score (critical = 0/10, high = 2/10, medium = 4/10, note = 10/10). 2. **Severity-weighted average**: Per-check scores are combined using severity weights. Worse findings carry disproportionately more weight — a critical finding has 10x the influence of a note. 3. **Scale to 0–100**: The weighted average is normalized to a 0–100 scale. 4. **Hard caps**: Any critical finding caps the score at 30. Any high finding caps the score at 59. The `hard_cap_applied` field tells you which cap was applied. 5. **Coverage gating**: The score's reliability depends on how many checks produced data: * **Graded**: Sufficient coverage (≥5 checks for STDIO servers, ≥3 for HTTP) — score is reliable * **Attention required**: Some data but insufficient coverage — score may be unreliable * **Unknown**: No checks produced data — cannot score 6. **Risk level assignment**: * **Low**: Score ≥60 * **Moderate**: Score >30 * **High**: Score ≤30