
Surface local security candidates for verification. The first rule, client-server-leak, looks for a "use client" file that directly reads, or transitively imports a module that reads, a non-public process.env secret.
Findings are candidates, not confirmed vulnerabilities. Fallow reports a structural trace so an agent or human can verify whether the value can actually reach client-bundled code.
fallow security

Options

Output

Flag                        Description
-f, --format <FORMAT>       Output format: human (default), json, or sarif
-q, --quiet                 Suppress progress output
--summary                   Show a compact human summary instead of per-finding detail
--ci                        CI mode: equivalent to --format sarif --fail-on-issues --quiet
--fail-on-issues            Exit with code 1 if security candidates are found
--sarif-file <PATH>         Write SARIF output to a file in addition to the primary output
--legacy-envelope           Emit JSON without the top-level kind discriminator for one migration cycle

Scoping

Flag                                    Description
-r, --root <PATH>                       Project root directory (default: current working directory)
-c, --config <PATH>                     Path to config file (default: auto-detected)
--changed-since <REF> (alias: --base)   Only report candidates whose client anchor or trace hops touch files changed since a git ref
--diff-file <PATH>                      Narrow candidates to added hunks on the client anchor or import trace. Secret-source hops use file-level retention because member-access spans are not yet stored. Use - to read from stdin.
--diff-stdin                            Read the unified diff from stdin
-w, --workspace <PATTERNS>              Scope output to selected workspace packages
--changed-workspaces <REF>              Scope output to workspace packages touched since the given git ref

Performance

Flag                Description
--no-cache          Disable incremental caching
--threads <N>       Number of parser threads

Rule: client-server-leak

The detector starts at files with a top-level "use client" directive and walks static imports. It reports a candidate when the client boundary can reach a module that reads a non-public process.env value. Env values that frameworks treat as public by convention are excluded and never produce a candidate:
Public name or prefix     Example
NODE_ENV                  process.env.NODE_ENV
NEXT_PUBLIC_*             process.env.NEXT_PUBLIC_API_URL
VITE_*                    process.env.VITE_API_URL
NUXT_PUBLIC_*             process.env.NUXT_PUBLIC_SITE_URL
REACT_APP_*               process.env.REACT_APP_API_URL
PUBLIC_*                  process.env.PUBLIC_SITE_URL
GATSBY_*                  process.env.GATSBY_SITE_URL
EXPO_PUBLIC_*             process.env.EXPO_PUBLIC_API_URL
STORYBOOK_*               process.env.STORYBOOK_THEME
Dynamic import() edges that the graph cannot follow are not walked; the files containing them are counted in the output as unresolved edge files. An empty finding list with a non-zero unresolved count is not a clean bill of health: a secret read behind an unfollowed edge is simply not seen.

Suppression

Suppress a known false positive at file level:
// fallow-ignore-file security-client-server-leak
"use client";
Use suppression only after verifying that the value cannot ship to client-bundled code, for example because the import is type-only, the module is server-only, or the build guards the path out.
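To make the walk described above concrete, here is an added example that re-implements the rule's logic as a small TypeScript scanner over an in-memory project. It is not Fallow's code: the finding layout (path, line and col point at the process.env read, trace lists the static-import hops from the "use client" anchor), the treatment of `import type` as a non-edge, and the regex-based import and env matching are assumptions made for the example. The constructed project contains one real candidate (a client page reaching a STRIPE_SECRET_KEY read two hops away), two public-prefix reads, a type-only import of a secret-bearing module, a file suppressed with the ignore comment from this section, a server component that legitimately uses the same secret module, and a dynamic import() hiding a further secret that only shows up in the unresolved count.

```typescript
import { posix as path } from "node:path";

// Constructed in-memory project (path -> source) used as the scan input; not a real repository.
export const PROJECT: Record<string, string> = {
  "app/checkout/page.tsx":
    '"use client";\nimport { createIntent } from "../../lib/payments";\n' +
    'import { API_URL } from "../../lib/config";\nexport const Page = () => createIntent(API_URL);',
  "lib/payments.ts":
    'import { charge } from "./stripe";\nexport const createIntent = (u: string) => charge(u);',
  "lib/stripe.ts":
    "export const charge = (u: string) => `${u}?k=${process.env.STRIPE_SECRET_KEY}`;",
  "lib/config.ts":
    "export const API_URL = process.env.NEXT_PUBLIC_API_URL;\n" +
    'export const loadRegion = () => import("./region"); // dynamic edge: not followed',
  "lib/region.ts": "export const region = process.env.REGION_SECRET; // hidden behind import()",
  "app/profile/page.tsx":
    '"use client";\nimport type { Session } from "../../lib/auth";\n' +
    'import { SITE } from "../../lib/site";\nexport const Profile = (s: Session) => SITE + s.id;',
  "lib/auth.ts": "export type Session = { id: string };\nexport const secret = process.env.AUTH_SECRET;",
  "lib/site.ts": "export const SITE = process.env.PUBLIC_SITE_URL;",
  "app/admin/page.tsx":
    '// fallow-ignore-file security-client-server-leak\n"use client";\n' +
    'import { secret } from "../../lib/auth";\nexport const Admin = () => secret;',
  "app/server/page.tsx":
    'import { charge } from "../../lib/stripe";\nexport const Server = () => charge("/");',
};

// Public-by-convention names from the table above: NODE_ENV exactly, the rest as prefixes.
const PUBLIC_ENV = /^(?:NODE_ENV$|(?:NEXT_PUBLIC|VITE|NUXT_PUBLIC|REACT_APP|PUBLIC|GATSBY|EXPO_PUBLIC|STORYBOOK)_)/;
const IGNORE_FILE = /^\s*\/\/\s*fallow-ignore-file\s+security-client-server-leak\b/m;

export interface Finding {
  kind: "client-server-leak";
  path: string;      // file containing the process.env read (assumed layout)
  line: number;      // 1-based position of that read
  col: number;
  evidence: string;  // e.g. process.env.STRIPE_SECRET_KEY
  trace: string[];   // static-import hops from the "use client" anchor down to `path`
}
export interface Report {
  kind: "security"; schema_version: "1";
  security_findings: Finding[]; unresolved_edge_files: number;
}

// A top-level directive: the first line that is neither blank nor a // comment is "use client".
export function isClientAnchor(src: string): boolean {
  const first = src.split("\n").find((l) => l.trim() !== "" && !l.trim().startsWith("//"));
  return /^\s*["']use client["'];?\s*$/.test(first ?? "");
}

// Static import specifiers. `import type` is erased at build time, so it is not a runtime edge.
function staticImports(src: string): string[] {
  const runtime = src.replace(/^\s*import\s+type\b[^;]*;/gm, "");
  const re = /(?:\bfrom\s+|^\s*import\s+)["']([^"']+)["']/gm;
  const specs: string[] = [];
  for (let m = re.exec(runtime); m !== null; m = re.exec(runtime)) specs.push(m[1]);
  return specs;
}

// Relative specifiers only; package imports are external and not walked in this example.
function resolve(from: string, spec: string, project: Record<string, string>): string | undefined {
  if (!spec.startsWith(".")) return undefined;
  const base = path.join(path.dirname(from), spec);
  return [base, `${base}.ts`, `${base}.tsx`, `${base}/index.ts`].find((p) => p in project);
}

export function scan(project: Record<string, string>): Report {
  const findings: Finding[] = [];
  const unresolved = new Set<string>();
  const anchors = Object.keys(project).filter(
    (p) => isClientAnchor(project[p]) && !IGNORE_FILE.test(project[p]),
  );
  for (const anchor of anchors) {
    const seen = new Set<string>(); // cycle guard, per anchor
    const walk = (file: string, hops: string[]): void => {
      if (seen.has(file)) return;
      seen.add(file);
      const src = project[file];
      const trace = [...hops, file];
      if (/\bimport\s*\(/.test(src)) unresolved.add(file); // dynamic edge the graph cannot follow
      const env = /process\.env(?:\.([A-Za-z_]\w*)|\[\s*["']([^"']+)["']\s*\])/g;
      for (let m = env.exec(src); m !== null; m = env.exec(src)) {
        const name = m[1] ?? m[2];
        if (PUBLIC_ENV.test(name)) continue;
        const before = src.slice(0, m.index);
        findings.push({
          kind: "client-server-leak", path: file,
          line: before.split("\n").length, col: m.index - before.lastIndexOf("\n"),
          evidence: `process.env.${name}`, trace,
        });
      }
      for (const spec of staticImports(src)) {
        const target = resolve(file, spec, project);
        if (target !== undefined) walk(target, trace);
      }
    };
    walk(anchor, []);
  }
  return { kind: "security", schema_version: "1", security_findings: findings, unresolved_edge_files: unresolved.size };
}
```

Running `scan(PROJECT)` yields one candidate (STRIPE_SECRET_KEY via app/checkout/page.tsx > lib/payments.ts > lib/stripe.ts) and an unresolved count of 1 for lib/config.ts; REGION_SECRET behind the import() is never reported, which is exactly why the count has to be read alongside the finding list. The server component importing lib/stripe.ts produces nothing, since it has no directive, and the admin page is skipped because of the ignore comment even though its directive still counts as top-level.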

JSON output

--format json emits a typed root envelope with kind: "security" unless --legacy-envelope is set.
{
  "kind": "security",
  "schema_version": "1",
  "security_findings": [],
  "unresolved_edge_files": 0
}
Each finding includes kind, path, line, col, evidence, trace, and actions.
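The caveat from the rule section applies when this envelope is consumed in CI: --fail-on-issues is documented to exit 1 on candidates, and the envelope separately reports unresolved_edge_files, which is not a clean bill when non-zero. As an added example that is not part of Fallow or this page, the TypeScript below parses the envelope, accepts both the typed shape and the --legacy-envelope shape (no kind), rejects any other kind, and fails the gate on candidates and, by default, on unresolved edges as well. The sample envelopes are constructed in the documented shape rather than captured from the tool, and the loose typing of actions is an assumption, since the page names the field without describing it.

```typescript
// Shape of one finding as listed on this page; `actions` is only named there, so it is typed
// loosely here (assumption for the example).
export interface Finding {
  kind: string; path: string; line: number; col: number;
  evidence: string; trace: string[]; actions?: unknown;
}

export interface SecurityEnvelope {
  kind?: "security";             // absent when the tool runs with --legacy-envelope
  schema_version: string;
  security_findings: Finding[];
  unresolved_edge_files: number;
}

export interface Verdict { exit: 0 | 1; reasons: string[] }

// Accepts the typed envelope or the legacy one (no kind); anything else is rejected up front
// so a wrong command's JSON can never be mistaken for a clean security run.
export function parseEnvelope(text: string): SecurityEnvelope {
  const doc = JSON.parse(text) as Record<string, unknown>;
  if (doc.kind !== undefined && doc.kind !== "security") {
    throw new Error(`not a security envelope: kind=${String(doc.kind)}`);
  }
  if (doc.schema_version !== "1") throw new Error(`unsupported schema_version: ${String(doc.schema_version)}`);
  if (!Array.isArray(doc.security_findings) || typeof doc.unresolved_edge_files !== "number") {
    throw new Error("malformed envelope: security_findings or unresolved_edge_files missing");
  }
  return doc as unknown as SecurityEnvelope;
}

// CI policy (this example's choice): every candidate fails the build; unresolved dynamic
// import() edges fail it too unless the caller explicitly downgrades them to a warning.
export function gate(env: SecurityEnvelope, failOnUnresolved = true): Verdict {
  const reasons = env.security_findings.map(
    (f) => `${f.kind} at ${f.path}:${f.line}:${f.col} reads ${f.evidence} via ${f.trace.join(" -> ")}`,
  );
  if (env.unresolved_edge_files > 0) {
    const note = `${env.unresolved_edge_files} file(s) with dynamic import() edges the graph could not follow`;
    if (failOnUnresolved) reasons.push(note);
    else console.warn(`warning: ${note}`);
  }
  return { exit: reasons.length > 0 ? 1 : 0, reasons };
}

// Constructed samples in the documented shape; not captured tool output.
export const CLEAN =
  '{"kind":"security","schema_version":"1","security_findings":[],"unresolved_edge_files":0}';
export const UNRESOLVED_ONLY =
  '{"kind":"security","schema_version":"1","security_findings":[],"unresolved_edge_files":2}';
export const LEGACY_WITH_FINDING = JSON.stringify({
  schema_version: "1",
  security_findings: [{
    kind: "client-server-leak", path: "lib/stripe.ts", line: 1, col: 30,
    evidence: "process.env.STRIPE_SECRET_KEY",
    trace: ["app/checkout/page.tsx", "lib/payments.ts", "lib/stripe.ts"], actions: [],
  }],
  unresolved_edge_files: 0,
});
```

In a pipeline the text passed to parseEnvelope would be the stdout of `fallow security --format json`; the verdict's reasons are what the human or agent verifying the candidate needs, since the trace names every hop between the client anchor and the secret read.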

Examples

fallow security