Deviations are the core output of FANGS. Each deviation represents a single behavioral fingerprint — a network destination, DNS lookup, TLS SNI, file path, or spawned process — that appeared in a sandbox run but was not present in that package’s baseline. Use `fangs deviation list` to triage findings across packages and severity levels, and `fangs deviation show` to see the raw eBPF event that produced a specific finding.
Subcommands
| Subcommand | Description |
|---|---|
| `fangs deviation list` | List deviations with optional filters by package, severity, or run |
| `fangs deviation show <deviation_id>` | Show full deviation metadata and the underlying evidence event |
fangs deviation list
Flags
Filter to deviations from runs of this package only.
Filter by severity level. Accepted values: `info`, `warn`, `crit`. Omit to include all severities.
Filter to deviations from a specific run. Accepts the full run ID or a short hex prefix.
Maximum number of rows to return. Rows are ordered most-recently detected first.
Output Columns
| Column | Description |
|---|---|
| `DEV_ID` | Short hex prefix of the deviation’s UUID |
| `DETECTED` | UTC timestamp when the deviation was recorded |
| `SEV` | Severity: `info`, `warn`, or `crit` |
| `CATEGORY` | Deviation category (see table below) |
| `VALUE` | The new fingerprint value (truncated to 60 characters) |
| `RUN_ID` | Short hex prefix of the run that produced this deviation |
Deviation Categories
| Category | Description | Default Severity |
|---|---|---|
| `net_new_destination` | New IP:port dialed, not in prior baseline runs | `warn` |
| `net_new_dns` | New hostname resolved via DNS lookup | `warn` |
| `net_new_https_host` | New TLS Server Name Indication (SNI) value | `warn` |
| `fs_new_path_read` | New file path read under a `watched_paths` prefix | `info` |
| `fs_new_path_write` | New file path written under a `watched_paths` prefix | `info` |
| `proc_new_exec` | New process executable spawned | `warn` |
Examples
fangs deviation show
Displays the complete record for a single deviation, including its suppression status and the raw eBPF evidence event that triggered it. The evidence event contains the kernel-level payload captured at the moment the fingerprint was first observed.

`<deviation_id>` accepts either the full hex UUID or any unique short prefix (the same value shown in `DEV_ID` in `deviation list` output).
Output Fields
Deviation metadata:

| Field | Description |
|---|---|
| `run_id` | The run that produced this deviation |
| `category` | Deviation category (e.g. `net_new_destination`) |
| `value` | The full (untruncated) fingerprint value |
| `severity` | `info`, `warn`, or `crit` |
| `detected` | UTC timestamp when the deviation was written |
| `suppressed` | Whether this deviation is suppressed by an allow-list entry |

Evidence event:

| Field | Description |
|---|---|
| Event number (`#N`) | Sequential event ID within the run |
| `type` | eBPF probe type that generated the event (e.g. `tcp_connect`, `dns_query`, `open_at`) |
| `ts_ns` | Kernel monotonic timestamp in nanoseconds |
| JSON payload | Full event-specific data, pretty-printed (fields vary by probe type) |
Output Examples
Acting on a Deviation
After reviewing a deviation, you have three options:

Promote to baseline
If the deviation is a legitimate behavior change (new CDN, updated dependency), promote the entire run: `fangs baseline promote <run_id>`. All deviations in the run are absorbed into the new baseline.

Suppress with allow-list
If the deviation is recurring noise (e.g. a shared CDN CIDR), add an allow-list entry so future runs won’t flag it: `fangs allow add -kind cidr -value <CIDR> -note "reason"`.

Escalate
If the deviation looks malicious — especially credential path reads (`/root/.ssh/`, `/etc/shadow`) or unexpected outbound destinations — do not promote. Notify your security team and investigate the package before any production deployment.
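
Because promoting a run absorbs every deviation in it, a pre-promotion check should list the runs that contain an escalation candidate. The script below is an added example, not part of FANGS or its documentation. It assumes `fangs deviation list` prints whitespace-separated rows in the documented column order; the function names, the sample rows and the rule that `crit` always escalates are this example's own.

```shell
#!/bin/sh
# Added example (not FANGS code): pre-promotion triage of `fangs deviation list` rows.
# Assumption: whitespace-separated columns in the documented order
#   DEV_ID DETECTED SEV CATEGORY VALUE RUN_ID
# with DETECTED as a single token and no spaces inside VALUE.

# classify: stdin = list output; stdout = "ACTION DEV_ID RUN_ID CATEGORY VALUE"
classify() {
  awk '
    $1 == "DEV_ID" || NF != 6 { next }   # skip header, blank and malformed rows
    {
      action = "review"                  # default: a human picks promote/allow/escalate
      # Credential paths named in the escalation guidance. Prefix match on
      # purpose: VALUE is truncated to 60 chars in list output, prefixes survive.
      if ($4 == "fs_new_path_read" &&
          (index($5, "/root/.ssh/") == 1 || index($5, "/etc/shadow") == 1))
        action = "escalate"
      else if ($3 == "crit")             # example policy, not a documented FANGS rule
        action = "escalate"
      print action, $1, $6, $4, $5
    }'
}

# blocked_runs: run IDs that must not be promoted, because promoting a run
# absorbs every deviation in it, including the escalated ones.
blocked_runs() {
  classify | awk '$1 == "escalate" && !seen[$3]++ { print $3 }'
}

# Constructed sample rows (IDs, timestamps and values are made up).
sample_rows() {
  cat <<'EOF'
DEV_ID   DETECTED              SEV   CATEGORY           VALUE                 RUN_ID
a1b2c3d4 2024-01-01T10:00:00Z  warn  net_new_dns        cdn.example.net       11aa22bb
e5f6a7b8 2024-01-01T10:00:01Z  info  fs_new_path_read   /root/.ssh/id_rsa     11aa22bb
c9d0e1f2 2024-01-01T11:30:00Z  info  fs_new_path_write  /tmp/build/cache.bin  33cc44dd
0a1b2c3d 2024-01-01T11:30:02Z  warn  proc_new_exec      /usr/bin/node         33cc44dd
EOF
}

sample_rows | classify
echo "do not promote: $(sample_rows | blocked_runs)"
```

The credential read carries the default `info` severity, so a severity filter alone would hide it; the category and path check is what blocks run `11aa22bb`.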