palantir / log4j-sniffer

A tool that scans archives to check for vulnerable log4j versions

Report on individual files rather than only resultant aggregation at top level

glynternet opened this issue · comments

Currently we are combining all nested findings as a single aggregated result for a top-level file on disk.

To provide transparency into exactly why a given top-level file is being flagged as vulnerable, we should report on individual files, even when nested, along with the full nesting path at which they can be found.
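A sketch of the per-file reporting requested above, added here as an illustration and not taken from the issue or from log4j-sniffer's code: it walks nested archives in memory and emits one finding per matching file with its full nesting path. The `Scan` and `makeZip` names, the `!` path separator, the name-only match on `log4j-core-*.jar`, the depth and size limits, and the `X.Y.Z` sample file names are all assumptions made for the example.

```go
package main
import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// Scan returns one "outer!inner!file" nesting path per matching file, nested or not.
func Scan(nesting string, data []byte, depth int) (out []string) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil || depth > 8 { // unreadable archive, or recursion bound reached
		return nil
	}
	for _, f := range r.File {
		full, ext := nesting+"!"+f.Name, path.Ext(f.Name)
		if ext == ".jar" && strings.HasPrefix(path.Base(f.Name), "log4j-core-") { // name-only match (assumption)
			out = append(out, full)
		}
		if ext != ".jar" && ext != ".war" && ext != ".ear" {
			continue
		}
		if rc, err := f.Open(); err == nil {
			inner, _ := io.ReadAll(io.LimitReader(rc, 64<<20)) // cap decompressed size
			rc.Close()
			out = append(out, Scan(full, inner, depth+1)...)
		}
	}
	return out
}

func makeZip(names []string, bodies ...[]byte) []byte { // builds constructed sample archives
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for i, name := range names {
		f, _ := w.Create(name)
		f.Write(bodies[i])
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	war := makeZip([]string{"WEB-INF/lib/log4j-core-X.Y.Z.jar"}, []byte("stub"))
	ear := makeZip([]string{"app.war", "lib/log4j-core-X.Y.Z.jar"}, war, []byte("stub"))
	fmt.Println(strings.Join(Scan("release.ear", ear, 0), "\n"))
}
```

For the constructed `release.ear`, an aggregated result would flag only the top-level file, while this prints two separate nesting paths, one for each copy of the jar.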