Skip to main content
PATCH
/
findings
/
{id}
Update finding
curl --request PATCH \
  --url https://api.example.com/findings/{id}
Updates the state, severity, duplicate_of, or any combination of them on a single finding. Every change is recorded to the finding’s audit trail and propagated to connected integrations (GitHub, Slack, Jira, Linear).
Scope required: write

Request

curl -X PATCH https://api.hacktron.ai/v1/findings/d1e2f3a4-b5c6-7890-1234-567890abcdef \
  -H "X-Api-Key: $HACKTRON_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "state": "true_positive",
    "severity": "critical",
    "duplicate_of": null,
    "reason": "Confirmed reproducible against staging. Raising from high to critical."
  }'

Path parameters

ParameterTypeDescription
idUUIDFinding UUID.

Body

At least one of state, severity, or duplicate_of must be provided. Providing none of them returns 400.
FieldTypeDescription
stateenumNew state. One of open, true_positive, false_positive, accepted_risk, resolved.
severityenumNew severity. One of critical, high, medium, low, info.
duplicate_ofUUID|nullCanonical finding UUID to mark this finding as a duplicate of, or null to unmark it. The canonical finding must be in the same repository.
state_reasonstringReason for the state change. Max 2000 chars. Falls back to reason if omitted.
severity_reasonstringReason for the severity change. Max 2000 chars. Falls back to reason if omitted.
reasonstringShorthand applied to both state and severity when their specific reason fields are omitted. Max 2000 chars.
Pass reason alone when the same justification applies to both state and severity. Use state_reason and severity_reason only when the justifications differ.
Setting duplicate_of to another finding UUID closes this finding as a duplicate. Setting duplicate_of to null removes the duplicate link and reopens the finding.

Response

200 OK 
{
  "id": "d1e2f3a4-b5c6-7890-1234-567890abcdef",
  "state": "true_positive",
  "severity": "critical",
  "duplicate_of": null
}
The response contains only the updated state, severity, and duplicate link. Fetch the full finding via GET /findings/{id} for the remaining fields.

Errors

  • 400 — none of state, severity, or duplicate_of provided, or field validation failed.
  • 404 — finding not found, still in verification, or not visible to your organization.