PATCH /findings/{id}
Update finding
Updates the state, severity, or both on a single finding. Every change is recorded to the finding’s audit trail and propagated to connected integrations (GitHub, Slack, Jira, Linear).
Scope required: write

Request

curl -X PATCH https://api.hacktron.ai/v1/findings/d1e2f3a4-b5c6-7890-1234-567890abcdef \
  -H "X-Api-Key: $HACKTRON_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "state": "true_positive",
    "severity": "critical",
    "reason": "Confirmed reproducible against staging. Raising from high to critical."
  }'

Path parameters

| Parameter | Type | Description |
| --- | --- | --- |
| id | UUID | Finding UUID. |

Body

At least one of state or severity must be provided. Providing neither returns 400.

| Field | Type | Description |
| --- | --- | --- |
| state | enum | New state. One of open, true_positive, false_positive, accepted_risk, resolved. |
| severity | enum | New severity. One of critical, high, medium, low, info. |
| state_reason | string | Reason for the state change. Max 2000 chars. Falls back to reason if omitted. |
| severity_reason | string | Reason for the severity change. Max 2000 chars. Falls back to reason if omitted. |
| reason | string | Shorthand applied to both state and severity when their specific reason fields are omitted. Max 2000 chars. |

Pass reason alone when the same justification applies to both state and severity. Use state_reason and severity_reason only when the justifications differ.
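
The body rules above, as an added example (not Hacktron's own client code): a Python helper that rejects, before sending, a body the API would answer with 400, and shows which reason text each change ends up with under the fallback rule. The function names are hypothetical; the base URL, header name and enum values are taken from this page, and the request is only prepared, never sent.

```python
import json
import urllib.request
import uuid

STATES = {"open", "true_positive", "false_positive", "accepted_risk", "resolved"}
SEVERITIES = {"critical", "high", "medium", "low", "info"}
MAX_REASON = 2000  # documented limit for each of the three reason fields
BASE_URL = "https://api.hacktron.ai/v1"  # from the curl request on this page


def build_update(state=None, severity=None, reason=None,
                 state_reason=None, severity_reason=None):
    """Validate against the documented body rules and return the JSON body."""
    if state is None and severity is None:
        raise ValueError("at least one of state or severity is required")
    if state is not None and state not in STATES:
        raise ValueError(f"invalid state: {state!r}")
    if severity is not None and severity not in SEVERITIES:
        raise ValueError(f"invalid severity: {severity!r}")
    body = {"state": state, "severity": severity, "reason": reason,
            "state_reason": state_reason, "severity_reason": severity_reason}
    for name in ("reason", "state_reason", "severity_reason"):
        # Assumption: len() counts code points; the page only says "chars".
        if body[name] is not None and len(body[name]) > MAX_REASON:
            raise ValueError(f"{name} exceeds {MAX_REASON} characters")
    return {k: v for k, v in body.items() if v is not None}


def effective_reasons(body):
    """Documented fallback: a specific reason wins, otherwise `reason` is used."""
    shared = body.get("reason")
    return {"state_reason": body.get("state_reason", shared),
            "severity_reason": body.get("severity_reason", shared)}


def build_request(finding_id, api_key, body):
    """Prepare (not send) the PATCH request for one finding."""
    fid = str(uuid.UUID(finding_id))  # raises ValueError on a malformed id
    return urllib.request.Request(
        f"{BASE_URL}/findings/{fid}", method="PATCH",
        data=json.dumps(body).encode(),
        headers={"X-Api-Key": api_key, "Content-Type": "application/json"})


if __name__ == "__main__":
    # Constructed sample: the two justifications differ, so only state_reason is specific.
    body = build_update(state="true_positive", severity="critical",
                        state_reason="Confirmed reproducible against staging.",
                        reason="Raising from high to critical.")
    print(effective_reasons(body))
```
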

Response

200 OK
{
  "id": "d1e2f3a4-b5c6-7890-1234-567890abcdef",
  "state": "true_positive",
  "severity": "critical"
}
The response contains only the updated state and severity. Fetch the full finding via GET /findings/{id} for the remaining fields.

Errors

  • 400 — neither state nor severity provided, or field validation failed.
  • 404 — finding not found, still in verification, or not visible to your organization.