New: Explore the Hacktron Platform for org-wide setup, reviews, billing, and pentests.
Scans
List scan findings
curl --request GET \
--url https://api.example.com/scans/{id}/findingsScans
List scan findings
Paginate through the findings produced by a scan.
GET
/
scans
/
{id}
/
findings
List scan findings
curl --request GET \
--url https://api.example.com/scans/{id}/findingsReturns findings produced by a specific scan, with the same filtering and sorting controls as List findings.
Only findings that have passed automated verification (
See List findings for the field reference.
verification_status = approved) are returned.
Scope required:
readRequest
curl "https://api.hacktron.ai/v1/scans/a1b2c3d4-e5f6-7890-abcd-ef1234567890/findings?severity=high&state=open&page=1&limit=50" \
-H "X-Api-Key: $HACKTRON_API_KEY"
Path parameters
| Parameter | Type | Description |
|---|---|---|
id | UUID | Scan UUID. |
Query parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
page | integer | 1 | 1‑based page number. |
limit | integer | 15 | Items per page. Max 100. |
severity | enum | — | Filter by severity: critical, high, medium, low, info. |
state | enum | — | Filter by state: open, true_positive, false_positive, accepted_risk, resolved. |
sort_by | enum | found_at | One of found_at, updated_at, severity. |
sort_order | enum | DESC | ASC or DESC. |
Response
200 OK
{
"data": [
{
"id": "d1e2f3a4-b5c6-7890-1234-567890abcdef",
"title": "SQL injection in /api/v1/checkout",
"category": "injection",
"severity": "critical",
"state": "open",
"description": "User-supplied cart ID is concatenated into a SQL query...",
"affected_file": "apps/api/src/checkout/checkout.service.ts",
"affected_code": "const rows = await conn.query(`SELECT * FROM carts WHERE id = '${cartId}'`);",
"proof_of_concept": "POST /api/v1/checkout with cart_id=1' OR '1'='1",
"impact": "Full read access to the carts table, including other customers' items.",
"root_cause": "String interpolation instead of parameterised query.",
"remediation": "Use parameterised queries via the driver's placeholder API.",
"tags": ["injection", "sql"],
"scan_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"found_at": "2026-04-13T12:15:00.000Z",
"updated_at": "2026-04-13T12:20:00.000Z"
}
],
"total": 11,
"page": 1,
"limit": 50
}
Errors
404— scan not found or not visible to your organization.
⌘I