
Findings API

Findings are the primary output of a scan. This API lets you list them, filter by severity / status / verification, and export in bulk.

Schema

{
  "id": "uuid",
  "scan_id": "uuid",
  "tenant_id": "uuid",
  "vuln_type": "SQLI",
  "severity": "HIGH",
  "title": "Blind SQL injection in /api/search",
  "description": "A time-based blind SQL injection was confirmed...",
  "endpoint": "https://app.example.com/api/search",
  "evidence": "Request: ...\nResponse: ...",
  "payload_used": "' AND SLEEP(5)--",
  "cwe_id": "CWE-89",
  "recommendation": "Parameterise the query...",
  "cvss_score": 8.1,
  "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
  "verified": true,
  "ai_narrative": "Authenticated users can...",
  "ai_impact": "Exposed customer database including...",
  "ai_false_positive": null,
  "ai_remediation": "Use parameterised queries via...",
  "owasp_category": "A03:2021-Injection",
  "validation_steps": [
    {"step": 1, "action": "POST /api/search with body='...'"},
    {"step": 2, "action": "Observe response delay of 5s"}
  ],
  "exploit_candidates": [
    {"edb_id": 51234, "confidence": 0.87, ...}
  ],
  "created_at": "2026-04-20T21:05:00Z"
}

List findings for a scan

GET /api/scans/{scan_id}/findings

Query parameters:

  • severity - one of CRITICAL / HIGH / MEDIUM / LOW / INFO, repeatable.
  • verified - true / false.
  • vuln_type - filter by class (e.g. XSS, SQLI, SSRF).
  • owasp - OWASP category prefix.
  • search - substring in title or description.
  • limit / offset - pagination.
  • order - severity (default) or created_at.

Get a single finding

GET /api/findings/{finding_id}

Bulk export

GET /api/scans/{scan_id}/findings/export?format=csv

Formats: csv, json, jira (a JSON payload you can feed to your Jira importer), sarif (SARIF 2.1.0 for the GitHub code-scanning UI).

Cross-scan queries

GET /api/findings?severity=CRITICAL&since=2026-01-01

Returns CRITICAL findings across every scan in your tenant since Jan 1. Useful for dashboards.

Additional filters:

  • target_host - filter by the host of the finding's endpoint.
  • vuln_type - e.g. all SQLi findings across your estate.
  • verified - only findings that have been verified (the trust bar).

Status updates

PATCH /api/findings/{finding_id}
Content-Type: application/json

{
  "status": "triaged",
  "notes": "Fixed in PR #4242, awaiting deploy"
}

Accepted status values: triaged, false_positive, fixed, wontfix.

Status is a Pentestas-side annotation; it doesn't change the underlying finding object, but it feeds into the dashboard views.

Rescan

POST /api/findings/{finding_id}/rescan

Re-runs the exact payload that produced this finding. Cheap: it doesn't re-crawl, just re-fires the probe. Returns 200 if the finding no longer triggers (fix verified), or 409 if still vulnerable.
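A small client tying the list endpoint (repeatable severity filter, limit/offset paging) to the rescan endpoint's 200/409 contract, written as an added example rather than Pentestas's own SDK. It assumes bearer-token auth, that each list page is a JSON array, and a placeholder base URL; the transport is injectable so the flow can be exercised offline.

```python
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def _urllib_transport(method, url, token):
    """Default transport (assumed bearer auth); returns (status, body) and
    does not raise on 4xx so the caller can interpret 409 from /rescan."""
    req = Request(url, method=method, headers={"Authorization": f"Bearer {token}"})
    try:
        with urlopen(req) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()


def list_findings(base, scan_id, severities, token, transport=_urllib_transport, page_size=100):
    """Walk every page of GET /api/scans/{scan_id}/findings.
    'severity' is repeatable, so it is encoded once per value."""
    found, offset = [], 0
    while True:
        query = urlencode([("severity", s) for s in severities]
                          + [("limit", page_size), ("offset", offset)])
        status, body = transport("GET", f"{base}/scans/{scan_id}/findings?{query}", token)
        if status != 200:
            raise RuntimeError(f"list failed: HTTP {status}")
        page = json.loads(body)  # assumption: each page is a JSON array
        found.extend(page)
        if len(page) < page_size:  # short page means no more results
            return found
        offset += page_size


def verify_fixes(base, finding_ids, token, transport=_urllib_transport):
    """POST /api/findings/{id}/rescan for findings you have marked fixed.
    200 = the probe no longer triggers (fix verified); 409 = still vulnerable."""
    result = {"verified": [], "still_vulnerable": []}
    for fid in finding_ids:
        status, _ = transport("POST", f"{base}/findings/{fid}/rescan", token)
        if status == 200:
            result["verified"].append(fid)
        elif status == 409:
            result["still_vulnerable"].append(fid)
        else:
            raise RuntimeError(f"rescan {fid}: HTTP {status}")
    return result
```

Feed verify_fixes the ids you have PATCHed to "fixed" so a 409 can flip the status back before anyone closes the ticket.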

Webhook on finding

If you want push-based updates, subscribe at Webhooks. Events:

  • finding.created
  • finding.status_changed
  • scan.completed

See also