Skip to main content
GET
/
findings
Get all findings
curl --request GET \
  --url https://app.pentest-tools.com/api/v2/findings \
  --header 'Authorization: Bearer <token>'
[
  {
    "id": 420233,
    "name": "Vulnerabilities found for Apache Httpd 2.4.10",
    "test_description": "Checking for SQL Injection...",
    "test_finished": true,
    "confirmed": true,
    "epss_score": 123,
    "epss_percentile": 123,
    "in_cisa_catalog": true,
    "cve": [
      "CVE-2017-3167",
      "CVE-2019-0217"
    ],
    "cvss": 123,
    "cvssv3": 123,
    "vuln_description": "Vulnerabilities found for Apache Httpd 2.4.25 (port 80/tcp)",
    "vuln_evidence": {
      "type": "text",
      "data": {
        "headers": [
          "<string>"
        ],
        "rows": [
          [
            "<string>"
          ]
        ]
      }
    },
    "risk_description": "<string>",
    "risk_level": 0,
    "status": "open",
    "recommendation": "<string>",
    "references": [
      "<string>"
    ],
    "verified": true,
    "vuln_id": "NETSCAN-SNIPER-CVE-2021-42013-RCE",
    "owasp": {
      "owasp_2017": "<string>",
      "owasp_2021": "<string>"
    },
    "cwe": "<string>",
    "port": 32767,
    "protocol": "TCP",
    "service": "AMQP",
    "target_id": 12345,
    "task_id": 54321,
    "screenshots": 1
  }
]

Authorizations

Authorization
string
header
required

Use the "API key" from the profile page as the token

Query Parameters

workspace_id
integer

ID of the workspace to show findings from.

target_id
integer

ID of the target to show findings from

task_id
integer

ID of the scan to show findings from

group_duplicates
boolean
default:false

Group duplicates to show only the latest finding from each group.

Response

OK

id
integer | null

the ID of the finding. This is null if the scan is still running

Example:

420233

name
string

A short description of the finding

Example:

"Vulnerabilities found for Apache Httpd 2.4.10"

test_description
string

A short description of what the test does

Example:

"Checking for SQL Injection..."

test_finished
boolean

this is set to true when the test ends. If false, it indicates the failed test

Example:

true

confirmed
boolean

this is set to true if the finding has a high certainty of not being a false positive

epss_score
number<float> | null
epss_percentile
number<float> | null
in_cisa_catalog
boolean | null

Indicated whether the CVEs are part of the CISA Known Exploited Vulnerabilities Catalog

Example:

true

cve
string[]
Example:
["CVE-2017-3167", "CVE-2019-0217"]
cvss
number<float> | null
cvssv3
number<float> | null
vuln_description
string

A short description of the vulnerability

Example:

"Vulnerabilities found for Apache Httpd 2.4.25 (port 80/tcp)"

vuln_evidence
object

the evidence for the data. Depending on the type, the data type changes. This is only human friendly and its format and data might change in the future

risk_description
string

The risk posed by the vulnerability. This is only human friendly and its format and data might change in the future

risk_level
enum<integer>

Risk level:

  • 0 - Informational
  • 1 - Low
  • 2 - Medium
  • 3 - High
  • 4 - Critical
Available options:
0,
1,
2,
3,
4
status
enum<string> | null

The status of the finding. By default this is open. It is null if the scan is still running

Available options:
open,
false_positive,
ignored,
fixed,
accepted
recommendation
string

a recommendation for mitigating the vulnerability. This is only human friendly and its format and data might change in the future

references
string<uri>[]
verified
boolean | null

This is set to true if a finding was manually verified. It is null for running scans, since this is an attribute of the findings generated after a scan finished

vuln_id
string | null

A unique vulnerability identifier

Example:

"NETSCAN-SNIPER-CVE-2021-42013-RCE"

owasp
object

Vulnerability OWASP Top 10

cwe
string | null
port
integer | null

The port where this was found on the target

Required range: 0 <= x <= 65535
protocol
enum<string> | null

The transport layer protocol associated with the finding

Available options:
TCP,
UDP,
DCCP,
SCTP
service
enum<string> | null

The application layer service associated with the finding

Available options:
AMQP,
Docker,
FTP,
HTTP,
HTTPS,
MQTT,
MSSQL,
MySQL,
PostgreSQL,
RDP,
Redis,
SMB,
SSH,
STOMP,
Telnet,
VNC,
WinRM
target_id
integer

The ID of the target where the finding was found

Example:

12345

task_id
integer | null

The ID of the task where the finding was found. This is null for manual findings

Example:

54321

screenshots
integer

The number of screenshots taken for the finding

Example:

1