GET /v1/findings
curl --request GET \
  --url https://api.ghostsecurity.ai/v1/findings \
  --header 'Authorization: Bearer <token>'
{
  "has_more": true,
  "items": [
    {
      "agent_name": "race",
      "attack_feasibility": "easy",
      "attack_walkthrough": "1. The attacker authenticates as a valid user and identifies two accounts they control.\n2. The attacker crafts multiple concurrent POST requests to the /api/v3/transfer endpoint.",
      "class": "race",
      "confidence": "high",
      "created_at": "2025-05-29T22:27:39.047356Z",
      "description": "The MakeTransfer handler performs a read-modify-write sequence on account balances without any locking or database transaction, making it vulnerable to race conditions.",
      "endpoint_method": "POST",
      "endpoint_path": "/api/v3/transfer",
      "fixed_code_block": "tx := db.Begin()\nres := tx.Clauses(clause.Locking{Strength: \"UPDATE\"}).Where(&models.Account{\n\tToken:     input.AccountFrom,\n\tPartition: currentUser.Partition,\n}).First(&source)",
      "handler_class_name": "ApiController",
      "handler_method_name": "MakeTransfer",
      "id": "race-3f1174136e93fdf8d26511869343804fddcfeb0a948aa81aafa352f3612dd500",
      "location": {
        "file_path": "handlers/transfers.go",
        "hash": "70a9f266f7e90b1ea18bd82ed6700128c3da974e95d6d19cae7844b2de44038a",
        "line": 23
      },
      "name": "Race condition in account balance update allows overdrawing via concurrent transfers",
      "remediation": "Wrap the balance check and update logic in a database transaction and use row-level locking (e.g., SELECT ... FOR UPDATE) to prevent concurrent modifications.",
      "remediation_effort": "easy",
      "repo_commit_hash": "981be7365cc7b7da32d5ab28e635f6d35b0ff4f1",
      "repo_id": "1e7d8c9b-ce80-41ae-8645-5b2a89165615-gitlab-69265683",
      "repo_url": "https://gitlab.com/ghostsecurity/ghostbank-go",
      "severity": "high",
      "supporting_files": [
        {
          "file_path": "handlers/transfers.go",
          "hash": "70a9f266f7e90b1ea18bd82ed6700128c3da974e95d6d19cae7844b2de44038a",
          "line": 23
        }
      ],
      "updated_at": "2025-05-29T22:27:39.047356Z",
      "vulnerable_code_block": "// find source account\nres := db.Where(&models.Account{\n\tToken:     input.AccountFrom,\n\tPartition: currentUser.Partition,\n}).First(&source)"
    }
  ],
  "next_cursor": "eyJzb3J0X3ZhbHVlIjoiMjAyNC0wMS0xNVQxMDozMDowMFoiLCJkb2N1bWVudF9pZCI6InJlcG8xMjMiLCJzb3J0X2ZpZWxkIjoiY3JlYXRlZF9hdCJ9"
}

Authorizations

Authorization
string, header, required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Query Parameters

cursor
string

Pagination cursor. Pass the next_cursor value from the previous page unchanged; omit it for the first page.

sort
string
default:created_at

Sort field

order
enum<string>
default:desc

Sort order

Available options:
asc,
desc

size
integer
default:100

Page size

Required range: 1 <= x <= 1000

Response

200
application/json

OK

The response is an object with three fields: has_more (boolean, true when more pages remain), items (array of finding objects as shown in the example above) and next_cursor (string, the opaque cursor to send as the cursor query parameter for the next page).
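The following client, an added example and not Ghost Security's own code, puts the parameters above together: it builds the documented query string, sends the Bearer header, and follows next_cursor until has_more is false. The transport is injected so the paging logic runs offline against constructed pages; the only things taken from this reference are the base URL, the header and the parameter names. The finding records in the self-test are constructed and are not real API output, and the environment variable GHOST_TOKEN is an assumption of this example.

```python
"""Page through GET /v1/findings with cursor pagination.

Added example, not the vendor's client. The HTTP fetcher is injectable so the
paging logic can be exercised offline against constructed pages.
"""
import json
import os
import urllib.parse
import urllib.request
from collections import Counter
from typing import Callable, Dict, Iterator, List, Optional

BASE_URL = "https://api.ghostsecurity.ai"
MAX_PAGE_SIZE = 1000  # documented range for `size` is 1 <= x <= 1000


def build_url(cursor: Optional[str], size: int,
              sort: str = "created_at", order: str = "desc") -> str:
    """Build the findings URL from the documented query parameters."""
    if not 1 <= size <= MAX_PAGE_SIZE:
        raise ValueError(f"size must be within 1..{MAX_PAGE_SIZE}, got {size}")
    if order not in ("asc", "desc"):
        raise ValueError("order must be 'asc' or 'desc'")
    params = {"size": str(size), "sort": sort, "order": order}
    if cursor:
        params["cursor"] = cursor  # opaque value: echo it back exactly as received
    return f"{BASE_URL}/v1/findings?{urllib.parse.urlencode(params)}"


def http_fetcher(token: str) -> Callable[[str], dict]:
    """Return a fetcher that performs the real HTTPS request with Bearer auth."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def iter_findings(fetch: Callable[[str], dict], size: int = 100, **query) -> Iterator[dict]:
    """Yield every finding, following next_cursor until has_more is false.

    A missing or repeated cursor aborts the walk, so a buggy or hostile
    response cannot turn this into an infinite loop of authenticated requests.
    """
    cursor: Optional[str] = None
    seen_cursors = set()
    while True:
        page = fetch(build_url(cursor, size, **query))
        for item in page.get("items", []):
            yield item
        if not page.get("has_more"):
            return
        cursor = page.get("next_cursor")
        if not cursor or cursor in seen_cursors:
            raise RuntimeError("pagination did not advance (missing or repeated next_cursor)")
        seen_cursors.add(cursor)


def severity_counts(findings: List[dict]) -> Dict[str, int]:
    """Summarise a list of findings by their `severity` field."""
    return dict(Counter(f.get("severity", "unknown") for f in findings))


# --- offline fixtures: constructed pages, not real API output ---------------
def constructed_fetcher() -> Callable[[str], dict]:
    """Three pages keyed by the cursor the client sends (None for the first page)."""
    pages = {
        None: {"has_more": True, "next_cursor": "c1",
               "items": [{"id": "finding-1", "severity": "high"}]},
        "c1": {"has_more": True, "next_cursor": "c2",
               "items": [{"id": "finding-2", "severity": "critical"}]},
        "c2": {"has_more": False, "next_cursor": None,
               "items": [{"id": "finding-3", "severity": "medium"}]},
    }
    def fetch(url: str) -> dict:
        qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        return pages[qs.get("cursor", [None])[0]]
    return fetch


def looping_fetcher(url: str) -> dict:
    """A server that never advances its cursor; iter_findings must refuse to loop."""
    return {"has_more": True, "next_cursor": "stuck", "items": []}


def demo() -> Dict[str, int]:
    """Walk the constructed pages one item at a time and summarise by severity."""
    return severity_counts(list(iter_findings(constructed_fetcher(), size=1)))


if __name__ == "__main__":
    token = os.environ.get("GHOST_TOKEN")  # assumed variable name for this example
    fetch = http_fetcher(token) if token else constructed_fetcher()
    print(severity_counts(list(iter_findings(fetch, size=100))))
```

Run it without GHOST_TOKEN set and it walks the constructed pages; with a token it pages the live endpoint with the same code path. The cursor is treated as opaque and never parsed or modified, and the page size is validated client-side so a bad value fails before any authenticated request is sent.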