PATCH /v1/findings/{id}
Update a finding's user status
# Sets the finding's user_status (one of: open, active, muted); {id} and <token> are placeholders.
curl --request PATCH \
  --url https://api.ghostsecurity.ai/v1/findings/{id} \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '{
  "user_status": "active"
}'
{
  "agent_name": "race",
  "attack_feasibility": "easy",
  "attack_walkthrough": "1. The attacker authenticates as a valid user and identifies two accounts they control.\n2. The attacker crafts multiple concurrent POST requests to the /api/v3/transfer endpoint.",
  "class": "race",
  "confidence": "high",
  "created_at": "2025-05-29T22:27:39.047356Z",
  "description": "The MakeTransfer handler performs a read-modify-write sequence on account balances without any locking or database transaction, making it vulnerable to race conditions.",
  "endpoint_method": "POST",
  "endpoint_path": "/api/v3/transfer",
  "fixed_code_block": "tx := db.Begin()\nres := tx.Clauses(clause.Locking{Strength: \"UPDATE\"}).Where(&models.Account{\n\tToken:     input.AccountFrom,\n\tPartition: currentUser.Partition,\n}).First(&source)",
  "handler_class_name": "ApiController",
  "handler_method_name": "MakeTransfer",
  "id": "race-3f1174136e93fdf8d26511869343804fddcfeb0a948aa81aafa352f3612dd500",
  "location": {
    "file_path": "handlers/transfers.go",
    "hash": "70a9f266f7e90b1ea18bd82ed6700128c3da974e95d6d19cae7844b2de44038a",
    "line": 23,
    "url": "https://gitlab.com/ghostsecurity/ghostbank-go/-/blob/981be7365cc7b7da32d5ab28e635f6d35b0ff4f1/handlers/transfers.go#L23"
  },
  "name": "Race condition in account balance update allows overdrawing via concurrent transfers",
  "project_id": "5d41402abc4b2a76b9719d911017c592",
  "remediation": "Wrap the balance check and update logic in a database transaction and use row-level locking (e.g., SELECT ... FOR UPDATE) to prevent concurrent modifications.",
  "remediation_effort": "easy",
  "repo_commit_hash": "981be7365cc7b7da32d5ab28e635f6d35b0ff4f1",
  "repo_id": "1e7d8c9b-ce80-41ae-8645-5b2a89165615-gitlab-69265683",
  "repo_url": "https://gitlab.com/ghostsecurity/ghostbank-go",
  "secret_type": "api_key",
  "severity": "high",
  "status": "open",
  "supporting_files": [
    {
      "file_path": "handlers/transfers.go",
      "hash": "70a9f266f7e90b1ea18bd82ed6700128c3da974e95d6d19cae7844b2de44038a",
      "line": 23,
      "url": "https://gitlab.com/ghostsecurity/ghostbank-go/-/blob/981be7365cc7b7da32d5ab28e635f6d35b0ff4f1/handlers/transfers.go#L23"
    }
  ],
  "updated_at": "2025-05-29T22:27:39.047356Z",
  "user_status": "active",
  "vulnerable_code_block": "// find source account\nres := db.Where(&models.Account{\n\tToken:     input.AccountFrom,\n\tPartition: currentUser.Partition,\n}).First(&source)"
}

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Path Parameters

id
string
required

Finding ID

Body

application/json

Finding user status update data

Finding user status update request

user_status
enum<string>

The new user-assigned status to apply to the finding

Available options:
open,
active,
muted
Example:

"active"

Response

OK

Security finding information

agent_name
string

Name of the security agent that found this issue

Example:

"race"

attack_feasibility
enum<string>

Assessment of how feasible an attack would be

Available options:
easy,
medium,
hard
Example:

"easy"

attack_walkthrough
string

Step-by-step attack walkthrough

Example:

"1. The attacker authenticates as a valid user and identifies two accounts they control.\n2. The attacker crafts multiple concurrent POST requests to the /api/v3/transfer endpoint."

class
string

Vulnerability class/category

Example:

"race"

confidence
enum<string>

Confidence level of the finding

Available options:
high,
medium,
low
Example:

"high"

created_at
string

When the finding was created

Example:

"2025-05-29T22:27:39.047356Z"

description
string

Detailed description of the finding

Example:

"The MakeTransfer handler performs a read-modify-write sequence on account balances without any locking or database transaction, making it vulnerable to race conditions."

endpoint_method
string

HTTP method of the vulnerable endpoint

Example:

"POST"

endpoint_path
string

Path of the vulnerable endpoint

Example:

"/api/v3/transfer"

fixed_code_block
string

Code snippet showing the fix

Example:

"tx := db.Begin()\nres := tx.Clauses(clause.Locking{Strength: \"UPDATE\"}).Where(&models.Account{\n\tToken: input.AccountFrom,\n\tPartition: currentUser.Partition,\n}).First(&source)"

handler_class_name
string

Handler class name where the vulnerability exists

Example:

"ApiController"

handler_method_name
string

Handler method name where the vulnerability exists

Example:

"MakeTransfer"

id
string

Finding ID

Example:

"race-3f1174136e93fdf8d26511869343804fddcfeb0a948aa81aafa352f3612dd500"

location
object

Location of the vulnerability in the code (file_path, hash, line and url, as shown in the example response)

name
string

Finding name/title

Example:

"Race condition in account balance update allows overdrawing via concurrent transfers"

project_id
string

Project ID where the finding was discovered

Example:

"5d41402abc4b2a76b9719d911017c592"

remediation
string

Recommended remediation steps

Example:

"Wrap the balance check and update logic in a database transaction and use row-level locking (e.g., SELECT ... FOR UPDATE) to prevent concurrent modifications."

remediation_effort
enum<string>

Estimated effort to fix the issue

Available options:
easy,
medium,
hard
Example:

"easy"

repo_commit_hash
string

Commit hash where the finding was discovered

Example:

"981be7365cc7b7da32d5ab28e635f6d35b0ff4f1"

repo_id
string

Repository ID where the finding was discovered

Example:

"1e7d8c9b-ce80-41ae-8645-5b2a89165615-gitlab-69265683"

repo_url
string

Repository URL

Example:

"https://gitlab.com/ghostsecurity/ghostbank-go"

secret_type
string

Type of secret, for findings that report an exposed secret

Example:

"api_key"

severity
enum<string>

Severity level

Available options:
high,
medium,
low
Example:

"high"

status
enum<string>

Current status of the finding; this field is not settable through this endpoint (only user_status is)

Available options:
open,
open_muted,
closed
Example:

"open"

supporting_files
object[]

Additional files that support this finding; each entry has the same shape as location (file_path, hash, line, url)

updated_at
string

When the finding was last updated

Example:

"2025-05-29T22:27:39.047356Z"

user_status
enum<string>

Current user-assigned status of the finding, as set by this endpoint

Available options:
open,
active,
muted
Example:

"active"

vulnerable_code_block
string

Code snippet showing the vulnerability

Example:

"// find source account\nres := db.Where(&models.Account{\n\tToken: input.AccountFrom,\n\tPartition: currentUser.Partition,\n}).First(&source)"