Get all security findings for a specific repository project
# List every finding for one project of one repository (bearer-authenticated GET).
# {id} and {project_id} are placeholders: substitute real values before running —
# curl otherwise treats the braces as URL-glob syntax (or pass --globoff).
# The token is visible in the process list and shell history; for anything beyond a
# one-off call, read it from an environment variable or a file instead of typing it.
curl -X GET \
  -H 'Authorization: Bearer <token>' \
  --url https://api.ghostsecurity.ai/v1/repos/{id}/projects/{project_id}/findings
[
{
"agent_name": "race",
"attack_feasibility": "easy",
"attack_walkthrough": "1. The attacker authenticates as a valid user and identifies two accounts they control.\n2. The attacker crafts multiple concurrent POST requests to the /api/v3/transfer endpoint, each moving funds out of the same source account, so that several requests read the same pre-debit balance and pass the funds check before any debit is written.",
"class": "race",
"confidence": "high",
"created_at": "2025-05-29T22:27:39.047356Z",
"description": "The MakeTransfer handler performs a read-modify-write sequence on account balances without any locking or database transaction. Two concurrent transfers can therefore both read the same pre-debit balance, both pass the sufficient-funds check, and both write a debit (a time-of-check/time-of-use race), allowing the account to be overdrawn.",
"endpoint_method": "POST",
"endpoint_path": "/api/v3/transfer",
"fixed_code_block": "tx := db.Begin()\nres := tx.Clauses(clause.Locking{Strength: \"UPDATE\"}).Where(&models.Account{\n\tToken: input.AccountFrom,\n\tPartition: currentUser.Partition,\n}).First(&source)",
"handler_class_name": "ApiController",
"handler_method_name": "MakeTransfer",
"id": "race-3f1174136e93fdf8d26511869343804fddcfeb0a948aa81aafa352f3612dd500",
"location": {
"file_path": "handlers/transfers.go",
"hash": "70a9f266f7e90b1ea18bd82ed6700128c3da974e95d6d19cae7844b2de44038a",
"line": 23,
"url": "https://gitlab.com/ghostsecurity/ghostbank-go/-/blob/981be7365cc7b7da32d5ab28e635f6d35b0ff4f1/handlers/transfers.go#L23"
},
"name": "Race condition in account balance update allows overdrawing via concurrent transfers",
"project_id": "5d41402abc4b2a76b9719d911017c592",
"remediation": "Wrap the balance check and update logic in a single database transaction and take row-level locks (e.g., SELECT ... FOR UPDATE) on the affected account rows so that concurrent transfers serialize. Lock the rows in a consistent order to avoid deadlocks, and make sure the transaction is committed or rolled back on every code path (the fixed_code_block shows only the locked read, not the commit).",
"remediation_effort": "easy",
"repo_commit_hash": "981be7365cc7b7da32d5ab28e635f6d35b0ff4f1",
"repo_id": "1e7d8c9b-ce80-41ae-8645-5b2a89165615-gitlab-69265683",
"repo_url": "https://gitlab.com/ghostsecurity/ghostbank-go",
"severity": "high",
"status": "open",
"supporting_files": [
{
"file_path": "handlers/transfers.go",
"hash": "70a9f266f7e90b1ea18bd82ed6700128c3da974e95d6d19cae7844b2de44038a",
"line": 23,
"url": "https://gitlab.com/ghostsecurity/ghostbank-go/-/blob/981be7365cc7b7da32d5ab28e635f6d35b0ff4f1/handlers/transfers.go#L23"
}
],
"updated_at": "2025-05-29T22:27:39.047356Z",
"user_status": "active",
"vulnerable_code_block": "// find source account\nres := db.Where(&models.Account{\n\tToken: input.AccountFrom,\n\tPartition: currentUser.Partition,\n}).First(&source)"
}
]
Bearer authentication header of the form `Authorization: Bearer <token>`, where `<token>` is your auth token. Treat the token as a secret: do not commit it to source control or paste it into shared logs or tickets.
200 OK: the response body is a JSON array of finding objects (`object[]`), one element per finding, as in the example below.
# List every finding for one project of one repository (bearer-authenticated GET).
# {id} and {project_id} are placeholders: substitute real values before running —
# curl otherwise treats the braces as URL-glob syntax (or pass --globoff).
# The token is visible in the process list and shell history; for anything beyond a
# one-off call, read it from an environment variable or a file instead of typing it.
curl -X GET \
  -H 'Authorization: Bearer <token>' \
  --url https://api.ghostsecurity.ai/v1/repos/{id}/projects/{project_id}/findings
[
{
"agent_name": "race",
"attack_feasibility": "easy",
"attack_walkthrough": "1. The attacker authenticates as a valid user and identifies two accounts they control.\n2. The attacker crafts multiple concurrent POST requests to the /api/v3/transfer endpoint, each moving funds out of the same source account, so that several requests read the same pre-debit balance and pass the funds check before any debit is written.",
"class": "race",
"confidence": "high",
"created_at": "2025-05-29T22:27:39.047356Z",
"description": "The MakeTransfer handler performs a read-modify-write sequence on account balances without any locking or database transaction. Two concurrent transfers can therefore both read the same pre-debit balance, both pass the sufficient-funds check, and both write a debit (a time-of-check/time-of-use race), allowing the account to be overdrawn.",
"endpoint_method": "POST",
"endpoint_path": "/api/v3/transfer",
"fixed_code_block": "tx := db.Begin()\nres := tx.Clauses(clause.Locking{Strength: \"UPDATE\"}).Where(&models.Account{\n\tToken: input.AccountFrom,\n\tPartition: currentUser.Partition,\n}).First(&source)",
"handler_class_name": "ApiController",
"handler_method_name": "MakeTransfer",
"id": "race-3f1174136e93fdf8d26511869343804fddcfeb0a948aa81aafa352f3612dd500",
"location": {
"file_path": "handlers/transfers.go",
"hash": "70a9f266f7e90b1ea18bd82ed6700128c3da974e95d6d19cae7844b2de44038a",
"line": 23,
"url": "https://gitlab.com/ghostsecurity/ghostbank-go/-/blob/981be7365cc7b7da32d5ab28e635f6d35b0ff4f1/handlers/transfers.go#L23"
},
"name": "Race condition in account balance update allows overdrawing via concurrent transfers",
"project_id": "5d41402abc4b2a76b9719d911017c592",
"remediation": "Wrap the balance check and update logic in a single database transaction and take row-level locks (e.g., SELECT ... FOR UPDATE) on the affected account rows so that concurrent transfers serialize. Lock the rows in a consistent order to avoid deadlocks, and make sure the transaction is committed or rolled back on every code path (the fixed_code_block shows only the locked read, not the commit).",
"remediation_effort": "easy",
"repo_commit_hash": "981be7365cc7b7da32d5ab28e635f6d35b0ff4f1",
"repo_id": "1e7d8c9b-ce80-41ae-8645-5b2a89165615-gitlab-69265683",
"repo_url": "https://gitlab.com/ghostsecurity/ghostbank-go",
"severity": "high",
"status": "open",
"supporting_files": [
{
"file_path": "handlers/transfers.go",
"hash": "70a9f266f7e90b1ea18bd82ed6700128c3da974e95d6d19cae7844b2de44038a",
"line": 23,
"url": "https://gitlab.com/ghostsecurity/ghostbank-go/-/blob/981be7365cc7b7da32d5ab28e635f6d35b0ff4f1/handlers/transfers.go#L23"
}
],
"updated_at": "2025-05-29T22:27:39.047356Z",
"user_status": "active",
"vulnerable_code_block": "// find source account\nres := db.Where(&models.Account{\n\tToken: input.AccountFrom,\n\tPartition: currentUser.Partition,\n}).First(&source)"
}
]