Create a finding
POST /v1/findings
Push a finding from an external scanner, audit, or custom check into Matproof’s unified Findings view.
Use this endpoint to push findings from any source that doesn’t have a native Matproof integration — a custom security scanner, a CI/CD pipeline check, an internal-audit ticketing system, a manual entry from a board meeting. Pushed findings appear in the unified Findings view alongside findings from internal audits, pen-tests, the device agent, and connected integrations.
The
Common use cases
- Custom security scanner — pipe results from a scanner that isn’t on the integrations list (Trivy, Grype, custom SAST)
- CI/CD pipeline — fail-the-build checks generate findings that are tracked through to remediation
- Manual escalation — issues raised in board / management meetings logged formally
- Bridging external GRC — mirror findings from a parent-org GRC tool into a subsidiary’s Matproof tenant
Idempotency
Always send Idempotency-Key on POST /v1/findings — most use cases retry on transient failure, and you don’t want duplicate findings:
Idempotency-Key should encode the originating system’s stable identifier — for the Aikido example above, aikido-issue-{aikido_issue_id} — so retries always resolve to the same Matproof finding.
Linked controls
When linkedControlIds is provided, the finding immediately appears on those controls’ Findings tabs and contributes to the framework’s compliance-score calculation. Multiple controls can be linked when a single finding affects multiple frameworks.
Severity values
informational / low / medium / high / critical
For external scanners, map their severity scale to Matproof’s: most scanners use 0–10 CVSS, where 7+ → high and 9+ → critical.
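The Idempotency and Severity sections above, plus the advice in the Response section to keep the returned id for later PATCH /v1/findings/{id} calls, worked through as a small retry-safe client. This is an added example, not Matproof’s SDK or any code from this page. Only Idempotency-Key, linkedControlIds, the five severity values and the 7+/9+ CVSS thresholds come from the page; the base URL, the Authorization and X-Organization-Id header names, the body keys other than linkedControlIds, the lower CVSS bands (taken from the CVSS v3 qualitative ratings) and the sample scanner result are all assumptions.

```python
"""Retry-safe client for POST /v1/findings (added example, not Matproof's own code)."""
import json
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# Placeholder: the real Matproof API host is not given on the page.
BASE_URL = "https://matproof.example.invalid"

SEVERITIES = ("informational", "low", "medium", "high", "critical")  # from the page


def cvss_to_severity(score: float) -> str:
    """Map a CVSS 0-10 base score onto Matproof's five-level scale.

    The page fixes 7+ -> high and 9+ -> critical; the lower bands are assumed from the
    CVSS v3 qualitative ratings (0.1-3.9 low, 4.0-6.9 medium, 0.0 -> informational).
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "informational"


def idempotency_key(source: str, external_id: str) -> str:
    """Encode the originating system's stable identifier (e.g. trivy-issue-<scanner id>)
    so every retry, and every re-run of the same scan, resolves to one Matproof finding."""
    if not source or not external_id:
        raise ValueError("source and external_id are required for a stable key")
    return f"{source}-issue-{external_id}"


# A transport takes (url, headers, body) and returns (status, raw response body).
Transport = Callable[[str, dict, bytes], Tuple[int, bytes]]


def urllib_transport(url: str, headers: dict, body: bytes) -> Tuple[int, bytes]:
    """Real HTTP transport: raises URLError on connection failure, returns 4xx/5xx as a status."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


def flaky_transport(fail_first: int, response_id: str) -> Transport:
    """Offline test double: raise ConnectionError for the first N calls, then answer 201.
    Records every Idempotency-Key sent so a caller can check it never changes across retries."""
    calls = {"n": 0, "keys": []}

    def transport(url: str, headers: dict, body: bytes) -> Tuple[int, bytes]:
        calls["n"] += 1
        calls["keys"].append(headers["Idempotency-Key"])
        if calls["n"] <= fail_first:
            raise ConnectionError("simulated transient failure")
        return 201, json.dumps({"id": response_id}).encode("utf-8")

    transport.calls = calls  # exposed for inspection
    return transport


def create_finding(transport: Transport, api_key: str, org_id: str, finding: dict,
                   max_attempts: int = 3) -> str:
    """POST the finding, reusing one Idempotency-Key across retries; return the new finding id."""
    if finding["severity"] not in SEVERITIES:
        raise ValueError(f"unknown severity {finding['severity']!r}")
    key = idempotency_key(finding["source"], finding["externalId"])
    headers = {
        "Authorization": f"Bearer {api_key}",  # assumed header name for API-key auth
        "X-Organization-Id": org_id,           # assumed header name for the Organization ID
        "Content-Type": "application/json",
        "Idempotency-Key": key,                # named on the page
    }
    body = json.dumps(finding).encode("utf-8")
    last_error: Optional[Exception] = None
    for _ in range(max_attempts):
        try:
            status, raw = transport(f"{BASE_URL}/v1/findings", headers, body)
        except (urllib.error.URLError, ConnectionError, TimeoutError) as exc:
            last_error = exc  # transient: retry with the SAME key
            continue
        if status in (200, 201):
            return json.loads(raw)["id"]  # persist this for PATCH /v1/findings/{id} later
        if 500 <= status < 600:
            last_error = RuntimeError(f"server error {status}")
            continue
        raise RuntimeError(f"POST /v1/findings rejected ({status}): {raw[:200]!r}")
    raise RuntimeError("gave up after retries") from last_error


# Constructed sample scanner result; every key except linkedControlIds is an assumed name.
SAMPLE_FINDING = {
    "source": "trivy",
    "externalId": "scan-42-pkg-openssl",
    "title": "Outdated openssl package in base image",
    "description": "Image build 42 ships an openssl below the patched version (constructed sample).",
    "severity": cvss_to_severity(8.1),
    "linkedControlIds": ["ctl_placeholder_1"],
}
```

Against a live tenant, call create_finding(urllib_transport, api_key, org_id, SAMPLE_FINDING) and write the returned id back into the scanner’s own record; flaky_transport(1, "fnd_abc123") exercises the retry path offline and lets you confirm that both attempts carried the identical key.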
Response
On success, the response includes the created finding’s id. Store this in your originating system to support future updates (PATCH /v1/findings/{id}) — for example, when the underlying scanner reports the issue resolved.
Authorizations
API key for authentication
Headers
Organization ID (required for session auth, optional for API key auth)
Body
application/json
Finding data
- Task ID this finding is associated with. Example: "tsk_abc123"
- Type of finding (SOC 2 or ISO 27001). Available options: soc2, iso27001
- Finding content/message. Maximum string length: 5000. Example: "The uploaded evidence does not clearly show the Organization Name or URL."
- Finding template ID (optional). Example: "fnd_t_abc123"
Response
The created finding