fix(findings): fix pagination, repository filter, severity, and type mapping#149
Merged
Conversation
tim-thacker-nullify
previously approved these changes
May 19, 2026
…unified endpoint Three additional issues discovered via live testing against the API: 1. Severity values must be uppercase (CRITICAL, HIGH, MEDIUM, LOW) — the unified endpoint rejects lowercase values silently, returning 0 results. 2. The unified endpoint uses PascalCase finding type names (Code, Dependencies, Containers, Secrets, Pentest, BugHunting, Cloud) rather than the CLI's internal slugs (sast, sca_dependencies, cspm, etc.). Added findingTypeToAPI mapping in both CLI and MCP. 3. Pagination uses page numbers, not scroll IDs — the API returns hasMoreData=true but scrollId=null. The loop now falls back to incrementing the page field when scrollId is absent, and correctly fetches all pages up to the requested limit.
jonathanlam
dismissed
tim-thacker-nullify’s stale review
The merge-base changed after approval.
jonathanlam
force-pushed
the
fix/findings-bugs
branch
from
2c0bb86 to
f79cfc0
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Repository filter was silently ignored — the individual scanner endpoints (
/sast/findings,/sca/*/findings, etc.) don't accept arepositoryquery param. The CLI was sending it and getting unfiltered results back. Fix: switch toPOST /admin/findings, the unified endpoint the dashboard uses, which acceptsrepositoryas a real filter field.Limit was hard-capped at 100 server-side — every individual endpoint enforces a maximum of 100 results per page regardless of the
limitvalue sent. The CLI also never followed thenextTokencursor returned in responses, so only the first ≤100 findings per scanner type were ever returned. Fix: the new endpoint paginates automatically (usingpagenumbers) untilhasMoreDatais false or the requested limit is reached.Severity filter only worked for SAST and CSPM — other endpoints silently ignored it. The unified endpoint handles severity across all types, but requires uppercase values (
CRITICALnotcritical). Fixed.Type names were wrong for the unified endpoint — the API uses
Code,Dependencies,Containers,Secrets,Pentest,BugHunting,Cloudrather than the CLI slugs. AddedfindingTypeToAPImapping in both CLI and MCP.MCP used singular type names (
sca_dependency,sca_container) while the CLI used plural (sca_dependencies,sca_containers). Normalised to plural throughout.nullify_search_findingsMCP tool had the same bugs and received the same fixes: unified endpoint, pagination, severity casing, type mapping.Test plan
Validated against NIB (
api.nib.nullify.ai):total--repo <name>returns only that repository's findings--severity lowreturns onlyLOWseverity findings (correct casing applied)--type sastreturns onlyCodetype findings (mapping applied)--type sca_dependenciesreturns onlyDependenciestype findings--limit 250fetches multiple pages and returns >100 findings when total exceeds 100nullify_search_findingsproduces identical results to CLI for all of the abovego test ./cmd/cli/cmd/... ./internal/mcp/...passes