POST /api/findings/{id}/apply-patch
Apply Patch
curl --request POST \
  --url https://api.example.com/api/findings/{id}/apply-patch
Apply the suggested patch for a security finding. This operation marks the patch as applied and creates an audit event to track who applied it and when.
This endpoint requires authentication. The authenticated user will be recorded as the person who applied the patch.
This endpoint only marks the patch as applied in Heimdall’s database. It does not automatically modify your source code. You must apply the actual code changes separately.

Path Parameters

id (string, required): The unique UUID of the finding whose patch should be applied.

Patch Application Process

When you call this endpoint, Heimdall performs the following steps:
  1. Validates the finding exists - Ensures the specified finding ID is valid
  2. Retrieves the latest patch - Fetches the most recent patch associated with this finding
  3. Checks patch status - Verifies the patch hasn’t already been applied
  4. Marks patch as applied - Updates the patch record with the applied status and user ID
  5. Creates audit event - Records a patch_applied event for tracking
Each finding can have multiple patches generated over time. This endpoint always applies the most recent patch.

Response

Returns information about the applied patch and the audit event that was created.
data (object)
{
  "success": true,
  "data": {
    "finding_id": "123e4567-e89b-12d3-a456-426614174000",
    "patch_id": "789e1234-e89b-12d3-a456-426614174333",
    "applied_by": "555e5555-e89b-12d3-a456-426614175555",
    "event": {
      "id": "987e6543-e89b-12d3-a456-426614174999",
      "finding_id": "123e4567-e89b-12d3-a456-426614174000",
      "user_id": "555e5555-e89b-12d3-a456-426614175555",
      "event_type": "patch_applied",
      "old_value": null,
      "new_value": "789e1234-e89b-12d3-a456-426614174333",
      "comment": null,
      "metadata": null,
      "created_at": "2026-03-12T15:45:00Z"
    }
  }
}

Error Responses

404 Not Found - Finding Not Found

Returned when the specified finding does not exist.
{
  "success": false,
  "code": 404,
  "message": "Finding '123e4567-e89b-12d3-a456-426614174000' not found"
}

404 Not Found - No Patch Available

Returned when no patch exists for the finding.
{
  "success": false,
  "code": 404,
  "message": "No patch available for finding '123e4567-e89b-12d3-a456-426614174000'"
}

409 Conflict

Returned when attempting to apply a patch that has already been applied.
{
  "success": false,
  "code": 409,
  "message": "Patch has already been applied"
}

500 Internal Server Error

Returned when the patch application fails or the event cannot be recorded.
{
  "success": false,
  "code": 500,
  "message": "Failed to apply patch: database connection error"
}
{
  "success": false,
  "code": 500,
  "message": "Patch applied but failed to record event: database error"
}
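
Client-side handling of the responses documented above, as an added example that is not part of Heimdall's documentation or code. It classifies each documented response, cross-checks the audit event against the patch data, and separates the 500 case where the patch is marked applied but no audit event was recorded. The outcome labels and the message-prefix matching are assumptions based on the sample messages on this page.

```python
# Added example, not Heimdall code. Outcome labels are hypothetical names.
# SAMPLE_OK is constructed from the sample response shown on this page.
SAMPLE_OK = {"success": True, "data": {
    "finding_id": "123e4567-e89b-12d3-a456-426614174000",
    "patch_id": "789e1234-e89b-12d3-a456-426614174333",
    "applied_by": "555e5555-e89b-12d3-a456-426614175555",
    "event": {"finding_id": "123e4567-e89b-12d3-a456-426614174000",
              "user_id": "555e5555-e89b-12d3-a456-426614175555",
              "event_type": "patch_applied",
              "new_value": "789e1234-e89b-12d3-a456-426614174333"}}}


def check_event(data):
    """List inconsistencies between the patch data and its audit event."""
    ev = data.get("event") or {}
    problems = []
    if ev.get("event_type") != "patch_applied":
        problems.append("event_type is not patch_applied")
    for ev_key, data_key in (("finding_id", "finding_id"),
                             ("user_id", "applied_by"),
                             ("new_value", "patch_id")):
        if ev.get(ev_key) is None or ev.get(ev_key) != data.get(data_key):
            problems.append(f"event.{ev_key} does not match {data_key}")
    return problems


def classify(status, body):
    """Map an HTTP status and parsed JSON body to (outcome, details)."""
    msg = body.get("message", "")
    if body.get("success") is True:
        problems = check_event(body.get("data") or {})
        return ("audit_mismatch", problems) if problems else ("applied", [])
    if status == 409:
        # The patch was already marked applied; a retry can treat this as done.
        return ("already_applied", [msg])
    if status == 404:
        # Both 404s share a code; only the message separates them
        # (assumption: wording matches the samples on this page).
        if msg.startswith("No patch available"):
            return ("no_patch", [msg])
        return ("finding_not_found", [msg])
    if status == 500 and msg.startswith("Patch applied but"):
        # Marked applied, but the audit event is missing: flag for follow-up.
        return ("applied_without_audit_event", [msg])
    return ("failed", [msg])
```

An `applied_without_audit_event` result means the patch record and the audit trail disagree, so it should be raised for follow-up rather than counted as a plain failure.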

Best Practices

  1. Review the patch first - Use the Get Finding endpoint to retrieve the suggested_patch field and review the proposed changes before applying.
  2. Apply code changes - Manually apply the patch to your source code or use your preferred patching tool. This endpoint does not modify your code automatically.
  3. Mark as applied - Call this endpoint to record that the patch has been applied, enabling proper tracking and audit trails.
  4. Verify the fix - After applying the patch, consider running a new scan to verify the vulnerability has been resolved.
