Glama

DefectDojo MCP Server

by jamiesonio

update_finding_status

Modify the status of a vulnerability finding in DefectDojo to values like Active, Verified, or False Positive. This tool helps manage and track findings efficiently within the vulnerability management system.

Instructions

Update the status of a finding (Active, Verified, False Positive, Mitigated, Inactive)

Input Schema

    Name        Required  Description  Default
    finding_id  Yes
    status      Yes

Output Schema

    Name        Required  Description  Default
    result      Yes

Implementation Reference

  • The main handler function that implements the tool logic: maps user-provided status strings to DefectDojo API fields, handles flag conflicts, calls the client to update the finding, and returns success/error response.
    from typing import Any, Dict

    # `get_client` is the server's own DefectDojo API client factory; it is defined
    # elsewhere in the project and is not shown on this page.

    async def update_finding_status(finding_id: int, status: str) -> Dict[str, Any]:
        """Update the status of a finding.

        Args:
            finding_id: ID of the finding to update
            status: New status for the finding (Active, Verified, False Positive, Mitigated, Inactive)

        Returns:
            Dictionary with status and data/error
        """
        data = {"active": True}  # Default to active

        # Map common status values to API fields (case-insensitive match)
        status_lower = status.lower()
        if status_lower == "false positive":
            data["false_p"] = True
        elif status_lower == "verified":
            data["verified"] = True
        elif status_lower == "mitigated":
            data["active"] = False
            # Assuming API uses 'mitigated' boolean field. Note: DefectDojo's Finding
            # serializer exposes the boolean as 'is_mitigated' and 'mitigated' as a
            # datetime, so verify this key against the DefectDojo version in use.
            data["mitigated"] = True
        elif status_lower == "inactive":
            data["active"] = False
        elif status_lower != "active":
            # Reject unsupported input instead of sending an unknown status to the API
            return {"status": "error", "error": f"Unsupported status: {status}. Use Active, Verified, False Positive, Mitigated, or Inactive."}

        # Clear conflicting flags so the payload asserts only one status
        if data.get("false_p"):
            data.pop("verified", None)
            # 'active' is dropped from the payload entirely, so the finding's
            # current active flag is left unchanged on the server
            data.pop("active", None)
            data.pop("mitigated", None)
        elif data.get("verified"):
            data.pop("false_p", None)
            # Verified implies active usually, but check API docs if explicit setting is needed
            data["active"] = True
            data.pop("mitigated", None)
        elif data.get("mitigated"):
            data.pop("false_p", None)
            data.pop("verified", None)
            data["active"] = False  # Mitigated implies inactive
        elif not data.get("active", True):  # Handling "Inactive" case
            data.pop("false_p", None)
            data.pop("verified", None)
            data.pop("mitigated", None)
            data["active"] = False
        else:  # Handling "Active" case (default or explicit)
            data.pop("false_p", None)
            data.pop("verified", None)
            data.pop("mitigated", None)
            data["active"] = True

        client = get_client()
        result = await client.update_finding(finding_id, data)

        # The client reports API failures as a dict carrying an "error" key
        if "error" in result:
            return {"status": "error", "error": result["error"], "details": result.get("details", "")}

        return {"status": "success", "data": result}
  • Registers the update_finding_status handler function as an MCP tool with name and description.
    # `mcp` is the server's MCP instance (created elsewhere in the project);
    # the decorator is applied directly rather than with `@` syntax.
    mcp.tool(
        name="update_finding_status",
        description="Update the status of a finding (Active, Verified, False Positive, Mitigated, Inactive)"
    )(update_finding_status)
Behavior: 2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries the full burden of behavioral disclosure. It states 'Update' which implies a mutation, but doesn't disclose critical traits: whether this requires specific permissions, if changes are reversible, what happens to associated data, or any rate limits. The description adds minimal behavioral context beyond the basic action.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness: 5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single, efficient sentence that front-loads the core action and lists all status options without unnecessary words. Every element (verb, resource, options) earns its place, making it highly concise and well-structured for quick understanding.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness: 3/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given a mutation tool with 2 parameters, 0% schema coverage, no annotations, but an output schema exists, the description is minimally adequate. It covers the purpose and status values, but lacks behavioral details (e.g., permissions, side effects) and parameter semantics for 'finding_id'. The output schema reduces the need to explain return values, but more context would improve completeness.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters: 3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 0%, so the schema provides no parameter descriptions. The description lists the status options, which adds meaning for the 'status' parameter beyond the schema's basic type. However, it doesn't explain 'finding_id' (e.g., how to obtain it) or provide format details for either parameter. It partially compensates for the coverage gap but not fully.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose: 4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the verb 'Update' and the resource 'status of a finding', specifying the exact status options (Active, Verified, False Positive, Mitigated, Inactive). It distinguishes from siblings like 'create_finding' or 'get_findings' by focusing on status modification rather than creation or retrieval. However, it doesn't explicitly differentiate from other update tools like 'update_engagement' beyond the resource name.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines: 2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides no guidance on when to use this tool versus alternatives. It doesn't mention prerequisites (e.g., needing an existing finding ID), when not to use it (e.g., for other finding attributes), or refer to sibling tools like 'add_finding_note' for related actions. Usage is implied by the action but not explicitly contextualized.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/jamiesonio/defectdojo-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server.