# Nullify API

The Nullify REST API is available to enterprise tenants for automation, reporting, and connector use cases. Each section below documents a functional area of the platform.

All requests require a service-account token sent via the `Authorization: Bearer <token>` header. Treat the token as a secret: load it from your secret store or environment at runtime, and never embed it in URLs, logs, or source control. See [Authentication](https://docs.nullify.ai/api-reference/api-reference/authentication) for details.

For service-specific specs, see [Service API Specifications](https://docs.nullify.ai/api-reference/api-reference/service-specs) or download the consolidated bundle generated by `scripts/sync-openapi-specs.sh` inside the `public-docs` repository.

## Key Endpoints

| Domain                      | Endpoint                                       | Purpose                                                                                  |
| --------------------------- | ---------------------------------------------- | ---------------------------------------------------------------------------------------- |
| Code Review                 | `GET /sast/events`                             | Stream new findings, suppressions, and fixes for every repository.                       |
| Code Review                 | `GET /sast/findings`                           | List open findings with rich filters for ownership, severity, and status.                |
| Code Review                 | `POST /sast/findings/{findingId}/autofix/fix`  | Queue an automated remediation pull request for supported languages.                     |
| Code Review                 | `POST /sast/findings/{findingId}/allowlist`    | Record a governed exception while keeping audit history intact.                          |
| Dependency Analysis         | `GET /sca/findings`                            | Fetch dependency findings with reachability and policy metadata.                         |
| Dependency Analysis         | `POST /sca/findings/{findingId}/autofix/fix`   | Generate upgrade branches or pull requests with updated manifests and lockfiles.         |
| Dependency Analysis         | `GET /sca/containers/findings`                 | Review container image issues across registries and environments.                        |
| Secrets & Data Guardrails   | `GET /secrets/findings`                        | Enumerate secrets and sensitive data alerts by repository or service.                    |
| Secrets & Data Guardrails   | `POST /secrets/findings/{findingId}/allowlist` | Suppress a finding once the credential is rotated or data remediated.                    |
| Pentester                   | `POST /dast/scans`                             | Launch a new autonomous pentester engagement with optional auth context.                 |
| Pentester                   | `GET /dast/scans/{scanId}/findings`            | Retrieve findings, reproduction steps, and ownership mapping for a pentester engagement. |
| Cloud Audits                | `GET /classifier/applications`                 | Pull the catalog of audited services with their cloud posture classification and owners. |
| Security Program Management | `POST /manager/campaigns`                      | Launch or update campaigns that coordinate remediation across teams and connectors.      |
| Admin                       | `GET /admin/repositories`                      | List the repository catalog, default policies, and ownership assignments for syncing into external inventories. |
| Admin                       | `GET /admin/teams`                             | Pull team definitions and CODEOWNERS mappings used to route findings to owning teams.    |

Each dedicated page in this section includes usage examples, and the [Service API Specifications](https://docs.nullify.ai/api-reference/api-reference/service-specs) bundle provides the full OpenAPI contract for automation.
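The following is an added example, not Nullify's own SDK or code from the docs: a minimal Python client that sends the service-account token as `Authorization: Bearer <token>` and calls two of the endpoints listed above (`GET /sast/findings` and `POST /sast/findings/{findingId}/allowlist`). The base URL `https://api.nullify.ai`, the `NULLIFY_TOKEN` environment variable, the `severity` query parameter and the `reason` body field are assumptions for illustration; take the real values from the Authentication page and the OpenAPI bundle. The HTTP transport is injected so the demo runs offline against a constructed fake that only accepts one known token.

```python
"""Added example (not Nullify's SDK): bearer-token client for two endpoints.
Assumed, not from the docs: base URL, NULLIFY_TOKEN env var, `severity`
query parameter, `reason` body field. Transport is injectable for offline use.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional

DEFAULT_BASE_URL = "https://api.nullify.ai"  # assumed placeholder


class NullifyAuthError(RuntimeError):
    """Raised on HTTP 401/403. Carries the endpoint, never the token."""


def auth_headers(token: str) -> dict:
    """Build the required Authorization header; fail fast on an empty token
    so a misconfigured CI job does not send an anonymous request."""
    token = token.strip()
    if not token:
        raise ValueError("service-account token is empty; set NULLIFY_TOKEN")
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def urllib_transport(method: str, url: str, headers: dict, body: Optional[bytes]):
    """Real HTTP transport; returns (status, raw_body) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


class NullifyClient:
    def __init__(self, token: Optional[str] = None, base_url: str = DEFAULT_BASE_URL,
                 transport: Callable = urllib_transport):
        # Token comes from the caller or the environment, never from source code.
        self.headers = auth_headers(token if token is not None
                                    else os.environ.get("NULLIFY_TOKEN", ""))
        self.base_url = base_url.rstrip("/")
        self.transport = transport

    def request(self, method: str, path: str, params: Optional[dict] = None,
                body: Optional[dict] = None):
        url = self.base_url + path
        if params:
            url += "?" + urllib.parse.urlencode(params)  # token never goes in the query string
        headers = dict(self.headers)
        data = None
        if body is not None:
            data = json.dumps(body).encode()
            headers["Content-Type"] = "application/json"
        status, raw = self.transport(method, url, headers, data)
        if status in (401, 403):
            raise NullifyAuthError(f"{method} {path}: HTTP {status}; check token validity and scope")
        if status >= 400:
            raise RuntimeError(f"{method} {path}: HTTP {status}")
        return json.loads(raw) if raw else {}

    def list_sast_findings(self, **filters):
        return self.request("GET", "/sast/findings", params=filters)

    def allowlist_sast_finding(self, finding_id: str, reason: str):
        # Quote the id so an unexpected value cannot alter the request path.
        path = f"/sast/findings/{urllib.parse.quote(finding_id, safe='')}/allowlist"
        return self.request("POST", path, body={"reason": reason})


VALID_DEMO_TOKEN = "demo-token"  # constructed; the fake accepts only this one


def fake_transport(calls: list) -> Callable:
    """Offline stand-in for the API: records each call and answers with
    constructed JSON, rejecting any request not bearing VALID_DEMO_TOKEN."""
    findings = {"findings": [{"id": "f-1", "severity": "HIGH", "status": "OPEN"}]}

    def transport(method, url, headers, body):
        calls.append({"method": method, "url": url,
                      "body": body.decode() if body else None})
        if headers.get("Authorization") != f"Bearer {VALID_DEMO_TOKEN}":
            return 401, b'{"error":"unauthorized"}'
        if method == "GET" and url.split("?")[0].endswith("/sast/findings"):
            return 200, json.dumps(findings).encode()
        if method == "POST" and url.endswith("/allowlist"):
            return 200, json.dumps({"allowlisted": True}).encode()
        return 404, b""
    return transport


def demo() -> dict:
    """Run both calls against the fake transport and return what happened."""
    calls = []
    client = NullifyClient(token=VALID_DEMO_TOKEN, transport=fake_transport(calls))
    findings = client.list_sast_findings(severity="HIGH")
    ack = client.allowlist_sast_finding("f-1", "false positive: input validated upstream")
    return {"findings": findings, "ack": ack, "calls": calls}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against the live API, construct `NullifyClient()` with no arguments so the token is read from `NULLIFY_TOKEN` and the default `urllib` transport is used, and set `base_url` to the host given on the Authentication page. Note that the auth error deliberately reports the endpoint and status but never the token value, so a failing job does not leak the credential into CI logs.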
