Code Scanning (SAST)

Use the REST API to query static code scanning (SAST) metrics.


Last updated 1 month ago


Introduction

The SAST API provides a RESTful interface for querying various metrics related to findings and events. It offers endpoints to retrieve information about SAST findings, events, and counts.

Base URL

All API endpoints are accessed through the base URL: https://api.<YOUR-TENANT-NAME>.nullify.ai

Replace <YOUR-TENANT-NAME> with your organization's tenant name. For example, if your tenant name is "acme", the base URL would be https://api.acme.nullify.ai.

Get SAST Events

This endpoint returns the list of events recorded for code findings.

Event types:

  • new-branch-summary
  • new-finding
  • new-findings
  • new-fix
  • new-fixes
  • new-allowlisted-finding
  • new-allowlisted-findings
  • new-unallowlisted-finding
  • new-unallowlisted-findings
  • new-pull-request-finding
  • new-pull-request-findings
  • new-pull-request-fix
  • new-pull-request-fixes
  • new-pull-request-allowlisted-finding
  • new-pull-request-allowlisted-findings
  • new-pull-request-unallowlisted-finding
  • new-pull-request-unallowlisted-findings

curl -L \
   -H "Accept: application/json" \
   -H "Authorization: Bearer <YOUR-TOKEN>" \
   "https://api.<YOUR-TENANT-NAME>.nullify.ai/sast/events?githubOwnerId=1234"

Get SAST Findings

This endpoint returns the list of findings found in the code.

curl -L \
   -H "Accept: application/json" \
   -H "Authorization: Bearer <YOUR-TOKEN>" \
   "https://api.<YOUR-TENANT-NAME>.nullify.ai/sast/findings?githubOwnerId=1234"

Get SAST Finding

This endpoint returns the details of a single SAST finding.

curl -L \
   -H "Accept: application/json" \
   -H "Authorization: Bearer <YOUR-TOKEN>" \
   "https://api.<YOUR-TENANT-NAME>.nullify.ai/sast/findings/01J6EEXK3NKYKWW9XTPQYAF41N?githubOwnerId=1234"

Get SAST Events

GET /sast/events

Returns SAST events after a specified timestamp or event ID. All events are returned if no timestamp or event ID is provided. A maximum of 100 events can be returned per request.

Query parameters

  • nextToken (string, optional)
  • limit (integer, optional)
  • fromTime (string, optional)
  • eventType (string[], optional)
  • fileOwnerName (string[], optional)
  • sort (string, optional)
  • azureOrganizationId (string, optional): The Azure organization ID
  • githubOwnerId (integer, optional): The GitHub owner ID
  • gitlabGroupId (integer, optional): The GitLab group ID
  • installationId (string, optional): The Nullify installation ID
  • azureRepositoryId (string[], optional)
  • githubRepositoryId (integer[], optional)
  • githubTeamId (integer, optional)

Responses

  • 200 OK (application/json)
  • 400 Bad Request (application/json)
  • 403 Forbidden (application/json)
  • 500 Internal Server Error (application/json)

Example request:

GET /sast/events HTTP/1.1
Host: api.<YOUR-TENANT>.nullify.com
Accept: */*

Example response:

{
  "events": [
    {
      "data": null,
      "id": "text",
      "time": "text",
      "timestampUnix": 1,
      "type": "text"
    }
  ],
  "nextToken": "text",
  "numItems": 1
}

Get SAST Findings

GET /sast/findings

Returns a filtered set of SAST findings based on query parameters.

Query parameters

  • nextToken (string, optional)
  • limit (integer, optional)
  • branch (string | nullable, optional)
  • priorityLabel (string | nullable, optional)
  • severity (string | nullable, optional)
  • fileOwnerName (string[], optional)
  • isFalsePositive (boolean | nullable, optional)
  • hasPullRequest (boolean | nullable, optional)
  • workflow (string | nullable, optional)
  • isLatest (boolean | nullable, optional)
  • isAllowlisted (boolean | nullable, optional)
  • isResolved (boolean | nullable, optional)
  • sortBy (string, optional)
  • sort (string, optional)
  • azureOrganizationId (string, optional): The Azure organization ID
  • githubOwnerId (integer, optional): The GitHub owner ID
  • gitlabGroupId (integer, optional): The GitLab group ID
  • installationId (string, optional): The Nullify installation ID
  • azureRepositoryId (string[], optional)
  • githubRepositoryId (integer[], optional)
  • githubTeamId (integer, optional)

Responses

  • 200 OK (application/json)
  • 400 Bad Request (application/json)
  • 403 Forbidden (application/json)
  • 500 Internal Server Error (application/json)

Example request:

GET /sast/findings HTTP/1.1
Host: api.<YOUR-TENANT>.nullify.com
Accept: */*

Example response:

{
  "findings": [
    {
      "allowlistState": "text",
      "autoFixState": "text",
      "branch": "text",
      "category": "text",
      "commitHash": "text",
      "createdAt": "text",
      "cwe": 1,
      "endLine": 1,
      "entrypoint": "text",
      "fileOwners": [
        {
          "name": "text",
          "type": "text"
        }
      ],
      "filePath": "text",
      "id": "text",
      "isAllowlisted": true,
      "isArchived": true,
      "isFalsePositive": true,
      "isLatest": true,
      "isResolved": true,
      "language": "text",
      "message": "text",
      "priorityLabel": "text",
      "priorityOverride": "text",
      "priorityScore": 1,
      "projectId": "text",
      "projectName": "text",
      "pullRequestsAllowlist": [
        {
          "explanation": "text",
          "id": 1,
          "link": "text",
          "status": "text"
        }
      ],
      "pullRequestsAutofix": [
        {
          "explanation": "text",
          "id": 1,
          "link": "text",
          "status": "text"
        }
      ],
      "repository": "text",
      "repositoryId": "text",
      "ruleId": "text",
      "ruleUrl": "text",
      "severity": "text",
      "startLine": 1,
      "tenantId": "text",
      "ticket": {
        "azure": {},
        "github": {
          "issueId": 1,
          "nodeId": "text",
          "number": 1,
          "repositoryName": "text",
          "url": "text"
        },
        "gitlab": {},
        "jira": {
          "issueId": "text",
          "issueKey": "text",
          "url": "text"
        },
        "providerId": "text"
      },
      "title": "text",
      "updatedAt": "text",
      "workflow": "text"
    }
  ],
  "nextToken": "text",
  "numItems": 1
}
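
The following is an added example, not part of the Nullify documentation: a small Python client that walks every page of /sast/findings and counts unresolved, non-allowlisted findings per repository and CWE. It assumes that sending the response's nextToken back as the nextToken query parameter returns the next page, that an empty or missing nextToken marks the last page, and that booleans are sent as "true"/"false"; the NULLIFY_TOKEN environment variable name is hypothetical. The same nextToken loop applies to /sast/events.

```python
import json
import os
import urllib.parse
import urllib.request
from collections import Counter

def findings_url(tenant, params):
    """Build the /sast/findings URL on the tenant base URL given on this page."""
    query = urllib.parse.urlencode(params, doseq=True)
    return f"https://api.{tenant}.nullify.ai/sast/findings?{query}"

def http_fetch(url):
    """GET one page; the bearer token is read from the environment, not hard-coded."""
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "Authorization": "Bearer " + os.environ["NULLIFY_TOKEN"],  # hypothetical name
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def iter_findings(tenant, filters, fetch=http_fetch, max_pages=1000):
    """Yield every finding matching `filters`, following nextToken (assumed semantics)."""
    params = dict(filters)
    seen_tokens = set()
    for _ in range(max_pages):
        page = fetch(findings_url(tenant, params))
        yield from page.get("findings") or []
        token = page.get("nextToken")
        if not token or token in seen_tokens:  # last page, or the server repeated a token
            return
        seen_tokens.add(token)
        params["nextToken"] = token

def open_findings_by_repo_and_cwe(tenant, owner_id, fetch=http_fetch):
    """Count unresolved, non-allowlisted findings per (repository, cwe)."""
    filters = {"githubOwnerId": owner_id,
               "isResolved": "false", "isAllowlisted": "false"}
    counts = Counter()
    for finding in iter_findings(tenant, filters, fetch):
        counts[(finding.get("repository"), finding.get("cwe"))] += 1
    return counts
```

Pass a different fetch callable to run the loop against recorded responses; the repeated-token check and max_pages bound keep a misbehaving page sequence from looping forever.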

Get Finding

GET /sast/findings/{findingId}

Returns a given finding with explanation and impact.

Path parameters

  • findingId (string, required)

Query parameters

  • azureOrganizationId (string, optional): The Azure organization ID
  • githubOwnerId (integer, optional): The GitHub owner ID
  • gitlabGroupId (integer, optional): The GitLab group ID
  • installationId (string, optional): The Nullify installation ID
  • azureRepositoryId (string[], optional)
  • githubRepositoryId (integer[], optional)
  • githubTeamId (integer, optional)

Responses

  • 200 OK (application/json)
  • 400 Bad Request (application/json)
  • 403 Forbidden (application/json)
  • 500 Internal Server Error (application/json)

Example request:

GET /sast/findings/{findingId} HTTP/1.1
Host: api.<YOUR-TENANT>.nullify.com
Accept: */*

Example response:

{
  "finding": {
    "aiDevTitle": "text",
    "aiTitle": "text",
    "allowlistReason": "text",
    "allowlistState": "text",
    "autoFixState": "text",
    "branch": "text",
    "category": "text",
    "commitHash": "text",
    "createdAt": "text",
    "cwe": 1,
    "description": "text",
    "devDescription": "text",
    "endLine": 1,
    "entrypoint": "text",
    "exploitabilityConfidence": "text",
    "exploitabilityLabel": "text",
    "failedTriage": true,
    "fileOwners": [
      {
        "name": "text",
        "type": "text"
      }
    ],
    "filePath": "text",
    "id": "text",
    "impactConfidence": "text",
    "impactLabel": "text",
    "installationId": "text",
    "isAllowlisted": true,
    "isArchived": true,
    "isFalsePositive": true,
    "isLatest": true,
    "isResolved": true,
    "language": "text",
    "message": "text",
    "owner": "text",
    "platform": "text",
    "priorityLabel": "text",
    "priorityLabelReason": "text",
    "priorityOverride": "text",
    "priorityScore": 1,
    "projectId": "text",
    "projectName": "text",
    "pullRequestsAllowlist": [
      {
        "explanation": "text",
        "id": 1,
        "link": "text",
        "status": "text"
      }
    ],
    "pullRequestsAutofix": [
      {
        "explanation": "text",
        "id": 1,
        "link": "text",
        "status": "text"
      }
    ],
    "repository": "text",
    "repositoryId": "text",
    "resolvedAt": "2025-06-12T15:33:11.145Z",
    "ruleId": "text",
    "ruleUrl": "text",
    "severity": "text",
    "severityConfidence": "text",
    "severityLabel": "text",
    "severityOverride": "text",
    "severityScore": 1,
    "startLine": 1,
    "tenantId": "text",
    "ticket": {
      "azure": {},
      "github": {
        "issueId": 1,
        "nodeId": "text",
        "number": 1,
        "repositoryName": "text",
        "url": "text"
      },
      "gitlab": {},
      "jira": {
        "issueId": "text",
        "issueKey": "text",
        "url": "text"
      },
      "providerId": "text"
    },
    "ticketState": "text",
    "title": "text",
    "triageAgentVersion": "text",
    "triageDurationSeconds": 1,
    "triageLangfuseSessionId": "text",
    "triageLangfuseTraceId": "text",
    "triageLlmCostUsd": 1,
    "triageTokenCount": 1,
    "triageTraceId": "text",
    "updatedAt": "text",
    "userNotes": "text",
    "workflow": "text"
  },
  "presignedUrl": "text"
}