Code Review API

Query code review findings and events via the Nullify API

Existing endpoints retain the /sast prefix for backwards compatibility. New wrappers will be introduced over time without breaking the current contract.

Base URL

All endpoints share the base URL: https://api.<TENANT>.nullify.ai. Replace <TENANT> with your tenant slug (for example https://api.acme.nullify.ai).

Events

Receive a stream of notable code-review activity (new findings, fixes, suppressions, branch summaries):

curl -s \
  -H "Accept: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  'https://api.<TENANT>.nullify.ai/sast/events?githubOwnerId=1234'

List Findings

List active findings, optionally filtered by repository, severity, or status (this example filters on severity):

curl -s \
  -H "Accept: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  'https://api.<TENANT>.nullify.ai/sast/findings?githubOwnerId=1234&severity=high'

Get a Finding

Retrieve full context for a single finding, including reachability evidence and ownership metadata:

curl -s \
  -H "Accept: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  'https://api.<TENANT>.nullify.ai/sast/findings/01J6EEXK3NKYKWW9XTPQYAF41N?githubOwnerId=1234'

Allowlist a Finding

Apply a policy exception when you accept the risk for a finding:

curl -s -X POST \
  -H "Accept: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"reason": "Risk accepted for legacy service"}' \
  'https://api.<TENANT>.nullify.ai/sast/findings/01J6EEXK3NKYKWW9XTPQYAF41N/allowlist?githubOwnerId=1234'

Trigger Autofix

Request a remediation patch for supported languages:

curl -s -X POST \
  -H "Accept: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  'https://api.<TENANT>.nullify.ai/sast/findings/01J6EEXK3NKYKWW9XTPQYAF41N/autofix/fix?githubOwnerId=1234'

Finding Events

Review every decision applied to a finding (status changes, tickets, suppressions):

curl -s \
  -H "Accept: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  'https://api.<TENANT>.nullify.ai/sast/findings/01J6EEXK3NKYKWW9XTPQYAF41N/events?githubOwnerId=1234'

Attach Pentest Evidence

Attach manual pentester evidence to an existing code review finding:

curl -s -X POST \
  -H "Accept: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"engagementId": "01J6EEXK3N6A1Q4JH1JHT0TK5X", "status": "confirmed"}' \
  'https://api.<TENANT>.nullify.ai/sast/findings/01J6EEXK3NKYKWW9XTPQYAF41N/pentest?githubOwnerId=1234'
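The curl commands above map one-to-one onto a small client. The following is an added example, not Nullify's own SDK: it builds every request shown on this page (events, list/get finding, allowlist, autofix, finding events, pentest evidence) from the tenant slug, the githubOwnerId and the finding id, and validates those inputs before interpolating them into the host or path so that a value taken from a ticket or a webhook cannot rewrite the URL. The endpoint paths, the githubOwnerId parameter and the JSON bodies come from the page; the class and method names, the NULLIFY_TOKEN environment variable, and the assumption that finding and engagement ids are 26-character Crockford base32 strings (ULID-shaped, as the sample ids on this page are) are assumptions made here.

```python
"""Request builder for the Nullify Code Review API endpoints shown on this page.
Added example, not Nullify's client. Assumptions: ULID-shaped ids, the class and
method names below, and a NULLIFY_TOKEN environment variable for the bearer token."""
import json
import os
import re
import urllib.request
from urllib.parse import urlencode

# The tenant slug becomes a DNS label in the API host, so restrict it to one.
_SLUG_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
# Sample ids on the page are 26-char Crockford base32 (ULID shape). Checking the
# shape keeps path separators or query characters out of the URL path. (assumption)
_ULID_RE = re.compile(r"^[0-9A-HJKMNP-TV-Z]{26}$")


class NullifyCodeReview:
    def __init__(self, tenant, github_owner_id, token):
        if not _SLUG_RE.match(tenant):
            raise ValueError(f"invalid tenant slug: {tenant!r}")
        if not str(github_owner_id).isdigit():
            raise ValueError("githubOwnerId must be numeric")
        self.base = f"https://api.{tenant}.nullify.ai"
        self.owner = str(github_owner_id)
        self._token = token  # only ever sent in the Authorization header, never in a URL

    def _url(self, path, **params):
        # githubOwnerId is required on every endpoint on this page; extra filters
        # (e.g. severity=high) are appended and percent-encoded by urlencode.
        query = {"githubOwnerId": self.owner}
        query.update({k: v for k, v in params.items() if v is not None})
        return f"{self.base}{path}?{urlencode(query)}"

    @staticmethod
    def _finding_path(finding_id, suffix=""):
        if not _ULID_RE.match(finding_id):
            raise ValueError(f"malformed finding id: {finding_id!r}")
        return f"/sast/findings/{finding_id}{suffix}"

    def _request(self, method, url, body=None):
        headers = {"Accept": "application/json",
                   "Authorization": f"Bearer {self._token}"}
        data = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode()
        return urllib.request.Request(url, data=data, method=method, headers=headers)

    # Endpoints, in the order they appear on this page.
    def events(self):
        return self._request("GET", self._url("/sast/events"))

    def list_findings(self, **filters):
        return self._request("GET", self._url("/sast/findings", **filters))

    def get_finding(self, finding_id):
        return self._request("GET", self._url(self._finding_path(finding_id)))

    def allowlist(self, finding_id, reason):
        if not reason.strip():
            raise ValueError("an allowlist entry needs a recorded reason")
        return self._request("POST", self._url(self._finding_path(finding_id, "/allowlist")),
                             {"reason": reason})

    def autofix(self, finding_id):
        return self._request("POST", self._url(self._finding_path(finding_id, "/autofix/fix")))

    def finding_events(self, finding_id):
        return self._request("GET", self._url(self._finding_path(finding_id, "/events")))

    def attach_pentest(self, finding_id, engagement_id, status):
        if not _ULID_RE.match(engagement_id):
            raise ValueError(f"malformed engagement id: {engagement_id!r}")
        return self._request("POST", self._url(self._finding_path(finding_id, "/pentest")),
                             {"engagementId": engagement_id, "status": status})


def send(req, timeout=30):
    """Perform a built request and decode the JSON reply (network call, not exercised here)."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    api = NullifyCodeReview("acme", 1234, os.environ.get("NULLIFY_TOKEN", "<TOKEN>"))
    req = api.allowlist("01J6EEXK3NKYKWW9XTPQYAF41N", "Risk accepted for legacy service")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Each method returns a urllib Request, so the URL, method and body can be inspected or logged (minus the Authorization header) before `send()` performs the call; rejecting a malformed id or slug up front is what stops a value such as `../events` from changing which endpoint the token is presented to.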
