Code Review API

Query code review findings and events via the Nullify API

Existing endpoints retain the /sast prefix for backwards compatibility. New wrappers will be introduced over time without breaking the current contract.

Base URL

All endpoints share the base URL: https://api.<TENANT>.nullify.ai. Replace <TENANT> with your tenant slug (for example https://api.acme.nullify.ai).

Events

Receive a stream of notable code-review activity (new findings, fixes, suppressions, branch summaries):

Get SAST Events

get

Returns SAST events after a specified timestamp or event ID. All events are returned if no timestamp or event ID is provided. A maximum of 100 events can be returned per request.

Query parameters

nextTokenstring · nullableOptional

limitinteger · nullableOptional

fromTimestring · nullableOptional

eventTypestring[]Optional

fileOwnerNamestring[]Optional

sortstring · nullableOptional

azureOrganizationIdstringOptional

The Azure organization ID

bitbucketWorkspaceIdstringOptional

The Bitbucket workspace ID

githubOwnerIdinteger · int64Optional

The Github owner ID

gitlabGroupIdinteger · int64Optional

The GitLab group ID

installationIdstringOptional

The Nullify installation ID

azureRepositoryIdstring[]Optional

githubRepositoryIdinteger · int64[]Optional

githubTeamIdinteger · int64Optional

bitbucketRepositoryIdstring[]Optional

Responses

200

application/json

nextTokenstringRequired

numItemsintegerRequired

versionstringRequired

400

Bad Request

application/json

403

Forbidden

application/json

500

Internal Server Error

application/json

get

/sast/events

GET /sast/events HTTP/1.1
Accept: */*

{
  "events": [
    {
      "data": null,
      "id": "text",
      "time": "text",
      "timestampUnix": 1,
      "type": "account-scan-completed"
    }
  ],
  "nextToken": "text",
  "numItems": 1,
  "version": "text"
}

curl -s \
  -H "Accept: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  'https://api.<TENANT>.nullify.ai/sast/events?githubOwnerId=1234'

List Findings

List active findings with filtering by repository, severity, or status:

Get SAST Findings

get

Returns a filtered set of SAST findings based on query parameters

Query parameters

nextTokenstring · nullableOptional

limitinteger · nullableOptional

priorityLabelstring · nullableOptional

severitystring · nullableOptional

fileOwnerNamestring[]Optional

hasPullRequestboolean · nullableOptional

branchstring · nullableOptional

workflowstring · nullableOptional

repositoryIdsstring[]Optional

if not provided, all repositories will be included

isResolvedboolean · nullableOptional

combination of isFixed, isFalsePositive, isAllowlisted and isArchived

isFixedboolean · nullableOptional

isFalsePositiveboolean · nullableOptional

isAllowlistedboolean · nullableOptional

isArchivedboolean · nullableOptional

sortBystring · nullableOptional

sortstring · nullableOptional

azureOrganizationIdstringOptional

The Azure organization ID

bitbucketWorkspaceIdstringOptional

The Bitbucket workspace ID

githubOwnerIdinteger · int64Optional

The Github owner ID

gitlabGroupIdinteger · int64Optional

The GitLab group ID

installationIdstringOptional

The Nullify installation ID

azureRepositoryIdstring[]Optional

githubRepositoryIdinteger · int64[]Optional

githubTeamIdinteger · int64Optional

bitbucketRepositoryIdstring[]Optional

Responses

200

application/json

nextTokenstringRequired

numItemsintegerRequired

versionstringRequired

400

Bad Request

application/json

403

Forbidden

application/json

500

Internal Server Error

application/json

get

/sast/findings

GET /sast/findings HTTP/1.1
Accept: */*

{
  "findings": [
    {
      "aiDevTitle": "text",
      "aiTitle": "text",
      "allowlistReason": "text",
      "allowlistState": "none",
      "allowlistType": "AI",
      "autoFixEndTime": "2026-03-05T12:37:15.493Z",
      "autoFixStartTime": "2026-03-05T12:37:15.493Z",
      "autoFixState": "none",
      "branch": "text",
      "category": "text",
      "commitHash": "text",
      "createdAt": "text",
      "cwe": 1,
      "endLine": 1,
      "entrypoint": "text",
      "fileOwners": [
        {
          "name": "text",
          "type": "email"
        }
      ],
      "filePath": "text",
      "firstSeenCommit": "text",
      "id": "text",
      "isAllowlisted": true,
      "isArchived": true,
      "isFalsePositive": true,
      "isLatest": true,
      "isResolved": true,
      "language": "Apex",
      "message": "text",
      "priorityLabel": "text",
      "priorityOverride": "text",
      "priorityScore": 1,
      "projectId": "text",
      "projectName": "text",
      "pullRequestsAllowlist": [
        {
          "createdAt": "2026-03-05T12:37:15.493Z",
          "explanation": "text",
          "firstReviewedAt": "2026-03-05T12:37:15.493Z",
          "hasCustomerCommit": true,
          "hasCustomerFeedback": true,
          "id": 1,
          "lastReviewedAt": "2026-03-05T12:37:15.493Z",
          "link": "text",
          "mergedAt": "2026-03-05T12:37:15.493Z",
          "pullRequestProvider": {
            "azure": {
              "pullRequestId": 1
            },
            "bitbucket": {
              "pullRequestId": 1
            },
            "github": {
              "pullRequestNodeId": "text",
              "pullRequestNumber": 1
            },
            "gitlab": {
              "mergeRequestNumber": 1
            },
            "id": "Nullify"
          },
          "status": "open",
          "updatedAt": "2026-03-05T12:37:15.493Z"
        }
      ],
      "pullRequestsAutofix": [
        {
          "createdAt": "2026-03-05T12:37:15.493Z",
          "explanation": "text",
          "firstReviewedAt": "2026-03-05T12:37:15.493Z",
          "hasCustomerCommit": true,
          "hasCustomerFeedback": true,
          "id": 1,
          "lastReviewedAt": "2026-03-05T12:37:15.493Z",
          "link": "text",
          "mergedAt": "2026-03-05T12:37:15.493Z",
          "pullRequestProvider": {
            "azure": {
              "pullRequestId": 1
            },
            "bitbucket": {
              "pullRequestId": 1
            },
            "github": {
              "pullRequestNodeId": "text",
              "pullRequestNumber": 1
            },
            "gitlab": {
              "mergeRequestNumber": 1
            },
            "id": "Nullify"
          },
          "status": "open",
          "updatedAt": "2026-03-05T12:37:15.493Z"
        }
      ],
      "repository": "text",
      "repositoryId": "text",
      "ruleId": "text",
      "ruleUrl": "text",
      "severity": "text",
      "startLine": 1,
      "tenantId": "text",
      "ticket": {
        "azure": {},
        "github": {
          "issueId": 1,
          "nodeId": "text",
          "number": 1,
          "repositoryName": "text",
          "url": "text"
        },
        "gitlab": {},
        "jira": {
          "issueId": "text",
          "issueKey": "text",
          "url": "text"
        },
        "linear": {
          "issueId": "text",
          "teamId": "text",
          "url": "text"
        },
        "providerId": "Nullify"
      },
      "title": "text",
      "triageEnd": "2026-03-05T12:37:15.493Z",
      "triageStart": "2026-03-05T12:37:15.493Z",
      "updatedAt": "text",
      "workflow": "text"
    }
  ],
  "nextToken": "text",
  "numItems": 1,
  "version": "text"
}

curl -s \
  -H "Accept: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  'https://api.<TENANT>.nullify.ai/sast/findings?githubOwnerId=1234&severity=high'

Get a Finding

Retrieve full context for a single finding, including reachability evidence and ownership metadata:

Get Finding

get

Returns a given finding with explanation and impact

Path parameters

findingIdstringRequired

Query parameters

azureOrganizationIdstringOptional

The Azure organization ID

bitbucketWorkspaceIdstringOptional

The Bitbucket workspace ID

githubOwnerIdinteger · int64Optional

The Github owner ID

gitlabGroupIdinteger · int64Optional

The GitLab group ID

installationIdstringOptional

The Nullify installation ID

azureRepositoryIdstring[]Optional

githubRepositoryIdinteger · int64[]Optional

githubTeamIdinteger · int64Optional

bitbucketRepositoryIdstring[]Optional

Responses

200

application/json

presignedUrlstringRequired

versionstringRequired

400

Bad Request

application/json

403

Forbidden

application/json

500

Internal Server Error

application/json

get

/sast/findings/{findingId}

GET /sast/findings/{findingId} HTTP/1.1
Accept: */*

{
  "finding": {
    "aiDevTitle": "text",
    "aiTitle": "text",
    "allowlistReason": "text",
    "allowlistState": "none",
    "allowlistType": "AI",
    "autoFixEndTime": "2026-03-05T12:37:15.493Z",
    "autoFixStartTime": "2026-03-05T12:37:15.493Z",
    "autoFixState": "none",
    "branch": "text",
    "budgetExhausted": true,
    "budgetLimit": 1,
    "budgetUsed": 1,
    "category": "text",
    "commitHash": "text",
    "concurrencyLimit": 1,
    "createdAt": "text",
    "cwe": 1,
    "deletedAt": "2026-03-05T12:37:15.493Z",
    "description": "text",
    "devDescription": "text",
    "endLine": 1,
    "entrypoint": "text",
    "exploitabilityConfidence": "text",
    "exploitabilityLabel": "text",
    "failedTriage": true,
    "fileOwners": [
      {
        "name": "text",
        "type": "email"
      }
    ],
    "filePath": "text",
    "firstSeenCommit": "text",
    "fixCommit": "text",
    "fixedAt": "2026-03-05T12:37:15.493Z",
    "id": "text",
    "impactConfidence": "text",
    "impactLabel": "text",
    "installationId": "text",
    "isAllowlisted": true,
    "isArchived": true,
    "isFalsePositive": true,
    "isLatest": true,
    "isResolved": true,
    "language": "Apex",
    "message": "text",
    "owner": "text",
    "platform": "text",
    "priorityLabel": "text",
    "priorityLabelReason": "text",
    "priorityOverride": "text",
    "priorityScore": 1,
    "projectId": "text",
    "projectName": "text",
    "pullRequestsAllowlist": [
      {
        "createdAt": "2026-03-05T12:37:15.493Z",
        "explanation": "text",
        "firstReviewedAt": "2026-03-05T12:37:15.493Z",
        "hasCustomerCommit": true,
        "hasCustomerFeedback": true,
        "id": 1,
        "lastReviewedAt": "2026-03-05T12:37:15.493Z",
        "link": "text",
        "mergedAt": "2026-03-05T12:37:15.493Z",
        "pullRequestProvider": {
          "azure": {
            "pullRequestId": 1
          },
          "bitbucket": {
            "pullRequestId": 1
          },
          "github": {
            "pullRequestNodeId": "text",
            "pullRequestNumber": 1
          },
          "gitlab": {
            "mergeRequestNumber": 1
          },
          "id": "Nullify"
        },
        "status": "open",
        "updatedAt": "2026-03-05T12:37:15.493Z"
      }
    ],
    "pullRequestsAutofix": [
      {
        "createdAt": "2026-03-05T12:37:15.493Z",
        "explanation": "text",
        "firstReviewedAt": "2026-03-05T12:37:15.493Z",
        "hasCustomerCommit": true,
        "hasCustomerFeedback": true,
        "id": 1,
        "lastReviewedAt": "2026-03-05T12:37:15.493Z",
        "link": "text",
        "mergedAt": "2026-03-05T12:37:15.493Z",
        "pullRequestProvider": {
          "azure": {
            "pullRequestId": 1
          },
          "bitbucket": {
            "pullRequestId": 1
          },
          "github": {
            "pullRequestNodeId": "text",
            "pullRequestNumber": 1
          },
          "gitlab": {
            "mergeRequestNumber": 1
          },
          "id": "Nullify"
        },
        "status": "open",
        "updatedAt": "2026-03-05T12:37:15.493Z"
      }
    ],
    "repository": "text",
    "repositoryId": "text",
    "resolvedAt": "2026-03-05T12:37:15.493Z",
    "ruleId": "text",
    "ruleUrl": "text",
    "severity": "text",
    "severityConfidence": "text",
    "severityLabel": "text",
    "severityOverride": "text",
    "severityScore": 1,
    "startLine": 1,
    "tenantId": "text",
    "ticket": {
      "azure": {},
      "github": {
        "issueId": 1,
        "nodeId": "text",
        "number": 1,
        "repositoryName": "text",
        "url": "text"
      },
      "gitlab": {},
      "jira": {
        "issueId": "text",
        "issueKey": "text",
        "url": "text"
      },
      "linear": {
        "issueId": "text",
        "teamId": "text",
        "url": "text"
      },
      "providerId": "Nullify"
    },
    "ticketState": "text",
    "title": "text",
    "triageAgentVersion": "text",
    "triageDurationSeconds": 1,
    "triageEnd": "2026-03-05T12:37:15.493Z",
    "triageLangfuseSessionId": "text",
    "triageLangfuseTraceId": "text",
    "triageLlmCostUsd": 1,
    "triageStart": "2026-03-05T12:37:15.493Z",
    "triageTokenCount": 1,
    "triageTraceId": "text",
    "updatedAt": "text",
    "userNotes": "text",
    "workflow": "text"
  },
  "presignedUrl": "text",
  "version": "text"
}

curl -s \
  -H "Accept: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  'https://api.<TENANT>.nullify.ai/sast/findings/01J6EEXK3NKYKWW9XTPQYAF41N?githubOwnerId=1234'

Allowlist a Finding

Apply a policy exception when you accept the risk for a finding:

Allowlist Finding

post

Allowlists a finding

Path parameters

findingIdstringRequired

Query parameters

azureOrganizationIdstringOptional

The Azure organization ID

bitbucketWorkspaceIdstringOptional

The Bitbucket workspace ID

githubOwnerIdinteger · int64Optional

The Github owner ID

gitlabGroupIdinteger · int64Optional

The GitLab group ID

installationIdstringOptional

The Nullify installation ID

azureRepositoryIdstring[]Optional

githubRepositoryIdinteger · int64[]Optional

githubTeamIdinteger · int64Optional

bitbucketRepositoryIdstring[]Optional

Body

allowlistReasonstringRequired

The reason for allowlisting the finding

allowlistTypestring · enumRequiredPossible values:

Responses

200

application/json

linkstringRequired

A link to the pull request

titlestringRequired

The title of the pull request

versionstringRequired

400

Bad Request

application/json

403

Forbidden

application/json

404

Not Found

application/json

500

Internal Server Error

application/json

post

/sast/findings/{findingId}/allowlist

POST /sast/findings/{findingId}/allowlist HTTP/1.1
Content-Type: application/json
Accept: */*
Content-Length: 47

{
  "allowlistReason": "text",
  "allowlistType": "AI"
}

{
  "link": "text",
  "title": "text",
  "version": "text"
}

curl -s -X POST \
  -H "Accept: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"reason": "Risk accepted for legacy service"}' \
  'https://api.<TENANT>.nullify.ai/sast/findings/01J6EEXK3NKYKWW9XTPQYAF41N/allowlist?githubOwnerId=1234'

Trigger Autofix

Request a remediation patch for supported languages:

Post Finding AutoFix

post

Creates a pull request to fix a given finding

Path parameters

findingIdstringRequired

Query parameters

azureOrganizationIdstringOptional

The Azure organization ID

bitbucketWorkspaceIdstringOptional

The Bitbucket workspace ID

githubOwnerIdinteger · int64Optional

The Github owner ID

gitlabGroupIdinteger · int64Optional

The GitLab group ID

installationIdstringOptional

The Nullify installation ID

azureRepositoryIdstring[]Optional

githubRepositoryIdinteger · int64[]Optional

githubTeamIdinteger · int64Optional

bitbucketRepositoryIdstring[]Optional

Body

messagestringRequired

originCampaignIdstringRequired

reasoningstringRequired

Responses

200

application/json

autoFixStatestring · enumRequiredPossible values:

errorstringRequired

versionstringRequired

400

Bad Request

application/json

403

Forbidden

application/json

500

Internal Server Error

application/json

post

/sast/findings/{findingId}/autofix/fix

POST /sast/findings/{findingId}/autofix/fix HTTP/1.1
Content-Type: application/json
Accept: */*
Content-Length: 421

{
  "assignees": [
    {
      "email": "text",
      "id": "text",
      "isBot": true,
      "name": "text",
      "provider": {
        "azure": {
          "id": "text"
        },
        "bitBucket": {
          "id": "text"
        },
        "gitHub": {
          "id": 1,
          "nodeId": "text"
        },
        "gitlab": {
          "id": 1
        },
        "id": "Nullify",
        "jira": {
          "id": "text"
        },
        "linear": {
          "id": "text"
        },
        "okta": {
          "id": "text"
        },
        "slack": {
          "id": "text"
        },
        "teams": {
          "id": "text",
          "teamIDs": [
            "text"
          ]
        }
      },
      "slug": "text",
      "username": "text"
    }
  ],
  "message": "text",
  "originCampaignId": "text",
  "reasoning": "text"
}

{
  "autoFixState": "none",
  "error": "text",
  "version": "text"
}

curl -s -X POST \
  -H "Accept: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  'https://api.<TENANT>.nullify.ai/sast/findings/01J6EEXK3NKYKWW9XTPQYAF41N/autofix/fix?githubOwnerId=1234'

Finding Events

Review every decision applied to a finding (status changes, tickets, suppressions):

Get Finding Events

get

Returns a list of events for a given finding.

Path parameters

findingIdstringRequired

Query parameters

azureOrganizationIdstringOptional

The Azure organization ID

bitbucketWorkspaceIdstringOptional

The Bitbucket workspace ID

githubOwnerIdinteger · int64Optional

The Github owner ID

gitlabGroupIdinteger · int64Optional

The GitLab group ID

installationIdstringOptional

The Nullify installation ID

azureRepositoryIdstring[]Optional

githubRepositoryIdinteger · int64[]Optional

githubTeamIdinteger · int64Optional

bitbucketRepositoryIdstring[]Optional

Responses

200

application/json

numItemsintegerRequired

versionstringRequired

400

Bad Request

application/json

403

Forbidden

application/json

500

Internal Server Error

application/json

get

/sast/findings/{findingId}/events

GET /sast/findings/{findingId}/events HTTP/1.1
Accept: */*

{
  "events": [
    {
      "data": null,
      "id": "text",
      "time": "text",
      "timestampUnix": 1,
      "type": "account-scan-completed"
    }
  ],
  "numItems": 1,
  "version": "text"
}

curl -s \
  -H "Accept: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  'https://api.<TENANT>.nullify.ai/sast/findings/01J6EEXK3NKYKWW9XTPQYAF41N/events?githubOwnerId=1234'

Link Pentester Results

Attach manual pentester evidence to an existing code review finding:

Update SAST Finding With Pentest Result

post

Update SAST finding with pentest result

Path parameters

findingIdstringRequired

Query parameters

azureOrganizationIdstringOptional

The Azure organization ID

bitbucketWorkspaceIdstringOptional

The Bitbucket workspace ID

githubOwnerIdinteger · int64Optional

The Github owner ID

gitlabGroupIdinteger · int64Optional

The GitLab group ID

installationIdstringOptional

The Nullify installation ID

azureRepositoryIdstring[]Optional

githubRepositoryIdinteger · int64[]Optional

githubTeamIdinteger · int64Optional

bitbucketRepositoryIdstring[]Optional

Body

Responses

204

No Content

403

Forbidden

application/json

500

Internal Server Error

application/json

post

/sast/findings/{findingId}/pentest

POST /sast/findings/{findingId}/pentest HTTP/1.1
Content-Type: application/json
Accept: */*
Content-Length: 95

{
  "pentest": {
    "logs": [
      {
        "logs": [],
        "summary": "text"
      }
    ],
    "report": "text",
    "reproductionScript": "text"
  }
}

No content

curl -s -X POST \
  -H "Accept: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"engagementId": "01J6EEXK3N6A1Q4JH1JHT0TK5X", "status": "confirmed"}' \
  'https://api.<TENANT>.nullify.ai/sast/findings/01J6EEXK3NKYKWW9XTPQYAF41N/pentest?githubOwnerId=1234'

PreviousAdmin NextDependency Analysis API

Last updated 4 months ago

hashtagBase URL

hashtagEvents

hashtagGet SAST Events

hashtagList Findings

hashtagGet SAST Findings

hashtagGet a Finding

hashtagGet Finding

hashtagAllowlist a Finding

hashtagAllowlist Finding

hashtagTrigger Autofix

hashtagPost Finding AutoFix

hashtagFinding Events

hashtagGet Finding Events

hashtagLink Pentester Results

hashtagUpdate SAST Finding With Pentest Result

Base URL

Events

Get SAST Events

List Findings

Get SAST Findings

Get a Finding

Get Finding

Allowlist a Finding

Allowlist Finding

Trigger Autofix

Post Finding AutoFix

Finding Events

Get Finding Events

Link Pentester Results

Update SAST Finding With Pentest Result