Dependency Analysis API

Query dependency analysis events and findings via the Nullify API

Current endpoints use both the /sca & classifier/deps prefixes. /sca prefixed endpoints include detailed findings and remediation methods while classifier/deps provide methods for searching source history.

Base URL

https://api.<TENANT>.nullify.ai

List Active Dependencies

List org wide active package dependencies org wide (paginated):

List Tenant Wide Active Dependencies

get

Returns dependencies that are active across all repositories/projects.

Query parameters

azureOrganizationIdstringOptional

The Azure organization ID

bitbucketWorkspaceIdstringOptional

The Bitbucket workspace ID

githubOwnerIdinteger · int64Optional

The Github owner ID

gitlabGroupIdinteger · int64Optional

The GitLab group ID

installationIdstringOptional

The Nullify installation ID

azureRepositoryIdstring[]Optional

githubRepositoryIdinteger · int64[]Optional

githubTeamIdinteger · int64Optional

bitbucketRepositoryIdstring[]Optional

pageSizeinteger · int32Optional

cursorstringOptional

Responses

200

application/json

nextCursorstringRequired

numItemsintegerRequired

versionstringRequired

400

Bad Request

application/json

403

Forbidden

application/json

500

Internal Server Error

application/json

get

/classifier/deps/active

GET /classifier/deps/active HTTP/1.1
Accept: */*

{
  "dependencies": [
    {
      "direct": true,
      "ecosystem": "text",
      "introducedAt": "2026-03-05T12:14:35.231Z",
      "introducedByCommit": "text",
      "name": "text",
      "projectId": "text",
      "projectName": "text",
      "purl": "text",
      "removedAt": "2026-03-05T12:14:35.231Z",
      "removedByCommit": "text",
      "repoId": "text",
      "repositoryName": "text",
      "version": "text"
    }
  ],
  "nextCursor": "text",
  "numItems": 1,
  "version": "text"
}

curl -s \
  -H "Accept: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  'https://api.<TENANT>.nullify.ai/classifier/deps/active?githubOwnerId=1234'

List Dependency History

List org wide dependency occurrence windows (paginated):

List Tenant Wide Dependencies (Historical)

get

Returns dependency history across all repositories/projects.

Query parameters

azureOrganizationIdstringOptional

The Azure organization ID

bitbucketWorkspaceIdstringOptional

The Bitbucket workspace ID

githubOwnerIdinteger · int64Optional

The Github owner ID

gitlabGroupIdinteger · int64Optional

The GitLab group ID

installationIdstringOptional

The Nullify installation ID

azureRepositoryIdstring[]Optional

githubRepositoryIdinteger · int64[]Optional

githubTeamIdinteger · int64Optional

bitbucketRepositoryIdstring[]Optional

pageSizeinteger · int32Optional

cursorstringOptional

Responses

200

application/json

nextCursorstringRequired

numItemsintegerRequired

versionstringRequired

400

Bad Request

application/json

403

Forbidden

application/json

500

Internal Server Error

application/json

get

/classifier/deps

GET /classifier/deps HTTP/1.1
Accept: */*

{
  "dependencies": [
    {
      "direct": true,
      "ecosystem": "text",
      "introducedAt": "2026-03-05T12:14:35.231Z",
      "introducedByCommit": "text",
      "name": "text",
      "projectId": "text",
      "projectName": "text",
      "purl": "text",
      "removedAt": "2026-03-05T12:14:35.231Z",
      "removedByCommit": "text",
      "repoId": "text",
      "repositoryName": "text",
      "version": "text"
    }
  ],
  "nextCursor": "text",
  "numItems": 1,
  "version": "text"
}

curl -s \
  -H "Accept: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  'https://api.<TENANT>.nullify.ai/classifier/deps?githubOwnerId=1234'

Get package exposure

List projects with dependency exposure (active and historical) matching the ecosystem/package & semver range query:

Global package exposure by version filter (semver or hash)

get

Returns exposure windows across all repositories/projects intersecting a version filter (server-side filtering).

Query parameters

azureOrganizationIdstringOptional

The Azure organization ID

bitbucketWorkspaceIdstringOptional

The Bitbucket workspace ID

githubOwnerIdinteger · int64Optional

The Github owner ID

gitlabGroupIdinteger · int64Optional

The GitLab group ID

installationIdstringOptional

The Nullify installation ID

azureRepositoryIdstring[]Optional

githubRepositoryIdinteger · int64[]Optional

githubTeamIdinteger · int64Optional

bitbucketRepositoryIdstring[]Optional

ecosystemstring · nullableOptional

namestring · nullableOptional

rangestring · nullableOptional

Responses

200

application/json

numItemsintegerRequired

versionstringRequired

400

Bad Request

application/json

403

Forbidden

application/json

500

Internal Server Error

application/json

get

/classifier/deps/exposure

GET /classifier/deps/exposure HTTP/1.1
Accept: */*

{
  "numItems": 1,
  "version": "text",
  "windows": [
    {
      "ecosystem": "text",
      "fromCommit": "text",
      "fromTime": "2026-03-05T12:14:35.231Z",
      "name": "text",
      "projectId": "text",
      "projectName": "text",
      "repoId": "text",
      "repositoryName": "text",
      "toCommit": "text",
      "toTime": "2026-03-05T12:14:35.231Z",
      "version": "text"
    }
  ]
}

curl -s \
  -H "Accept: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  'https://api.<TENANT>.nullify.ai/classifier/deps/exposure?githubOwnerId=123&ecosystem=npm&name=react&range=>=0.0.0'

Events

Track dependency alerts, suppressions, and auto-remediation updates:

Get SCA Events

get

Returns SCA events after a specified timestamp or event ID. All events are returned if no timestamp or event ID is provided. A maximum of 100 events can be returned per request.

Query parameters

nextTokenstring · nullableOptional

limitinteger · nullableOptional

fromTimestring · nullableOptional

eventTypestring[]Optional

fileOwnerNamestring[]Optional

sortstring · nullableOptional

azureOrganizationIdstringOptional

The Azure organization ID

bitbucketWorkspaceIdstringOptional

The Bitbucket workspace ID

githubOwnerIdinteger · int64Optional

The Github owner ID

gitlabGroupIdinteger · int64Optional

The GitLab group ID

installationIdstringOptional

The Nullify installation ID

azureRepositoryIdstring[]Optional

githubRepositoryIdinteger · int64[]Optional

githubTeamIdinteger · int64Optional

bitbucketRepositoryIdstring[]Optional

Responses

200

application/json

nextTokenstringRequired

numItemsintegerRequired

versionstringRequired

400

Bad Request

application/json

403

Forbidden

application/json

500

Internal Server Error

application/json

get

/sca/events

GET /sca/events HTTP/1.1
Accept: */*

{
  "events": [
    {
      "branch": "text",
      "data": null,
      "id": "text",
      "repository": "text",
      "time": "text",
      "timestampUnix": 1,
      "type": "account-scan-completed"
    }
  ],
  "nextToken": "text",
  "numItems": 1,
  "version": "text"
}

curl -s \
  -H "Accept: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  'https://api.<TENANT>.nullify.ai/sca/events?githubOwnerId=1234'

List Findings

Fetch the current dependency findings (including reachability and policy status):

curl -s \
  -H "Accept: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  'https://api.<TENANT>.nullify.ai/sca/findings?githubOwnerId=1234&ecosystem=npm'

Get a Finding

Retrieve detailed metadata, including recommended upgrades and reachability reasoning:

curl -s \
  -H "Accept: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  'https://api.<TENANT>.nullify.ai/sca/findings/01J6EEXK3NKYKWW9XTPQYAF41N?githubOwnerId=1234'

Allowlist a Finding

Pause alerting when you accept the risk for a dependency finding:

curl -s -X POST \
  -H "Accept: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"expiresAt": "2025-12-31"}' \
  'https://api.<TENANT>.nullify.ai/sca/findings/01J6EEXK3NKYKWW9XTPQYAF41N/allowlist?githubOwnerId=1234'

Trigger Autofix

Generate an upgrade pull request with lockfile updates and changelog context:

curl -s -X POST \
  -H "Accept: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  'https://api.<TENANT>.nullify.ai/sca/findings/01J6EEXK3NKYKWW9XTPQYAF41N/autofix/fix?githubOwnerId=1234'

Finding Events

Audit every change applied to a dependency finding:

curl -s \
  -H "Accept: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  'https://api.<TENANT>.nullify.ai/sca/findings/01J6EEXK3NKYKWW9XTPQYAF41N/events?githubOwnerId=1234'

Container Findings

Dependency Analysis also evaluates container images. Use the container endpoints to fetch and triage those findings:

Get SCA Container Findings

get

Returns a filtered set of SCA container findings based on query parameters

Query parameters

nextTokenstring · nullableOptional

limitinteger · nullableOptional

packagestring · nullableOptional

fileOwnerNamestring[]Optional

branchstring · nullableOptional

workflowstring · nullableOptional

isFalsePositiveboolean · nullableOptional

isFixedboolean · nullableOptional

isAllowlistedboolean · nullableOptional

isResolvedboolean · nullableOptional

combination of isFixed, isFalsePositive and isAllowlisted

sortBystring · nullableOptional

sortstring · nullableOptional

azureOrganizationIdstringOptional

The Azure organization ID

bitbucketWorkspaceIdstringOptional

The Bitbucket workspace ID

githubOwnerIdinteger · int64Optional

The Github owner ID

gitlabGroupIdinteger · int64Optional

The GitLab group ID

installationIdstringOptional

The Nullify installation ID

azureRepositoryIdstring[]Optional

githubRepositoryIdinteger · int64[]Optional

githubTeamIdinteger · int64Optional

bitbucketRepositoryIdstring[]Optional

Responses

200

application/json

nextTokenstringRequired

numItemsintegerRequired

versionstringRequired

400

Bad Request

application/json

403

Forbidden

application/json

500

Internal Server Error

application/json

get

/sca/containers/findings

GET /sca/containers/findings HTTP/1.1
Accept: */*

{
  "findings": [
    {
      "aiDevTitle": "text",
      "aiTitle": "text",
      "allowlistReason": "text",
      "autoFixEndTime": "2026-03-05T12:14:35.231Z",
      "autoFixStartTime": "2026-03-05T12:14:35.231Z",
      "branch": "text",
      "commitHash": "text",
      "createdAt": "text",
      "fileOwners": [
        {
          "name": "text",
          "type": "email"
        }
      ],
      "filePath": "text",
      "id": "text",
      "imageMetadata": {
        "digest": "text",
        "distro": {
          "name": "text",
          "version": "text"
        },
        "fullReference": "text",
        "registryDomain": "text",
        "registryPath": "text",
        "shortName": "text",
        "tag": "text"
      },
      "isAllowlisted": true,
      "isArchived": true,
      "isFalsePositive": true,
      "isLatest": true,
      "isResolved": true,
      "line": 1,
      "numCritical": 1,
      "numHigh": 1,
      "numLow": 1,
      "numMedium": 1,
      "numUnknown": 1,
      "priorityLabel": "text",
      "priorityOverride": "text",
      "priorityScore": 1,
      "projectId": "text",
      "projectName": "text",
      "pullRequestsAutofix": [
        {
          "createdAt": "2026-03-05T12:14:35.231Z",
          "explanation": "text",
          "firstReviewedAt": "2026-03-05T12:14:35.231Z",
          "hasCustomerCommit": true,
          "hasCustomerFeedback": true,
          "id": 1,
          "lastReviewedAt": "2026-03-05T12:14:35.231Z",
          "link": "text",
          "mergedAt": "2026-03-05T12:14:35.231Z",
          "pullRequestProvider": {
            "azure": {
              "pullRequestId": 1
            },
            "bitbucket": {
              "pullRequestId": 1
            },
            "github": {
              "pullRequestNodeId": "text",
              "pullRequestNumber": 1
            },
            "gitlab": {
              "mergeRequestNumber": 1
            },
            "id": "Nullify"
          },
          "status": "open",
          "updatedAt": "2026-03-05T12:14:35.231Z"
        }
      ],
      "repository": "text",
      "repositoryId": "text",
      "suggestedImages": [
        {
          "digest": "text",
          "distro": {
            "name": "text",
            "version": "text"
          },
          "fullReference": "text",
          "registryDomain": "text",
          "registryPath": "text",
          "shortName": "text",
          "tag": "text"
        }
      ],
      "tenantId": "text",
      "ticket": {
        "azure": {},
        "github": {
          "issueId": 1,
          "nodeId": "text",
          "number": 1,
          "repositoryName": "text",
          "url": "text"
        },
        "gitlab": {},
        "jira": {
          "issueId": "text",
          "issueKey": "text",
          "url": "text"
        },
        "linear": {
          "issueId": "text",
          "teamId": "text",
          "url": "text"
        },
        "providerId": "Nullify"
      },
      "ticketState": "text",
      "triageEnd": "2026-03-05T12:14:35.231Z",
      "triageStart": "2026-03-05T12:14:35.231Z",
      "updatedAt": "text",
      "vulnerabilitiesCVEIds": [
        "text"
      ],
      "vulnerabilitiesMaxSeverity": "text",
      "workflow": "text"
    }
  ],
  "nextToken": "text",
  "numItems": 1,
  "version": "text"
}

curl -s \
  -H "Accept: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  'https://api.<TENANT>.nullify.ai/sca/containers/findings?githubOwnerId=1234&imageDigest=sha256:...'

PreviousCode Review API NextSecrets & Data API

Last updated 2 months ago

hashtagBase URL

hashtagList Active Dependencies

hashtagList Tenant Wide Active Dependencies

hashtagList Dependency History

hashtagList Tenant Wide Dependencies (Historical)

hashtagGet package exposure

hashtagGlobal package exposure by version filter (semver or hash)

hashtagEvents

hashtagGet SCA Events

hashtagList Findings

hashtagGet a Finding

hashtagAllowlist a Finding

hashtagTrigger Autofix

hashtagFinding Events

hashtagContainer Findings

hashtagGet SCA Container Findings

Base URL

List Active Dependencies

List Tenant Wide Active Dependencies

List Dependency History

List Tenant Wide Dependencies (Historical)

Get package exposure

Global package exposure by version filter (semver or hash)

Events

Get SCA Events

List Findings

Get a Finding

Allowlist a Finding

Trigger Autofix

Finding Events

Container Findings

Get SCA Container Findings