
Get Code Issues from Pull Requests Scans and CICD Runs

POST 

/api/v2/code-issues/code_review_scan

Request

Body

required
  • offset: A non-negative integer that indicates the number of items from the start of the results list to skip in the response. The offset parameter, together with the limit parameter, lets you paginate the results. For example, an offset of 100 and a limit of 200 return issues 101 through 300 of the matching issues list. The default value is 0, which returns results starting from the first issue.
  • limit: A non-negative integer that indicates the maximum number of issues from the results list to return. The default value is 100 and the maximum value is 10000. Use the hasNext field of the response to tell whether another page remains.
    filters object required

    Filters to retrieve selective issues. Use the following fields to filter the search results:

    • checkStatus: Security violation status filter. Filter scan results using a status value:
      • Error: Security violation was detected.
      • Passed: No security violation
      • Suppressed: A security issue was identified, but was acknowledged and intentionally suppressed.
      • FixPending: An automated fix has been issued to the security violation, and is currently being applied to the associated resource.
    • gitUsers: Git user filter. Filter security findings based on the Git user who modified the code or configuration files.
    • codeCategories: Code category filter. The same code category values that the search scopes field accepts are also available here as a filter.
    • secretsRiskFactors: Secrets risk factor filter:
      • PublicRepository: Secret was found in a public repository.
      • PrivateRepository: Secret was found in a private repository.
      • User: User who committed the secret.
      • Privileged: Secret is for a role with privileged access to a Cloud Service Provider account.
      • Valid: Secret has been validated as an active secret by the service provider.
      • Invalid: Secret received an invalid response when used against the service provider’s API.
      • Unknown: Secret that could not be verified.
      • FoundInHistory: Secret was found in the Git history but not in the most recent commit.
    • iacCategories (optional): Infrastructure as code categories filter:
      • IAM (Identity and Access Management): Issues related to IAM configurations.
      • Logging: Issues related to log management and monitoring.
      • Monitoring: Issues related to monitoring and observability configurations.
      • Networking: Issues related to network configurations, such as open ports, insecure protocols, or misconfigured security groups.
      • Kubernetes: Issues specific to Kubernetes cluster configurations.
      • General: Issues that do not fit into specific predefined categories. It may include issues related to best practices, compliance checks, or general security hygiene.
      • Serverless: Issues specific to serverless function configurations, such as function permissions or environment variable protection
      • Elasticsearch: Issues related to Elasticsearch configurations, such as exposed clusters, lack of encryption, or insecure access controls.
      • Storage: Issues related to storage configurations, such as public buckets, insecure access policies, or encryption settings.
      • Secrets: Issues related to the handling and management of sensitive information, such as API keys, passwords, or cryptographic keys.
      • Public: Issues related to public-facing resources, such as exposed APIs, publicly accessible assets, or misconfigured CDN (Content Delivery Network) settings.
      • Vulnerabilities: Vulnerabilities in your code or infrastructure, including issues related to outdated software versions, known security vulnerabilities, or insecure dependencies.
      • Compute: Issues related to compute resources, including virtual machine configurations, instance roles, or container security.
      • VCS (Version Control Systems): Issues associated with version control systems, such as Git repositories.
      • BuildIntegrity: Issues related to the integrity of your build processes or artifacts. It involves ensuring that the build pipeline is secure, free from tampering, and follows secure build practices.
      • Licenses: Issues related to open-source licenses in your codebase.
      • Drift: Issues related to configuration drift, where the actual deployed infrastructure deviates from the desired state defined in the IaC templates.
      • Policy3D: Issues related to 3rd-party policies or standards. It involves evaluating and ensuring compliance with external security policies or regulatory frameworks.
    • severities: Severity filter. Values are passed in upper case (CRITICAL, HIGH, MEDIUM, LOW, INFO):
      • Critical: High-risk vulnerabilities or misconfigurations that could lead to significant security breaches or data leaks. These issues require immediate attention and remediation.
      • High: Significant security issues that have the potential to be exploited or result in significant damage if left unaddressed. These findings should be addressed as a priority.
      • Medium: Issues that pose a potential security risk that are less severe than Critical and High. Remediation of these issues should be prioritized, but they may not require immediate attention.
      • Low: Low severity indicates issues that have a minimal impact on security or are relatively low-risk. While they may not pose an immediate threat, it is still recommended to address them to maintain a robust security posture.
      • Info: Info severity is used for informational findings or recommendations that do not pose an immediate security risk but provide helpful guidance, best practices, or suggestions for optimization. These findings can be considered as part of ongoing security hygiene efforts.
    • iacTags: Filter violation based on the tag assigned to the resource.
    • fileTypes: File type filter. Use one of the available file type strings to retrieve issues with files of that type.
    • benchmarks: Benchmarks filter. Use one of the available benchmark strings to retrieve issues based on the corresponding security benchmark or compliance standard.
    • iacLabels: IaC filter. Use one of the following IaC labels to retrieve corresponding issues:
      • CustomPolicy: whether or not the presented security issue is associated with a custom policy created by the user.
      • HasFix: whether or not a fix suggestion is provided for the presented security issue.
    • vulnerabilityRiskFactors: Vulnerability Risk Factors filter. Use one of the following vulnerability risk factor labels to retrieve corresponding issues:
      • AttackComplexity: Level of effort or skill required for an attacker to exploit a vulnerability. A higher complexity indicates that it is more challenging for an attacker to exploit the vulnerability.
      • AttackVector: Path or means through which an attacker can exploit a vulnerability. It describes the method or entry point an attacker can use to access the vulnerable system or application.
      • DoS (Denial of Service): DoS vulnerabilities that can be exploited to disrupt or disable the normal functioning of a system or application.
      • HasFix: Vulnerabilities that have a fix or solution, such as a patch, update, or recommended mitigation steps to address the vulnerability.
      • RemoteExecution: Vulnerabilities that can be exploited remotely, without direct physical or local access to the target system.
      • ExploitInTheWild: Vulnerabilities with reports of active exploits in real-world attacks. If a vulnerability has an exploit in the wild, it means that attackers are actively taking advantage of the vulnerability.
      • ExploitPOC: Vulnerabilities for which proof-of-concept exploit code or a demonstration exists that shows how the vulnerability can be exploited.
    • licenseType: License type filter. Use one of the available license type strings to retrieve identified violations affiliated with the specified license type.
    • repositories: Repositories filter for retrieving issues detected in PR scans and CICD runs on specific repository.
    • runId (required): Scan ID filter. Provide a PR scan or CICD run ID to retrieve issues from the corresponding PR scan or CICD run.
    • enforcementLevel: Scan Status filter. Use one of the following scan statuses to retrieve corresponding issues:
      • HARD_FAIL: The HARD_FAIL enforcement level indicates that a policy violation must be addressed, and it will result in a failure condition. When a violation is categorized as HARD_FAIL, it means that it is considered critical and must be resolved before the scan or evaluation can pass.
      • SOFT_FAIL: The SOFT_FAIL enforcement level represents a policy violation that is not critical but should still be addressed. While a SOFT_FAIL violation does not result in an immediate failure condition, it is considered a warning or advisory, indicating a potential security or compliance issue that needs attention.
      • PASS: The PASS enforcement level indicates that a policy is being evaluated, and no violations or issues have been identified. When a policy evaluation results in a PASS status, it means that the criteria defined by the policy have been met, and no corrective action is required.
      • UNKNOWN: The UNKNOWN enforcement level signifies that the status or evaluation of a policy could not be determined. This may occur due to various reasons, such as missing or incomplete information, unsupported configurations, or other limitations in the scanning process.
    benchmarks EnumValues_BenchmarkEnum_ (string)[]

    Possible values: [CIS KUBERNETES V1.5, CIS AWS V1.2, CIS AZURE V1.1, PCI-DSS V3.2, NIST-800-53, ISO27001, SOC2, CIS GCP V1.1, HIPAA, FEDRAMP (MODERATE), PCI-DSS V3.2.1, CIS AWS V1.3, CIS AZURE V1.3, CIS DOCKER V1.2, CIS EKS V1.1, CIS GKE V1.1, CIS KUBERNETES V1.6, SLSA]

    checkStatus CheckStatus (string)

    Possible values: [Error, Passed, Suppressed, FixPending]

    codeCategories ProjectsV2CodeCategory (string)[]

    Possible values: [IacMisconfiguration, IacExternalModule, ImageReferencerVul, ImageReferencerLicenses, Vulnerabilities, Licenses, Secrets, BuildIntegrityRepo, BuildIntegrityOrg, BuildIntegrity, Weaknesses]

    cwes string[]
    enforcementLevel ScanStatuses (string)[]

    Possible values: [HARD_FAIL, SOFT_FAIL, PASS, UNKNOWN]

    fileTypes EnumValues_FileMetadata-at-type_ (string)[]

    Possible values: [build.gradle, gradle.properties, build.gradle.kts, pom.xml, requirements.txt, package-lock.json, package.json, bower.json, go.sum, go.mod, tf, json, yml, yaml, template, .checkov.baseline, hcl, Dockerfile, gradle-wrapper.properties, METADATA, bicep, Pipfile.lock, Pipfile, yarn.lock, Gemfile, Gemfile.lock, gemspec, env, settings.py, main.py, application.py, config.py, app.js, config.js, dev.js, db.properties, application.properties, private.pem, privatekey.pem, index.php, config.php, config.xml, strings.xml, app.module.ts, environment.ts, tpl, tfvars, unknown, csproj, packages.config, Directory.Packages.props, paket.dependencies, paket.references, paket.lock, sln, config, composer.json, composer.lock]

    fixableOnly boolean
    gitUsers string[]
    iacCategories EnumValues_IncidentConfiguration-at-category_ (string)[]

    Possible values: [IAM, Compute, Monitoring, Networking, Kubernetes, General, Storage, Secrets, Public, Vulnerabilities, Drift, BuildIntegrity, Licenses, Logging, Serverless, Elasticsearch, VCS, Policy3D, Sast, Artifact Integrity Validation, Cider Kill Chain, Credential Hygiene, Data Protection, Dependency Chain Abuse, Dependency Chains, Flow Control Mechanisms, Input Validation, Patches & Updates, Pipeline-Based Access Controls (PBAC), Pipeline Flow Control, Poisoned Pipeline Execution (PPE), System Configuration, Supply Chain]

    iacLabels EnumValues_IacLabels_ (string)[]

    Possible values: [CustomPolicy, HasFix]

    iacTags string[]
    licenseType LicenseEnum (string)[]

    Possible values: [OSI_APACHE, OSI_ARTISTIC, OSI_BSD, OSI_EFL, OSI_FDL, OSI_LGPL, OSI_ZPL, CC-BY-SA-2.1-JP, GPL-2.0-or-later, AMDPLPA, CC-BY-SA-3.0-DE, ECL-2.0, EPICS, eCos-2.0, GPL-3.0-with-GCC-exception, KiCad-libraries-exception, GFDL-1.3-invariants-or-later, APSL-1.1, MIT, CC-BY-NC-ND-3.0-DE, GPL-3.0, CC-BY-SA-1.0, ADSL, MIT-CMU, Linux-man-pages-copyleft, diffmark, GPL-2.0, HPND, OSL-1.0, ClArtistic, IJG, IPL-1.0, NCGL-UK-2.0, CC-BY-2.5, LGPL-3.0-or-later, LiLiQ-Rplus-1.1, CC0-1.0, Glide, ImageMagick, CECILL-1.1, AGPL-3.0-only, eGenix, ANTLR-PD, CC-BY-NC-SA-4.0, CECILL-C, GFDL-1.3-no-invariants-only, SHL-0.5, MIT-Modern-Variant, CC-BY-3.0-NL, MIT-feh, SMLNJ, CC-BY-ND-2.0, HaskellReport, AGPL-1.0, BitTorrent-1.0, CDL-1.0, SISSL, CC-BY-SA-3.0, C-UDA-1.0, YPL-1.1, AGPL-1.0-or-later, NLOD-2.0, Unlicense, D-FSL-1.0, Linux-OpenIB, GPL-1.0-only, libtiff, Plexus, BSD-1-Clause, MPL-2.0, Intel-ACPI, Barr, OGL-Canada-2.0, ANTLR-PD-fallback, Zed, MIT-open-group, LGPL-2.1-or-later, mpich2, Motosoto, OGDL-Taiwan-1.0, PDDL-1.0, GFDL-1.3-invariants-only, EUPL-1.1, EUPL-1.0, Entessa, CC-BY-NC-ND-2.0, W3C, GFDL-1.2-no-invariants-or-later, Saxpath, GFDL-1.3-only, FreeImage, CNRI-Python, Apache-1.0, OLDAP-1.4, JSON, GPL-3.0-or-later, DSDP, MPL-2.0-no-copyleft-exception, Condor-1.1, Imlib2, iMatix, OLDAP-2.6, Rdisc, LiLiQ-P-1.1, xpp, FDK-AAC, CC-BY-NC-3.0, Jam, GFDL-1.3-no-invariants-or-later, GFDL-1.3-or-later, ICU, LGPL-2.1, AFL-2.1, JasPer-2.0, SSPL-1.0, CC-BY-SA-2.0, BSD-3-Clause-Clear, OSL-2.0, CC-BY-SA-4.0, SISSL-1.2, ODC-By-1.0, ZPL-2.1, QPL-1.0, LGPL-2.0-only, CC-BY-SA-2.5, Zimbra-1.3, MTLL, Eurosym, NPL-1.0, blessing, GFDL-1.3, GPL-1.0+, GFDL-1.1-no-invariants-only, CC-BY-NC-ND-3.0, Xerox, Unicode-TOU, Aladdin, CC-BY-NC-SA-2.5, Artistic-1.0, BSL-1.0, CC-BY-ND-2.5, NetCDF, MulanPSL-2.0, UCL-1.0, PostgreSQL, GFDL-1.1-only, RHeCos-1.1, Sendmail-8.23, psfrag, SNIA, EPL-2.0, 0BSD, MPL-1.0, GFDL-1.1-or-later, XFree86-1.1, WTFPL, CDLA-Sharing-1.0, CAL-1.0, CERN-OHL-S-2.0, 
CC-BY-NC-SA-3.0-DE, CC-BY-NC-1.0, Artistic-2.0, BUSL-1.1, EUPL-1.2, GPL-2.0-with-font-exception, LGPL-2.0+, AGPL-1.0-only, SGI-B-1.0, W3C-20150513, Adobe-2006, xinetd, BSD-3-Clause-No-Military-License, DRL-1.0, LGPL-2.0, MirOS, PolyForm-Small-Business-1.0.0, CDLA-Permissive-2.0, LiLiQ-R-1.1, Vim, curl, OLDAP-2.2.2, CATOSL-1.1, CC-BY-ND-4.0, CC-BY-NC-SA-2.0-UK, APSL-1.0, GPL-2.0-with-classpath-exception, OLDAP-2.0.1, NIST-PD-fallback, Glulxe, NPL-1.1, CC-BY-NC-ND-1.0, CC-BY-NC-2.5, Parity-6.0.0, CC-BY-NC-SA-3.0-IGO, CPAL-1.0, CC-BY-2.5-AU, SWL, LAL-1.2, NRL, OGL-UK-3.0, MS-RL, OSL-2.1, LPL-1.0, OSET-PL-2.1, OFL-1.0-no-RFN, OML, Arphic-1999, BSD-2-Clause, MulanPSL-1.0, EPL-1.0, BSD-4-Clause-Shortened, Elastic-2.0, NLPL, LPPL-1.2, SchemeReport, Multics, Net-SNMP, SHL-0.51, MIT-advertising, GPL-3.0-with-autoconf-exception, MS-PL, wxWindows, ZPL-1.1, ISC, CC-BY-NC-SA-3.0, GPL-2.0-only, Giftware, CPL-1.0, EUDatagrid, SGI-B-1.1, CC-BY-1.0, bzip2-1.0.5, libselinux-1.0, SMPPL, Latex2e, Watcom-1.0, VSL-1.0, CC-BY-NC-SA-1.0, FreeBSD-DOC, Nunit, LPPL-1.0, OLDAP-2.4, TAPR-OHL-1.0, OLDAP-2.3, CECILL-2.0, LPPL-1.3a, Qhull, CNRI-Python-GPL-Compatible, Frameworx-1.0, CDLA-Permissive-1.0, X11-distribute-modifications-variant, EFL-1.0, DOC, GFDL-1.2-or-later, BSD-3-Clause-No-Nuclear-License, LPPL-1.1, CC-BY-3.0-US, TOSL, Spencer-99, copyleft-next-0.3.1, FSFAP, CC-BY-NC-ND-4.0, OLDAP-2.8, Bahyph, Newsletr, CC-BY-NC-4.0, OFL-1.1, TU-Berlin-2.0, GFDL-1.2-invariants-or-later, BSD-2-Clause-NetBSD, Crossword, YPL-1.0, GPL-2.0-with-bison-exception, NIST-PD, IPA, GFDL-1.1-invariants-or-later, CC-BY-NC-ND-3.0-IGO, BSD-Source-Code, BitTorrent-1.1, AFL-3.0, Zend-2.0, GFDL-1.1, HPND-sell-variant, Abstyles, Interbase-1.0, MakeIndex, EFL-2.0, LPL-1.02, OLDAP-2.2, LGPL-3.0-only, LPPL-1.3c, libpng-2.0, Hippocratic-2.1, BSD-3-Clause-No-Nuclear-License-2014, AAL, NOSL, CC-BY-3.0-AT, HTMLTIDY, GPL-1.0-or-later, RPL-1.5, BSD-4-Clause-UC, Wsuipa, Cube, SCEA, IBM-pibs, Borceux, CC-BY-ND-3.0-DE, 
CC-BY-NC-SA-2.0-FR, Afmparse, CUA-OPL-1.0, CC-BY-SA-3.0-AT, LGPL-2.1+, OLDAP-2.7, GLWTPL, CC-BY-NC-SA-2.0, OCCT-PL, CNRI-Jython, Leptonica, OFL-1.0-RFN, OpenSSL, RSA-MD, TORQUE-1.1, X11, BSD-Protection, JPNIC, App-s2p, GFDL-1.2-only, CPOL-1.02, CC-BY-ND-3.0, GPL-1.0, Zlib, Python-2.0, OLDAP-1.3, Mup, LGPLLR, CC-BY-4.0, OCLC-2.0, OGTSL, DL-DE-BY-2.0, OFL-1.0, GFDL-1.2-invariants-only, Sendmail, CC-BY-NC-3.0-DE, VOSTROM, Beerware, FSFULLR, Fair, BSD-2-Clause-FreeBSD, Community-Spec-1.0, SSH-short, FSFUL, GFDL-1.1-no-invariants-or-later, CrystalStacker, GFDL-1.1-invariants-only, Ruby, BSD-3-Clause-Open-MPI, Baekmuk, Libpng, GD, OLDAP-2.1, Sleepycat, CERN-OHL-P-2.0, GFDL-1.2, CC-BY-2.0, SPL-1.0, OLDAP-1.2, etalab-2.0, TMate, NCSA, NBPL-1.0, Intel, GPL-3.0-only, APSL-2.0, GPL-2.0-with-autoconf-exception, TU-Berlin-1.0, Noweb, SSH-OpenSSH, BSD-3-Clause-Attribution, PSF-2.0, psutils, CERN-OHL-1.2, SimPL-2.0, OLDAP-2.2.1, SGI-B-2.0, GPL-2.0+, COIL-1.0, Naumen, CC-BY-ND-1.0, Unicode-DFS-2016, AFL-1.2, OSL-3.0, OFL-1.1-RFN, SAX-PD, Xnet, AML, Apache-1.1, NAIST-2003, NGPL, ZPL-2.0, OFL-1.1-no-RFN, APSL-1.2, MPL-1.1, BlueOak-1.0.0, Unicode-DFS-2015, PHP-3.01, GL2PS, NTP-0, BSD-4-Clause, TCL, RSCPL, MIT-enna, CERN-OHL-1.1, OSL-1.1, BSD-3-Clause-LBNL, Bitstream-Vera, Adobe-Glyph, MITNFA, CC-BY-3.0-DE, CECILL-1.0, SugarCRM-1.1.3, CAL-1.0-Combined-Work-Exception, BSD-3-Clause, Info-ZIP, LGPL-3.0+, Zimbra-1.4, zlib-acknowledgement, Spencer-94, MIT-0, AGPL-3.0, CC-PDDC, CC-BY-NC-2.0, mplus, ODbL-1.0, RPSL-1.0, APAFML, OGL-UK-1.0, CDDL-1.1, bzip2-1.0.6, LGPL-2.1-only, OGC-1.0, BSD-3-Clause-No-Nuclear-Warranty, ErlPL-1.1, ECL-1.0, CERN-OHL-W-2.0, OGL-UK-2.0, O-UDA-1.0, NTP, NASA-1.3, copyleft-next-0.3.0, TCP-wrappers, Apache-2.0, CC-BY-3.0, CECILL-B, Nokia, GPL-3.0+, GPL-2.0-with-GCC-exception, OPL-1.0, OPUBL-1.0, UPL-1.0, AFL-2.0, LGPL-2.0-or-later, CECILL-2.1, gnuplot, Caldera, PolyForm-Noncommercial-1.0.0, OLDAP-2.0, CDDL-1.0, APL-1.0, dvipdfm, XSkat, Spencer-86, NLOD-1.0, 
W3C-19980720, BSD-2-Clause-Patent, AMPAS, AGPL-3.0-or-later, RPL-1.1, Parity-7.0.0, OLDAP-1.1, AFL-1.1, Artistic-1.0-cl8, FTL, Dotseqn, CC-BY-NC-ND-2.5, GFDL-1.2-no-invariants-only, PHP-3.0, CC-BY-SA-2.0-UK, BSD-3-Clause-Modification, LAL-1.3, gSOAP-1.3b, StandardML-NJ, NPOSL-3.0, LGPL-3.0, Artistic-1.0-Perl, OLDAP-2.5, BSD-2-Clause-Views]

    owasp string[]
    repositories string[]

    Array length: >= 1, <= 1 (the array must contain exactly one repository)

    runId double required
    sastLabels SastLabelValue (string)[]

    Possible values: [CustomPolicy, CWE top 25, OWASP top 10]

    secretsRiskFactors SecretsRiskFactor (string)[]

    Possible values: [PublicRepository, PrivateRepository, User, Privileged, Valid, Invalid, Unknown, FoundInHistory]

    severities Severity (string)[]

    Possible values: [CRITICAL, HIGH, MEDIUM, LOW, INFO]

    vulnerabilityRiskFactors VulnerabilityRiskFactor (string)[]

    Possible values: [AttackComplexity, AttackVector, DoS, HasFix, RemoteExecution, ExploitInTheWild, ExploitPOC, IsUsed, ReachableFunction, ManifestInRuntime, RepositoryInRuntime, PackageInRuntime]

    search object

    The search field allows you to search for a given term or set of terms across issues of a particular type or types. The search field consists of the term and the scopes fields.

    • term: required. It can be a single word, or multiple words joined by the ‘or’ and ‘and’ logical operators.
    • scopes: field is optional. You can provide one or more code categories in this field. The platform searches for the term across issues that have the code categories you provide. The following code category scopes are applicable to this endpoint:
      • IacMisconfiguration: Issues with Infrastructure-as-Code (IaC or iac) templates and scripts that provision and manage cloud resources.
      • Vulnerabilities: Findings related to known security vulnerabilities in open-source packages used in applications that could be exploited by attackers.
      • BuildIntegrity: Findings related to the integrity and security of the build pipeline or the software supply chain.
      • Secrets: Findings related to the handling and management of sensitive information, such as API keys, passwords, or cryptographic keys, within code files.
      • Licenses: Filter value to retrieve issues related to the non-compliance with license requirements.
    scopes ProjectsV2CodeCategory (string)[]

    Possible values: [IacMisconfiguration, IacExternalModule, ImageReferencerVul, ImageReferencerLicenses, Vulnerabilities, Licenses, Secrets, BuildIntegrityRepo, BuildIntegrityOrg, BuildIntegrity, Weaknesses]

    term string required
    limit double
    offset double

Responses

Schema
    data object[] required
  • Array [
  • anyOf
    firstDetected date-time required
    labels IacLabels (string)[] required

    Possible values: [CustomPolicy, HasFix]

    policy string required
    repository string
    resourceName string
    resourceScanType ResourceScanType (string)

    Possible values: [Runtime, Buildtime]

    resourceUuid string
    severity Severity (string) required

    Possible values: [CRITICAL, HIGH, MEDIUM, LOW, INFO]

    violationId string
  • ]
  • hasNext boolean required
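The following is an added example (not the vendor's SDK and not code from this page) showing how to build a request body that satisfies the constraints documented above (runId required, exactly one repository, offset >= 0, limit capped at 10000, enum filters restricted to the listed values) and how to walk every page by advancing offset until hasNext is false. The base URL, the x-redlock-auth token header used by the real transport, and the fake paged responses used for the offline demonstration are assumptions, not facts taken from this page.

```python
"""Added example: build a valid request body for
POST /api/v2/code-issues/code_review_scan and page through every issue.

Assumptions (not from the API page): the base URL, the x-redlock-auth
token header used for the real call, and the fake paged responses used
for the offline demonstration."""
import json
import urllib.request
from collections import Counter
from typing import Callable, Iterator

ENDPOINT = "/api/v2/code-issues/code_review_scan"
MAX_LIMIT = 10000
SEVERITIES = {"CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"}
CHECK_STATUSES = {"Error", "Passed", "Suppressed", "FixPending"}
ENFORCEMENT_LEVELS = {"HARD_FAIL", "SOFT_FAIL", "PASS", "UNKNOWN"}


def build_body(run_id: float, repository: str, *, severities=(), check_status=None,
               enforcement=(), term=None, scopes=(), offset=0, limit=100) -> dict:
    """Return a request body that respects the documented constraints:
    runId is required, repositories holds exactly one entry, offset >= 0,
    0 <= limit <= 10000, and enum filters only take the listed values."""
    if offset < 0 or not 0 <= limit <= MAX_LIMIT:
        raise ValueError("offset must be >= 0 and limit must be in 0..10000")
    if not repository:
        raise ValueError("repositories must contain exactly one repository")
    for name, values, allowed in (("severities", severities, SEVERITIES),
                                  ("enforcementLevel", enforcement, ENFORCEMENT_LEVELS)):
        bad = set(values) - allowed
        if bad:
            raise ValueError(f"{name}: unknown values {sorted(bad)}")
    if check_status is not None and check_status not in CHECK_STATUSES:
        raise ValueError(f"checkStatus: unknown value {check_status!r}")

    filters = {"runId": run_id, "repositories": [repository]}
    if severities:
        filters["severities"] = sorted(severities)
    if enforcement:
        filters["enforcementLevel"] = sorted(enforcement)
    if check_status is not None:
        filters["checkStatus"] = check_status
    body = {"filters": filters, "offset": offset, "limit": limit}
    if term:  # term may combine words with the 'and' / 'or' operators
        body["search"] = {"term": term, **({"scopes": list(scopes)} if scopes else {})}
    return body


def iter_issues(post: Callable[[dict], dict], run_id, repository,
                page_size=100, **filters) -> Iterator[dict]:
    """Yield every issue by advancing offset until hasNext is false.
    The offset advances by the number of items actually returned, and an
    empty page ends the loop even if hasNext is set, so a server that
    returns short pages cannot cause an infinite loop."""
    offset = 0
    while True:
        page = post(build_body(run_id, repository, offset=offset,
                               limit=page_size, **filters))
        data = page.get("data") or []
        yield from data
        if not data or not page.get("hasNext"):
            break
        offset += len(data)


def count_by_severity(issues) -> dict:
    """Summarise a list of response items by their severity field."""
    return dict(Counter(i["severity"] for i in issues))


def fixable(issues) -> list:
    """Items that carry the HasFix label, i.e. the ones with a suggested fix."""
    return [i for i in issues if "HasFix" in i.get("labels", [])]


def make_http_post(base_url: str, token: str) -> Callable[[dict], dict]:
    """Real transport. Assumption: the API accepts a JWT in x-redlock-auth."""
    url = base_url.rstrip("/") + ENDPOINT

    def post(body: dict) -> dict:
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(), method="POST",
            headers={"Content-Type": "application/json", "x-redlock-auth": token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return post


def fake_post(all_issues: list) -> Callable[[dict], dict]:
    """Constructed offline stand-in that slices a fixed list into pages."""
    def post(body: dict) -> dict:
        start, end = body["offset"], body["offset"] + body["limit"]
        return {"data": all_issues[start:end], "hasNext": end < len(all_issues)}
    return post


SAMPLE_ISSUES = [  # constructed sample data shaped like the response schema
    {"policy": f"policy-{i}", "severity": "HIGH" if i % 2 else "LOW",
     "labels": ["HasFix"] if i < 3 else [], "resourceScanType": "Buildtime",
     "firstDetected": "2024-01-01T00:00:00Z"} for i in range(5)]

if __name__ == "__main__":
    found = list(iter_issues(fake_post(SAMPLE_ISSUES), 12345, "org/repo",
                             page_size=2, severities=["HIGH", "LOW"]))
    print(count_by_severity(found), len(fixable(found)))
```

To run against a real tenant, replace fake_post(SAMPLE_ISSUES) with make_http_post(base_url, token) and pass the runId of the PR scan or CICD run; the paginator itself does not change. Advancing offset by the number of items returned rather than by the requested limit keeps the walk correct if a page comes back short, and stopping on an empty page guards against a response that reports hasNext without data.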