MergeBase’s Scans API provides REST access to scan data. Our Scans API is based on Nucleus Security’s “Custom Scan Import Format.” Note: you DO NOT need to be a user or customer of Nucleus Security to enable and integrate with this endpoint.
Every request must include an HTTP authorization header as follows:
X-Authorization: <api-key>
The api-key is provided from the “Enable MergeBase Rest Endpoint” section of the MergeBase configuration page.
Returns a list of instances with summary scan data for the customer associated with the API key.
JSON Data:
[
  {
    "instance_id": "12345",
    "name": "string",
    "environment": "string",
    "region": "string",
    "scan_date": "2019-05-14 19:18:22",
    "finding_count_critical": 2,
    "finding_count_high": 1,
    "finding_count_medium": 2,
    "finding_count_low": 0
  }
]
Returns the latest scan for the instance identified by instance-id (same as the scan file upload format).
JSON Data Example:
{
  "nucleus_import_version": "1",
  "scan_date": "2019-05-14 19:18:22",
  "scan_type": "Application",
  "scan_tool": "MergeBase",
  "scan_id": <instance-id>,
  "assets": [
    {
      "host_name": "Testing/Struts-Demo",
      "ip_address": "172.30.3.128",
      "host_fqdn": "ip-172-30-3-128.ec2.internal",
      "findings": [
        {
          "finding_number": "16064987443995965775",
          "finding_name": "CVE(s) found in .../fileupload@1.3.2",
          "finding_severity": "Critical",
          "finding_type": "Vuln",
          "finding_cve": "CVE-2016-1000031",
          "finding_description": "Component has 1 known vulnerability (1 rated critical)",
          "finding_output": "Package fileupload was found to be vulnerable ...",
          "finding_path": "/.../fileupload-1.3.2.jar",
          "finding_reference": {
            "package": "commons-fileupload/commons-fileupload",
            "vulnerable version": "1.3.2"
          },
          "finding_result": "Failed"
        },
        {
          "finding_number": "15419030703544961074",
          "finding_name": "CVE(s) found in .../commons-lang@2.4",
          "finding_severity": "Medium",
          "finding_type": "Vuln",
          "finding_cve": "CVE-2013-1571",
          "finding_description": "Component has 1 known vulnerability",
          "finding_output": "...",
          "finding_path": "/.../commons-lang-2.4.jar",
          "finding_reference": {
            "package": "commons-lang/commons-lang",
            "vulnerable version": "2.4"
          },
          "finding_result": "Failed"
        }
      ]
    }
  ]
}
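A consumer of the scan document above can tally findings per severity and pick out the failed findings that should block a release. The following is an added example, not MergeBase's own code: `summarize_scan`, the `fail_at` threshold and the "High"/"Low" severity labels are assumptions (only "Critical" and "Medium" appear in the page's example), and the sample input is constructed from that example.

```python
import json
from collections import Counter

# "Critical" and "Medium" appear in the page's example; "High" and "Low" are
# assumed from the finding_count_* field names of the instance list.
SEVERITIES = ["Low", "Medium", "High", "Critical"]

# Constructed sample: the page's example response, trimmed to the fields used here.
SAMPLE_SCAN = json.dumps({
    "nucleus_import_version": "1",
    "scan_tool": "MergeBase",
    "assets": [{
        "host_name": "Testing/Struts-Demo",
        "findings": [
            {"finding_severity": "Critical", "finding_cve": "CVE-2016-1000031",
             "finding_result": "Failed",
             "finding_reference": {"package": "commons-fileupload/commons-fileupload",
                                   "vulnerable version": "1.3.2"}},
            {"finding_severity": "Medium", "finding_cve": "CVE-2013-1571",
             "finding_result": "Failed",
             "finding_reference": {"package": "commons-lang/commons-lang",
                                   "vulnerable version": "2.4"}},
        ],
    }],
})

def summarize_scan(raw, fail_at="High"):
    """Return (per-severity counts, failed findings at or above fail_at)."""
    scan = json.loads(raw)
    if scan.get("scan_tool") != "MergeBase":
        raise ValueError("not a MergeBase scan document")
    threshold = SEVERITIES.index(fail_at)
    counts, blocking = Counter(), []
    for asset in scan.get("assets", []):
        for finding in asset.get("findings", []):
            severity = finding.get("finding_severity")
            if severity not in SEVERITIES:
                raise ValueError(f"unexpected finding_severity: {severity!r}")
            counts[severity] += 1
            failed = finding.get("finding_result") == "Failed"
            if failed and SEVERITIES.index(severity) >= threshold:
                ref = finding.get("finding_reference", {})
                blocking.append((asset.get("host_name"), finding.get("finding_cve"),
                                 ref.get("package"), ref.get("vulnerable version")))
    # Same key names as the instance list, so the two responses can be compared.
    summary = {f"finding_count_{s.lower()}": counts[s] for s in SEVERITIES}
    return summary, blocking

if __name__ == "__main__":
    print(summarize_scan(SAMPLE_SCAN))
```

The returned summary uses the instance list's `finding_count_*` key names, so a mismatch between the two responses for the same instance is easy to detect.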