Scans API Reference

MergeBase’s Scans API provides REST access to scan data.  Our Scans API is based on Nucleus Security‘s “Custom Scan Import Format.”  Note:  you DO NOT need to be a user or customer of Nucleus Security to enable and integrate with this endpoint.


Every request must include an HTTP Authorization header as follows:

X-Authorization: <api-key>

The api-key is provided from the “Enable MergeBase Rest Endpoint” section of the MergeBase configuration page.

REST Endpoints

GET /api/n/scans

Returns a list of instances with summary scan data for the customer associated with the API key.

JSON Data:

    "instance_id": "12345",
    "scan_date""2019-05-14 19:18:22",



GET /api/n/scans/<instance_id>  (e.g., /api/n/scans/12345)

Returns the latest scan for the instance identified by instance-id (same as the scan file upload format).

JSON Data Example:

  "scan_date""2019-05-14 19:18:22",
  "scan_id": <instance-id>,
  "assets": [
      "findings": [
          "finding_name""CVE(s) found in .../fileupload@1.3.2",
          "finding_description""Component has 1 known vulnerability (1 rated critical)",
          "finding_output""Package fileupload was found to be vulnerable ...",
          "finding_reference": {
            "vulnerable version""1.3.2"
          "finding_name""CVE(s) found in .../commons-lang@2.4",
          "finding_description""Component has 1 known vulnerability",
          "finding_reference": {
            "vulnerable version""2.4"

Download your copy now!

[contact-form-7 id="271" title="White Paper Download"]

Discover More from MergeBase

Open Source Protection

Stay on top of the real risk of open source at any time.

Avoid false positives and get sophisticated upgrade guidance based on risk, compatibility and popularity.

More on Continuous Protection

Add RunTime Protection

Detect and defend against known-vulnerabilities at runtime. The only SCA to do so.

The quickest way to respond to an imminent threat like log4j with CVE-2021-44228.

More on Run-time Protection

Shift Left Now

CodeGreen is an early-warning defence for your in-house development and integrates directly into GitHub and BitBucket

More on BitBucket and Github apps