Scans API Reference

MergeBase’s Scans API provides REST access to scan data.  Our Scans API is based on Nucleus Security‘s “Custom Scan Import Format.”  Note:  you DO NOT need to be a user or customer of Nucleus Security to enable and integrate with this endpoint.


Every request must include an HTTP Authorization header as follows:

X-Authorization: <api-key>

The api-key is provided from the “Enable MergeBase Rest Endpoint” section of the MergeBase configuration page.

REST Endpoints

GET /api/n/scans

Returns a list of instances with summary scan data for the customer associated with the API key.

JSON Data:



    "instance_id"``: "12345"``,

    "name"``: "string"``,

    "environment"``: "string"``,

    "region"``: "string"``,

    "scan_date"``: "2019-05-14 19:18:22"``,

    "finding_count_critical"``: 2

    "finding_count_high"``: 1``,

    "finding_count_medium"``: 2``,

    "finding_count_low"``: 0



GET /api/n/scans/<instance_id>  (e.g., /api/n/scans/12345)

Returns the latest scan for the instance identified by instance-id (same as the scan file upload format).

JSON Data Example:


  "nucleus_import_version"``: "1"``,

  "scan_date"``: "2019-05-14 19:18:22"``,

  "scan_type"``: "Application"``,

  "scan_tool"``: "MergeBase"``,

  "scan_id"``: <instance-id>,

  "assets"``: [


      "host_name"``: "Testing/Struts-Demo"``,

      "ip_address"``: ""``,

      "host_fqdn"``: "ip-172-30-3-128.ec2.internal"``,

      "findings"``: [


          "finding_number"``: "16064987443995965775"``,

          "finding_name"``: "CVE(s) found in .../fileupload@1.3.2"``,

          "finding_severity"``: "Critical"``,

          "finding_type"``: "Vuln"``,

          "finding_cve"``: "CVE-2016-1000031"``,

          "finding_description"``: "Component has 1 known vulnerability (1 rated critical)"``,

          "finding_output"``: "Package fileupload was found to be vulnerable ..."``,

          "finding_path"``: "/.../fileupload-1.3.2.jar"``,

          "finding_reference"``: {

            "package"``: "commons-fileupload/commons-fileupload"``,

            "vulnerable version"``: "1.3.2"


          "finding_result"``: "Failed"



          "finding_number"``: "15419030703544961074"``,

          "finding_name"``: "CVE(s) found in .../commons-lang@2.4"``,

          "finding_severity"``: "Medium"``,

          "finding_type"``: "Vuln"``,

          "finding_cve"``: "CVE-2013-1571"``,

          "finding_description"``: "Component has 1 known vulnerability"``,

          "finding_output"``: "..."``,

          "finding_path"``: "/.../commons-lang-2.4.jar"``,

          "finding_reference"``: {

            "package"``: "commons-lang/commons-lang"``,

            "vulnerable version"``: "2.4"


          "finding_result"``: "Failed"







Download your copy now!

[contact-form-7 id="271" title="White Paper Download"]

Discover More from MergeBase

Open Source Protection

Stay on top of the real risk of open source at any time.

Avoid false positives and get sophisticated upgrade guidance based on risk, compatibility, and popularity.

More on Continuous Protection

Add Dynamic Application Surveillance and Hardening

Detect and defend against known-vulnerabilities at runtime. The only SCA to do so.

The quickest way to respond to an imminent threat like log4j with CVE-2021-44228.

More on Runtime

Shift Left Now

MergeBase directly integrates with Github and Bitbucket to provide an early warning system for your in-house development

Product Overview