REST API
Everything in the web console is available over a REST API, described by an OpenAPI 3.1 spec served at /api/openapi.json on every instance. Bearer-token authenticated, JSON in and out.
Authentication
Authenticate with a personal access token (PAT) as a bearer token. PATs are scope-limited — issue a read-only token for reporting, a scan-scoped token for CI.
curl https://dpndncy.example.com/api/scans \
  -H "Authorization: Bearer $DPNDNCY_TOKEN"
Endpoint catalogue
| Area | Endpoints |
|---|---|
| Scans | POST /api/scanRepo/async, POST /api/analyzeProject/async, GET /api/scans, GET /api/scans/:id |
| Findings | GET /api/findings (filter by severity, type, reachability, tier) |
| Policies | GET/PUT /api/policies |
| Artifacts / signatures | POST /api/artifacts/fingerprint, POST /api/artifacts/match |
| Runtime agent | GET /api/agent/runs, GET /api/agent/runs/:id/findings |
| Integrations / monitors / signing keys / projects | full CRUD |
| Webhooks | subscription management (see Webhooks) |
Conventions
- Pagination — cursor-based; follow the next cursor.
- Rate limits — per-token and per-tenant; limit headers are returned on every response.
- Async scans — scan endpoints return a job id; poll GET /api/scans/:id for status + results.
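The three conventions above, plus bearer authentication, as an added example client (not dpndncy's own code). It submits an async scan, polls the job until it settles, honours a 429 rate-limit response, and walks the findings cursor to the end. The JSON field names (`job_id`, `status`, `items`, `next_cursor`, `repo`) and the `Retry-After` header are assumptions, not taken from this page; read the real names from /api/openapi.json on your instance.

```python
# Added example, not dpndncy's own client. Assumed, not from the page: the JSON
# fields "job_id", "status", "items", "next_cursor", the "repo" request field and
# the "Retry-After" header; use the names your /api/openapi.json declares.
import json
import time
import urllib.error
import urllib.parse
import urllib.request

class DpndncyClient:
    def __init__(self, base_url, token, transport=None, sleep=time.sleep):
        self.base_url, self.token, self.sleep = base_url.rstrip("/"), token, sleep
        self.transport = transport or self._http  # injectable for offline tests
    def _http(self, method, path, body=None):  # real transport over urllib
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method,
                                     headers={"Authorization": "Bearer " + self.token,
                                              "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, dict(resp.headers), json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, dict(err.headers), {}
    def _call(self, method, path, body=None):
        # Rate limits are per token and per tenant: on 429, wait as told and retry once.
        status, headers, data = self.transport(method, path, body)
        if status == 429:
            self.sleep(float(headers.get("Retry-After", "1")))
            status, headers, data = self.transport(method, path, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}")
        return data
    def scan_repo(self, repo_url):
        # Async endpoint: the response carries a job id, not the scan results.
        return self._call("POST", "/api/scanRepo/async", {"repo": repo_url})["job_id"]
    def wait_for_scan(self, job_id, interval=2.0, max_polls=100):
        for _ in range(max_polls):  # poll GET /api/scans/:id until the job settles
            job = self._call("GET", f"/api/scans/{job_id}")
            if job["status"] in ("completed", "failed"):
                return job
            self.sleep(interval)
        raise TimeoutError(f"scan {job_id} not finished after {max_polls} polls")
    def iter_findings(self, **filters):
        params = dict(filters)  # cursor pagination: follow next_cursor until absent
        while True:
            page = self._call("GET", "/api/findings?" + urllib.parse.urlencode(params))
            yield from page["items"]
            params["cursor"] = page.get("next_cursor")
            if not params["cursor"]:
                return
```

Pass a `transport(method, path, body)` callable returning `(status, headers, json)` to exercise the client against a recorded or fake server; the default talks to the instance over HTTPS.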
Generate a client from the spec
The OpenAPI 3.1 document at /api/openapi.json on your instance is the source of truth — generate a typed client in any language directly from it.
See also
- CLI · Webhooks · Configuration