dpndncY

REST API

Everything in the web console is available over a REST API, described by an OpenAPI 3.1 spec served at /api/openapi.json on every instance. Bearer-token authenticated, JSON in and out.

Authentication

Authenticate with a personal access token (PAT) as a bearer token. PATs are scope-limited — issue a read-only token for reporting, a scan-scoped token for CI.

request
curl https://dpndncy.example.com/api/scans \
  -H "Authorization: Bearer $DPNDNCY_TOKEN"

Endpoint catalogue

| Area | Endpoints |
|---|---|
| Scans | POST /api/scanRepo/async, POST /api/analyzeProject/async, GET /api/scans, GET /api/scans/:id |
| Findings | GET /api/findings (filter by severity, type, reachability, tier) |
| Policies | GET/PUT /api/policies |
| Artifacts / signatures | POST /api/artifacts/fingerprint, POST /api/artifacts/match |
| Runtime agent | GET /api/agent/runs, GET /api/agent/runs/:id/findings |
| Integrations / monitors / signing keys / projects | full CRUD |
| Webhooks | subscription management (see Webhooks) |

Conventions

  • Pagination — cursor-based; follow the next cursor.
  • Rate limits — per-token and per-tenant; limit headers are returned on every response.
  • Async scans — scan endpoints return a job id; poll GET /api/scans/:id for status + results.

Generate a client from the spec

The OpenAPI 3.1 document at /api/openapi.json on your instance is the source of truth — generate a typed client in any language directly from it.
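
The pagination and rate-limit conventions above, sketched as a small hand-written client. This is an added example, not dpndncY's own code. The response fields `items` and `next`, the `cursor` query parameter, and the use of HTTP 429 with `Retry-After` are assumptions; check each against /api/openapi.json on your instance.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request


def http_get(url, token):
    """Default transport: return (status, headers, parsed JSON body)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), {}


def list_all(base_url, path, token, params=None, get=http_get,
             sleep=time.sleep, max_retries=5):
    """Yield every item from a cursor-paginated GET endpoint."""
    # A bearer token sent over plain HTTP is readable by anyone on the path.
    if urllib.parse.urlsplit(base_url).scheme != "https":
        raise ValueError("refusing to send a bearer token over a non-HTTPS URL")
    params, seen, retries = dict(params or {}), set(), 0
    while True:
        url = base_url.rstrip("/") + path
        if params:
            url += "?" + urllib.parse.urlencode(params)
        status, headers, body = get(url, token)
        if status == 429:  # assumed rate-limit response, see lead-in
            retries += 1
            if retries > max_retries:
                raise RuntimeError("rate limited; retries exhausted")
            wait = {k.lower(): v for k, v in headers.items()}.get("retry-after")
            try:
                sleep(float(wait))
            except (TypeError, ValueError):  # header absent or an HTTP date
                sleep(1.0)
            continue
        if status != 200:
            raise RuntimeError(f"GET {path} returned HTTP {status}")
        retries = 0
        yield from body.get("items", [])   # "items": assumed field name
        cursor = body.get("next")          # "next": assumed field name
        if not cursor:
            return
        if cursor in seen:  # a repeated cursor would loop forever
            raise RuntimeError("server repeated a cursor")
        seen.add(cursor)
        params["cursor"] = cursor          # "cursor": assumed query parameter
```

Pass a read-only PAT as `token` when the caller only needs to list findings or scans.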
