SCA Advanced API
All endpoints require authentication via an X-API-Key header or a JWT Bearer token. The base URL is https://codestax.co/api. The endpoint paths below are written from the host root (they already include the /api prefix), matching the curl examples.
Package Intelligence
Get Package Health
Returns health metrics for all dependencies from their upstream registries (download counts, maintenance score, last publish date).
GET /api/sca/package-health/{repository_id}

curl -H "X-API-Key: YOUR_API_KEY" \
  https://codestax.co/api/sca/package-health/7

Response:
{
  "packages": [
    {
      "name": "express",
      "ecosystem": "npm",
      "health_score": 92,
      "weekly_downloads": 28500000,
      "last_published": "2026-01-15T00:00:00Z",
      "maintainers": 5
    }
  ]
}

Get Dependency Tree
Returns the full dependency tree structure including transitive dependencies.
GET /api/sca/dependency-tree/{repository_id}

curl -H "X-API-Key: YOUR_API_KEY" \
  https://codestax.co/api/sca/dependency-tree/7

Response:
{
  "tree": [
    {
      "name": "express",
      "version": "4.18.2",
      "children": [
        { "name": "body-parser", "version": "1.20.1", "children": [] }
      ]
    }
  ]
}

Reachability Analysis
Determines whether vulnerable code paths are actually reachable from your application code, and returns the call chain that reaches them. Treat "reachable": false as a prioritisation signal rather than proof of safety: static call-graph analysis cannot see every dynamic call (reflection, eval, plugin loading), so unreachable findings should still be fixed at the next routine update.
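An added example (not part of the Codestax API or this page) that joins the dependency-tree response shown above with the reachability response documented in this section, to answer the question a fixer actually has: which direct dependency pulls the flagged package in, which versions are present, and does the call chain start in first-party code. Both sample responses are constructed by hand in the documented shapes; the extra packages, the second CVE id and the "src/" first-party prefix are placeholders.

```python
"""Triage reachable CVEs by joining the dependency tree with reachability results.

Added example, not part of the Codestax API or this page's documentation.
Both responses below are constructed by hand to match the shapes shown on
this page; extra packages, versions and CVE-2026-0002 are placeholders.
"""
from collections import defaultdict

# Constructed sample in the shape of GET /api/sca/dependency-tree/{repository_id}
TREE_RESPONSE = {
    "tree": [
        {"name": "express", "version": "4.18.2", "children": [
            {"name": "body-parser", "version": "1.20.1", "children": [
                {"name": "lodash", "version": "4.17.20", "children": []},
            ]},
        ]},
        {"name": "lodash", "version": "4.17.21", "children": []},
        {"name": "react", "version": "18.2.0", "children": [
            {"name": "loose-envify", "version": "1.4.0", "children": []},
        ]},
    ]
}

# Constructed sample in the shape of GET /api/sca/reachability/{repository_id}
REACHABILITY_RESPONSE = {
    "results": [
        {"cve_id": "CVE-2026-1234", "package": "lodash", "reachable": True,
         "call_chain": ["src/utils.js:12", "node_modules/lodash/lodash.js:4532"]},
        {"cve_id": "CVE-2026-0002", "package": "loose-envify", "reachable": False,
         "call_chain": []},
    ]
}


def index_paths(tree_response):
    """Map package name -> every path ('name@version' entries) from a direct dependency down to it."""
    paths = defaultdict(list)

    def walk(node, trail):
        trail = trail + [f"{node['name']}@{node['version']}"]
        paths[node["name"]].append(trail)
        for child in node.get("children", []):
            walk(child, trail)

    for root in tree_response["tree"]:
        walk(root, [])
    return paths


def triage(reachability_response, tree_response, first_party_prefix="src/"):
    """One record per finding; reachable findings sort first."""
    paths = index_paths(tree_response)
    records = []
    for r in reachability_response["results"]:
        pkg_paths = paths.get(r["package"], [])
        chain = r.get("call_chain", [])
        records.append({
            "cve_id": r["cve_id"],
            "package": r["package"],
            "reachable": r["reachable"],
            # Direct dependencies whose subtree contains the package (deduplicated)
            "introduced_via": sorted({p[0] for p in pkg_paths}),
            # Every version of the package present anywhere in the tree
            "versions": sorted({p[-1].split("@", 1)[1] for p in pkg_paths}),
            # Shortest distance from a direct dependency (1 = the package is itself direct)
            "depth": min((len(p) for p in pkg_paths), default=None),
            # A chain that begins in application code is the strongest signal
            "entry_in_first_party": bool(chain) and chain[0].startswith(first_party_prefix),
        })
    records.sort(key=lambda rec: (not rec["reachable"], rec["cve_id"]))
    return records


if __name__ == "__main__":
    for rec in triage(REACHABILITY_RESPONSE, TREE_RESPONSE):
        print(rec)
```

In the constructed sample lodash is present twice (a patched direct install and an older copy under express/body-parser), which is exactly the case where "update lodash" in package.json does not remove the reachable finding; the "introduced_via" and "versions" fields make that visible before anyone opens a fix PR.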
GET /api/sca/reachability/{repository_id}

Response:
{
  "results": [
    {
      "cve_id": "CVE-2026-1234",
      "package": "lodash",
      "reachable": true,
      "call_chain": ["src/utils.js:12", "node_modules/lodash/lodash.js:4532"]
    }
  ]
}

Check for Malicious Packages
Scans dependencies against known malicious package databases. Known-malicious matches and suspicious packages (for example, names that typosquat a popular package) are counted separately, and each flagged package carries the reason it was flagged.
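An added example (not part of the Codestax API or this page) that merges the package-health response shown above with the malicious-check response documented in this section into one ranked list: a malicious-check hit always outranks health heuristics, and a flagged package that has no health record is still surfaced. The sample responses, the thresholds (health score, publish age, maintainer count) and the fixed clock are constructed here; field names follow the two documented shapes.

```python
"""Merge package-health and malicious-check responses into one ranked risk list.

Added example, not part of the Codestax API or this page. The sample
responses, the thresholds and the fixed clock are constructed here; field
names follow the two response shapes documented on this page.
"""
from datetime import datetime, timezone

# Constructed sample in the shape of GET /api/sca/package-health/{repository_id}
HEALTH_RESPONSE = {"packages": [
    {"name": "express", "ecosystem": "npm", "health_score": 92, "weekly_downloads": 28500000,
     "last_published": "2026-01-15T00:00:00Z", "maintainers": 5},
    {"name": "ev1l-pkg", "ecosystem": "npm", "health_score": 12, "weekly_downloads": 40,
     "last_published": "2026-02-20T00:00:00Z", "maintainers": 1},
    {"name": "left-pad-ng", "ecosystem": "npm", "health_score": 55, "weekly_downloads": 900,
     "last_published": "2021-03-01T00:00:00Z", "maintainers": 1},
]}

# Constructed sample in the shape of GET /api/sca/malicious-check/{repository_id}
MALICIOUS_RESPONSE = {"malicious_count": 0, "suspicious_count": 1, "packages": [
    {"name": "ev1l-pkg", "reason": "typosquat of 'evil-pkg'", "risk": "suspicious"},
]}

NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)   # fixed clock so the output is reproducible
LEVEL_ORDER = {"malicious": 0, "suspicious": 1, "warning": 2}


def parse_ts(value):
    """API timestamps end in 'Z'; fromisoformat() before Python 3.11 needs an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def risk_report(health, malicious, now=NOW, min_score=40, max_age_days=365, min_maintainers=2):
    """Return flagged packages, worst first, each with the list of reasons it was flagged."""
    flagged = {p["name"]: p for p in malicious["packages"]}
    report = []
    for pkg in health["packages"]:
        reasons = []
        level = "warning"
        if pkg["name"] in flagged:
            hit = flagged[pkg["name"]]
            level = hit["risk"]                      # "malicious" or "suspicious"
            reasons.append(f"{hit['risk']}: {hit['reason']}")
        if pkg["health_score"] < min_score:
            reasons.append(f"health_score {pkg['health_score']} below {min_score}")
        age_days = (now - parse_ts(pkg["last_published"])).days
        if age_days > max_age_days:
            reasons.append(f"last published {age_days} days ago")
        if pkg["maintainers"] < min_maintainers:
            reasons.append(f"only {pkg['maintainers']} maintainer(s)")
        if reasons:
            report.append({"name": pkg["name"], "ecosystem": pkg["ecosystem"],
                           "level": level, "reasons": reasons})
    # A flagged package with no health record must not be dropped silently
    covered = {p["name"] for p in health["packages"]}
    for name, hit in flagged.items():
        if name not in covered:
            report.append({"name": name, "ecosystem": None, "level": hit["risk"],
                           "reasons": [f"{hit['risk']}: {hit['reason']}", "no package-health record"]})
    report.sort(key=lambda r: (LEVEL_ORDER.get(r["level"], 99), r["name"]))
    return report


if __name__ == "__main__":
    for entry in risk_report(HEALTH_RESPONSE, MALICIOUS_RESPONSE):
        print(entry["level"], entry["name"], "; ".join(entry["reasons"]))
```

The thresholds are deliberately parameters: a score floor of 40 and a one-year publish window are reasonable defaults for an npm application, but an embedded or Go code base with slow-moving dependencies would trip the age check on perfectly healthy packages.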
GET /api/sca/malicious-check/{repository_id}

curl -H "X-API-Key: YOUR_API_KEY" \
  https://codestax.co/api/sca/malicious-check/7

Response:
{
  "malicious_count": 0,
  "suspicious_count": 1,
  "packages": [
    { "name": "ev1l-pkg", "reason": "typosquat of 'evil-pkg'", "risk": "suspicious" }
  ]
}

Security Policy
Get Security Policy
Returns the SCA security policy configured for a repository.
GET /api/sca/policy/{repository_id}

Update Security Policy
Sets severity thresholds, blocked licenses, and auto-fail rules.
POST /api/sca/policy/{repository_id}

curl -X POST \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"fail_on_severity": "high", "blocked_licenses": ["GPL-3.0"], "max_critical": 0}' \
  https://codestax.co/api/sca/policy/7

Check Policy Compliance
Evaluates the latest scan against the configured policy and returns pass/fail.
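An added example (not the service's own code) that does two things a CI pipeline needs around this endpoint: it reproduces the evaluation locally in the same response shape, so the three policy fields from the Update Security Policy call above can be tested against a set of findings without a round trip, and it turns a policy-check result into an exit status. The rule semantics are assumptions modelled on the documented fields and response: a finding at or above fail_on_severity fails, blocked_licenses match by SPDX identifier, max_critical caps the count of critical findings. FINDINGS (and its field names), SEVERITY_RANK, the fail_on_severity violation shape, fetch_policy_check() and the CODESTAX_API_KEY variable are all constructed here.

```python
"""Local policy evaluation in the policy-check response shape, plus a CI gate.

Added example, not the service's own code. Rule semantics are assumptions
modelled on the policy fields and policy-check response on this page.
FINDINGS, SEVERITY_RANK, fetch_policy_check() and CODESTAX_API_KEY are
constructed for this example.
"""
import json
import os
import sys
import urllib.request

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Same fields as the POST /api/sca/policy example on this page
POLICY = {"fail_on_severity": "high", "blocked_licenses": ["GPL-3.0"], "max_critical": 0}

# Constructed scan findings; not a response shape documented on the page.
# CVE-2026-1234 is the page's placeholder id, the others are placeholders too.
FINDINGS = [
    {"package": "lodash", "cve_id": "CVE-2026-1234", "severity": "critical", "license": "MIT"},
    {"package": "minimist", "cve_id": "CVE-2026-0002", "severity": "critical", "license": "MIT"},
    {"package": "viral-lib", "cve_id": None, "severity": None, "license": "GPL-3.0"},
    {"package": "chalk", "cve_id": "CVE-2026-0003", "severity": "medium", "license": "MIT"},
]


def evaluate_policy(policy, findings):
    """Return {'compliant': bool, 'violations': [...]} in the GET /api/sca/policy-check shape."""
    violations = []
    threshold = SEVERITY_RANK[policy["fail_on_severity"].lower()]
    blocked = {lic.upper() for lic in policy.get("blocked_licenses", [])}
    critical = 0
    for f in findings:
        sev = (f.get("severity") or "").lower()
        if sev:
            if sev == "critical":
                critical += 1
            if SEVERITY_RANK.get(sev, 0) >= threshold:
                violations.append({"rule": "fail_on_severity", "threshold": policy["fail_on_severity"],
                                   "package": f["package"], "cve_id": f["cve_id"], "severity": sev})
        if (f.get("license") or "").upper() in blocked:
            violations.append({"rule": "blocked_license", "package": f["package"], "license": f["license"]})
    if "max_critical" in policy and critical > policy["max_critical"]:
        # Same shape as the max_critical violation in the documented response
        violations.insert(0, {"rule": "max_critical", "threshold": policy["max_critical"], "actual": critical})
    return {"compliant": not violations, "violations": violations}


def gate(result):
    """Turn a policy-check result into (exit_status, human-readable lines)."""
    lines = []
    for v in result["violations"]:
        if v["rule"] == "max_critical":
            lines.append(f"max_critical: {v['actual']} critical finding(s), limit {v['threshold']}")
        elif v["rule"] == "blocked_license":
            lines.append(f"blocked_license: {v['package']} is {v['license']}")
        else:
            lines.append(f"{v['rule']}: {v.get('package')} {v.get('cve_id')} ({v.get('severity')})")
    return (0 if result["compliant"] else 1), lines


def fetch_policy_check(repo_id, api_key, base="https://codestax.co"):
    """Fetch the live result over HTTP (only used when an API key is present)."""
    req = urllib.request.Request(f"{base}/api/sca/policy-check/{repo_id}",
                                 headers={"X-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    key = os.environ.get("CODESTAX_API_KEY")     # assumed variable name
    result = fetch_policy_check(7, key) if key else evaluate_policy(POLICY, FINDINGS)
    status, lines = gate(result)
    print("\n".join(lines) or "policy: compliant")
    sys.exit(status)
```

Note that max_critical and fail_on_severity overlap when the threshold is "high": a critical finding produces both a per-finding violation and a contribution to the max_critical count. The gate reports both, which is what you want in CI output, but a deduplicating summary should key on the finding, not on the rule.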
GET /api/sca/policy-check/{repository_id}

Response:
{
  "compliant": false,
  "violations": [
    { "rule": "max_critical", "threshold": 0, "actual": 2 },
    { "rule": "blocked_license", "package": "viral-lib", "license": "GPL-3.0" }
  ]
}

Cross-Repository Analysis
Cross-Repo Vulnerability Summary
Returns a summary of vulnerabilities across all repositories in the organization.
GET /api/sca/cross-repo/summary

curl -H "X-API-Key: YOUR_API_KEY" \
  https://codestax.co/api/sca/cross-repo/summary

Shared CVEs Across Repos
Identifies CVEs that appear in multiple repositories.
GET /api/sca/cross-repo-cves

SBOM & Compliance
Import SBOM
Imports a CycloneDX or SPDX SBOM document for a repository.
POST /api/sca/sbom/import/{repository_id}

Generate VEX Document
Exports a Vulnerability Exploitability eXchange (VEX) document.
GET /api/sca/vex/{repository_id}

Scan Container Image
Triggers a container image scan for vulnerabilities and misconfigurations.
POST /api/sca/container-scan/{repository_id}

Compliance Framework Mapping
Maps findings to compliance frameworks (SOC 2, PCI-DSS, HIPAA, ISO 27001).
GET /api/sca/compliance/{repository_id}

Response:
{
  "frameworks": {
    "SOC2": { "compliant": 42, "non_compliant": 3 },
    "PCI-DSS": { "compliant": 40, "non_compliant": 5 }
  }
}