SCA Extended API
All endpoints require authentication via an X-API-Key header or a JWT Bearer token. The base URL is https://codestax.co/api.
SARIF Import / Export
Export Findings as SARIF
Exports the latest SCA findings in SARIF 2.1.0 format for integration with GitHub Code Scanning, Azure DevOps, and other tools.
GET /api/sca/sarif/export/{repository_id}

```bash
curl -H "X-API-Key: YOUR_API_KEY" \
  https://codestax.co/api/sca/sarif/export/7 \
  -o findings.sarif
```

Response: SARIF 2.1.0 JSON document.
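The export is meant to feed GitHub Code Scanning, which takes the SARIF log gzip-compressed and base64-encoded in the `sarif` field of its upload request. The following Python client is an added example, not CodeStax's own SDK: it fetches the export, checks that the document really is a SARIF 2.1.0 log with at least one run, summarizes result levels and touched artifacts, and builds the GitHub upload body. The `SAMPLE_SARIF` document, the CVE identifier in it and the commit SHA are constructed placeholders so the functions can run offline; `export_sarif` is the only part that talks to the API.

```python
"""Export SARIF from CodeStax and prepare it for a GitHub Code Scanning upload.
Added example; not part of the CodeStax API or client code."""
import base64
import gzip
import json
import urllib.request

BASE_URL = "https://codestax.co/api"

# Constructed sample standing in for an export response (placeholder CVE id).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "CodeStax SCA", "rules": [
            {"id": "CVE-2026-9999", "shortDescription": {"text": "Placeholder rule"}}]}},
        "results": [
            {"ruleId": "CVE-2026-9999", "level": "error",
             "message": {"text": "vulnerable transitive dependency"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "package-lock.json"}}}]},
            {"ruleId": "CVE-2026-9999", "level": "warning",
             "message": {"text": "same package, dev dependency only"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tools/package-lock.json"}}}]},
        ],
    }],
}


def export_sarif(api_key, repository_id):
    """GET /api/sca/sarif/export/{repository_id}; returns the parsed document."""
    req = urllib.request.Request(
        f"{BASE_URL}/sca/sarif/export/{repository_id}",
        headers={"X-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def validate_sarif(doc):
    """Reject anything that is not a SARIF 2.1.0 log with at least one run."""
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unexpected SARIF version: {doc.get('version')!r}")
    runs = doc.get("runs")
    if not isinstance(runs, list) or not runs:
        raise ValueError("SARIF log has no runs")
    for run in runs:
        if "driver" not in run.get("tool", {}):
            raise ValueError("run is missing tool.driver")
    return doc


def is_valid_sarif(doc):
    try:
        validate_sarif(doc)
        return True
    except ValueError:
        return False


def summarize(doc):
    """Count results per level and list the artifact URIs they point at."""
    levels, uris = {}, set()
    for run in doc["runs"]:
        for result in run.get("results", []):
            level = result.get("level", "warning")  # SARIF's default when absent
            levels[level] = levels.get(level, 0) + 1
            for loc in result.get("locations", []):
                uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
                if uri:
                    uris.add(uri)
    return {"levels": levels, "artifacts": sorted(uris)}


def build_github_upload(doc, commit_sha, ref):
    """Body for GitHub's POST /repos/{owner}/{repo}/code-scanning/sarifs:
    the SARIF goes in gzip-compressed and base64-encoded."""
    if len(commit_sha) != 40 or any(c not in "0123456789abcdef" for c in commit_sha.lower()):
        raise ValueError("commit_sha must be a full 40-hex-digit SHA")
    raw = json.dumps(doc, separators=(",", ":")).encode()
    return {"commit_sha": commit_sha, "ref": ref,
            "sarif": base64.b64encode(gzip.compress(raw)).decode("ascii")}


def decode_github_upload(payload):
    """Inverse of build_github_upload, for inspecting a payload before sending it."""
    return json.loads(gzip.decompress(base64.b64decode(payload["sarif"])))


if __name__ == "__main__":
    doc = validate_sarif(SAMPLE_SARIF)          # swap in export_sarif(key, 7) for real use
    print(summarize(doc))
    body = build_github_upload(doc, "0" * 40, "refs/heads/main")
    print(len(body["sarif"]), "base64 bytes ready for upload")
```

Validate before uploading: a document that is not 2.1.0 or has no runs is rejected by GitHub anyway, and failing locally keeps the error next to the export that caused it.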
Import SARIF
Imports findings from an external SARIF file into CodeStax.
POST /api/sca/sarif/import/{repository_id}

Ignore Rules
List Ignore Rules
Returns all suppression rules configured for a repository.
GET /api/sca/ignore-rules/{repository_id}

```bash
curl -H "X-API-Key: YOUR_API_KEY" \
  https://codestax.co/api/sca/ignore-rules/7
```

Response:
```json
{
  "rules": [
    {
      "id": 1,
      "rule_type": "cve",
      "value": "CVE-2026-9999",
      "reason": "False positive, not exploitable",
      "expires_at": "2026-06-01T00:00:00Z",
      "created_by": "admin@example.com"
    }
  ]
}
```

Create Ignore Rule
Suppresses findings matching the specified criteria. Give each rule an expires_at where you can, so a suppression is revisited instead of becoming a permanent blind spot.
POST /api/sca/ignore-rules/{repository_id}

```bash
curl -X POST \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"rule_type": "cve", "value": "CVE-2026-9999", "reason": "False positive", "expires_at": "2026-06-01T00:00:00Z"}' \
  https://codestax.co/api/sca/ignore-rules/7
```

Request Body:
| Field | Type | Description |
|---|---|---|
| rule_type | string | One of cve, package, path, license, or severity |
| value | string | The value to match (e.g., CVE ID, package name) |
| reason | string | Justification for suppression |
| expires_at | string | ISO 8601 expiration date (optional) |
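To see what a rule will actually hide before you create it, it helps to apply the rule set locally to the raw findings the same way the findings-filtered endpoint does. The Python below is an added example, not CodeStax code: `make_rule` validates a rule body against the table above before it is sent, and `filter_findings` applies a rule list to findings while honouring expires_at. The finding records, the placeholder CVE identifiers, the glob semantics for path rules and the "at or below" reading of severity rules are all assumptions made for the example; the page specifies neither the finding schema nor the exact matching rules.

```python
"""Build ignore rules for POST /api/sca/ignore-rules/{repository_id} and apply
them locally the way findings-filtered does. Added example, not CodeStax code."""
from datetime import datetime, timezone
from fnmatch import fnmatch

RULE_TYPES = {"cve", "package", "path", "license", "severity"}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # assumed ordering

# Constructed findings and rules; CVE ids are placeholders, not real advisories.
FINDINGS = [
    {"id": 501, "cve": "CVE-2026-0001", "package": "pkg-a", "path": "package-lock.json",
     "severity": "high", "license": "MIT"},
    {"id": 502, "cve": "CVE-2026-0002", "package": "pkg-b", "path": "tools/package-lock.json",
     "severity": "medium", "license": "MIT"},
    {"id": 503, "cve": "CVE-2026-0003", "package": "pkg-c", "path": "package-lock.json",
     "severity": "low", "license": "WTFPL"},
]
RULES = [
    {"id": 1, "rule_type": "cve", "value": "CVE-2026-0001",
     "reason": "False positive, not exploitable", "expires_at": "2026-06-01T00:00:00Z"},
    {"id": 2, "rule_type": "path", "value": "tools/*",
     "reason": "Build tooling only, never shipped"},           # no expiry: permanent
]


def parse_ts(text):
    """ISO 8601 with a trailing Z or an explicit offset -> aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def make_rule(rule_type, value, reason, expires_at=None, now=None):
    """Validate a rule client-side; a sloppy rule silently hides real findings."""
    if rule_type not in RULE_TYPES:
        raise ValueError(f"unknown rule_type {rule_type!r}")
    if not reason or not reason.strip():
        raise ValueError("reason is required: every suppression needs a justification")
    if rule_type == "cve" and not value.upper().startswith("CVE-"):
        raise ValueError("cve rules must name a CVE identifier")
    if rule_type == "severity" and value not in SEVERITY_RANK:
        raise ValueError(f"severity must be one of {sorted(SEVERITY_RANK)}")
    rule = {"rule_type": rule_type, "value": value, "reason": reason.strip()}
    if expires_at is not None:
        if parse_ts(expires_at) <= (now or datetime.now(timezone.utc)):
            raise ValueError("expires_at is already in the past")
        rule["expires_at"] = expires_at
    return rule


def rule_error(**kwargs):
    """None if make_rule accepts the arguments, else the validation message."""
    try:
        make_rule(**kwargs)
        return None
    except ValueError as exc:
        return str(exc)


def rule_active(rule, now):
    """Rules without expires_at never expire; others stop matching after it."""
    exp = rule.get("expires_at")
    return exp is None or parse_ts(exp) > now


def rule_matches(rule, finding):
    t, v = rule["rule_type"], rule["value"]
    if t == "cve":
        return finding.get("cve", "").upper() == v.upper()
    if t == "package":
        return finding.get("package") == v
    if t == "path":
        return fnmatch(finding.get("path", ""), v)            # glob matching assumed
    if t == "license":
        return finding.get("license") == v
    if t == "severity":                                         # assumed: at or below
        return SEVERITY_RANK.get(finding.get("severity"), 0) <= SEVERITY_RANK.get(v, 0)
    return False


def filter_findings(findings, rules, now=None):
    """Return (visible, suppressed); suppressed pairs a finding id with the rule id."""
    now = now or datetime.now(timezone.utc)
    active = [r for r in rules if rule_active(r, now)]
    visible, suppressed = [], []
    for finding in findings:
        hit = next((r for r in active if rule_matches(r, finding)), None)
        if hit is None:
            visible.append(finding)
        else:
            suppressed.append((finding["id"], hit.get("id")))
    return visible, suppressed


def visible_ids(now_iso, findings=FINDINGS, rules=RULES):
    """Finding ids still visible at a given instant (expiry is what changes them)."""
    visible, _ = filter_findings(findings, rules, now=parse_ts(now_iso))
    return [f["id"] for f in visible]
```

Running `visible_ids` at two instants on either side of rule 1's expires_at shows finding 501 disappear and then return, while the permanent path rule keeps 502 hidden throughout; that is exactly the behaviour to expect from findings-filtered once the rule has been created on the server.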
Delete Ignore Rule
DELETE /api/sca/ignore-rules/{repository_id}?rule_id={rule_id}

Get Filtered Findings
Returns the repository's findings with every item matched by an active (unexpired) ignore rule excluded.
GET /api/sca/findings-filtered/{repository_id}

Scan Scheduling
Get Scan Schedule
Returns the configured scan schedule for a repository.
GET /api/sca/schedule/{repository_id}

Create / Update Scan Schedule
Configures recurring SCA scans using cron expressions.
POST /api/sca/schedule/{repository_id}

```bash
curl -X POST \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"cron_expression": "0 2 * * 1", "scan_type": "sca", "enabled": true}' \
  https://codestax.co/api/sca/schedule/7
```

Request Body:
| Field | Type | Description |
|---|---|---|
| cron_expression | string | Five-field cron schedule (e.g., 0 2 * * 1 for Monday 2 AM) |
| scan_type | string | Scan type to run |
| enabled | boolean | Whether the schedule is active |
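A wrong cron expression either never fires or fires far more often than intended, and a schedule endpoint cannot tell you which. The Python below is an added example, not CodeStax code: it expands the five cron fields (wildcards, lists, ranges, steps, and 7 as an alias for Sunday), applies the Vixie cron rule that a restricted day-of-month and day-of-week match on either, and computes the next firing time so the body can be sanity-checked before it is sent with `schedule_body`. The page does not state which time zone schedules run in, so the code works on naive datetimes in whatever zone the schedule uses; the sample timestamps are constructed.

```python
"""Validate the 5-field cron_expression for POST /api/sca/schedule/{repository_id}
and compute when it next fires. Added example, not CodeStax code."""
from datetime import datetime, timedelta

# (low, high) for minute, hour, day-of-month, month, day-of-week (0 or 7 = Sunday)
FIELD_BOUNDS = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def parse_field(text, low, high):
    """Expand one field ('*', 'a-b', 'a,b', '*/n', 'a-b/n', 'a/n') into a set of ints."""
    values = set()
    for part in text.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"step must be >= 1 in {text!r}")
        if part == "*":
            start, end = low, high
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = int(part)
            end = high if step > 1 else start      # '5/10' means 5, 15, 25, ...
        if not (low <= start <= end <= high):
            raise ValueError(f"{text!r} is outside {low}-{high}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr):
    """Return (expanded fields, raw fields); raises ValueError on anything malformed."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("cron_expression must have exactly 5 fields")
    parsed = [parse_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_BOUNDS)]
    if 7 in parsed[4]:                             # 7 is an alias for Sunday
        parsed[4].discard(7)
        parsed[4].add(0)
    return parsed, fields


def matches(parsed, fields, dt):
    minutes, hours, doms, months, dows = parsed
    cron_dow = (dt.weekday() + 1) % 7              # Python Monday=0 -> cron Sunday=0
    if fields[2] == "*" or fields[4] == "*":
        day_ok = dt.day in doms and cron_dow in dows
    else:                                          # both restricted: Vixie cron ORs them
        day_ok = dt.day in doms or cron_dow in dows
    return dt.minute in minutes and dt.hour in hours and dt.month in months and day_ok


def next_run(expr, after):
    """Minute-stepping search bounded to a year: cheap enough for a pre-flight check."""
    parsed, fields = parse_cron(expr)
    dt = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    limit = dt + timedelta(days=366)
    while dt <= limit:
        if matches(parsed, fields, dt):
            return dt
        dt += timedelta(minutes=1)
    raise ValueError(f"{expr!r} does not fire within a year")


def next_run_iso(expr, after_iso):
    """Same as next_run, taking and returning ISO 8601 strings."""
    return next_run(expr, datetime.fromisoformat(after_iso)).isoformat()


def is_valid_cron(expr):
    try:
        parse_cron(expr)
        return True
    except ValueError:
        return False


def schedule_body(cron_expression, scan_type="sca", enabled=True):
    """Request body for the schedule endpoint, built only from an expression that parses."""
    parse_cron(cron_expression)
    return {"cron_expression": cron_expression, "scan_type": scan_type, "enabled": bool(enabled)}


if __name__ == "__main__":
    print(schedule_body("0 2 * * 1"))
    print("next run:", next_run_iso("0 2 * * 1", "2026-06-03T12:00:00"))
```

Checking `next_run` against a known calendar (3 June 2026 is a Wednesday, so "0 2 * * 1" should next fire on Monday 8 June at 02:00) catches the classic mistakes: a swapped hour and minute, or a day-of-week written as 7 where the server expects 0.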
Delete Scan Schedule
DELETE /api/sca/schedule/{repository_id}

List All Schedules
Returns all scan schedules across the organization.
GET /api/sca/schedules

Jira Integration
Create Jira Ticket
Creates a Jira ticket for a specific vulnerability finding.
POST /api/sca/jira/create-ticket

```bash
curl -X POST \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"issue_id": 501, "project_key": "SEC", "issue_type": "Bug"}' \
  https://codestax.co/api/sca/jira/create-ticket
```

Response:
```json
{
  "jira_key": "SEC-142",
  "jira_url": "https://myorg.atlassian.net/browse/SEC-142",
  "status": "created"
}
```

Bulk Create Jira Tickets
Creates Jira tickets for multiple findings at once.
POST /api/sca/jira/bulk-create

Merge Confidence & Auto-Update
Get Merge Confidence Score
Returns a confidence score for merging dependency updates, based on age, adoption, test coverage, and known issues.
GET /api/sca/merge-confidence/{repository_id}

Response:
```json
{
  "updates": [
    {
      "package": "express",
      "from": "4.18.2",
      "to": "4.19.0",
      "confidence": "high",
      "score": 95,
      "factors": { "age_days": 45, "adoption": 0.87, "breaking_changes": false }
    }
  ]
}
```

Get Auto-Update Configuration
Returns the auto-update settings for a repository (Renovate-style dependency update config).
GET /api/sca/auto-update/{repository_id}

Response:
```json
{
  "enabled": true,
  "strategy": "security_only",
  "auto_merge": false,
  "target_branch": "main",
  "ignored_packages": ["legacy-lib"]
}
```
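The two responses above only become useful when combined: the confidence score says how risky an update is, the configuration says what the repository is willing to do about it. The Python below is an added example, not CodeStax code, showing one policy that joins them: updates for packages in `ignored_packages` are skipped, under the `security_only` strategy only packages with an open finding are considered, and an update is merged unattended only if `auto_merge` is on, the confidence is high, the score clears a threshold and the update carries no breaking changes; everything else becomes a pull request against `target_branch`. The 90-point threshold, the `all` strategy value, the second and third sample updates and the set of vulnerable packages are assumptions constructed for the example.

```python
"""Turn merge-confidence scores plus the auto-update configuration into a
merge / propose / skip plan. Added example, not CodeStax code."""

MIN_AUTO_MERGE_SCORE = 90   # assumed policy threshold; the API reports scores, not policy

# Constructed samples shaped like the two documented responses (the first update
# is the documented one; the other two and the package names are made up).
CONFIDENCE = {"updates": [
    {"package": "express", "from": "4.18.2", "to": "4.19.0", "confidence": "high", "score": 95,
     "factors": {"age_days": 45, "adoption": 0.87, "breaking_changes": False}},
    {"package": "pkg-major", "from": "16.2.0", "to": "17.0.0", "confidence": "medium", "score": 61,
     "factors": {"age_days": 12, "adoption": 0.31, "breaking_changes": True}},
    {"package": "legacy-lib", "from": "1.0.0", "to": "1.0.1", "confidence": "high", "score": 97,
     "factors": {"age_days": 400, "adoption": 0.95, "breaking_changes": False}},
]}
CONFIG = {"enabled": True, "strategy": "security_only", "auto_merge": False,
          "target_branch": "main", "ignored_packages": ["legacy-lib"]}
# Packages with open, unsuppressed findings, as findings-filtered would report them.
VULNERABLE = {"express", "pkg-major"}


def plan_updates(confidence, config, vulnerable_packages, min_score=MIN_AUTO_MERGE_SCORE):
    """Return {'merge': [...], 'propose': [...], 'skip': {package: reason}, 'target_branch': ...}.

    merge    safe to land directly on target_branch without a human
    propose  worth a pull request, but not an unattended merge
    skip     ruled out by the configuration
    """
    plan = {"merge": [], "propose": [], "skip": {}, "target_branch": config.get("target_branch")}
    updates = confidence.get("updates", [])
    if not config.get("enabled"):
        plan["skip"] = {u["package"]: "auto-update disabled" for u in updates}
        return plan
    strategy = config.get("strategy")
    if strategy not in ("security_only", "all"):             # "all" is an assumed value
        raise ValueError(f"unknown strategy {strategy!r}")
    ignored = set(config.get("ignored_packages", []))
    for u in updates:
        pkg = u["package"]
        if pkg in ignored:
            plan["skip"][pkg] = "listed in ignored_packages"
        elif strategy == "security_only" and pkg not in vulnerable_packages:
            plan["skip"][pkg] = "no open finding for this package (security_only)"
        elif (config.get("auto_merge") and u["confidence"] == "high"
              and u["score"] >= min_score and not u["factors"].get("breaking_changes")):
            plan["merge"].append(pkg)
        else:
            plan["propose"].append(pkg)           # low confidence, breaking, or auto_merge off
    return plan


if __name__ == "__main__":
    print(plan_updates(CONFIDENCE, CONFIG, VULNERABLE))
    print(plan_updates(CONFIDENCE, dict(CONFIG, auto_merge=True), VULNERABLE))
```

With the documented configuration (`auto_merge` false) nothing merges unattended: express and the breaking major bump both become pull requests and legacy-lib is skipped. Flipping `auto_merge` on lets express through on its high confidence and 95 score while the breaking update still stops at a pull request, which is the property worth keeping whatever threshold you pick.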