Vulnerabilities - REST API

List Application Vulnerabilities

List the complete history of identified vulnerability records for a given application. An identified vulnerability record is comparable to a distinct issue opened in a vulnerability management system. Rather than treating every distinct vulnerability, in every assessment, as its own issue, we treat a vulnerability that persists across contiguous assessments as a single entity, which closes only when we test a new version of the app in which the vulnerability was tested for and not found. Once closed, a given identified vulnerability remains closed; if the vulnerability is found again, a new identified vulnerability is opened.

curl -H "Authorization: Bearer ${API_TOKEN}" \


Field Type Description
Authorization String  Send this header with the value Bearer ${API_TOKEN} to authenticate



Field Type Description
app_ref String UUID application reference which uniquely identifies an application within a specific org analysis group


Success 200

Field Type Description
vulnerabilities Object[ ]  Identified vulnerability record
unique_vulnerability_id Number  Monotonically increasing 64-bit integer key representing the identified vulnerability record
finding_id String  Finding key enum representing the specific finding associated with vulnerability
opened_at Date  Timestamp representing when this specific identified vulnerability record was created
last_seen_at Date  Timestamp of the most recent time this specific vulnerability was recorded as recurring
last_seen_cvss Number  CVSS value associated with the finding
closed_at Date  Timestamp representing when the associated finding was found to no longer be a vulnerability (i.e. either it was tested for and found to not be affected, or the finding was edited to push the CVSS score down to 0, making it no longer a vulnerability)
opened_in_assessment_id String  UUID assessment "ref" associated with the assessment where the vulnerability was first discovered (e.g. an assessment with a non-zero CVSS score for the associated finding, when no identified vulnerability for this app and finding was already open)
last_seen_in_assessment_id String  UUID assessment "ref" associated with most recent assessment where finding was found to still be vulnerable
opened_in_app_version String  Textual app version associated with assessment
last_seen_in_app_version String  Textual app version associated with last seen assessment
closed_in_assessment_id (optional) String  If the vulnerability record is closed, the UUID assessment "ref" associated with the assessment which closed the vuln
closed_in_app_version (optional) String  If the vulnerability record is closed, the textual app version associated with the assessment which closed the vuln
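
The record lifecycle described above, worked through as an added example (not code from this API or its vendor): a sequence of assessments is folded into records carrying the response fields listed in the table. Assumptions: the input shape, the short assessment refs and the finding keys are constructed placeholders; a CVSS of 0 means the finding was tested and not affected; a finding absent from an assessment was not tested and leaves its record untouched; the "new version" condition is not checked.

```python
from itertools import count

# Constructed sample: refs, versions, dates and finding keys are placeholders.
# "findings" maps each finding that was TESTED to its CVSS (0 = not affected).
SAMPLE = [
    {"ref": "a1", "app_version": "1.0", "at": "2024-01-01",
     "findings": {"finding_x": 7.5, "finding_y": 4.3}},
    {"ref": "a2", "app_version": "1.1", "at": "2024-02-01",
     "findings": {"finding_x": 7.5}},                    # finding_y not tested
    {"ref": "a3", "app_version": "1.2", "at": "2024-03-01",
     "findings": {"finding_x": 0, "finding_y": 4.3}},    # finding_x fixed
    {"ref": "a4", "app_version": "1.3", "at": "2024-04-01",
     "findings": {"finding_x": 6.1, "finding_y": 4.3}},  # finding_x is back
]

def fold_assessments(assessments):
    """Fold chronologically ordered assessments into vulnerability records."""
    ids = count(1)          # stand-in for the monotonically increasing key
    open_by_finding = {}    # finding_id -> record that is currently open
    records = []
    for a in assessments:
        for finding_id, cvss in a["findings"].items():
            rec = open_by_finding.get(finding_id)
            if cvss > 0:
                if rec is None:  # nothing open for this finding: open a record
                    rec = {"unique_vulnerability_id": next(ids),
                           "finding_id": finding_id, "closed_at": None,
                           "opened_at": a["at"],
                           "opened_in_assessment_id": a["ref"],
                           "opened_in_app_version": a["app_version"]}
                    records.append(rec)
                    open_by_finding[finding_id] = rec
                rec.update(last_seen_at=a["at"], last_seen_cvss=cvss,
                           last_seen_in_assessment_id=a["ref"],
                           last_seen_in_app_version=a["app_version"])
            elif rec is not None:  # tested and clean: close for good
                rec.update(closed_at=a["at"],
                           closed_in_assessment_id=a["ref"],
                           closed_in_app_version=a["app_version"])
                del open_by_finding[finding_id]
    return records

if __name__ == "__main__":
    for r in fold_assessments(SAMPLE):
        print(r["unique_vulnerability_id"], r["finding_id"],
              r["opened_in_app_version"], r["last_seen_in_app_version"],
              r.get("closed_in_app_version", "open"))
```

When consuming the real response, the same finding_id appearing under more than one unique_vulnerability_id marks a regression: an earlier record was closed and the finding was later seen again.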


