GET /api/v1/deployments/{deploymentSlug}/findings
List code or supply chain findings
curl --request GET \
  --url https://semgrep.dev/api/v1/deployments/{deploymentSlug}/findings \
  --header 'Authorization: Bearer <token>'
{
  "sastFindings": {
    "findings": [
      {
        "assistant": {
          "autofix": {
            "explanation": null,
            "fix_code": "cookie.setHttpOnly(true);\\nresponse.addCookie(cookie);"
          },
          "autotriage": {
            "reason": "The matched code is used for a non-security related feature.",
            "verdict": "false_positive"
          },
          "component": {
            "risk": "high",
            "tag": "user data"
          },
          "guidance": {
            "instructions": null,
            "summary": "Use a template rendering engine such as EJS instead of string concatenation."
          },
          "rule_explanation": {
            "explanation": "This code is vulnerable to SQL injection because user input from the `username` parameter is directly concatenated into the SQL query string without sanitization or parameterization.",
            "summary": "User input directly concatenated into SQL query"
          }
        },
        "categories": [
          "security"
        ],
        "click_to_fix_failures": [
          {
            "created_at": "2024-01-15T10:30:00.000Z",
            "reason": "merge conflict in target branch"
          }
        ],
        "click_to_fix_prs": [
          {
            "created_at": "2024-01-15T10:30:00.000Z",
            "url": "https://github.com/myorg/myrepo/pull/123"
          }
        ],
        "confidence": "medium",
        "created_at": "2020-11-18T23:28:12.391Z",
        "external_ticket": {
          "externalSlug": "OPS-158",
          "id": 123,
          "linkedIssueIds": [
            123
          ],
          "url": "<string>"
        },
        "first_seen_scan_id": 1234,
        "id": 1234567,
        "line_of_code_url": "https://github.com/semgrep/semgrep/blob/39f95450a7d4d70e54c9edbd109bed8210a36889/src/core_cli/Core_CLI.ml#L1",
        "location": {
          "column": 8,
          "endColumn": 16,
          "endLine": 124,
          "filePath": "frontend/src/corpComponents/Code.tsx",
          "line": 120
        },
        "match_based_id": "0f8c79a6f7e0ff2f908ff5bc366ae1548465069bae8892088051e1c3b4b12c6b8df37d5bcbb181eb868aa79f81f239d14bf2336d552786ab8ccdc7279adf07a6_1",
        "ref": "refs/pull/1234/merge",
        "relevant_since": "2020-11-18T23:28:12.391Z",
        "repository": {
          "name": "semgrep",
          "url": "https://github.com/semgrep/semgrep"
        },
        "review_comments": [
          {
            "externalDiscussionId": "af04762b69acfb74c8f9",
            "externalNoteId": 123523
          }
        ],
        "rule": {
          "category": "security",
          "confidence": "high",
          "cweNames": [
            "CWE-319: Cleartext Transmission of Sensitive Information"
          ],
          "message": "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible.",
          "name": "html.security.plaintext-http-link.plaintext-http-link",
          "owaspNames": [
            "A03:2017 - Sensitive Data Exposure",
            "A02:2021 - Cryptographic Failures"
          ],
          "subcategories": [
            "vuln"
          ],
          "vulnerabilityClasses": [
            "Mishandled Sensitive Information"
          ]
        },
        "rule_message": null,
        "rule_name": "typescript.react.security.audit.react-no-refs.react-no-refs",
        "severity": "medium",
        "sourcing_policy": {
          "id": 120,
          "name": "Default Policy",
          "slug": "default-policy"
        },
        "state": "unresolved",
        "state_updated_at": "2020-11-19T23:28:12.391Z",
        "status": "open",
        "syntactic_id": "440eeface888e78afceac3dc7d4cc2cf",
        "triage_comment": "This finding is from the test repo",
        "triage_reason": "acceptable_risk",
        "triage_state": "untriaged",
        "triaged_at": "2020-11-19T23:28:12.391Z"
      }
    ]
  },
  "scaFindings": {
    "findings": [
      {
        "categories": [
          "security"
        ],
        "confidence": "medium",
        "created_at": "2020-11-18T23:28:12.391Z",
        "epss_score": {
          "percentile": 0.994,
          "score": 0.97
        },
        "external_ticket": {
          "externalSlug": "OPS-158",
          "id": 123,
          "linkedIssueIds": [
            123
          ],
          "url": "<string>"
        },
        "first_seen_scan_id": 1234,
        "fix_recommendations": [
          {
            "package": "System.Drawing.Common",
            "version": "5.0.3"
          }
        ],
        "found_dependency": {
          "ecosystem": "npm",
          "lockfile_line_url": "https://github.com/yourorg/yourrepo/blob/main/package-lock.json#L25",
          "package": "System.Drawing.Common",
          "transitivity": "direct",
          "version": "5.0.0"
        },
        "id": 1234567,
        "is_malicious": true,
        "line_of_code_url": "https://github.com/semgrep/semgrep/blob/39f95450a7d4d70e54c9edbd109bed8210a36889/src/core_cli/Core_CLI.ml#L1",
        "location": {
          "column": 8,
          "endColumn": 16,
          "endLine": 124,
          "filePath": "frontend/src/corpComponents/Code.tsx",
          "line": 120
        },
        "match_based_id": "0f8c79a6f7e0ff2f908ff5bc366ae1548465069bae8892088051e1c3b4b12c6b8df37d5bcbb181eb868aa79f81f239d14bf2336d552786ab8ccdc7279adf07a6_1",
        "reachability": "reachable",
        "reachable_condition": "you use the package on a host running Linux or MacOS",
        "ref": "refs/pull/1234/merge",
        "relevant_since": "2020-11-18T23:28:12.391Z",
        "repository": {
          "name": "semgrep",
          "url": "https://github.com/semgrep/semgrep"
        },
        "review_comments": [
          {
            "externalDiscussionId": "af04762b69acfb74c8f9",
            "externalNoteId": 123523
          }
        ],
        "rule": {
          "category": "security",
          "confidence": "high",
          "cweNames": [
            "CWE-319: Cleartext Transmission of Sensitive Information"
          ],
          "message": "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible.",
          "name": "html.security.plaintext-http-link.plaintext-http-link",
          "owaspNames": [
            "A03:2017 - Sensitive Data Exposure",
            "A02:2021 - Cryptographic Failures"
          ],
          "subcategories": [
            "vuln"
          ],
          "vulnerabilityClasses": [
            "Mishandled Sensitive Information"
          ]
        },
        "rule_message": null,
        "rule_name": "typescript.react.security.audit.react-no-refs.react-no-refs",
        "severity": "medium",
        "state": "unresolved",
        "state_updated_at": "2020-11-19T23:28:12.391Z",
        "status": "open",
        "syntactic_id": "440eeface888e78afceac3dc7d4cc2cf",
        "triage_comment": "This finding is from the test repo",
        "triage_reason": "acceptable_risk",
        "triage_state": "untriaged",
        "triaged_at": "2020-11-19T23:28:12.391Z",
        "usage": {
          "external_ticket": {
            "externalSlug": "OPS-158",
            "id": 123,
            "linkedIssueIds": [
              123
            ],
            "url": "<string>"
          },
          "location": {
            "column": 8,
            "endColumn": 16,
            "endLine": 124,
            "filePath": "frontend/src/corpComponents/Code.tsx",
            "line": 120
          }
        },
        "vulnerability_identifier": "CVE-2021-24112"
      }
    ]
  }
}


Authorizations

Authorization
string
header
required

Get access to data with your API token. Example header:

Authorization: Bearer 2991e2fb4b540fe75b8f90677b0b892b6314e4961cb001fe6eb452eee248a628

The token can be provisioned from the Tokens section in your Settings, and requires explicitly enabling Web API access.

Path Parameters

deploymentSlug
string
required

Slug of the deployment name. Can be found at /deployments, or in your Settings in the web UI.

Example:

"your-deployment"

Query Parameters

issue_type
enum<string>
default:sast

Type of findings to return. If not specified, returns sast (Code) findings. Can be either sast (Code) or sca (Supply Chain). Valid values: sast, sca

Available options:
sast,
sca
Example:

"sca"

since
number<double>

What timestamp should the results start at? If not specified, returns results from all timestamps. Provide epoch timestamp in seconds. Filters using the relevant_since field: the timestamp when this finding was detected by Semgrep (the first time, or when reintroduced).

Example:

1636942398.45

page
integer<uint32>
default:0

Which page of the results do you require? If not specified, returns first page. Pages are numbered from zero (0).

Example:

1

dedup
boolean
default:false

Deduplicates findings across all your refs/branches if true. If not specified, returns all findings across all refs/branches without deduplicating them. Set this to true if you are not filtering for a particular set of refs/branches in order to match the counts listed in the Semgrep UI.

Example:

true

page_size
integer<uint32>
default:100

Maximum number of records per returned page. If not specified, defaults to 100 records. Minimum: 100, Maximum: 3000

Required range: 100 <= x <= 3000
Example:

100

repos
string[]

Which repositories (by name) do you want to include? If not specified, includes all.

Example:
["myorg/repo1", "myorg/repo2"]
repository_ids
integer<uint32>[]

Which repositories (by ID) do you want to include? If not specified, includes all.

Example:
[1, 2, 3]
status
enum<string>

Which status do you want to include? If not specified, includes all. Valid values: open, fixed, ignored, reviewing, fixing

Available options:
open,
fixed,
ignored,
reviewing,
fixing
Example:

"open"

triage_reasons
string[]

Which triage reasons do you want to include? If not specified, includes all. This filter is applicable when status is ignored. Valid values: acceptable_risk, false_positive, no_time, no_triage_reason

Example:
["acceptable_risk", "false_positive"]
severities
string[]

What severities of issues do you want to include? If not specified, returns all. Valid values: low, medium, high, critical

Example:
["low", "high"]
ref
string

Which ref (branch) do you want to filter for?

Example:

"refs/pull/1234/merge"

policies
string[]

Which policy modes do you want to include? If not specified, includes all. Monitor: rule-board-audit, Comment: rule-board-pr-comments, Block: rule-board-block. This filter is applicable when issue_type is sast or unspecified.

Example:
[
"rule-board-block",
"rule-board-pr-comments",
"rule-board-audit"
]
rules
string[]

Which rule names do you want to include? If not specified, includes all. This filter is applicable when issue_type is sast or unspecified.

Example:
[
"typescript.react.security.audit.react-no-refs.react-no-refs",
"ajinabraham.njsscan.hardcoded_secrets.node_username"
]
categories
string[]

Which categories of findings do you want to include? If not specified, includes all. This filter is applicable when issue_type is sast or unspecified.

Example:
["security", "correctness", "caching"]
confidence
enum<string>

Which rule confidence level do you want to include? If not specified, includes all. This filter is applicable when issue_type is sast or unspecified. Valid values: low, medium, high

Available options:
low,
medium,
high
Example:

"high"

autotriage_verdict
enum<string>

Which autotriage verdict do you want to include? If not specified, includes all. This filter is applicable when issue_type is sast or unspecified. Valid values: true_positive, false_positive

Available options:
true_positive,
false_positive
Example:

"true_positive"

component_tags
string[]

Which component tags do you want to include? If not specified, includes all.

Example:
["user authentication", "user data"]
exposures
string[]

List of exposures or reachability types to filter by. If not specified, returns findings across all exposures. This filter is applicable when issue_type=sca is specified. Valid values: reachable, always_reachable, conditionally_reachable, unreachable, unknown

Example:
["reachable", "always_reachable"]
transitivities
string[]

List of transitivities to filter by. If not specified, returns all transitivities. This filter is applicable when issue_type=sca is specified. Valid values: direct, transitive, unknown

Example:
["transitive"]
is_malicious
boolean

Filter SCA findings by whether they are from malicious dependencies. If not specified, returns all SCA findings. This filter is only applicable when issue_type=sca is specified.

  • true: Returns only findings from malicious dependencies
  • false: Returns only findings from all other reachabilities (reachable in code, always reachable, conditionally reachable, etc.)
Example:

true

click_to_fix_pr_state
string[]

Filter findings by Click-to-Fix PR state. If not specified, returns all findings regardless of autofix PR status. This filter applies to both sast and sca issue types. Valid values: open, merged

Example:
["open", "merged"]

Response

OK

Response containing a paginated list of findings (either Code or Supply Chain findings) with optional filtering applied

sastFindings
Sast Findings · object

A list of Code findings that Semgrep has identified in your organization

scaFindings
Sca Findings · object

A list of Supply Chain findings that Semgrep has identified in your organization
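A client sketch for this endpoint, added here and not part of Semgrep's documentation or SDK: it builds the filtered URL from the parameters documented above (pages numbered from zero, page_size kept within 100..3000, dedup, since as epoch seconds), walks pages of either sastFindings or scaFindings, and drops open findings that Assistant autotriage already marked false_positive. The caller-supplied fetch function, the repeated-key encoding of array filters and the stop-on-short-page rule are assumptions, and the sample page is constructed.

```python
"""Paginated pull of Semgrep findings plus a local triage pass (added example)."""
from urllib.parse import urlencode

API = "https://semgrep.dev/api/v1"

def build_findings_url(slug, issue_type="sast", page=0, page_size=100,
                       since=None, dedup=True, **filters):
    """GET /deployments/{slug}/findings. Pages start at 0; page_size must stay in the
    documented 100..3000 range. Array filters (repos, severities, exposures, ...) are
    sent as repeated key=value pairs (encoding assumed; the page does not state it)."""
    if not 100 <= page_size <= 3000:
        raise ValueError("page_size must be within 100..3000")
    params = {"issue_type": issue_type, "page": page, "page_size": page_size,
              "dedup": "true" if dedup else "false"}  # dedup=true matches UI counts
    if since is not None:
        params["since"] = since  # epoch seconds; server filters on relevant_since
    params.update({k: v for k, v in filters.items() if v is not None})
    return f"{API}/deployments/{slug}/findings?" + urlencode(params, doseq=True)

def iter_findings(fetch, slug, issue_type="sast", page_size=100, **filters):
    """Yield findings across pages. fetch(url) -> parsed JSON dict and must add the
    'Authorization: Bearer <token>' header. A page shorter than page_size ends the
    walk (assumption: no end-of-results marker is documented)."""
    key = "sastFindings" if issue_type == "sast" else "scaFindings"
    page = 0
    while True:
        body = fetch(build_findings_url(slug, issue_type, page, page_size, **filters))
        batch = (body.get(key) or {}).get("findings") or []
        yield from batch
        if len(batch) < page_size:
            return
        page += 1

def actionable(findings):
    """Keep open findings that Assistant autotriage did not mark false_positive;
    the assistant block or its verdict may be absent."""
    keep = []
    for f in findings:
        verdict = ((f.get("assistant") or {}).get("autotriage") or {}).get("verdict")
        if f.get("status") == "open" and verdict != "false_positive":
            keep.append(f)
    return keep

# Constructed sample page, trimmed to the documented fields this code reads.
SAMPLE_PAGE = {"sastFindings": {"findings": [
    {"id": 1234567, "status": "open", "severity": "medium",
     "assistant": {"autotriage": {"verdict": "false_positive"}}},
    {"id": 7654321, "status": "open", "severity": "high", "assistant": None},
]}}
```

Passing `lambda url: SAMPLE_PAGE` as `fetch` runs the walk offline; in production the callable would perform the HTTPS request and return the decoded body.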