Skip to main content
GET
List code, supply chain, or AI-powered scan findings

Authorizations

Authorization
string
header
required

Get access to data with your API token. Example header:

Authorization: Bearer 2991e2fb4b540fe75b8f90677b0b892b6314e4961cb001fe6eb452eee248a628

The token can be provisioned from the Tokens section in your Settings, and requires explicitly enabling Web API access.

Path Parameters

deploymentSlug
string
required

Slug of the deployment name. Can be found at /deployments, or in your Settings in the web UI.

Example:

"your-deployment"

Query Parameters

issue_type
enum<string>
default:sast

Type of findings to return. If not specified, returns sast (Code) findings. Can be sast (Code), sca (Supply Chain), or ai_sast (AI-powered scan). Valid values: sast, sca, ai_sast

Available options:
sast,
sca,
ai_sast
Example:

"sca"

since
number<double>

What timestamp should the results start at? If not specified, returns results from all timestamps. Provide epoch timestamp in seconds. Filters using the relevant_since field: the timestamp when this finding was detected by Semgrep (the first time, or when reintroduced).

Example:

1636942398.45

page
integer<int64>
default:0

Which page of the results do you require? If not specified, returns first page. Pages are numbered from zero (0).

Example:

1

dedup
boolean
default:false

Deduplicates findings across all your refs/branches if true. If not specified, returns all findings across all refs/branches without deduplicating them. Set this to true if you are not filtering for a particular set of refs/branches in order to match the counts listed in the Semgrep UI.

Example:

true

page_size
integer<int64>
default:100

Maximum number of records per returned page. If not specified, defaults to 100 records. Minimum: 100, Maximum: 3000

Required range: 100 <= x <= 3000
Example:

100

repos
string[]

Which repositories (by name) do you want to include? If not specified, includes all.

Example:
repository_ids
integer<int64>[]

Which repositories (by ID) do you want to include? If not specified, includes all.

Example:
status
enum<string>

Which status do you want to include? If not specified, includes all statuses. Findings in the removed state are always excluded from this endpoint. Valid values: open, fixed, ignored, reviewing, fixing, provisionally_ignored

Available options:
open,
fixed,
ignored,
reviewing,
fixing,
provisionally_ignored
Example:

"open"

triage_reasons
string[]

Which triage reasons do you want to include? If not specified, includes all. This filter is applicable when status is ignored. Valid values: acceptable_risk, false_positive, no_time, no_triage_reason, duplicate

Example:
severities
string[]

What severities of issues do you want to include? If not specified, returns all. Valid values: low, medium, high, critical

Example:
ref
string

Which ref (branch) do you want to filter for?

Example:

"refs/pull/1234/merge"

policies
string[]

Which policy modes do you want to include? If not specified, includes all. Monitor: rule-board-audit, Comment: rule-board-pr-comments, Block: rule-board-block. This filter is applicable when issue_type is sast or unspecified.

Example:
rules
string[]

Which rule names do you want to include? If not specified, includes all. This filter is applicable when issue_type is sast or unspecified.

Example:
categories
string[]

Which categories of findings do you want to include? If not specified, includes all. This filter is applicable when issue_type is sast or unspecified.

Example:
confidence
enum<string>

Which rule confidence level do you want to include? If not specified, includes all. This filter is applicable when issue_type is sast or unspecified. Valid values: low, medium, high

Available options:
low,
medium,
high
Example:

"high"

autotriage_verdict
enum<string>

Which autotriage verdict do you want to include? If not specified, includes all. This filter is applicable when issue_type is sast or unspecified. Valid values: true_positive, false_positive

Available options:
true_positive,
false_positive
Example:

"true_positive"

component_tags
string[]

Which component tags do you want to include? If not specified, includes all.

Example:
exposures
string[]

List of exposures or reachability types to filter by. If not specified, returns findings across all exposures. This filter is applicable when issue_type=sca is specified. Valid values: reachable, always_reachable, conditionally_reachable, unreachable, unknown

Example:
transitivities
string[]

List of transitivities to filter by. If not specified, returns all transitivities. This filter is applicable when issue_type=sca is specified. Valid values: direct, transitive, unknown

Example:
is_malicious
boolean

Filter SCA findings by whether they are from malicious dependencies. If not specified, returns all SCA findings. This filter is only applicable when issue_type=sca is specified.

  • true: Returns only findings from malicious dependencies
  • false: Returns only findings from all other reachabilities (reachable in code, always reachable, conditionally reachable, etc.)
Example:

true

click_to_fix_pr_state
string[]

Filter findings by Click-to-Fix PR state. If not specified, returns all findings regardless of autofix PR status. This filter applies to both sast and sca issue types. Valid values: open, merged

Example:

Response

200 - application/json

OK

findings
(Sast Finding · object | Sca Finding · object | AI-Powered Scan Finding · object)[]

A Code finding that Semgrep has identified in your organization