API List Queries

GET /api/v1/(api_key)/scans

New in version 1.0.

Get the list of all scans of your organisation.

Example request:

GET /api/v1/3079080045dfdc3b24966d972e890bd2/scans HTTP/1.1
Host: api.appcheck-ng.com
Accept-Encoding: identity

Example response:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 448
Date: Wed, 08 May 2019 11:23:35 GMT

  "data": [
      "name": "Cookie Jar",
      "scan_id": "6e543cfc52004489",
      "targets": [
      "user_name": "Bert"
      "name": "Sesame Street",
      "scan_id": "111553ac05734d25",
      "targets": [
      "user_name": "Ernie"
  "message": "Scans found: 2",
  "success": true

Parameters:
  • api_key (string) – Your API key
Response JSON Object:
  • success (boolean) – operation was successful
  • message (string) – human readable response
  • data (objects) – list of scans
Response JSON Array of Objects:
  • scan_id (string) – ID of the scan
  • name (string) – name of the scan
  • user_name (string) – name of the owner of the scan
  • targets (strings) – targets of the scan (URLs, host names, or IP addresses)
GET /api/v1/(api_key)/scanprofiles

New in version 1.1.

Get the list of all scan profiles of your organisation.

Example request:

GET /api/v1/3079080045dfdc3b24966d972e890bd2/scanprofiles HTTP/1.1
Host: api.appcheck-ng.com
Accept-Encoding: identity

Example response:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 350
Date: Wed, 08 May 2019 11:23:23 GMT

{
  "data": [
    {
      "description": "My bathtub",
      "name": "Rubber Duck",
      "profile_id": "1a5f8360cdf945ca",
      "user_name": "Ernie"
    },
    {
      "description": "Grouchy",
      "name": "Grumpy",
      "profile_id": "dc11c874c7aa46d3",
      "user_name": "Bert"
    }
  ],
  "message": "Profiles found: 2",
  "success": true
}

Parameters:
  • api_key (string) – Your API key
Response JSON Object:
  • success (boolean) – operation was successful
  • message (string) – human readable response
  • data (objects) – list of scan profiles
Response JSON Array of Objects:
  • profile_id (string) – ID of the profile
  • name (string) – name of the profile
  • user_name (string) – name of the owner of the profile
GET /api/v1/(api_key)/scan/(scan_id)/runs

New in version 1.0.

Get a list of all runs of a scan in descending chronological order, i.e. data[0] is always the latest run.

Example request:

GET /api/v1/8c283d9f0fcce2034a88c6f6a4176b01/scan/310b8e1b53ed4060/runs?status=PAUSED HTTP/1.1
Host: api.appcheck-ng.com
Accept-Encoding: identity

Example response:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 201
Date: Wed, 08 May 2019 11:24:07 GMT

{
  "data": [
    {
      "completed_at": null,
      "run_id": "bd7a0dd4848f44a2",
      "started_at": 1547476729,
      "status": "PAUSED"
    }
  ],
  "message": "Runs found: 1",
  "success": true
}

Parameters:
  • api_key (string) – Your API key
  • scan_id (string) – ID of the scan
Query Parameters:
Response JSON Object:
  • success (boolean) – operation was successful
  • message (string) – human readable response
  • data (objects) – list of runs (short form)
Response JSON Array of Objects:
  • run_id (string) – id of the run
  • started_at (int) – timestamp when the scan run was started
  • completed_at (int) – timestamp when the scan run was completed (or null)
  • status (string) – run status of the run
GET /api/v1/(api_key)/vulnerabilities

New in version 1.0.

Get a list of all your vulnerabilities.

Example request:

GET /api/v1/44df57d3f5a479e334e622f314787dcc/vulnerabilities?status=unfixed&short=true HTTP/1.1
Host: api.appcheck-ng.com
Accept-Encoding: identity

Example response, short format:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 836
Date: Wed, 08 May 2019 11:24:57 GMT

{
  "data": [
    {
      "category": "web_app",
      "host": "example.com",
      "impact": "high",
      "parameter": "loadMovieNumVar",
      "port": 8686,
      "priority": "high",
      "probability": "high",
      "target": "/flash/vulnerable.swf [loadMovieNumVar]",
      "title": "Flash Cross Site Scripting via getURL",
      "vuln_id": "656c83c5a79197d3b5dae238016736aa335a13f9"
    },
    {
      "category": "web_app",
      "host": "example.com",
      "impact": "high",
      "parameter": "ctaUrl",
      "port": 8686,
      "priority": "high",
      "probability": "high",
      "target": "/flash/riskMeter.swf [ctaUrl]",
      "title": "Flash Cross Site Scripting via navigateToURL",
      "vuln_id": "074bcf81ecac8cdddb38cfd79eec48c7686e0038"
    }
  ],
  "message": "Vulnerabilities found: 2",
  "count": 2,
  "success": true
}

Parameters:
  • api_key (string) – Your API key
Query Parameters:
  • status (string) – filter by vulnerability status
  • short (string) – returns the vulnerability data in short format or long format
  • severity (string) – return vulnerabilities with severity or higher
  • cvss (int) – return vulnerabilities with CVSS score or higher
  • return_info (boolean) – include vulnerabilities with impact info
Response JSON Object:
  • success (boolean) – operation was successful
  • message (string) – human readable response
  • count (number) – a count of the vulnerabilities in the response
  • data (objects) – list of vulnerabilities (short form)
Response JSON Array of Objects:
  • vuln_id (string) – ID of the vulnerability
  • title (string) – title of the vulnerability
  • host (string) – host of the vulnerability
  • port (int) – port of the vulnerability
  • target (string) – target of the vulnerability
  • parameter (string) – parameter of the vulnerability
  • category (string) – category of the vulnerability
  • impact (string) – impact of the vulnerability
  • priority (string) – priority of the vulnerability
  • probability (string) – probability of the vulnerability

Example response, long format:

Parameters:
  • api_key (string) – Your API key
Query Parameters:
  • short (string) – returns the vulnerability data in short format or long format
  • data.severity (string) – return vulnerabilities with severity or higher
Response JSON Object:
  • success (boolean) – operation was successful
  • message (string) – human readable response
  • count (number) – a count of the vulnerabilities in the response
  • data (object) – list of vulnerabilities (long form)
Response JSON Array of Objects:
  • data.vuln_id (string) – ID of the vulnerability
  • data.title (string) – title of the vulnerability
  • data.synopsis (string) – synopsis of the vulnerability
  • data.description (string) – description of the vulnerability
  • data.details (object) – details of the vulnerability
  • data.solution (string) – solution of the vulnerability
  • data.host (string) – host of the vulnerability
  • data.port (int) – port of the vulnerability
  • data.target (string) – target of the vulnerability
  • data.parameter (string) – parameter of the vulnerability
  • data.category (string) – category of the vulnerability
  • data.cvss_score (float) – CVSS score of the vulnerability
  • data.cvss_vector (string) – CVSS vector of the vulnerability
  • data.first_detected_at (int) – timestamp when the vulnerability was first detected
  • data.last_detected_at (int) – timestamp when the vulnerability was last detected
  • data.assignee (string) – assignee of the vulnerability
  • data.status (string) – vulnerability status of the vulnerability
  • data.notes (string) – user provided notes of the vulnerability
  • data.impact (string) – impact of the vulnerability
  • data.priority (string) – priority of the vulnerability, can be changed by the user
  • data.probability (string) – probability of the vulnerability
  • data.mss_confirmed (boolean) – confirmed vulnerability
  • data.manually_altered (boolean) – vulnerability edited by hand
  • data.disabled (boolean) – disabled vulnerabilities are still visible, but restricted
  • data.scan_definition_id (strings) – list of scan definition ids where detected
  • data.results_set_id (strings) – list of result set ids related to the vulnerability
  • data.trashed (boolean) – if true the vulnerability was trashed, trashed objects behave as if deleted from the system, but can be restored to the old status.
  • data.tags (strings) – lists of tags
  • data.ipv4_address (string) – ipv4 address where the vulnerability was detected
  • data.last_detected_in (string) – result set id where the vulnerability was last detected
  • data.last_detected_by_scan_signature (string) – scan signature where the vulnerability was last detected
  • data.OWASP (dict) – OWASP top ten name
  • data.created (string) – timestamp date when the vulnerability was modified
  • data.url (string) – URL address where the vulnerability was detected
  • data.modified (string) – timestamp date when the vulnerability was modified
  • data.suppression_days (int) – number of days a vulnerability remains suppressed
  • data.protected (boolean) – if true the vulnerability is protected and cannot be trashed
  • data.assigned_to (string) – ID of the user to whom this vulnerability was assigned
  • data.suppressed_at (string) – date on which the vulnerability was suppressed (false positive or acceptable risk)
  • data.fixed (boolean) – was the vulnerability fixed?

New in version 1.4.2: The severity parameter

GET /api/v1/(api_key)/scan/(scan_id)/vulnerabilities

New in version 1.0.

Get a list of all vulnerabilities discovered by a scan.

Example request:

GET /api/v1/44df57d3f5a479e334e622f314787dcc/scan/b4ab4a50c3474b7d/vulnerabilities?status=unfixed&short=true HTTP/1.1
Host: api.appcheck-ng.com
Accept-Encoding: identity

Parameters:
  • api_key (string) – Your API key
  • scan_id (string) – ID of the scan
Query Parameters:
  • status (string) – filter by vulnerability status
  • severity (string) – return vulnerabilities with severity or higher
  • priority (string) – return vulnerabilities with priority or higher
  • cvss (int) – return vulnerabilities with CVSS score or higher
  • return_info (boolean) – include vulnerabilities with impact info

New in version 1.4.2: The severity parameter

See GET /api/v1/(api_key)/vulnerabilities for details of the response.

GET /api/v1/(api_key)/scan/(scan_id)/run/(run_id)/vulnerabilities

New in version 1.0.

Get a list of all vulnerabilities discovered by a particular run of a scan.

Example request:

GET /api/v1/44df57d3f5a479e334e622f314787dcc/scan/b4ab4a50c3474b7d/run/e385fa8ff6774215/vulnerabilities?status=unfixed&short=true HTTP/1.1
Host: api.appcheck-ng.com
Accept-Encoding: identity

Parameters:
  • api_key (string) – Your API key
  • scan_id (string) – ID of the scan
  • run_id (string) – ID of the run of this scan
Query Parameters:
  • limit (int) – The number of vulns to show per page
  • page (int) – The page of results to show
  • status (string) – filter by vulnerability status
  • severity (string) – return vulnerabilities with severity or higher
  • priority (string) – return vulnerabilities with priority or higher
  • cvss (int) – return vulnerabilities with CVSS score or higher
  • return_info (boolean) – include vulnerabilities with impact info

New in version 1.4.2: The severity parameter

See GET /api/v1/(api_key)/vulnerabilities for details of the response.
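
Added example (not AppCheck's own client code): the API key is a path segment of every request above, so a client should mask it before a URL reaches a log or an error message. This sketch chains the runs endpoint (newest run is data[0]) into the per-run vulnerabilities endpoint using limit and page. The https scheme, 1-based page numbers, a short page marking the last page, and the fake_fetch responses are assumptions or constructed values.

```python
import json
import re
from urllib.parse import urlencode

BASE = "https://api.appcheck-ng.com/api/v1"  # host from the page; https assumed

def build_url(api_key, *segments, **query):
    """The API key is a path segment, as in the documented requests."""
    url = "/".join([BASE, api_key, *segments])
    return url + ("?" + urlencode(query) if query else "")

def redact(url):
    """Mask the key segment before a URL reaches a log or error message."""
    return re.sub(r"(/api/v1/)[^/?]+", r"\1<api_key>", url)

def unwrap(body, url):
    """Return `data` from the success/message/data envelope, else raise."""
    doc = json.loads(body)
    if doc.get("success") is not True:
        raise RuntimeError(f"{redact(url)}: {doc.get('message')}")
    return doc["data"]

def latest_run_vulns(fetch, api_key, scan_id, limit=2):
    """Unfixed vulnerabilities of the newest run (data[0]), page by page."""
    url = build_url(api_key, "scan", scan_id, "runs")
    runs = unwrap(fetch(url), url)
    if not runs:
        return None, []
    run_id, vulns, page = runs[0]["run_id"], [], 1  # assumption: pages start at 1
    while True:
        url = build_url(api_key, "scan", scan_id, "run", run_id, "vulnerabilities",
                        status="unfixed", short="true", limit=limit, page=page)
        batch = unwrap(fetch(url), url)
        vulns += batch
        if len(batch) < limit:  # assumption: a short page is the last one
            return run_id, vulns
        page += 1

def fake_fetch(url):
    """Constructed stand-in for an HTTP GET so the example runs offline."""
    if "/scan/unknown/" in url:
        return json.dumps({"success": False, "message": "constructed error"})
    if url.endswith("/runs"):
        data = [{"run_id": "run-new"}, {"run_id": "run-old"}]
    elif "page=1" in url:
        data = [{"vuln_id": "v1"}, {"vuln_id": "v2"}]
    else:
        data = [{"vuln_id": "v3"}]
    return json.dumps({"success": True, "message": "constructed", "data": data})
```

In real use, pass a `fetch` callable that performs the GET and returns the response body as text.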
