Access denied
The access to the API functionality is denied if either the used API key is invalid, the configured API user is no longer valid (the account was disabled or deleted), or client’s IP address is not in the allowed range of API access
API access
To reduce the damage caused by a revealed API key, access to the API is only granted if the client’s IP address is whitelisted. To use the API, all client’s IP addresses have to be added to the configured list, either as hostname, IP address, or CIDR network.
API key
A secret, 32 characters long hex string belonging to your Organisation. Ask AppCheck support to get your API key.
API user
The user with whom API calls are executed. It is recommended to use a dedicated user account solely for API use.
A user in your organisation that is responsible for resolving the found vulnerability.
CVSS score
Base score of the Common Vulnerability Scoring System, version 2.
CVSS vector
Vector of the different metrics that are aggregated into the single numerical CVSS score; https://nvd.nist.gov/vuln-metrics/cvss/vector-v2.
Failure condition

One of the following values:

  • LOW: At least one LOW vulnerability was found
  • MEDIUM: At least one MEDIUM vulnerability was found
  • HIGH: At least one HIGH vulnerability was found
  • BAD_STATUS: The scan finished with the status ABORTED or FAILED
One of high, medium, and low.
One of high, medium, and low. Can be changed.
One of high, medium, and low.
The severity level indicates how serious the vulnerability is. The severity level is a translation from CVSS Score. The severity cam be one of high, medium, low and info.
Run status
The status of a scan run is one of RUNNING, PAUSED, ABORTED, DETACHED (scanning backend temporarily lost connection), COMPLETED (run finished without discovering vulnerabilities), and FAILED (run finished, but vulnerabilities were discovered).
A scan definition and it’s associated scan runs.
Scan definition
Configuration of a scan. Including targets, scheduling, scanning methods.
Scan run
Actual scanning process. Uses the lates version of a scan definition.
Scan status
The status of the last (or explicitly specified) scan run of a scan definition.
Seconds since 1970-01-01 00:00:00 UTC (the Epoch).
Discovered attack possibility. A vulnerability is discovered by a scan run, but is not bound to it. If two scans have overlapping scope, and therefore discover the same vulnerability, there is still only one vulnerability (with only one ID).
Vulnerability status
One of unfixed (the initial value), fixed, false_positive, and acceptable_risk. The status can be changed by the user. Once a vulnerability is changed to fixed, false_positive, or acceptable_risk, it is hidden in the AppCheck NG Webinterface. However, once a fixed vulnerability is discovered a second time, it’s status is changed back to unfixed and it is visible again.
Name of one of the Top ten most critical security risks to web application.