GET
/api/v1/meGet Public Api Me
Return safe metadata for the authenticated API key connection.
Responses
| Status | Description | Schema |
|---|---|---|
| 200 | Successful Response | PublicMeResponse |
API Reference
Kolega DevSec Public API
REST API for organization-scoped automation around repositories, scans, findings, fixes, and pull request creation.
Authentication
Organization API key. Generate keys in Organization Settings -> API Keys and send them as Bearer tokens.
- Generate API keys in Organization Settings -> API Keys.
- Send the key in the
Authorizationheader as a Bearer token. - Keys are organization-scoped and intended for requests under
/api/v1.
Quickstart
Typical flow: list repositories, trigger a scan batch, poll the batch progress endpoint, read aggregated batch results, review findings, create a fix, then poll fix progress before opening pull requests.
List repositories
Trigger a scan batch and poll progress
Create a fix, poll progress, and open pull requests
scan_typeacceptssecrets_scan,semgrep_scan,deep_ai_scan, orsbom_scan.GET /repositories/{repository_id}/scans/{scan_id}now returns the scan batch detail created byPOST /scans.GET /repositories/{repository_id}/scans/{scan_id}/progressis the primary polling endpoint for live scan progress.GET /repositories/{repository_id}/scans/{scan_id}/resultsreturns findings aggregated across every repository in the batch.GET /repositories/{repository_id}/fixes/{fix_id}/progressis the primary polling endpoint for active fixes.GET /mereturns the calling key's organization, scopes, and quota period — handy for verifying credentials before automating.GET /finding-eventsis an organization-wide, reverse-chronological feed of finding lifecycle events for audit trails and webhook-style polling.POST /repositories/{repository_id}/fixes/{fix_id}/refinere-runs the agent with follow-up instructions;POST .../cancelstops a pending or running fix.
Account
Inspect the identity, organization, and scopes of the calling API key.
Repositories
Discover the repository ids and source inventory available to the calling organization.
GET
/api/v1/repositoriesList Repositories
List repositories for the calling organization.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| include_archived | boolean | No | Include archived repositories |
| limit | integer | No | query parameter. |
| skip | integer | No | query parameter. |
Responses
| Status | Description | Schema |
|---|---|---|
| 200 | Successful Response | PublicPaginatedResponse_PublicRepositoryResponse_ |
| 422 | Validation Error | HTTPValidationError |
GET
/api/v1/repositories/{repository_id}Get Repository
Get a single repository by id.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| repository_id | string | Yes | path parameter. |
Responses
| Status | Description | Schema |
|---|---|---|
| 200 | Successful Response | PublicRepositoryResponse |
| 422 | Validation Error | HTTPValidationError |
Scans
Create scan batches, poll live batch progress, inspect batch details, and fetch aggregated findings.
GET
/api/v1/repositories/{repository_id}/scansList Scans
List scan batches for the repository.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| repository_id | string | Yes | path parameter. |
| scan_type | secrets_scan | semgrep_scan | deep_ai_scan | sbom_scan | null | No | Filter by scan type |
| status | string | null | No | Filter by status |
| limit | integer | No | query parameter. |
| skip | integer | No | query parameter. |
Responses
| Status | Description | Schema |
|---|---|---|
| 200 | Successful Response | PublicPaginatedResponse_PublicScanBatchResponse_ |
| 422 | Validation Error | HTTPValidationError |
POST
/api/v1/repositories/{repository_id}/scansCreate Scan
Trigger a security scan for the repository.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| repository_id | string | Yes | path parameter. |
Request body
| Name | Type | Required | Description |
|---|---|---|---|
| scan_type | secrets_scan | semgrep_scan | deep_ai_scan | sbom_scan | Yes | Available scan types for repository security scanning. |
Responses
| Status | Description | Schema |
|---|---|---|
| 202 | Successful Response | PublicScanBatchResponse |
| 422 | Validation Error | HTTPValidationError |
GET
/api/v1/repositories/{repository_id}/scans/{scan_id}Get Scan
Get the scan batch you created. scan_id is the batch id.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| repository_id | string | Yes | path parameter. |
| scan_id | string | Yes | path parameter. |
Responses
| Status | Description | Schema |
|---|---|---|
| 200 | Successful Response | PublicScanBatchResponse |
| 422 | Validation Error | HTTPValidationError |
GET
/api/v1/repositories/{repository_id}/scans/{scan_id}/progressGet Scan Progress
Fine-grained progress for a scan batch.
Returns the batch's aggregate counters plus a per-repository breakdown (including placeholder entries for repos that haven't been materialized as scans yet when the batch is still QUEUED/CREATING_SCANS). A CLI can poll this and render a progress bar from percent_complete.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| repository_id | string | Yes | path parameter. |
| scan_id | string | Yes | path parameter. |
Responses
| Status | Description | Schema |
|---|---|---|
| 200 | Successful Response | PublicScanProgressResponse |
| 422 | Validation Error | HTTPValidationError |
GET
/api/v1/repositories/{repository_id}/scans/{scan_id}/resultsGet Scan Results
Aggregate findings from every repository in the batch.
scan_id is the batch id from POST /scans. Returns every finding attributed to this batch across all repositories. For per-repository slicing, use /progress to see the breakdown and then filter findings by scan_batch_id if needed.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| repository_id | string | Yes | path parameter. |
| scan_id | string | Yes | path parameter. |
Responses
| Status | Description | Schema |
|---|---|---|
| 200 | Successful Response | PublicScanResultsResponse |
| 422 | Validation Error | HTTPValidationError |
Findings
List findings for a repository, inspect one finding, or update its lifecycle status.
GET
/api/v1/repositories/{repository_id}/findingsList Findings
List findings for the repository.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| repository_id | string | Yes | path parameter. |
| scan_batch_id | string | null | No | Filter by scan batch id |
| severity | string | null | No | Filter by severity |
| status | string | null | No | Filter by status |
| scan_type | string | null | No | Filter by scan type |
| limit | integer | No | query parameter. |
| skip | integer | No | query parameter. |
Responses
| Status | Description | Schema |
|---|---|---|
| 200 | Successful Response | PublicPaginatedResponse_PublicFindingResponse_ |
| 422 | Validation Error | HTTPValidationError |
GET
/api/v1/repositories/{repository_id}/findings/{finding_id}Get Finding
Get a single finding by id.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| repository_id | string | Yes | path parameter. |
| finding_id | string | Yes | path parameter. |
Responses
| Status | Description | Schema |
|---|---|---|
| 200 | Successful Response | PublicFindingResponse |
| 422 | Validation Error | HTTPValidationError |
PATCH
/api/v1/repositories/{repository_id}/findings/{finding_id}Update Finding Status
Update the status of a finding (open / resolved / ignored / etc).
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| repository_id | string | Yes | path parameter. |
| finding_id | string | Yes | path parameter. |
Request body
| Name | Type | Required | Description |
|---|---|---|---|
| status | open | resolved | ignored | false_positive | needs_manual_review | Yes | Status of a security finding. |
Responses
| Status | Description | Schema |
|---|---|---|
| 200 | Successful Response | PublicFindingResponse |
| 422 | Validation Error | HTTPValidationError |
Finding Events
Stream organization-wide finding lifecycle events for audit trails and webhook-style polling.
GET
/api/v1/finding-eventsList Finding Events
List finding lifecycle events for the calling organization.
Events are returned reverse-chronologically so polling consumers such as Zapier can use the event id as a stable dedupe key.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| repository_id | string | null | No | Filter by repository id |
| finding_id | string | null | No | Filter by finding id |
| scan_type | string | null | No | Filter by scan type |
| severity | string | null | No | Filter by severity |
| event_type | string | null | No | Filter by event type |
| start | string (date-time) | null | No | Start time filter |
| end | string (date-time) | null | No | End time filter |
| limit | integer | No | query parameter. |
| skip | integer | No | query parameter. |
Responses
| Status | Description | Schema |
|---|---|---|
| 200 | Successful Response | PublicPaginatedResponse_PublicFindingEventResponse_ |
| 422 | Validation Error | HTTPValidationError |
Fixes
Create remediation runs, poll fix progress, inspect diffs, and create pull requests.
GET
/api/v1/repositories/{repository_id}/fixesList Fixes
List fixes for the repository.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| repository_id | string | Yes | path parameter. |
| finding_id | string | null | No | Filter by finding id |
| limit | integer | No | query parameter. |
| skip | integer | No | query parameter. |
Responses
| Status | Description | Schema |
|---|---|---|
| 200 | Successful Response | PublicPaginatedResponse_PublicFixResponse_ |
| 422 | Validation Error | HTTPValidationError |
POST
/api/v1/repositories/{repository_id}/fixesCreate Fix
Trigger an autofix run for one or more findings in this repository.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| repository_id | string | Yes | path parameter. |
Request body
| Name | Type | Required | Description |
|---|---|---|---|
| finding_ids | string[] | No | No description provided. |
| title | string | Yes | No description provided. |
| instructions | string | Yes | No description provided. |
| source_repo | string | Yes | Repository full_name (owner/repo) |
| source_repo_provider | github | gitlab | azure_devops | No | No description provided. |
| source_scan_branch | string | null | No | Branch the finding was detected on |
Responses
| Status | Description | Schema |
|---|---|---|
| 201 | Successful Response | PublicFixResponse |
| 422 | Validation Error | HTTPValidationError |
GET
/api/v1/repositories/{repository_id}/fixes/{fix_id}Get Fix
Get a single fix by id.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| repository_id | string | Yes | path parameter. |
| fix_id | string | Yes | path parameter. |
Responses
| Status | Description | Schema |
|---|---|---|
| 200 | Successful Response | PublicFixResponse |
| 422 | Validation Error | HTTPValidationError |
GET
/api/v1/repositories/{repository_id}/fixes/{fix_id}/diffGet Fix Diff
Get the diff for a fix. Returns diff=null while the fix is still running — clients should poll until status is completed.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| repository_id | string | Yes | path parameter. |
| fix_id | string | Yes | path parameter. |
Responses
| Status | Description | Schema |
|---|---|---|
| 200 | Successful Response | PublicFixDiffResponse |
| 422 | Validation Error | HTTPValidationError |
GET
/api/v1/repositories/{repository_id}/fixes/{fix_id}/progressGet Fix Progress
Minimal heartbeat for a running fix.
Returns status, timings, agent step count, and a last-activity timestamp so a CLI can show something like "Running... (42s, 12 steps, last update 3s ago)". Deliberately does not expose message content or tool-call details.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| repository_id | string | Yes | path parameter. |
| fix_id | string | Yes | path parameter. |
Responses
| Status | Description | Schema |
|---|---|---|
| 200 | Successful Response | PublicFixProgressResponse |
| 422 | Validation Error | HTTPValidationError |
POST
/api/v1/repositories/{repository_id}/fixes/{fix_id}/refineRefine Fix
Refine a completed autofix run with follow-up instructions.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| repository_id | string | Yes | path parameter. |
| fix_id | string | Yes | path parameter. |
Request body
| Name | Type | Required | Description |
|---|---|---|---|
| instructions | string | Yes | Follow-up instructions for refining the generated fix |
Responses
| Status | Description | Schema |
|---|---|---|
| 200 | Successful Response | PublicFixResponse |
| 422 | Validation Error | HTTPValidationError |
POST
/api/v1/repositories/{repository_id}/fixes/{fix_id}/cancelCancel Fix
Cancel a pending or running autofix run.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| repository_id | string | Yes | path parameter. |
| fix_id | string | Yes | path parameter. |
Responses
| Status | Description | Schema |
|---|---|---|
| 200 | Successful Response | PublicFixResponse |
| 422 | Validation Error | HTTPValidationError |
POST
/api/v1/repositories/{repository_id}/fixes/{fix_id}/pull-requestsCreate Pull Requests
Open pull requests for a completed fix.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| repository_id | string | Yes | path parameter. |
| fix_id | string | Yes | path parameter. |
Request body
| Name | Type | Required | Description |
|---|---|---|---|
| title | string | null | No | PR title; auto-generated if omitted |
| body | string | null | No | PR body in markdown; auto-generated if omitted |
| branch_name | string | null | No | Custom branch name; auto-generated if omitted |
Responses
| Status | Description | Schema |
|---|---|---|
| 201 | Successful Response | PublicPullRequestsCreatedResponse |
| 422 | Validation Error | HTTPValidationError |
Quotas
Check current organization quota balances exposed by the public API.
GET
/api/v1/quotas/balanceGet Quota Balance
Return the current-period quota balance for the calling organization.
Check this before triggering a scan or fix — if a counter's remaining is zero, the POST will 403 OPERATION_FAILED with the offending quota_type in the detail.
Responses
| Status | Description | Schema |
|---|---|---|
| 200 | Successful Response | PublicQuotaBalanceResponse |