Description: Retrieve the scan results data associated with a specific commit in a branch of a repository.
Note: This API endpoint allows you to obtain detailed scan results for a particular commit identified by commit_hash, within a specified branch (branch_name) of a given repository (repo_id). The scan results provide insights into any vulnerabilities or issues detected in the code at the time of the commit. If the same commit hash was scanned multiple times—for example, by different jobs building different parts of the code or by rerunning the scan—the API will return findings from all those scans. It does not identify or eliminate duplicate issues across scans.
Since: Xray version 3.122
Security: A user with READ permissions is required.
Usage: GET /xray/api/v1/git/git-public/repositories/{repo_id}/commits/{commit_hash}/scan-results
Produces: application/json
Path Parameters
| Name | Type | Required/Optional | Description |
|---|---|---|---|
| repo_id | string | Required | The unique identifier of the repository |
| commit_hash | string | Required | The hash of the commit for which you want to retrieve the scan results |
Query Parameters
| Name | Type | Required/Optional | Description |
|---|---|---|---|
| branch_name | string | Required | The name of the branch that contains the commit |
Response Codes
| Name | Description |
|---|---|
| 200 | OK |
| 400 | Bad request: invalid parameters |
| 401 | Unauthorized |
| 403 | Forbidden |
| 500 | Internal error |
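To show how the request is formed and how the status codes in the table above map onto client behaviour, here is an added Python client function; it is example code, not JFrog's own client or CLI. The path template and the branch_name query parameter come from the Usage line; the base URL, the access token and the Bearer authorization scheme are assumptions of the example. Path and query values are percent-encoded so that a branch name containing "/" or spaces cannot change the request path.

```python
"""Build and issue the commit scan-results request (added example, not JFrog code)."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Path template from the endpoint's Usage line.
SCAN_RESULTS_PATH = (
    "/xray/api/v1/git/git-public/repositories/{repo_id}/commits/{commit_hash}/scan-results"
)

# Reason phrases from the Response Codes table, keyed by HTTP status.
STATUS_MEANING = {
    200: "OK",
    400: "Bad request: invalid parameters",
    401: "Unauthorized",
    403: "Forbidden",
    500: "Internal error",
}


class XrayApiError(Exception):
    """Raised for any non-2xx response; carries the status and the raw body."""

    def __init__(self, status, body):
        self.status = status
        self.body = body
        super().__init__(f"HTTP {status}: {STATUS_MEANING.get(status, 'Unexpected status')}")


def build_scan_results_url(base_url, repo_id, commit_hash, branch_name):
    """Return the full request URL with every caller-supplied value percent-encoded."""
    path = SCAN_RESULTS_PATH.format(
        repo_id=urllib.parse.quote(str(repo_id), safe=""),
        commit_hash=urllib.parse.quote(commit_hash, safe=""),
    )
    query = urllib.parse.urlencode({"branch_name": branch_name})
    return f"{base_url.rstrip('/')}{path}?{query}"


def fetch_scan_results(base_url, token, repo_id, commit_hash, branch_name,
                       opener=urllib.request.urlopen):
    """GET the scan results and decode the JSON body.

    `opener` is injectable so the function can be exercised without a network;
    the default performs the real request. Bearer authentication is an
    assumption of this example. Non-2xx statuses become XrayApiError.
    """
    url = build_scan_results_url(base_url, repo_id, commit_hash, branch_name)
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/json",  # the endpoint produces application/json
    })
    try:
        with opener(req) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        raise XrayApiError(exc.code, exc.read().decode("utf-8", "replace")) from exc
```

A caller that receives XrayApiError with status 401 or 403 should treat it as a credential or permission problem (the endpoint requires READ permission) rather than retrying; 400 indicates the repository, commit or branch parameters were rejected.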
Response Body
| Name | Type | Description |
|---|---|---|
| repository_id | integer | The unique identifier of the repository |
| repository_url | string | The URL of the repository |
| repository_name | string | The name of the repository |
| branch_name | string | The name of the branch for which commits are being retrieved |
| commit_hash | string | The hash of the commit for which scan results are provided |
| scan_results | Object | The detailed scan results associated with the commit |
scan_results
| Name | Type | Description |
|---|---|---|
| cves | array[CveObj] | An array of CVEs related to the commit |
| sbom | array[SbomObj] | An array of components related to the commit |
| operational_risks | array[OpRiskObj] | An array of operational risks identified during the scan |
| secrets | array[SecretObj] | An array of secrets detected in the code |
| iac | array[IacObj] | An array of Infrastructure as Code issues identified |
| sast | array[SastObj] | An array of Static Application Security Testing results |
CveObj (element of cves)
| Name | Type | Description |
|---|---|---|
| id | string | A unique identifier for the CVE wrapper (e.g., "XRAY-XXXX") |
| severity | string | The severity level of the vulnerability (e.g., "Critical", "High", "Medium", "Low") |
| severity_source | string | The source of the severity rating (e.g., "CVSS V3 from NVD") |
| jfrog_severity | string | JFrog Research severity level (e.g., "Critical", "High", "Medium", "Low") |
| summary | string | A brief description of the vulnerability |
| cve | CveObj | A reference to the CVE object detailing the vulnerability information |
| components | array[ComponentObj] | A list of components affected by the CVE |
| contextual_analysis | ContextualAnalysisObj | A reference to the contextual analysis object providing additional insights |
| jfrog_research_information | JfrogResearchInformationObj | A reference to the JFrog research information object containing detailed analysis |
CveObj (value of the cve field)
| Name | Type | Description |
|---|---|---|
| id | string | The unique identifier for the CVE (e.g., "CVE-2022-2911") |
| cvss_v2 | string | The CVSS v2 score (e.g., "7.5") |
| cvss_v3 | string | The CVSS v3 score (e.g., "9.8") |
| cwes | array[CweObj] | A list of CWE objects associated with this CVE |
ComponentObj
| Name | Type | Description |
|---|---|---|
| id | string | The identifier for the component (e.g., "pypi://werkzeug:1.0.1") |
| type | string | The type of the component |
| name | string | The name of the component |
| version | string | The version of the component |
| fixed_versions | array[string] | A list of fixed versions that resolve the vulnerability (e.g., ["1.0.2"]) |
ContextualAnalysisObj
| Name | Type | Description |
|---|---|---|
| applicability_result | string | The applicability result |
| cve | string | The associated CVE identifier (e.g., "CVE-2022-2911") |
| scanner_description | string | Description of the scanner's findings |
| applicability_evidence | ApplicabilityEvidenceObj | Reference to the applicability evidence object |
JfrogResearchInformationObj
| Name | Type | Description |
|---|---|---|
| severity | string | Severity level from JFrog's research |
| summary | string | Summary of the research findings |
| details | string | Detailed explanation of the vulnerability research |
| severity_reasons | array[SeverityReasonObj] | List of reasons for the assigned severity |
| remediation | string | Suggestions for mitigation and remediation of the vulnerability |
CweObj
| Name | Type | Description |
|---|---|---|
| id | string | The unique identifier for the CWE (e.g., "CWE-22") |
| name | string | The name of the CWE |
| description | string | A brief description of the CWE |
ApplicabilityEvidenceObj
| Name | Type | Description |
|---|---|---|
| file | string | The path to the file where the applicability evidence was found |
| start_line | integer | The line number where the evidence starts |
| start_column | integer | The column number where the evidence starts |
| end_line | integer | The line number where the evidence ends |
| end_column | integer | The column number where the evidence ends |
SeverityReasonObj
| Name | Type | Description |
|---|---|---|
| name | string | The name or title of the severity reason |
| description | string | A detailed description explaining the severity reason |
| is_positive | boolean | A flag indicating whether the severity reason is considered positive or negative |
SbomObj
| Name | Type | Description |
|---|---|---|
| component_id | string | The identifier for the component |
| component_name | string | The name of the component |
| component_version | string | The version of the component |
| package_type | string | The type of package for the component |
| licenses | array[LicenseObj] | An array of license objects related to the component |
LicenseObj
| Name | Type | Description |
|---|---|---|
| key | string | The name of the license |
| link | string | A URL link to the license details |
OpRiskObj
| Name | Type | Description |
|---|---|---|
| component_id | string | The identifier for the component |
| component_name | string | The name of the component |
| component_version | string | The version of the component |
| risk | string | The level of risk associated with the component (e.g., High, Medium, Low) |
| risk_reason | string | The reason for the risk assessment (e.g., End of Life, known vulnerabilities) |
| is_eol | boolean | Indicates if the component is end-of-life (EOL) |
| released | string | The release date of the component in ISO 8601 format |
| latest_version | string | The latest available version of the component |
| | integer | The number of newer versions available for the component |
| cadence | integer | The update frequency of the component |
| commits | integer | The number of commits associated with the component |
| committers | integer | The number of individuals who contributed to the component |
SecretObj
| Name | Type | Description |
|---|---|---|
| jfrog_severity | string | The severity level assigned to the secret (e.g., "High", "Medium", "Low") |
| id | string | The unique identifier for the secret |
| description | string | A description of the secret detected in the code |
| abbreviation | string | A unique identifier for the rule that found the secret |
| cwe | CweObj | A reference to the Common Weakness Enumeration associated with the secret |
| outcomes | array[string] | An array of outcomes related to the secret detection |
| fix_cost | string | The estimated cost to fix the secret issue (e.g., Low, Medium, High) |
| file | string | The path to the file where the secret was found |
| start_line | integer | The line number where the secret starts |
| start_column | integer | The column number where the secret starts |
| end_line | integer | The line number where the secret ends |
| end_column | integer | The column number where the secret ends |
IacObj
| Name | Type | Description |
|---|---|---|
| jfrog_severity | string | The severity level assigned to the IaC issue (e.g., High, Medium, Low) |
| id | string | The unique identifier for the IaC issue |
| description | string | A detailed description of the IaC issue that was found |
| abbreviation | string | A unique identifier for the rule that found the IaC issue |
| file | string | The path to the file where the IaC issue was found |
| start_line | integer | The line number where the IaC issue starts |
| start_column | integer | The column number where the IaC issue starts |
| end_line | integer | The line number where the IaC issue ends |
| end_column | integer | The column number where the IaC issue ends |
SastObj
| Name | Type | Description |
|---|---|---|
| jfrog_severity | string | The severity level assigned to the SAST finding (e.g., High, Medium, Low) |
| id | string | The unique identifier for the SAST finding |
| description | string | A detailed description of the SAST finding, providing context and information |
| abbreviation | string | A unique identifier for the rule that found the SAST finding |
| fingerprint | string | A unique fingerprint for the finding, used for tracking |
| file | string | The path to the file where the SAST finding was found |
| start_line | integer | The line number where the SAST finding starts |
| start_column | integer | The column number where the SAST finding starts |
| end_line | integer | The line number where the SAST finding ends |
| end_column | integer | The column number where the SAST finding ends |
Successful Response Example
```json
{
  "repository_id": 12,
  "repository_url": "https://git.jfrog.info/projects/XSC/repos/xsc-service",
  "repository_name": "xsc-service",
  "branch_name": "main",
  "commit_hash": "8ba779e5",
  "scan_results": {
    "cves": [
      {
        "id": "XRAY-XXXX",
        "severity": "High",
        "severity_source": "CVSS V3 from NVD",
        "jfrog_severity": "High",
        "summary": "Improper parsing of HTTP ...",
        "cve": {
          "id": "CVE-2022-2911",
          "cvss_v2": "7.5",
          "cvss_v3": "9.8",
          "cwes": [
            {
              "id": "CWE-22",
              "name": "Improper Limitation of a Pathname to...",
              "description": "The product uses external..."
            }
          ]
        },
        "components": [
          {
            "id": "pypi://werkzeug:1.0.1",
            "type": "python",
            "name": "werkzeug",
            "version": "1.0.1",
            "fixed_versions": [
              "1.0.2"
            ]
          }
        ],
        "contextual_analysis": {
          "applicability_result": "Applicable",
          "cve": "CVE-2022-2911",
          "scanner_description": "The scanner checks for any of the following vulnerable conditions...",
          "applicability_evidence": {
            "file": "/path/to/file",
            "start_line": 60,
            "start_column": 33,
            "end_line": 60,
            "end_column": 37
          }
        },
        "jfrog_research_information": {
          "severity": "High",
          "summary": "Persistent session cookies in Flask can lead to data leakage or...",
          "details": "[Flask](https://flask.palletsprojects.com/) is a lightweight web framework for...",
          "severity_reasons": [
            {
              "name": "The impact of exploiting the issue...",
              "description": "This issue may lead to data...",
              "is_positive": true
            }
          ],
          "remediation": "##### Development mitigations\n\nAdd a `Cache-Control` in...```"
        }
      }
    ],
    "sbom": [
      {
        "component_id": "gav://com.beust:jcommander:1.82",
        "component_name": "com.beust:jcommander",
        "component_version": "4.3.0",
        "package_type": "maven",
        "licenses": [
          {
            "key": "Apache-2.0",
            "link": "https://opensource.org/licenses/Apache-2.0"
          }
        ]
      }
    ],
    "operational_risks": [
      {
        "component_id": "gav://com.beust:jcommander:1.82",
        "component_name": "com.beust:jcommander",
        "component_version": "4.3.0",
        "risk": "High",
        "risk_reason": "Health",
        "is_eol": false,
        "released": "2024-08-10T10:13:48Z",
        "latest_version": "4.3.0",
        "cadence": 0,
        "committers": [
          0
        ],
        "commits": [
          0
        ]
      }
    ],
    "secrets": [
      {
        "jfrog_severity": "High",
        "id": "EXP-1681-00001",
        "description": "Hardcoded secrets were found",
        "abbreviation": "REQ.SECRET.GENERIC.TEXT",
        "cwe": {
          "id": "CWE-22",
          "name": "Improper Limitation of a Pathname to...",
          "description": "The product uses external..."
        },
        "outcomes": [
          "Hardcoded secrets were found"
        ],
        "fix_cost": "medium",
        "file": "/path/to/file",
        "start_line": 60,
        "start_column": 33,
        "end_line": 60,
        "end_column": 37
      }
    ],
    "iac": [
      {
        "jfrog_severity": "High",
        "id": "EXP-1681-00001",
        "file": "/path/to/file",
        "start_line": 60,
        "start_column": 33,
        "end_line": 60,
        "end_column": 37,
        "abbreviation": "AWS Load balancer using insecure communications",
        "description": "Resources `aws_lb_listener` and..."
      }
    ],
    "sast": [
      {
        "jfrog_severity": "High",
        "id": "SAST-123-0001",
        "file": "/path/to/file",
        "start_line": 60,
        "start_column": 33,
        "end_line": 60,
        "end_column": 37,
        "abbreviation": "Deserializing untrusted data without validation",
        "fingerprint": "01ab3cae2936e395ca49391274335b66",
        "description": "\n### Overview\nUnsafe deserialization is a security vulnerability that occurs when a program... 'Data processed'\n```\n"
      }
    ]
  }
}
```
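The Note at the top states that a commit scanned several times is returned with the findings of every scan and that the API does not eliminate duplicates, so a consumer has to do that itself. The following added Python example (not JFrog's code) shows one way to triage a response: it removes repeated findings, counts unique findings per category and severity, and lists the CVEs whose contextual analysis marks them applicable together with the fixed versions that resolve them. SAMPLE_RESPONSE is a constructed, trimmed response modelled on the example above, with a few entries repeated the way a second scan of the same commit would repeat them; the "Not Applicable" value and the XRAY-YYYY / CVE-EXAMPLE-2 entry are constructed placeholders. The identity keys used for de-duplication (fingerprint for SAST, rule and location for secrets and IaC, CVE and components for CVEs, component_id for SBOM and operational risks) are this example's choice, not a rule stated by the API.

```python
"""Client-side triage of a commit scan-results response (added example, not JFrog code)."""
from collections import Counter

# Constructed sample: field names follow the Response Body tables; values are
# trimmed to what the functions below read. Repeated entries imitate a commit
# that was scanned twice.
SAMPLE_RESPONSE = {
    "commit_hash": "8ba779e5",
    "scan_results": {
        "cves": [
            {"id": "XRAY-XXXX", "jfrog_severity": "High", "cve": {"id": "CVE-2022-2911"},
             "components": [{"id": "pypi://werkzeug:1.0.1", "fixed_versions": ["1.0.2"]}],
             "contextual_analysis": {"applicability_result": "Applicable"}},
            {"id": "XRAY-XXXX", "jfrog_severity": "High", "cve": {"id": "CVE-2022-2911"},  # second scan
             "components": [{"id": "pypi://werkzeug:1.0.1", "fixed_versions": ["1.0.2"]}],
             "contextual_analysis": {"applicability_result": "Applicable"}},
            {"id": "XRAY-YYYY", "jfrog_severity": "Medium", "cve": {"id": "CVE-EXAMPLE-2"},  # placeholder
             "components": [{"id": "npm://example-pkg:1.0.0", "fixed_versions": []}],
             "contextual_analysis": {"applicability_result": "Not Applicable"}},  # constructed value
        ],
        "sbom": [
            {"component_id": "gav://com.beust:jcommander:1.82", "component_name": "com.beust:jcommander"},
            {"component_id": "gav://com.beust:jcommander:1.82", "component_name": "com.beust:jcommander"},
        ],
        "operational_risks": [
            {"component_id": "gav://com.beust:jcommander:1.82", "risk": "High", "risk_reason": "Health"},
        ],
        "secrets": [
            {"jfrog_severity": "High", "abbreviation": "REQ.SECRET.GENERIC.TEXT", "file": "/path/to/file",
             "start_line": 60, "start_column": 33, "end_line": 60, "end_column": 37},
            {"jfrog_severity": "High", "abbreviation": "REQ.SECRET.GENERIC.TEXT", "file": "/path/to/file",
             "start_line": 60, "start_column": 33, "end_line": 60, "end_column": 37},
        ],
        "iac": [
            {"jfrog_severity": "High", "abbreviation": "AWS Load balancer using insecure communications",
             "file": "/path/to/file", "start_line": 60, "start_column": 33, "end_line": 60, "end_column": 37},
        ],
        "sast": [
            {"jfrog_severity": "High", "fingerprint": "01ab3cae2936e395ca49391274335b66", "file": "/path/to/file"},
            {"jfrog_severity": "High", "fingerprint": "01ab3cae2936e395ca49391274335b66", "file": "/path/to/file"},
        ],
    },
}


def _location(finding):
    """File and range fields shared by the secret, IaC and SAST objects."""
    return tuple(finding.get(k) for k in ("file", "start_line", "start_column", "end_line", "end_column"))


def finding_key(category, finding):
    """Identity of a finding for de-duplication (this example's choice of keys)."""
    if category == "cves":
        components = tuple(sorted(c.get("id", "") for c in finding.get("components", [])))
        return (finding.get("cve", {}).get("id"), components)
    if category == "sast":
        return (finding.get("fingerprint"),)  # the API's own tracking fingerprint
    if category in ("secrets", "iac"):
        return (finding.get("abbreviation"),) + _location(finding)
    return (finding.get("component_id"),)  # sbom, operational_risks


def dedupe_scan_results(scan_results):
    """Return scan_results with repeated findings removed, first occurrence kept."""
    deduped = {}
    for category, findings in scan_results.items():
        seen, kept = set(), []
        for finding in findings:
            key = finding_key(category, finding)
            if key not in seen:
                seen.add(key)
                kept.append(finding)
        deduped[category] = kept
    return deduped


def severity_counts(scan_results):
    """Counter of unique findings keyed by (category, severity)."""
    counts = Counter()
    for category, findings in dedupe_scan_results(scan_results).items():
        for finding in findings:
            severity = finding.get("jfrog_severity") or finding.get("severity") or finding.get("risk") or "Unknown"
            counts[(category, severity)] += 1
    return counts


def applicable_cves(scan_results):
    """(CVE id, component id, fixed_versions) for CVEs whose contextual analysis is 'Applicable'."""
    result = []
    for finding in dedupe_scan_results(scan_results)["cves"]:
        if finding.get("contextual_analysis", {}).get("applicability_result") != "Applicable":
            continue
        for component in finding.get("components", []):
            result.append((finding["cve"]["id"], component["id"], component.get("fixed_versions", [])))
    return result


if __name__ == "__main__":
    results = SAMPLE_RESPONSE["scan_results"]
    for (category, severity), n in sorted(severity_counts(results).items()):
        print(f"{category:18s} {severity:8s} {n}")
    for cve_id, component, fixes in applicable_cves(results):
        print(f"fix {cve_id} in {component}: upgrade to {fixes or 'no fixed version listed'}")
```

Applicable CVEs with a non-empty fixed_versions list are the items a dependency-upgrade ticket can be opened for directly; CVEs whose contextual analysis is not "Applicable" can be deprioritised but still reviewed, because applicability evidence covers only the conditions the scanner checks.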