
Vulnerabilities

Vulnerabilities are findings produced by the scanner pipeline. Each vulnerability links a CVE to a specific scan, package, and image tag. Triage state (status, assignee, attestation linkage, SLA deadline) is stored alongside the finding.

Base path: /api/vulnerabilities

Method       Path                                       Min role
GET          /api/vulnerabilities                       viewer (any)
GET          /api/vulnerabilities/distinct?field=...    viewer (any)
PUT | POST   /api/vulnerabilities/{vulnId}/triage       developer

The {vulnId} path parameter accepts either an internal vulnerability ID or a CVE ID. If a value matches both, the internal (primary-key) match takes precedence. POST is an alias for PUT, provided as a convenience for clients that cannot send PUT requests.

GET /vulnerabilities
Example: /vulnerabilities?severity=CRITICAL%2CHIGH&sort=cvss%3Adesc

Authorization

X-API-Key: <token>
Organization API key (hg_ak_*). Created from Settings → API Keys.
In: header

Authorization: Bearer <token> (Required)
Authorization: Bearer hg_ak_... for organization API keys, or Authorization: Bearer hg_pat_... for Personal Access Tokens that impersonate a specific user.
In: header

next-auth.session-token: <token>
NextAuth session cookie. Web only — set automatically at sign-in. Not usable for server-to-server.
In: cookie

Query Parameters

page (integer)
Page number (1-indexed). Default: 1. Minimum: 1.

limit (integer)
Page size (1–200). Default: 50. Minimum: 1. Maximum: 200.

severity (string)
Comma-separated severities (OR).

status (string)
Value in: "OPEN" | "ACKNOWLEDGED" | "IN_PROGRESS" | "FIXED" | "WONT_FIX"

scanner (string)
Value in: "trivy" | "grype" | "syft" | "dive" | "dockle" | "osv"

image (string)

package (string)

cveId (string)

search (string)

sort (string)
Sortable: severity, cveId, detectedAt, cvss, triageStatus. Format as in the example above: field, a colon, then asc or desc (cvss:desc).

curl -X GET "https://harborguard.co/api/vulnerabilities?page=1&limit=50&severity=CRITICAL%2CHIGH&status=OPEN&scanner=trivy&image=string&package=string&cveId=string&search=string&sort=cvss%3Adesc" \
  -H "X-API-Key: <token>"

Response: OK

{
  "data": [
    {
      "id": "string",
      "scanId": "string",
      "cveId": "CVE-2024-12345",
      "severity": "CRITICAL",
      "cvss": 0,
      "package": "string",
      "version": "string",
      "fixedVersion": "string",
      "scanner": "trivy",
      "triage": {
        "status": "OPEN",
        "assignee": "string",
        "slaDeadline": "2019-08-24T14:15:22Z",
        "note": "string",
        "updatedBy": "string",
        "updatedAt": "2019-08-24T14:15:22Z"
      },
      "timeline": {
        "detectedAt": "2019-08-24T14:15:22Z",
        "firstSeenAt": "2019-08-24T14:15:22Z",
        "resolvedAt": "2019-08-24T14:15:22Z"
      }
    }
  ],
  "meta": {
    "page": 1,
    "pageSize": 50,
    "total": 312,
    "totalPages": 7,
    "hasNext": true,
    "hasPrev": true
  },
  "links": {
    "self": "/api/vulnerabilities?page=1&limit=50",
    "next": "string",
    "prev": "string"
  }
}

GET /vulnerabilities/distinct


Query Parameters

field (string, Required)
Value in: "cveId" | "package" | "image" | "registry"

q (string)

curl -X GET "https://harborguard.co/api/vulnerabilities/distinct?field=cveId&q=string" \
  -H "X-API-Key: <token>"

Response: OK

PUT /vulnerabilities/{vulnId}/triage


Request Body (application/json, Required)

status (string, Required)
Value in: "OPEN" | "ACKNOWLEDGED" | "IN_PROGRESS" | "FIXED" | "WONT_FIX"

assignee (string)
User ID, or null to unassign.

note (string)

Path Parameters

vulnId (string, Required)
Internal vulnerability ID or a CVE ID. Primary-key (internal ID) matches take precedence.

curl -X PUT "https://harborguard.co/api/vulnerabilities/string/triage" \
  -H "X-API-Key: <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "status": "WONT_FIX",
    "assignee": "user-7",
    "note": "Suppressed via attestation ATT-2026-04 (compensating control)"
  }'

Response: OK

POST /vulnerabilities/{vulnId}/triage
Alias for PUT /vulnerabilities/{vulnId}/triage, for clients that cannot send PUT requests.


Request body and path parameters: identical to PUT /vulnerabilities/{vulnId}/triage above.

curl -X POST "https://harborguard.co/api/vulnerabilities/string/triage" \
  -H "X-API-Key: <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "status": "OPEN",
    "assignee": "string",
    "note": "string"
  }'

Response: OK
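The following Python helpers are an added example of driving the list and triage endpoints described on this page; they are not HarborGuard's own client or SDK. They assume only what the page states: the host and base path from the curl examples, the documented query parameters and their enum values, the meta.hasNext pagination flag, and the PUT .../triage body. The opener parameter is an assumption of this example (a seam that lets a test substitute a fake for urllib.request.urlopen); the parse_timestamp and overdue helpers are likewise this example's own additions, built on the slaDeadline and triage.status fields shown in the sample response.

```python
"""Client helpers for the Vulnerabilities endpoints on this page (added
example, not HarborGuard's own SDK). Assumes only what the page states: the
host and base path, the query parameters and enums, meta.hasNext, and the
PUT .../triage body. The HTTP call is injectable so it runs offline."""
from datetime import datetime
import json
import urllib.parse
import urllib.request

BASE_URL = "https://harborguard.co"  # host used in the page's curl examples
STATUSES = {"OPEN", "ACKNOWLEDGED", "IN_PROGRESS", "FIXED", "WONT_FIX"}
SCANNERS = {"trivy", "grype", "syft", "dive", "dockle", "osv"}
SORT_FIELDS = {"severity", "cveId", "detectedAt", "cvss", "triageStatus"}
_UNSET = object()  # "assignee not given" versus an explicit "assignee": null

def build_list_url(page=1, limit=50, severity=None, status=None, scanner=None,
                   sort=None, **filters):
    """Validate filters against the documented enums and encode the query.
    'severity' is a list joined with ',' (the API ORs the values); urlencode
    percent-encodes ',' and ':' exactly as the page's curl example does."""
    if page < 1:
        raise ValueError("page is 1-indexed")
    if not 1 <= limit <= 200:
        raise ValueError("limit must be between 1 and 200")
    if status is not None and status not in STATUSES:
        raise ValueError(f"unknown status {status!r}")
    if scanner is not None and scanner not in SCANNERS:
        raise ValueError(f"unknown scanner {scanner!r}")
    if sort is not None:
        field, _, direction = sort.partition(":")
        if field not in SORT_FIELDS or direction not in ("asc", "desc"):
            raise ValueError(f"sort must be <field>:asc|desc, got {sort!r}")
    params = {"page": page, "limit": limit}
    if severity:
        params["severity"] = ",".join(severity)
    for key, value in (("status", status), ("scanner", scanner), ("sort", sort)):
        if value is not None:
            params[key] = value
    for key in ("image", "package", "cveId", "search"):  # free-text filters
        if filters.get(key):
            params[key] = filters[key]
    return f"{BASE_URL}/api/vulnerabilities?{urllib.parse.urlencode(params)}"

def build_triage_body(status, assignee=_UNSET, note=None):
    """Body for PUT .../triage. 'assignee': null unassigns, so the key is sent
    only when the caller chose a value (None included)."""
    if status not in STATUSES:
        raise ValueError(f"unknown status {status!r}")
    body = {"status": status}
    if assignee is not _UNSET:
        body["assignee"] = assignee
    if note is not None:
        body["note"] = note
    return body

def http_json(method, url, api_key, body=None, opener=None):
    """One request authenticated with X-API-Key; returns the decoded JSON.
    'opener' (this example's assumption) defaults to urllib's urlopen."""
    headers = {"X-API-Key": api_key, "Accept": "application/json"}
    data = None if body is None else json.dumps(body).encode()
    if data is not None:
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with (opener or urllib.request.urlopen)(req) as resp:
        return json.load(resp)

def iter_vulnerabilities(api_key, opener=None, **query):
    """Yield every finding, following meta.hasNext rather than totalPages."""
    page = query.pop("page", 1)
    while True:
        url = build_list_url(page=page, **query)
        payload = http_json("GET", url, api_key, opener=opener)
        yield from payload["data"]
        if not payload["meta"].get("hasNext"):
            return
        page += 1

def triage(api_key, vuln_id, status, assignee=_UNSET, note=None, opener=None):
    """PUT a triage decision; vuln_id is an internal ID or a CVE ID."""
    url = f"{BASE_URL}/api/vulnerabilities/{urllib.parse.quote(vuln_id, safe='')}/triage"
    body = build_triage_body(status, assignee, note)
    return http_json("PUT", url, api_key, body=body, opener=opener)

def parse_timestamp(iso):
    """Parse the API's 'Z'-suffixed ISO-8601 timestamps (works before 3.11)."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def overdue(findings, now):
    """Findings still open whose triage.slaDeadline has already passed."""
    late = []
    for finding in findings:
        tri = finding.get("triage") or {}
        if tri.get("status") in ("FIXED", "WONT_FIX") or not tri.get("slaDeadline"):
            continue
        if parse_timestamp(tri["slaDeadline"]) < now:
            late.append(finding)
    return late
```

Two design points are worth noting. Because the page says a null assignee unassigns, build_triage_body distinguishes "assignee not supplied" (key omitted, existing assignment untouched) from an explicit None (key sent as null) with a sentinel, so a status-only update cannot silently clear an assignment. And iter_vulnerabilities advances on meta.hasNext rather than precomputing from totalPages, so a listing that grows or shrinks while a scan is running is walked to its actual end.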