REST API

Everything in the UI is also a tenant-scoped REST API. Submit SBOMs and read findings, change history, and license data from any pipeline.

Download OpenAPI spec

Authentication

Every /v1 endpoint requires an API token minted in Tokens & settings. Send it as a bearer token:

curl -sS "https://devradar.thingz.io/v1/images" \
  -H "Authorization: Bearer dr_xxxxxxxxxxxxxxxxxxxxxxxx"

New to DevRadar? Start with the submission guide — it walks through generating and posting an SBOM.

Conventions

SBOMs

POST/v1/sboms — submit an SBOM

Body fields (JSON): sbom (required, base64 bytes), image_ref, version (image tag), labels (grouping), generated_at. Idempotent per digest; returns 202 with existing:true if already stored. See the guide for a full example.

GET/v1/sboms/{id} — SBOM metadata

Metadata + severity breakdown. Params: min_severity.

DELETE/v1/sboms/{id} — archive

Stops tracking (drops from scans + image list; history kept). Idempotent, returns 204.

Images

GET/v1/images — list tracked images

Grouped by repository, risk-ranked. Params: min_severity, q (name filter), label, sort, dir, cursor, limit.

curl -sS "https://devradar.thingz.io/v1/images?min_severity=high&label=prod" \
  -H "Authorization: Bearer $DR_TOKEN"

GET/v1/images/sboms — SBOMs for one image

Params: repo (required), sort, dir, cursor, limit.

GET/v1/images/timeline — change history across all digests

The change log for one image over time. Params: repo (or legacy ref), min_severity, sort, dir, cursor, limit.

Findings & changes

GET/v1/sboms/{id}/findings — current findings

Params: min_severity, fixable=true, suppressed=true, sort, dir, cursor, limit. Each finding carries EPSS/KEV risk overlays when available.

GET/v1/sboms/{id}/events — change log

Added / resolved / re-rated / fixed events, newest first, each labeled with its cause (image | db | tooling). Params: min_severity, cursor, limit.

GET/v1/sboms/{id}/failures — scan issues

Recent scan failures (a scanner errored or returned nothing) for one SBOM. Params: limit.

Licenses

GET/v1/sboms/{id}/licenses — package licenses

Per-package licenses, obligation category, and compliance-policy verdict (violations first).

GET/v1/licenses — fleet license rollup

Distribution by license family and category, plus unlicensed and violation counts.

VEX

POST/v1/vex — submit an OpenVEX document

Raw OpenVEX JSON body. Matched not_affected/fixed statements suppress those findings (read-time overlay, digest-scoped). Response reports matched/unmatched/skipped counts.

GET/v1/vex — list VEX documents

The tenant's submitted VEX documents (metadata only).

Machine-readable spec

The full contract — every parameter, schema, and response — is published as an OpenAPI 3.1 document. Use it with Postman, code generators, or the CLI.

curl -sS https://devradar.thingz.io/openapi.yaml -o devradar-openapi.yaml

Download OpenAPI spec →