REST API
Everything in the UI is also a tenant-scoped REST API. Submit SBOMs and read findings, change history, and license data from any pipeline.
Authentication
Every /v1 endpoint requires an API token minted in Tokens & settings. Send it as a bearer token:
curl -sS "https://devradar.thingz.io/v1/images" \ -H "Authorization: Bearer dr_xxxxxxxxxxxxxxxxxxxxxxxx"
New to DevRadar? Start with the submission guide — it walks through generating and posting an SBOM.
Conventions
- Base URL —
https://devradar.thingz.io - Responses — JSON objects. Errors are
{"error":"…"}with a 4xx/5xx status. - Pagination — list endpoints return at most
?limitrows (default 100, max 1000) and anext_cursorwhen more exist; pass it back as?cursor=. Cursors are opaque and keyset-based (stable under concurrent writes). - Severity filter — read endpoints accept
?min_severity=(critical|high|medium|low|negligible; default is your account setting).unknownis always included. Each endpoint resolves it independently.
SBOMs
POST/v1/sboms — submit an SBOM
Body fields (JSON): sbom (required, base64 bytes), image_ref, version (image tag), labels (grouping), generated_at. Idempotent per digest; returns 202 with existing:true if already stored. See the guide for a full example.
GET/v1/sboms/{id} — SBOM metadata
Metadata + severity breakdown. Params: min_severity.
DELETE/v1/sboms/{id} — archive
Stops tracking (drops from scans + image list; history kept). Idempotent, returns 204.
Images
GET/v1/images — list tracked images
Grouped by repository, risk-ranked. Params: min_severity, q (name filter), label, sort, dir, cursor, limit.
curl -sS "https://devradar.thingz.io/v1/images?min_severity=high&label=prod" \ -H "Authorization: Bearer $DR_TOKEN"
GET/v1/images/sboms — SBOMs for one image
Params: repo (required), sort, dir, cursor, limit.
GET/v1/images/timeline — change history across all digests
The change log for one image over time. Params: repo (or legacy ref), min_severity, sort, dir, cursor, limit.
Findings & changes
GET/v1/sboms/{id}/findings — current findings
Params: min_severity, fixable=true, suppressed=true, sort, dir, cursor, limit. Each finding carries EPSS/KEV risk overlays when available.
GET/v1/sboms/{id}/events — change log
Added / resolved / re-rated / fixed events, newest first, each labeled with its cause (image | db | tooling). Params: min_severity, cursor, limit.
GET/v1/sboms/{id}/failures — scan issues
Recent scan failures (a scanner errored or returned nothing) for one SBOM. Params: limit.
Licenses
GET/v1/sboms/{id}/licenses — package licenses
Per-package licenses, obligation category, and compliance-policy verdict (violations first).
GET/v1/licenses — fleet license rollup
Distribution by license family and category, plus unlicensed and violation counts.
VEX
POST/v1/vex — submit an OpenVEX document
Raw OpenVEX JSON body. Matched not_affected/fixed statements suppress those findings (read-time overlay, digest-scoped). Response reports matched/unmatched/skipped counts.
GET/v1/vex — list VEX documents
The tenant's submitted VEX documents (metadata only).
Machine-readable spec
The full contract — every parameter, schema, and response — is published as an OpenAPI 3.1 document. Use it with Postman, code generators, or the CLI.
curl -sS https://devradar.thingz.io/openapi.yaml -o devradar-openapi.yaml