
Document retrieving vulnerability scan results via the Vendor API#4224

Open
osc135 wants to merge 2 commits into main from oa/document-scan-results-api

Conversation

osc135 (Member) commented Jul 2, 2026

What

Adds a Retrieve scan results with the Vendor API how-to section to the bottom of the Security Center topic (docs/vendor/security-center-about.mdx). It documents how to retrieve Grype vulnerability scan results and SBOMs programmatically through the Replicated Vendor API, so vendors can gate CI/CD promotions on vulnerabilities.

The section covers:

  • Prerequisites (API token + RBAC, app/channel IDs) and the required Authorization header format.
  • Promoting a release and getting the channelSequence.
  • The three SecureBuild endpoints: scan-raw (full Grype output), scan (summarized counts incl. fixed_counts), and sbom (SPDX 2.3).
  • Evaluating results with null-safe jq filters and saving a CVE report.
  • An example GitHub Actions workflow that waits for scans, fails on fixable Critical/High CVEs, and promotes on pass.

Validation

The flow was validated end-to-end against the production Vendor API. Key corrections baked into the doc versus the original draft:

  • Auth uses the raw token in the Authorization header (no Bearer prefix) — a Bearer prefix returns 401.
  • scan_status terminal value is succeeded (not complete); non-terminal states leave result null.
  • channelSequence comes from the API promote response (the CLI promote does not print it).
  • jq filters are null-safe (.result?.matches[]?) so a pending scan doesn't error and silently skip the gate.
  • Documents the actual /scan (fixed_counts) and /sbom ({sboms:{"image:tag":{sbom:"<SPDX string>"}}}) response shapes.

Placed at the bottom of the existing Security Center page for now; it can be split into its own topic as the feature matures.

sc-134722

Add a how-to section to the Security Center topic covering how to
retrieve Grype scan results and SBOMs programmatically through the
Replicated Vendor API, for use in CI/CD pipelines that gate promotion
on vulnerabilities.

Covers the scan-raw, scan, and sbom SecureBuild endpoints, evaluating
results with jq, and an example GitHub Actions gating workflow. All
examples use the raw token in the Authorization header (no Bearer
prefix), which is what the Vendor API expects.

sc-134722
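As an added example (not code from this PR, the Replicated docs, or the Vendor API itself), the gating logic the description lists, written in Python rather than the doc's jq and GitHub Actions: the raw token in the Authorization header, any scan that has not reached scan_status succeeded treated as pending rather than as a pass, and only fixable Critical/High matches from the Grype output counted against the release. The {scan_status, result} envelope and the terminal value succeeded follow the description above; the base URL and endpoint path in fetch_scan_raw, the non-terminal status string "running", and the sample matches are assumptions and constructed data, marked as such in the code.

```python
"""Promotion gate on SecureBuild scan-raw results (added example, not Replicated code).

Assumptions, marked inline: the base URL and endpoint path, the non-terminal
status string "running", and the sample Grype matches are constructed; the
{"scan_status": ..., "result": <Grype JSON or null>} envelope and the terminal
value "succeeded" come from the PR description.
"""
import json
import time
import urllib.request

VENDOR_API = "https://api.replicated.com/vendor/v3"   # ASSUMPTION: base URL
TERMINAL_STATUS = "succeeded"                         # per the PR: the only terminal value
FAIL_SEVERITIES = {"Critical", "High"}                # Grype severity strings


def auth_headers(token):
    """Vendor API wants the raw token in Authorization; 'Bearer <token>' gets a 401."""
    if token.lower().startswith("bearer "):
        raise ValueError("pass the raw token, without a Bearer prefix")
    return {"Authorization": token, "Accept": "application/json"}


def scan_state(resp):
    """'ready' only when scan_status is terminal AND result is present; else 'pending'."""
    if resp.get("scan_status") == TERMINAL_STATUS and resp.get("result") is not None:
        return "ready"
    return "pending"


def fixable_findings(resp, severities=FAIL_SEVERITIES):
    """Python equivalent of the null-safe jq path .result?.matches[]?.

    A null result or missing matches yields [] instead of raising, which is
    exactly why callers must check scan_state() first: on its own, an empty
    list from a pending scan would look like a clean scan.
    """
    matches = (resp.get("result") or {}).get("matches") or []
    findings = []
    for match in matches:
        vuln = match.get("vulnerability") or {}
        fix = vuln.get("fix") or {}
        if vuln.get("severity") in severities and fix.get("state") == "fixed":
            artifact = match.get("artifact") or {}
            findings.append({
                "id": vuln.get("id"),
                "severity": vuln.get("severity"),
                "package": artifact.get("name"),
                "version": artifact.get("version"),
                "fixed_in": fix.get("versions") or [],
            })
    return findings


def gate(resp):
    """Return ('pending' | 'pass' | 'fail', findings). Pending is never a pass."""
    if scan_state(resp) != "ready":
        return "pending", []
    findings = fixable_findings(resp)
    return ("fail" if findings else "pass"), findings


def fetch_scan_raw(token, app_id, channel_id, channel_sequence):
    """Fetch the full Grype output for one promoted release.

    ASSUMPTION: the path below is illustrative; take the real one from the
    Vendor API reference. Only the header handling is stated by the PR.
    """
    url = (f"{VENDOR_API}/app/{app_id}/channel/{channel_id}"
           f"/release/{channel_sequence}/scan-raw")
    req = urllib.request.Request(url, headers=auth_headers(token))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def wait_and_gate(fetch, attempts=20, delay=30):
    """Poll until the scan is terminal, then decide; time out rather than pass."""
    for _ in range(attempts):
        decision, findings = gate(fetch())
        if decision != "pending":
            return decision, findings
        time.sleep(delay)
    raise TimeoutError("scan did not reach scan_status=succeeded in time")


# Constructed sample responses (not real scan output; IDs are placeholders).
SAMPLE_PENDING = {"scan_status": "running", "result": None}   # ASSUMPTION: status name
SAMPLE_READY = {
    "scan_status": "succeeded",
    "result": {"matches": [
        {"vulnerability": {"id": "EXAMPLE-0001", "severity": "Critical",
                           "fix": {"state": "fixed", "versions": ["1.2.4"]}},
         "artifact": {"name": "libexample", "version": "1.2.3"}},
        {"vulnerability": {"id": "EXAMPLE-0002", "severity": "High",
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "othertool", "version": "0.9.0"}},
        {"vulnerability": {"id": "EXAMPLE-0003", "severity": "Medium",
                           "fix": {"state": "fixed", "versions": ["2.0.0"]}},
         "artifact": {"name": "thirdlib", "version": "1.0.0"}},
    ]},
}

if __name__ == "__main__":
    # Offline demo: the pending sample stays 'pending'; the ready one fails on EXAMPLE-0001.
    for sample in (SAMPLE_PENDING, SAMPLE_READY):
        decision, findings = gate(sample)
        print(decision, json.dumps(findings))
```

In a CI job, wrap fetch_scan_raw in a lambda with the app, channel, and channelSequence from the promote response, pass it to wait_and_gate, and exit non-zero on "fail". The separation between scan_state and fixable_findings is the point: the null-safe traversal alone would return an empty list for a scan that is still running, so the decision function refuses to emit "pass" until the status is terminal, and the poller raises on timeout instead of falling through.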
@osc135 osc135 requested a review from a team as a code owner July 2, 2026 18:16
netlify Bot commented Jul 2, 2026


Deploy Preview for replicated-docs ready!

Latest commit: 45d90f7
Latest deploy log: https://app.netlify.com/projects/replicated-docs/deploys/6a46acd132b7400008167a38
Deploy Preview: https://deploy-preview-4224--replicated-docs.netlify.app

netlify Bot commented Jul 2, 2026


Deploy Preview for replicated-docs-upgrade ready!

Latest commit: 45d90f7
Latest deploy log: https://app.netlify.com/projects/replicated-docs-upgrade/deploys/6a46acd1704ef20008259bfc
Deploy Preview: https://deploy-preview-4224--replicated-docs-upgrade.netlify.app

replicated-ci added labels type::docs (Improvements or additions to documentation) and type::feature, Jul 2, 2026
Split long sentences to stay under 26 words, replace passive
'are addressed', avoid the flagged word 'severities', spell out SPDX
on first use, and rename the workflow heading to sentence case.

sc-134722