Use the API to Return Scan-Related Information

The following article shows how you can use the ShiftLeft APIv4 to view information about your applications, their scan results, and any vulnerabilities, secrets, or insights identified by ShiftLeft. The API is an alternative to seeing such information using the Dashboard.

Viewing Information for a Specific Application Scan

Whenever you run sl analyze, your results in the terminal will include a Scan ID:

Uploading...
132.51 KB / 132.51 KB [=================================] 100.00% 57.27 KB/s 2s
... Done. Submitted for analysis
Wait for 5-10 minutes and load the following URL in your browser:
https://www.shiftleft.io/apps/tarpijs-3sh?organizationId=d64...399
The Scan ID for application SampleApp is: 33

With this information, you can call the API to get additional information for the scan.

You can get details about the application in this scan using the /orgs/{orgID}/apps/{appID}/scans/{scanId} endpoint (in this case, you'd call /orgs/{orgID}/apps/{appID}/scans/33).

The response from the API will be similar to the following:

{
  "ok": true,
  "response": {
    "id": "33",
    "app": "SampleApp",
    "version": "00a7036a3030a769f45aee0343391d89ba2dd5af27e4c50713a7aa65a2ec21b2",
    "successful": true,
    "started_at": "2020-04-22T16:57:40.843159Z",
    "completed_at": "2020-04-22T16:58:06.22345Z",
    "language": "javascript",
    "number_of_expressions": 200
  }
}

If you want a list of the secrets found in that scan, use the /orgs/{orgID}/apps/{appID}/findings?type={type}&scan={scanID} endpoint.

For example, you can list the secrets found in the scan with Scan ID 33 by calling /orgs/{orgID}/apps/{appID}/findings?type=secret&scan=33, and the application's insights by calling /orgs/{orgID}/apps/{appID}/findings?type=insight&scan=33.

The response from the API will be similar to the following:

{
  "ok": true,
  "response": {
    "scan": {
      "id": "33",
      "app": "SampleApp",
      "version": "00a...b2",
      "successful": true,
      "started_at": "2020-04-22T16:57:40.843159Z",
      "completed_at": "2020-04-22T16:58:06.22345Z",
      "language": "javascript",
      "number_of_expressions": 200
    },
    "findings": [
      {
        "id": "33",
        "app": "SampleApp",
        "type": "secret",
        "title": "Hardcoded Sensitive Secrets/Credentials",
        "description": "\n Every application that connects to the Internet utilizes a data, key (or secret) for identification\n of their customers and authorization to third-party services...",
        "internal_id": "Secrets/473...6b",
        "severity": "critical",
        "owasp_category": "a3-sensitive-data-exposure",
        "category": "Secret",
        "version_first_seen": "21d1...ddb",
        "details": {
          "Link": "none",
          "name": "Secrets",
          "tags": "Infra,URI",
          "secret": "http://example.com?CLIENT_ID=",
          "entropy": "0.6018234203875522",
          "insight": "Secrets/Credentials Leak",
          "fileName": "src/Controllers/Order.js",
          "lineNumber": "60"
        }
      }
    ]
  }
}

You can determine when a particular secret or insight was first introduced using the version_first_seen property of each finding. Its value is the version of the scan in which ShiftLeft first identified that secret or insight, so comparing it with the current scan's version tells you whether the finding is new in this scan or was carried over from an earlier one.
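The following is an added example, not code from the original article or from ShiftLeft: a small Python client that builds the two endpoint paths described above, optionally fetches them, and flattens a findings response into a log-safe summary that flags each finding as new or carried over by comparing version_first_seen with the scan version. The base URL (https://www.shiftleft.io/api/v4), the Authorization: Bearer header and the SHIFTLEFT_ACCESS_TOKEN environment variable are assumptions, not taken from this page; the sample response is constructed to match the shape shown above, with a second finding added so that both outcomes of the version comparison appear.

```python
"""Added example (not ShiftLeft's own code): build APIv4 paths for the scan and
findings endpoints described above and post-process a findings response.

Assumptions not taken from the page: the base URL, the bearer-token header and
the SHIFTLEFT_ACCESS_TOKEN environment variable used by the optional live call.
"""
import json
import os
import urllib.parse
import urllib.request

BASE_URL = "https://www.shiftleft.io/api/v4"  # assumed base URL


def scan_path(org_id, app_id, scan_id):
    """Path for the scan-details endpoint (/orgs/{orgID}/apps/{appID}/scans/{scanId})."""
    return f"/orgs/{org_id}/apps/{app_id}/scans/{scan_id}"


def findings_path(org_id, app_id, finding_type, scan_id):
    """Path for the findings endpoint filtered by type (secret/insight) and scan."""
    query = urllib.parse.urlencode({"type": finding_type, "scan": scan_id})
    return f"/orgs/{org_id}/apps/{app_id}/findings?{query}"


def fetch(path):
    """Optional live call. Assumes a bearer token in SHIFTLEFT_ACCESS_TOKEN."""
    token = os.environ["SHIFTLEFT_ACCESS_TOKEN"]
    req = urllib.request.Request(
        BASE_URL + path, headers={"Authorization": f"Bearer {token}"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_findings(payload):
    """Flatten a findings response into one row per finding.

    new_in_scan is True when version_first_seen equals the scanned version,
    i.e. the finding was introduced by the code this scan analysed. The row
    deliberately omits details.secret so the summary can be logged or
    forwarded to a ticketing system without re-exposing the credential."""
    if not payload.get("ok"):
        raise ValueError("API reported failure: %r" % (payload,))
    scan = payload["response"]["scan"]
    rows = []
    for finding in payload["response"]["findings"]:
        details = finding.get("details", {})
        rows.append({
            "id": finding["id"],
            "type": finding["type"],
            "severity": finding["severity"],
            "title": finding["title"],
            "location": f"{details.get('fileName', '?')}:{details.get('lineNumber', '?')}",
            "new_in_scan": finding.get("version_first_seen") == scan["version"],
        })
    return rows


def count_by_severity(rows):
    """Severity histogram over the flattened rows, e.g. for a CI gate."""
    counts = {}
    for row in rows:
        counts[row["severity"]] = counts.get(row["severity"], 0) + 1
    return counts


# Constructed sample response shaped like the one shown on this page; the
# second finding is invented so that new_in_scan is True for one row.
SAMPLE_RESPONSE = {
    "ok": True,
    "response": {
        "scan": {"id": "33", "app": "SampleApp", "version": "00a...b2",
                 "successful": True, "language": "javascript"},
        "findings": [
            {"id": "33", "app": "SampleApp", "type": "secret",
             "title": "Hardcoded Sensitive Secrets/Credentials",
             "severity": "critical", "version_first_seen": "21d1...ddb",
             "details": {"secret": "http://example.com?CLIENT_ID=",
                         "fileName": "src/Controllers/Order.js",
                         "lineNumber": "60"}},
            {"id": "34", "app": "SampleApp", "type": "secret",
             "title": "Hardcoded Sensitive Secrets/Credentials",
             "severity": "medium", "version_first_seen": "00a...b2",
             "details": {"secret": "constructed-placeholder",
                         "fileName": "src/config.js", "lineNumber": "12"}},
        ],
    },
}

if __name__ == "__main__":
    print(findings_path("{orgID}", "{appID}", "secret", 33))
    for row in summarize_findings(SAMPLE_RESPONSE):
        print(row)
    print(count_by_severity(summarize_findings(SAMPLE_RESPONSE)))
```

Run it as-is to see the summary for the constructed sample; to query a real scan, replace SAMPLE_RESPONSE with fetch(findings_path(org_id, app_id, "secret", 33)) once the assumed token variable is set.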