API reference
Base URL: https://www.getcertus.cloud
Authentication
The API supports two authentication methods. All authenticated requests are scoped to a single organization.
Session cookie
  Secure HTTP-only cookie set after Auth0 login. Automatically included by the browser. SameSite=Lax for callback compatibility.
API key
  Pass via the Authorization: Bearer <key> header. Keys are org-scoped, SHA-256 hashed at rest, and compared using timing-safe equality.
# Example: CLI scan submission
curl -X POST https://www.getcertus.cloud/api/scans \
  -H "Authorization: Bearer ck_live_..." \
  -H "Content-Type: application/json" \
  -d @evidence-pack.json
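The API-key scheme above (org-scoped keys, SHA-256 hashed at rest, timing-safe comparison) is shown here as an added example in Python; it is not the platform's own code. The in-memory store, the `issue_api_key`, `authenticate` and `scope_to_org` functions, and the length of the random key suffix are assumptions of the example; only the `ck_live_` prefix comes from the curl example on this page.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory key store for the example: SHA-256(key) hex digest -> org id.
# A deployment would keep this in a database; the point is that only the digest
# is ever stored, never the plaintext key.
_API_KEYS: dict[str, str] = {}


def _digest(key: str) -> str:
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def issue_api_key(org_id: str) -> str:
    """Mint an org-scoped key. The plaintext is shown to the caller exactly once;
    the server retains only its SHA-256 digest. The "ck_live_" prefix matches the
    page's curl example; the random suffix length is an assumption."""
    key = "ck_live_" + secrets.token_urlsafe(32)
    _API_KEYS[_digest(key)] = org_id
    return key


def authenticate(authorization: Optional[str]) -> Optional[str]:
    """Resolve an 'Authorization: Bearer <key>' header value to an org id.
    Returns None for a missing header, a non-Bearer scheme, or an unknown key."""
    if not authorization:
        return None
    scheme, _, presented = authorization.partition(" ")
    if scheme != "Bearer" or not presented.strip():
        return None
    candidate = _digest(presented.strip())
    # hmac.compare_digest runs in time independent of where the strings differ,
    # so a caller cannot learn partial matches from response latency. A database
    # would index on the digest; the linear scan keeps the example self-contained.
    for stored, org_id in _API_KEYS.items():
        if hmac.compare_digest(stored, candidate):
            return org_id
    return None


def scope_to_org(org_id: str, evidence_packs: list[dict]) -> list[dict]:
    """Every authenticated request is scoped to one organization: filter a
    collection down to the records that belong to the caller's org."""
    return [p for p in evidence_packs if p.get("org_id") == org_id]


if __name__ == "__main__":
    key = issue_api_key("org_example")
    print("issued key (shown once):", key)
    print("stored digests:", list(_API_KEYS))
    print("resolved org:", authenticate("Bearer " + key))
    print("wrong key resolves to:", authenticate("Bearer " + key[:-1]))
```

The lookup keys the store by digest rather than by plaintext, so a database dump does not yield usable credentials, and the comparison is constant-time so that the response latency reveals nothing about how close a guessed key is.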
Endpoints

POST /api/scans
Auth: API key
Submit CLI scan results to the platform. Creates repository, PR record, and evidence pack if they do not exist.

Request body:
  repo_slug         string            Repository identifier (e.g. "org/repo-name")
  commit_hash       string            Full commit SHA
  branch            string            Branch name
  findings          Finding[]         Array of scanner findings
  control_results   ControlMapping[]  Framework control mappings
  grade             string            Composite letter grade (A-F)
  score             number            Numeric score (0-100)
  evidence_pack_id  string            Unique evidence pack identifier
  signed_hash       string            SHA-256 HMAC signature

Response:
  { scan_id: string, stored_timestamp: string }

/api/evidence
Auth: Session or API key
Retrieve evidence packs for the authenticated organization. Supports filtering by repository, date range, and framework.

Response:
  { evidence_packs: EvidencePack[] }

/api/status
Auth: None
Health check endpoint. Returns platform status and version.

Response:
  { status: "ok", version: string }

/api/webhooks/github
Auth: GitHub webhook signature
Receives GitHub App webhook events (push, pull_request, check_suite). Triggers scan pipeline for configured repositories.

Response:
  { received: true }
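Two of the endpoints above rely on an HMAC-SHA256 check: the `signed_hash` field of a submitted evidence pack and the GitHub webhook signature on `/api/webhooks/github`. The following added Python example (not the platform's code) shows both sides of each check. It assumes a per-org signing key, canonical JSON (sorted keys, no whitespace) over every pack field except `signed_hash`, and a constructed evidence pack and webhook payload; none of those details are documented on this page. The webhook part uses GitHub's real `X-Hub-Signature-256` and `X-GitHub-Event` headers.

```python
import hashlib
import hmac
import json

# Constructed secrets for the example; a deployment loads these from configuration.
WEBHOOK_SECRET = b"example-github-app-webhook-secret"
ORG_SIGNING_KEY = b"example-org-evidence-signing-key"

# Event types the reference says the endpoint handles.
HANDLED_EVENTS = {"push", "pull_request", "check_suite"}

# Constructed evidence pack using the request fields from the /api/scans table.
SAMPLE_PACK = {
    "repo_slug": "example-org/example-repo",
    "commit_hash": "0123456789abcdef0123456789abcdef01234567",
    "branch": "main",
    "findings": [{"rule": "example-rule", "severity": "low"}],
    "control_results": [{"framework": "example-framework", "control": "X-1", "status": "pass"}],
    "grade": "B",
    "score": 82,
    "evidence_pack_id": "ep_example_0001",
}

# Stand-in for the scan pipeline: verified, handled events are appended here.
SCAN_QUEUE: list[dict] = []


def _canonical(pack: dict) -> bytes:
    """Canonical JSON of every field except signed_hash. The canonicalisation
    (sorted keys, no whitespace) is an assumption of this example."""
    body = {k: v for k, v in pack.items() if k != "signed_hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_evidence_pack(pack: dict, key: bytes) -> str:
    """Produce the signed_hash value: hex HMAC-SHA256 over the canonical pack."""
    return hmac.new(key, _canonical(pack), hashlib.sha256).hexdigest()


def verify_evidence_pack(pack: dict, key: bytes) -> bool:
    """Recompute the HMAC and compare in constant time; any change to a signed
    field, a missing signature, or a different key makes this return False."""
    presented = pack.get("signed_hash")
    if not isinstance(presented, str):
        return False
    return hmac.compare_digest(sign_evidence_pack(pack, key), presented)


def github_signature(secret: bytes, raw_body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256: 'sha256=' + hex HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def handle_github_webhook(headers: dict, raw_body: bytes, secret: bytes) -> tuple[int, dict]:
    """Verify the signature over the raw, unparsed body before touching the JSON,
    then queue only the event types the pipeline handles. The 401 response for a
    bad signature is an assumption; the page documents only { received: true }."""
    presented = headers.get("X-Hub-Signature-256", "")
    if not hmac.compare_digest(github_signature(secret, raw_body), presented):
        return 401, {"error": "invalid signature"}
    event = headers.get("X-GitHub-Event", "")
    if event in HANDLED_EVENTS:
        SCAN_QUEUE.append({"event": event, "payload": json.loads(raw_body)})
    return 200, {"received": True}


if __name__ == "__main__":
    pack = dict(SAMPLE_PACK)
    pack["signed_hash"] = sign_evidence_pack(pack, ORG_SIGNING_KEY)
    print("pack verifies:", verify_evidence_pack(pack, ORG_SIGNING_KEY))
    pack["grade"] = "A"
    print("tampered pack verifies:", verify_evidence_pack(pack, ORG_SIGNING_KEY))
    body = b'{"ref":"refs/heads/main"}'
    headers = {"X-Hub-Signature-256": github_signature(WEBHOOK_SECRET, body),
               "X-GitHub-Event": "push"}
    print("webhook:", handle_github_webhook(headers, body, WEBHOOK_SECRET), SCAN_QUEUE)
```

The signature is always computed over the exact bytes that were received, not over a re-serialised copy of the parsed JSON, because any reserialisation difference would make a valid signature fail and could let a forged body be accepted if the server signed its own canonical form instead.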