{"openapi":"3.1.0","info":{"title":"SBOMVault API","version":"1.0.0","description":"Programmatic access to SBOM generation, vulnerability scanning, remediation, and exports. Authenticate with a Bearer API key created under Settings → API Keys. Keys are scoped (sbom:read, sbom:write, scan:write, vex:write) and rate-limited per key.","contact":{"name":"SBOMVault Support","email":"support@sbomvault.ai","url":"https://www.sbomvault.ai/contact"}},"servers":[{"url":"https://www.sbomvault.ai","description":"Production"}],"security":[{"ApiKeyAuth":[]}],"tags":[{"name":"Scanning","description":"Generate SBOMs from source and check scan status"},{"name":"SBOMs","description":"Upload and list SBOMs"},{"name":"Vulnerabilities","description":"Exports, remediation, diff, blast radius"},{"name":"VEX","description":"Vulnerability Exploitability eXchange"},{"name":"Quality","description":"SBOM document quality scoring"}],"paths":{"/api/sca/scan":{"post":{"tags":["Scanning"],"summary":"Generate an SBOM from source","description":"Scan uploaded lockfiles/manifests or a public/token-accessible repo URL. Synchronous by default; pass `async=true` to enqueue and poll scan-status. 
Requires scope `scan:write`.","security":[{"ApiKeyAuth":[]}],"requestBody":{"required":true,"content":{"multipart/form-data":{"schema":{"type":"object","properties":{"file":{"type":"string","format":"binary","description":"Lockfile/manifest (repeatable)"},"repoUrl":{"type":"string","description":"Repo URL (instead of files)"},"ref":{"type":"string","description":"Branch/tag/commit"},"name":{"type":"string","description":"SBOM name override"},"async":{"type":"string","enum":["true","false"]},"failOnKev":{"type":"string","description":"CI gate: fail if any CISA-KEV finding"},"failOnSeverity":{"type":"string","enum":["critical","high","medium","low"]}}}}}},"responses":{"201":{"description":"Scan complete","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ScanResult"}}}},"202":{"description":"Async scan queued","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AsyncScanAccepted"}}}},"401":{"$ref":"#/components/responses/Unauthorized"},"402":{"description":"Plan SBOM limit reached"},"403":{"$ref":"#/components/responses/Forbidden"},"429":{"$ref":"#/components/responses/RateLimited"}}}},"/api/sca/scan-status/{id}":{"get":{"tags":["Scanning"],"summary":"Poll an async scan","security":[{"ApiKeyAuth":[]}],"parameters":[{"name":"id","in":"path","required":true,"schema":{"type":"string","format":"uuid"}}],"responses":{"200":{"description":"Job status","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ScanStatus"}}}},"401":{"$ref":"#/components/responses/Unauthorized"}}}},"/api/sboms":{"post":{"tags":["SBOMs"],"summary":"Upload an SBOM","description":"Upload a CycloneDX or SPDX document. 
Requires scope `sbom:write`.","security":[{"ApiKeyAuth":[]}],"requestBody":{"required":true,"content":{"multipart/form-data":{"schema":{"type":"object","required":["file"],"properties":{"file":{"type":"string","format":"binary"},"name":{"type":"string"},"productVersionId":{"type":"string","format":"uuid"}}}}}},"responses":{"201":{"description":"Created","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Sbom"}}}},"401":{"$ref":"#/components/responses/Unauthorized"},"403":{"$ref":"#/components/responses/Forbidden"}}}},"/api/sboms/{id}/remediation":{"get":{"tags":["Vulnerabilities"],"summary":"Prioritized upgrade plan","description":"Returns ranked fix actions. `?format=markdown` returns a paste-ready PR/ticket body. Scope `sbom:read`.","security":[{"ApiKeyAuth":[]}],"parameters":[{"name":"id","in":"path","required":true,"schema":{"type":"string","format":"uuid"}},{"name":"format","in":"query","schema":{"type":"string","enum":["json","markdown"]}}],"responses":{"200":{"description":"Remediation plan","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RemediationPlan"}}}},"404":{"$ref":"#/components/responses/NotFound"}}}},"/api/sboms/{id}/fix-pr":{"post":{"tags":["Vulnerabilities"],"summary":"Open a manifest fix PR","description":"Open a GitHub pull request bumping a vulnerable DIRECT dependency to its fix version. Requires a stored GitHub token and scope `scan:write`. 
Applies to github.com repositories.","security":[{"ApiKeyAuth":[]}],"parameters":[{"name":"id","in":"path","required":true,"schema":{"type":"string","format":"uuid"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["package","targetVersion"],"properties":{"package":{"type":"string"},"targetVersion":{"type":"string"},"repoUrl":{"type":"string","description":"Overrides the SBOM scan source"},"baseRef":{"type":"string"}}}}}},"responses":{"200":{"description":"PR already exists"},"201":{"description":"PR opened","content":{"application/json":{"schema":{"$ref":"#/components/schemas/FixPrResult"}}}},"412":{"description":"No GitHub token configured"},"422":{"description":"Not a direct dep / unsupported ecosystem / package not in any manifest"}}}},"/api/sboms/{id}/vulnerabilities/export":{"get":{"tags":["Vulnerabilities"],"summary":"Export findings (SARIF or CSV)","security":[{"ApiKeyAuth":[]}],"parameters":[{"name":"id","in":"path","required":true,"schema":{"type":"string","format":"uuid"}},{"name":"format","in":"query","required":true,"schema":{"type":"string","enum":["sarif","csv"]}}],"responses":{"200":{"description":"Export","content":{"application/json":{},"text/csv":{}}}}}},"/api/sboms/{id}/vuln-diff":{"get":{"tags":["Vulnerabilities"],"summary":"Diff findings vs a baseline","security":[{"ApiKeyAuth":[]}],"parameters":[{"name":"id","in":"path","required":true,"schema":{"type":"string","format":"uuid"}},{"name":"against","in":"query","schema":{"type":"string","format":"uuid"}}],"responses":{"200":{"description":"New / fixed / still-open findings"}}}},"/api/sboms/{id}/blast-radius":{"get":{"tags":["Vulnerabilities"],"summary":"Dependency blast radius","security":[{"ApiKeyAuth":[]}],"parameters":[{"name":"id","in":"path","required":true,"schema":{"type":"string","format":"uuid"}}],"responses":{"200":{"description":"Impact graph stats"}}}},"/api/sboms/{id}/quality":{"get":{"tags":["Quality"],"summary":"SBOM quality 
score","description":"Document completeness grade (0–100, A–F) with per-category breakdown. Scope `sbom:read`.","security":[{"ApiKeyAuth":[]}],"parameters":[{"name":"id","in":"path","required":true,"schema":{"type":"string","format":"uuid"}}],"responses":{"200":{"description":"Quality score","content":{"application/json":{"schema":{"$ref":"#/components/schemas/QualityResult"}}}},"404":{"$ref":"#/components/responses/NotFound"}}}},"/api/sboms/{id}/vex":{"get":{"tags":["VEX"],"summary":"Export VEX (CycloneDX)","security":[{"ApiKeyAuth":[]}],"parameters":[{"name":"id","in":"path","required":true,"schema":{"type":"string","format":"uuid"}}],"responses":{"200":{"description":"CycloneDX VEX document"}}},"post":{"tags":["VEX"],"summary":"Import VEX statements","description":"Bulk-apply VEX analysis states from a CycloneDX document. Scope `vex:write`.","security":[{"ApiKeyAuth":[]}],"parameters":[{"name":"id","in":"path","required":true,"schema":{"type":"string","format":"uuid"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object"}}}},"responses":{"200":{"description":"Applied count"}}}}},"components":{"securitySchemes":{"ApiKeyAuth":{"type":"http","scheme":"bearer","description":"A Bearer API key (sv_live_…) created under Settings → API Keys."}},"responses":{"Unauthorized":{"description":"Missing or invalid API key"},"Forbidden":{"description":"Key lacks the required scope, or role is viewer"},"NotFound":{"description":"Resource not found in your organization"},"RateLimited":{"description":"Per-key rate limit 
exceeded"}},"schemas":{"ScanResult":{"type":"object","properties":{"id":{"type":"string","format":"uuid"},"componentCount":{"type":"integer"},"ecosystems":{"type":"array","items":{"type":"string"}},"matched":{"type":"integer"},"newVulns":{"type":"integer"},"ntiaCompliant":{"type":"boolean"},"supplyChain":{"type":"object","properties":{"malicious":{"type":"integer"},"typosquat":{"type":"integer"}}},"warnings":{"type":"array","items":{"type":"string"}}}},"AsyncScanAccepted":{"type":"object","properties":{"scanId":{"type":"string","format":"uuid"},"status":{"type":"string"},"statusUrl":{"type":"string"}}},"ScanStatus":{"type":"object","properties":{"scanId":{"type":"string"},"status":{"type":"string","enum":["queued","running","completed","failed"]},"sbomId":{"type":"string","nullable":true}}},"Sbom":{"type":"object","properties":{"id":{"type":"string","format":"uuid"},"name":{"type":"string"},"format":{"type":"string"},"componentCount":{"type":"integer"},"ntiaCompliant":{"type":"boolean"}}},"RemediationPlan":{"type":"object","properties":{"actions":{"type":"array","items":{"type":"object"}},"summary":{"type":"object","properties":{"totalFindings":{"type":"integer"},"fixable":{"type":"integer"},"criticalFixable":{"type":"integer"},"kevFixable":{"type":"integer"}}}}},"FixPrResult":{"type":"object","properties":{"prUrl":{"type":"string"},"prNumber":{"type":"integer"},"branch":{"type":"string"},"base":{"type":"string"},"filesChanged":{"type":"array","items":{"type":"string"}}}},"QualityResult":{"type":"object","properties":{"score":{"type":"integer"},"grade":{"type":"string","enum":["A","B","C","D","F"]},"categories":{"type":"array","items":{"type":"object"}},"recommendations":{"type":"array","items":{"type":"string"}}}}}}}