Managing Assets via API

This guide explains how to manage assets in DevGuard using the REST API. Assets represent applications, services, or components that you want to scan and monitor for vulnerabilities.

Authentication

All endpoints require authentication using either:

  • Cookie Authentication: Session-based (ory_kratos_session cookie)
  • Personal Access Token (PAT): HTTP request signing via X-Signature and X-Fingerprint headers

Use the devguard-scanner CLI for PAT authentication:

Base URL

All endpoints use the base path: https://api.devguard.org/api/v1

Core Asset Operations

List Assets

Returns all assets within a project you have access to.

Create Asset

Request Body:

Get Asset Details

Returns detailed information including versions, artifacts, and vulnerability statistics.

Update Asset

Request Body:

Delete Asset

Permanently deletes the asset and all associated data (versions, artifacts, vulnerabilities, VEX rules).

Lookup Asset by Repository

Finds an asset by its external repository ID. Returns organization, project, and asset slugs.

Security Configuration

CIA Requirements

Configure Confidentiality, Integrity, and Availability requirements (low, medium, high). These affect vulnerability risk scoring and prioritization.

Importance Levels

  • low: Supporting or non-critical assets
  • medium: Standard production assets
  • high: Critical infrastructure

Automatic Ticket Creation

Enable automatic issue creation for vulnerabilities exceeding thresholds:

Asset Versions & Artifacts

Assets contain versions (branches/tags) and artifacts (SBOM files):

SBOM & VEX Reports

Generate and retrieve compliance reports:

CSAF Reports

Common Security Advisory Framework reports:

Access Control

Asset access is controlled via role-based permissions on the parent project. Users need appropriate project-level permissions to view or modify assets.
