You can use the SCA Annotations API to annotate findings, including adding comments and proposing, accepting, and rejecting mitigations. This API applies to findings from SCA upload scans. It uses the values for component ID, CVE name, and license ID, which you can retrieve from the Findings API.
To annotate findings from a Static Analysis or Dynamic Analysis, use the Annotations REST API.
Permissions and authentication
Before you can use this API, you must have one of these accounts with the required roles:
A human user account with the following roles:
- Reviewer or Security Lead: to propose mitigations.
- Mitigation Approver: to approve or reject mitigation proposals.
An API service account with the following roles:
- Results API: to propose mitigations.
- Mitigation API: to approve or reject mitigation proposals.
All of these roles have permission to add comments, and all of these roles can retrieve mitigation information from the API.
This API uses API ID/key credentials and HMAC authentication to provide improved security. Before you can send requests, you must complete these configurations:
Ensure you access the APIs with the domain for your region.
SCA Annotations API specification
The SCA Annotations API specification is available on SwaggerHub.