> ## Documentation Index
> Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# List code, supply chain, or AI-powered scan findings

> Request the list of code or supply chain findings in an organization, paginated in pages of 100 entries and limited by the `since` timestamp. Findings are returned by `relevant_since` descending (see `since` in the Query Parameters list). Examples: List SAST findings with pagination, List SCA findings since timestamp, List findings with filters.



## OpenAPI

````yaml get /api/v1/deployments/{deploymentSlug}/findings
openapi: 3.0.3
info:
  description: >

    Welcome to Semgrep's portal for the Semgrep AppSec Platform web API.


    # Introduction

    Semgrep is a fast, open-source, static analysis tool for finding bugs and
    enforcing code standards at editor,

    commit, and CI time. [Get started.](https://semgrep.dev/getting-started/)


    Semgrep analyzes code locally on your computer or in your build environment:
    **code is never uploaded.**


    This API is documented in the **OpenAPI format**.


    # Authentication

    The API supports authentication with an API token with the "Web API"
    permission, without limited

    scopes of access.


    You can provision an API token [from the Settings
    page](https://semgrep.dev/orgs/-/settings/tokens).


    # Terms of Use


    Please note, the materials made available herein are subject to the

    [Semgrep Terms of Use](https://semgrep.dev/resources/website-terms/), and
    your

    access or use of any of the same is your acknowledgment and acceptance of
    the

    such terms.


    <br>


    ___
  title: Semgrep Web App
  version: 1.0.0
servers:
  - url: https://semgrep.dev
security: []
tags:
  - description: >-
      Deployments encapsulate your organization's security organization, with
      multiple projects, policies, and integrations. As the root object of the
      organization, they're similarly the root object of the API.
    name: DeploymentsService
    x-displayName: Deployment
  - description: >-
      Manage and retrieve code and supply chain security findings from Semgrep
      scans
    name: FindingsService
    x-displayName: Code and Supply Chain
  - description: Utility endpoints.
    name: MiscService
    x-displayName: Other
  - description: View and manage the Policies of your organization.
    name: PoliciesService
    x-displayName: Policies
  - name: ProjectsService
    x-displayName: Projects
  - description: View details of scans associated with projects in your organization.
    name: ScansService
    x-displayName: Scans
  - description: View and manage the Secrets of your organization.
    name: SecretsService
    x-displayName: Secrets
  - description: |-
      Manage the Supply Chain findings and dependencies of your organization.

      A request body is required, but may be an empty object.
    name: SupplyChainService
    x-displayName: Supply Chain
  - description: Create and manage external tickets
    name: TicketingService
    x-displayName: Ticketing
  - description: View and manage the triage of your organization.
    name: TriageService
    x-displayName: Triage
paths:
  /api/v1/deployments/{deploymentSlug}/findings:
    get:
      tags:
        - FindingsService
      summary: List code or supply chain findings
      description: >-
        Request the list of code or supply chain findings in an organization,
        paginated in pages of 100 entries and limited by the `since` timestamp.
        Findings are returned by `relevant_since` descending (see `since` in the
        Query Parameters list). Examples: List SAST findings with pagination,
        List SCA findings since timestamp, List findings with filters.
      operationId: FindingsService_ListFindings
      parameters:
        - in: path
          name: deploymentSlug
          required: true
          schema:
            description: >-
              Slug of the deployment name. Can be found at `/deployments`, or in
              your Settings in the web UI.
            example: your-deployment
            type: string
        - in: query
          name: issue_type
          schema:
            default: sast
            description: >-
              Type of findings to return. If not specified, returns `sast`
              (Code) findings. Can either be `sast` (Code) or `sca` (Supply
              Chain). Valid values: sast, sca
            enum:
              - sast
              - sca
            example: sca
            type: string
        - in: query
          name: since
          schema:
            description: >-
              What timestamp should the results start at? If not specified,
              returns results from all timestamps. Provide epoch timestamp in
              seconds. Filters using the `relevant_since` field: the timestamp
              when this finding was detected by Semgrep (the first time, or when
              reintroduced).
            example: 1636942398.45
            format: double
            type: number
        - in: query
          name: page
          schema:
            default: '0'
            description: >-
              Which page of the results do you require? If not specified,
              returns first page. Pages are numbered from zero (0).
            example: 1
            format: uint32
            type: integer
        - in: query
          name: dedup
          schema:
            default: false
            description: >-
              Deduplicates findings across all your refs/branches if true. If
              not specified, returns all findings across all refs/branches
              without deduplicating them. Set this to `true` if you are not
              filtering for a particular set of refs/branches in order to match
              the counts listed in the Semgrep UI.
            example: true
            type: boolean
        - in: query
          name: page_size
          schema:
            default: '100'
            description: >-
              Maximum number of records per returned page. If not specified,
              defaults to 100 records. Minimum: 100, Maximum: 3000
            example: 100
            format: uint32
            maximum: 3000
            minimum: 100
            type: integer
        - in: query
          name: repos
          schema:
            description: >-
              Which repositories (by name) do you want to include? If not
              specified, includes all.
            example:
              - myorg/repo1
              - myorg/repo2
            items:
              type: string
            type: array
        - in: query
          name: repository_ids
          schema:
            description: >-
              Which repositories (by ID) do you want to include? If not
              specified, includes all.
            example:
              - 1
              - 2
              - 3
            items:
              format: uint32
              type: integer
            type: array
        - in: query
          name: status
          schema:
            description: >-
              Which status do you want to include? If not specified, includes
              all. Valid values: open, fixed, ignored, reviewing, fixing
            enum:
              - open
              - fixed
              - ignored
              - reviewing
              - fixing
            example: open
            type: string
        - in: query
          name: triage_reasons
          schema:
            description: >-
              Which triage reasons do you want to include? If not specified,
              includes all. This filter is applicable when `status` is
              `ignored`. Valid values: acceptable_risk, false_positive, no_time,
              no_triage_reason
            enum:
              - acceptable_risk
              - false_positive
              - no_time
              - no_triage_reason
            example:
              - acceptable_risk
              - false_positive
            items:
              type: string
            type: array
        - in: query
          name: severities
          schema:
            description: >-
              What severities of issues do you want to include? If not
              specified, returns all. Valid values: low, medium, high, critical
            enum:
              - low
              - medium
              - high
              - critical
            example:
              - low
              - high
            items:
              type: string
            type: array
        - in: query
          name: ref
          schema:
            description: Which ref (branch) do you want to filter for?
            example: refs/pull/1234/merge
            type: string
        - in: query
          name: policies
          schema:
            description: >-
              Which policy modes do you want to include? If not specified,
              includes all. Monitor: `rule-board-audit`, Comment:
              `rule-board-pr-comments`, Block: `rule-board-block`. This filter
              is applicable when `issue_type` is `sast` or unspecified.
            example:
              - rule-board-block
              - rule-board-pr-comments
              - rule-board-audit
            items:
              type: string
            type: array
        - in: query
          name: rules
          schema:
            description: >-
              Which rule names do you want to include? If not specified,
              includes all. This filter is applicable when `issue_type` is
              `sast` or unspecified.
            example:
              - typescript.react.security.audit.react-no-refs.react-no-refs
              - ajinabraham.njsscan.hardcoded_secrets.node_username
            items:
              type: string
            type: array
        - in: query
          name: categories
          schema:
            description: >-
              Which categories of findings do you want to include? If not
              specified, includes all. This filter is applicable when
              `issue_type` is `sast` or unspecified.
            example:
              - security
              - correctness
              - caching
            items:
              type: string
            type: array
        - in: query
          name: confidence
          schema:
            description: >-
              Which rule confidence level do you want to include? If not
              specified, includes all. This filter is applicable when
              `issue_type` is `sast` or unspecified. Valid values: low, medium,
              high
            enum:
              - low
              - medium
              - high
            example: high
            type: string
        - in: query
          name: autotriage_verdict
          schema:
            description: >-
              Which autotriage verdict do you want to include? If not specified,
              includes all. This filter is applicable when `issue_type` is
              `sast` or unspecified. Valid values: true_positive, false_positive
            enum:
              - true_positive
              - false_positive
            example: true_positive
            type: string
        - in: query
          name: component_tags
          schema:
            description: >-
              Which component tags do you want to include? If not specified,
              includes all.
            example:
              - user authentication
              - user data
            items:
              type: string
            type: array
        - in: query
          name: exposures
          schema:
            description: >-
              List of exposures or reachability types to filter by. If not
              specified, returns findings across all exposures. This filter is
              applicable when `issue_type=sca` is specified. Valid values:
              reachable, always_reachable, conditionally_reachable, unreachable,
              unknown
            enum:
              - reachable
              - always_reachable
              - conditionally_reachable
              - unreachable
              - unknown
            example:
              - reachable
              - always_reachable
            items:
              type: string
            type: array
        - in: query
          name: transitivities
          schema:
            description: >-
              List of transitivities to filter by. If not specified, returns all
              transitivities. This filter is applicable when `issue_type=sca` is
              specified. Valid values: direct, transitive, unknown
            enum:
              - direct
              - transitive
              - unknown
            example:
              - transitive
            items:
              type: string
            type: array
        - in: query
          name: is_malicious
          schema:
            description: >-
              Filter SCA findings by whether they are from malicious
              dependencies. If not specified, returns all SCA findings. This
              filter is only applicable when `issue_type=sca` is specified.

              - true: Returns only findings from malicious dependencies

              - false: Returns only findings from all other reachabilities
              (reachable in code, always reachable, conditionally reachable,
              etc.)
            example: true
            type: boolean
        - in: query
          name: click_to_fix_pr_state
          schema:
            description: >-
              Filter findings by Click-to-Fix PR state. If not specified,
              returns all findings regardless of autofix PR status. This filter
              applies to both sast and sca issue types. Valid values: open,
              merged
            enum:
              - open
              - merged
            example:
              - open
              - merged
            items:
              type: string
            type: array
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/protos.openapi.v1.ListFindingsResponse'
          description: OK
        default:
          content:
            application/json:
              schema:
                properties:
                  findings:
                    items:
                      oneOf:
                        - title: Sast Finding
                          allOf:
                            - $ref: >-
                                #/components/schemas/protos.openapi.v1.SastFinding
                        - title: Sca Finding
                          allOf:
                            - $ref: >-
                                #/components/schemas/protos.openapi.v1.ScaFinding
                    type: array
                type: object
          description: OK
      security:
        - SemgrepWebToken: []
components:
  schemas:
    protos.openapi.v1.ListFindingsResponse:
      description: >-
        Response containing a paginated list of findings (either Code or Supply
        Chain findings) with optional filtering applied
      properties:
        sastFindings:
          $ref: >-
            #/components/schemas/protos.openapi.v1.ListFindingsResponse_SastFindings
        scaFindings:
          $ref: >-
            #/components/schemas/protos.openapi.v1.ListFindingsResponse_ScaFindings
      title: List Findings Response
      type: object
    protos.openapi.v1.SastFinding:
      description: A Code finding that Semgrep has identified in your organization
      properties:
        assistant:
          $ref: '#/components/schemas/protos.openapi.v1.SastFinding_Assistant'
        categories:
          description: >-
            The categories of the finding as classified by the associated rule
            metadata
          example:
            - security
          items:
            type: string
          type: array
        click_to_fix_failures:
          description: >-
            Failed PR creation attempts by Semgrep's autofix feature (Click to
            Fix) for this finding
          items:
            $ref: >-
              #/components/schemas/protos.openapi.v1.SastFinding_ClickToFixFailure
          type: array
        click_to_fix_prs:
          description: >-
            Pull requests created by Semgrep's autofix feature (Click to Fix)
            for this finding
          items:
            $ref: '#/components/schemas/protos.openapi.v1.SastFinding_ClickToFixPr'
          type: array
        confidence:
          description: Confidence of the finding, derived from the rule that triggered it
          enum:
            - low
            - medium
            - high
          example: medium
          type: string
        created_at:
          description: The timestamp when this finding was created
          example: '2020-11-18T23:28:12.391Z'
          type: string
        external_ticket:
          $ref: '#/components/schemas/protos.openapi.v1.ExternalTicket'
        first_seen_scan_id:
          description: Unique ID of the Semgrep scan that first identified this finding
          example: 1234
          format: uint32
          type: integer
        id:
          description: Unique ID of this finding
          example: 1234567
          format: uint32
          type: integer
        line_of_code_url:
          description: The source URL including file and line number
          example: >-
            https://github.com/semgrep/semgrep/blob/39f95450a7d4d70e54c9edbd109bed8210a36889/src/core_cli/Core_CLI.ml#L1
          type: string
        location:
          $ref: '#/components/schemas/protos.openapi.v1.FindingLocation'
        match_based_id:
          description: >-
            ID calculated based on a finding's file path, rule identifier and
            pattern, and index
          example: >-
            0f8c79a6f7e0ff2f908ff5bc366ae1548465069bae8892088051e1c3b4b12c6b8df37d5bcbb181eb868aa79f81f239d14bf2336d552786ab8ccdc7279adf07a6_1
          type: string
        ref:
          description: External reference to the source of this finding (e.g. PR)
          example: refs/pull/1234/merge
          type: string
        relevant_since:
          description: >-
            The timestamp when this finding was detected by Semgrep (the first
            time, or when reintroduced)
          example: '2020-11-18T23:28:12.391Z'
          type: string
        repository:
          $ref: '#/components/schemas/protos.openapi.v1.FindingRepository'
        review_comments:
          description: >-
            List of external review comment information associated with a
            finding
          items:
            $ref: '#/components/schemas/protos.openapi.v1.ReviewComment'
          type: array
        rule:
          $ref: '#/components/schemas/protos.openapi.v1.FindingRule'
        rule_message:
          description: >-
            Deprecated in favor of rule.message. Rule message at the time of
            finding identification. Older findings may not have a value for this
            field
          example: null
          type: string
        rule_name:
          description: Deprecated in favor of rule.name
          example: typescript.react.security.audit.react-no-refs.react-no-refs
          type: string
        severity:
          description: >-
            Severity of the finding, derived from the rule that triggered it.
            Low is equivalent to INFO, Medium to WARNING, and High to ERROR
          enum:
            - low
            - medium
            - high
            - critical
          example: medium
          type: string
        sourcing_policy:
          $ref: '#/components/schemas/protos.openapi.v1.SastFinding_PolicyReference'
        state:
          description: >-
            The finding's resolution state. Managed only by changes detected at
            scan time, the `state` is combined with `triage_state` to ultimately
            determine a final `status` which is exposed in the UI and API
          enum:
            - fixed
            - muted
            - removed
            - unresolved
          example: unresolved
          type: string
        state_updated_at:
          description: >-
            When this issue's `state` (resolution state) was last updated, as
            distinct from when the issue was triaged (`triaged_at`)
          example: '2020-11-19T23:28:12.391Z'
          type: string
        status:
          description: >-
            The finding's status as exposed in the UI. Status is a derived
            property combining information from the finding `state` and
            `triage_state`. The `triage_state` can be used to override the scan
            state if the finding is still detected
          enum:
            - open
            - fixed
            - ignored
            - reviewing
            - fixing
            - provisionally_ignored
          example: open
          type: string
        syntactic_id:
          description: >-
            ID calculated based on a finding's file path, rule identifier and
            matched code, and index. Prefer `match_based_id`
          example: 440eeface888e78afceac3dc7d4cc2cf
          type: string
        triage_comment:
          description: The detailed comment provided during triage
          example: This finding is from the test repo
          type: string
        triage_reason:
          description: Reason provided when this issue was triaged
          enum:
            - acceptable_risk
            - false_positive
            - no_time
          example: acceptable_risk
          type: string
        triage_state:
          description: >-
            The finding's triage state. Note: "reviewing" and "fixing" are only
            in private beta. Set by the user and used along with state to
            generate the final "status" viewable in the UI
          enum:
            - untriaged
            - ignored
            - reopened
            - reviewing
            - fixing
            - provisionally_ignored
          example: untriaged
          type: string
        triaged_at:
          description: When the finding was triaged
          example: '2020-11-19T23:28:12.391Z'
          type: string
      title: Sast Finding
      type: object
    protos.openapi.v1.ScaFinding:
      description: A Supply Chain finding that Semgrep has identified in your organization
      properties:
        categories:
          description: >-
            The categories of the finding as classified by the associated rule
            metadata
          example:
            - security
          items:
            type: string
          type: array
        confidence:
          description: Confidence of the finding, derived from the rule that triggered it
          enum:
            - low
            - medium
            - high
          example: medium
          type: string
        created_at:
          description: The timestamp when this finding was created
          example: '2020-11-18T23:28:12.391Z'
          type: string
        epss_score:
          $ref: '#/components/schemas/protos.openapi.v1.ScaFinding_EpssScore'
        external_ticket:
          $ref: '#/components/schemas/protos.openapi.v1.ExternalTicket'
        first_seen_scan_id:
          description: Unique ID of the Semgrep scan that first identified this finding
          example: 1234
          format: uint32
          type: integer
        fix_recommendations:
          description: Recommendations for fixing the vulnerability
          items:
            $ref: >-
              #/components/schemas/protos.openapi.v1.ScaFinding_FixRecommendation
          type: array
        found_dependency:
          $ref: '#/components/schemas/protos.openapi.v1.ScaFinding_FoundDependency'
        id:
          description: Unique ID of this finding
          example: 1234567
          format: uint32
          type: integer
        is_malicious:
          description: True if the finding is from a malicious dependency
          example: true
          type: boolean
        line_of_code_url:
          description: The source URL including file and line number
          example: >-
            https://github.com/semgrep/semgrep/blob/39f95450a7d4d70e54c9edbd109bed8210a36889/src/core_cli/Core_CLI.ml#L1
          type: string
        location:
          $ref: '#/components/schemas/protos.openapi.v1.FindingLocation'
        match_based_id:
          description: >-
            ID calculated based on a finding's file path, rule identifier and
            pattern, and index
          example: >-
            0f8c79a6f7e0ff2f908ff5bc366ae1548465069bae8892088051e1c3b4b12c6b8df37d5bcbb181eb868aa79f81f239d14bf2336d552786ab8ccdc7279adf07a6_1
          type: string
        reachability:
          description: Indicates whether the vulnerable code is reachable
          enum:
            - no reachability analysis
            - reachable
            - always reachable
            - conditionally reachable
            - unreachable
          example: reachable
          type: string
        reachable_condition:
          description: >-
            Description of the condition under which the vulnerability becomes
            reachable. Applies to conditionally reachable findings
          example: you use the package on a host running Linux or MacOS
          type: string
        ref:
          description: External reference to the source of this finding (e.g. PR)
          example: refs/pull/1234/merge
          type: string
        relevant_since:
          description: >-
            The timestamp when this finding was detected by Semgrep (the first
            time, or when reintroduced)
          example: '2020-11-18T23:28:12.391Z'
          type: string
        repository:
          $ref: '#/components/schemas/protos.openapi.v1.FindingRepository'
        review_comments:
          description: >-
            List of external review comment information associated with a
            finding
          items:
            $ref: '#/components/schemas/protos.openapi.v1.ReviewComment'
          type: array
        rule:
          $ref: '#/components/schemas/protos.openapi.v1.FindingRule'
        rule_message:
          description: >-
            Deprecated in favor of rule.message. Rule message at the time of
            finding identification. Older findings may not have a value for this
            field
          example: null
          type: string
        rule_name:
          description: Deprecated in favor of rule.name
          example: typescript.react.security.audit.react-no-refs.react-no-refs
          type: string
        severity:
          description: >-
            Severity of the finding, derived from the rule that triggered it.
            Low is equivalent to INFO, Medium to WARNING, and High to ERROR
          enum:
            - low
            - medium
            - high
            - critical
          example: medium
          type: string
        state:
          description: >-
            The finding's resolution state. Managed only by changes detected at
            scan time, the `state` is combined with `triage_state` to ultimately
            determine a final `status` which is exposed in the UI and API
          enum:
            - fixed
            - muted
            - removed
            - unresolved
          example: unresolved
          type: string
        state_updated_at:
          description: >-
            When this issue's `state` (resolution state) was last updated, as
            distinct from when the issue was triaged (`triaged_at`)
          example: '2020-11-19T23:28:12.391Z'
          type: string
        status:
          description: >-
            The finding's status as exposed in the UI. Status is a derived
            property combining information from the finding `state` and
            `triage_state`. The `triage_state` can be used to override the scan
            state if the finding is still detected
          enum:
            - open
            - fixed
            - ignored
            - reviewing
            - fixing
            - provisionally_ignored
          example: open
          type: string
        syntactic_id:
          description: >-
            ID calculated based on a finding's file path, rule identifier and
            matched code, and index. Prefer `match_based_id`
          example: 440eeface888e78afceac3dc7d4cc2cf
          type: string
        triage_comment:
          description: The detailed comment provided during triage
          example: This finding is from the test repo
          type: string
        triage_reason:
          description: Reason provided when this issue was triaged
          enum:
            - acceptable_risk
            - false_positive
            - no_time
          example: acceptable_risk
          type: string
        triage_state:
          description: >-
            The finding's triage state. Note: "reviewing" and "fixing" are only
            in private beta. Set by the user and used along with state to
            generate the final "status" viewable in the UI
          enum:
            - untriaged
            - ignored
            - reopened
            - reviewing
            - fixing
            - provisionally_ignored
          example: untriaged
          type: string
        triaged_at:
          description: When the finding was triaged
          example: '2020-11-19T23:28:12.391Z'
          type: string
        usage:
          $ref: '#/components/schemas/protos.openapi.v1.ScaFinding_Usage'
        vulnerability_identifier:
          description: Identifier of the vulnerability in the vulnerability database
          example: CVE-2021-24112
          type: string
      title: Sca Finding
      type: object
    protos.openapi.v1.ListFindingsResponse_SastFindings:
      description: A list of Code findings that Semgrep has identified in your organization
      properties:
        findings:
          description: A list of Code findings.
          items:
            $ref: '#/components/schemas/protos.openapi.v1.SastFinding'
          type: array
      title: Sast Findings
      type: object
    protos.openapi.v1.ListFindingsResponse_ScaFindings:
      description: >-
        A list of Supply Chain findings that Semgrep has identified in your
        organization
      properties:
        findings:
          description: A list of Supply Chain findings.
          items:
            $ref: '#/components/schemas/protos.openapi.v1.ScaFinding'
          type: array
      title: Sca Findings
      type: object
    protos.openapi.v1.SastFinding_Assistant:
      description: Semgrep Assistant data. Only present if Assistant is enabled
      properties:
        autofix:
          $ref: '#/components/schemas/protos.openapi.v1.Assistant_Autofix'
        autotriage:
          $ref: '#/components/schemas/protos.openapi.v1.Assistant_Autotriage'
        component:
          $ref: '#/components/schemas/protos.openapi.v1.Assistant_Component'
        guidance:
          $ref: '#/components/schemas/protos.openapi.v1.Assistant_Guidance'
        rule_explanation:
          $ref: '#/components/schemas/protos.openapi.v1.Assistant_RuleExplanation'
      title: Assistant
      type: object
    protos.openapi.v1.SastFinding_ClickToFixFailure:
      description: A failed PR creation attempt by Semgrep's Click to Fix feature
      properties:
        created_at:
          description: When this failure occurred
          example: '2024-01-15T10:30:00.000Z'
          type: string
        reason:
          description: Reason for the PR creation failure
          example: merge conflict in target branch
          type: string
      title: Click To Fix Failure
      type: object
    protos.openapi.v1.SastFinding_ClickToFixPr:
      description: A pull request created by Semgrep's Click to Fix feature
      properties:
        created_at:
          description: When this PR was created
          example: '2024-01-15T10:30:00.000Z'
          type: string
        url:
          description: URL of the pull request
          example: https://github.com/myorg/myrepo/pull/123
          type: string
      title: Click To Fix Pr
      type: object
    protos.openapi.v1.ExternalTicket:
      description: External ticket associated with finding
      properties:
        externalSlug:
          description: Identifier of the external ticket
          example: OPS-158
          type: string
        id:
          description: External ticket id
          format: uint32
          type: integer
        linkedIssueIds:
          description: Semgrep issue ids that are linked to this external ticket
          items:
            format: uint32
            type: integer
          type: array
        url:
          description: URL of the external ticket
          type: string
      title: External Ticket
      type: object
    protos.openapi.v1.FindingLocation:
      description: >-
        Location of the record in a file, as reported by Semgrep. If null, then
        the information does not exist or lacks integrity (older or broken
        scans)
      properties:
        column:
          description: Column at which the target starts
          example: 8
          format: uint32
          type: integer
        endColumn:
          description: Column at which the target ends
          example: 16
          format: uint32
          type: integer
        endLine:
          description: Line at which the target ends
          example: 124
          format: uint32
          type: integer
        filePath:
          description: File path of the relevant line and column numbers
          example: frontend/src/corpComponents/Code.tsx
          type: string
        line:
          description: Line at which the target starts
          example: 120
          format: uint32
          type: integer
      title: Finding Location
      type: object
    protos.openapi.v1.FindingRepository:
      description: Which repository this finding was identified in
      properties:
        name:
          description: The repository or named project that the finding is associated with
          example: semgrep
          type: string
        url:
          description: The source URL from which this repository last scanned
          example: https://github.com/semgrep/semgrep
          type: string
      title: Finding Repository
      type: object
    protos.openapi.v1.ReviewComment:
      description: External review comment information associated with a finding
      properties:
        externalDiscussionId:
          description: External ID of the review comment or discussion thread
          example: af04762b69acfb74c8f9
          type: string
        externalNoteId:
          description: >-
            External ID of the specific note in the review comment discussion
            thread. Only applicable for GitLab.com, GitLab Self-Managed and
            Azure DevOps
          example: 123523
          type: string
      title: Review Comment
      type: object
    protos.openapi.v1.FindingRule:
      description: Rule that applies to this finding
      properties:
        category:
          description: Category the rule is associated with
          example: security
          type: string
        confidence:
          description: Confidence level of the rule
          enum:
            - low
            - medium
            - high
          example: high
          type: string
        cweNames:
          description: CWE names associated with the rule
          example:
            - 'CWE-319: Cleartext Transmission of Sensitive Information'
          items:
            type: string
          type: array
        message:
          description: Rule message
          example: >-
            This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS
            URL if possible.
          type: string
        name:
          description: Name of the rule
          example: html.security.plaintext-http-link.plaintext-http-link
          type: string
        owaspNames:
          description: OWASP names associated with the rule
          example:
            - A03:2017 - Sensitive Data Exposure
            - A02:2021 - Cryptographic Failures
          items:
            type: string
          type: array
        subcategories:
          description: Subcategories of the rule
          example:
            - vuln
          items:
            type: string
          type: array
        vulnerabilityClasses:
          description: Vulnerability classes the rule is associated with
          example:
            - Mishandled Sensitive Information
          items:
            type: string
          type: array
      title: Finding Rule
      type: object
    protos.openapi.v1.SastFinding_PolicyReference:
      description: >-
        Reference to a policy, with some basic information. If null, then the
        information does not exist or lacks integrity (older or broken scans)
      properties:
        id:
          description: Unique numerical identifier of the policy
          example: 120
          format: uint32
          type: integer
        name:
          description: Human readable name
          example: Default Policy
          type: string
        slug:
          description: Sanitized machine-readable name
          example: default-policy
          type: string
      title: Policy Reference
      type: object
    protos.openapi.v1.ScaFinding_EpssScore:
      description: >-
        The score assigned by FIRST.org's Exploitation Probability Scoring
        System
      properties:
        percentile:
          description: This EPSS score's percentile among all EPSS scores, from 0 to 1
          example: 0.994
          format: float
          type: number
        score:
          description: The explotation probability, from 0 to 1
          example: 0.97
          format: float
          type: number
      title: Epss Score
      type: object
    protos.openapi.v1.ScaFinding_FixRecommendation:
      description: Recommendation for fixing the vulnerability
      properties:
        package:
          description: The package for which a fix is recommended
          example: System.Drawing.Common
          type: string
        version:
          description: The recommended version of the package
          example: 5.0.3
          type: string
      title: Fix Recommendation
      type: object
    protos.openapi.v1.ScaFinding_FoundDependency:
      description: Information about the vulnerable package that was found in the codebase
      properties:
        ecosystem:
          default: no_package_manager
          description: Ecosystem of the package
          enum:
            - no_package_manager
            - npm
            - pypi
            - gomod
            - cargo
            - maven
            - gem
            - composer
            - nuget
            - pub
            - swiftpm
            - hex
          example: npm
          type: string
        lockfile_line_url:
          description: >-
            URL to the specific line in the lockfile where the dependency is
            listed
          example: https://github.com/yourorg/yourrepo/blob/main/package-lock.json#L25
          type: string
        package:
          description: Name of the package that contains the vulnerability
          example: System.Drawing.Common
          type: string
        transitivity:
          description: Indicates whether the dependency is direct or transitive
          enum:
            - direct
            - transitive
            - unknown
          example: direct
          type: string
        version:
          description: Version of the package that was found to be vulnerable
          example: 5.0.0
          type: string
      title: Found Dependency
      type: object
    protos.openapi.v1.ScaFinding_Usage:
      description: >-
        Usage of the vulnerable package in the codebase. Applies to reachable
        findings
      properties:
        external_ticket:
          $ref: '#/components/schemas/protos.openapi.v1.ExternalTicket'
        location:
          $ref: '#/components/schemas/protos.openapi.v1.FindingLocation'
      title: Usage
      type: object
    protos.openapi.v1.Assistant_Autofix:
      description: Fix data generated by Semgrep Assistant
      properties:
        explanation:
          description: >-
            DEPRECATED: This field is deprecated and will always be an empty
            string. Find a description of how this fix works under
            `assistant.guidance`
          example: null
          type: string
        fix_code:
          description: >-
            Source code that replaces all matched lines to fix this finding. AI
            generated content, review carefully
          example: cookie.setHttpOnly(true);\nresponse.addCookie(cookie);
          type: string
      title: Autofix
      type: object
    protos.openapi.v1.Assistant_Autotriage:
      description: Triage recommendation generated by Semgrep Assistant
      properties:
        reason:
          description: >-
            The reasoning for a `false_positive` verdict; this explains why you
            might want to ignore the finding. Empty string if verdict is
            `true_positive`
          example: The matched code is used for a non-security related feature.
          type: string
        verdict:
          description: >-
            The verdict is `true_positive` if Assistant recommends fixing,
            `false_positive` if Assistant recommends ignoring this finding. AI
            generated decision, review carefully
          enum:
            - false_positive
            - true_positive
          example: false_positive
          type: string
      title: Autotriage
      type: object
    protos.openapi.v1.Assistant_Component:
      description: >-
        Semgrep Assistant's guess as for what the matched source code's purpose
        is
      properties:
        risk:
          description: Component risk level
          enum:
            - high
            - low
            - neutral
          example: high
          type: string
        tag:
          description: Component tag
          example: user data
          type: string
      title: Component
      type: object
    protos.openapi.v1.Assistant_Guidance:
      description: Remediation guidance generated by Semgrep Assistant
      properties:
        instructions:
          description: >-
            Step-by-step instructions explaining to a developer how to fix the
            finding. AI generated content, review carefully
          example: null
          type: string
        summary:
          description: >-
            Short title explaining to a developer how to fix the finding. AI
            generated content, review carefully
          example: >-
            Use a template rendering engine such as EJS instead of string
            concatenation.
          type: string
      title: Guidance
      type: object
    protos.openapi.v1.Assistant_RuleExplanation:
      description: AI-generated explanation of why a rule flagged this specific code
      properties:
        explanation:
          description: >-
            Detailed explanation of why this rule flagged the code, including
            context about the security issue and why it applies to this specific
            code. AI generated content, review carefully
          example: >-
            This code is vulnerable to SQL injection because user input from the
            `username` parameter is directly concatenated into the SQL query
            string without sanitization or parameterization.
          type: string
        summary:
          description: >-
            A concise summary of the rule explanation. May not be present for
            all findings
          example: User input directly concatenated into SQL query
          type: string
      title: Rule Explanation
      type: object
  securitySchemes:
    SemgrepWebToken:
      bearerFormat: string
      description: >-
        Get access to data with your API token. Example header:


        `Authorization: Bearer
        2991e2fb4b540fe75b8f90677b0b892b6314e4961cb001fe6eb452eee248a628`


        The token can be provisioned from the Tokens section in your Settings,
        and requires explicitly enabling `Web API` access.
      scheme: bearer
      type: http

````