Vulnerabilities API
List vulnerabilities
GET /v1/repo-vulnerabilities
Returns a paginated list of security findings for your tenant, ordered by severity (critical first).
Query parameters
| Parameter | Description |
|---|---|
| severity[] | Filter by severity: critical, high, medium, low, info |
| status[] | Filter by state: open, in_backlog, in_progress, resolved, accepted, false_positive |
| scan_type | Filter by scanner: sca, iac, secrets |
| project_id | Filter by project UUID |
| assigned_to_user_id | Filter by assignee user ID |
| search | Full-text search in rule ID, description, and location |
| limit | Results per page (default: 20, max: 100) |
| cursor | Pagination cursor from the previous response |
Example
# Get all critical and high open findings
curl "https://api.mushasec.com/v1/repo-vulnerabilities?severity[]=critical&severity[]=high&status[]=open" \
  -H "Authorization: Bearer msk_live_..."
Response
{
  "data": [
    {
      "id": "01960000-...",
      "fingerprint": "fp_v1:sha256...",
      "project_id": "...",
      "project_name": "backend-api",
      "rule_id": "CVE-2024-12345",
      "severity": "critical",
      "status": "open",
      "scan_type": "sca",
      "location": "go.mod:42",
      "description": "Remote code execution in package foo v1.2.3",
      "fix_available": "go get foo@1.2.4",
      "is_breaking": false,
      "is_direct": true,
      "cwe": "CWE-94",
      "assigned_to": "user@company.com",
      "sla_deadline": "2026-05-22T00:00:00Z",
      "sla_breached": false,
      "first_seen": "2026-05-15T10:00:00Z",
      "last_seen": "2026-05-15T10:00:00Z"
    }
  ],
  "has_more": false,
  "next_cursor": null
}
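The following is an added example, not code from the API vendor: it walks every page of the list endpoint by following `next_cursor` while `has_more` is true, and fails closed if the cursor is missing or repeats. The names `build_url`, `iter_findings` and `fake_fetch` are hypothetical, and the two-page sample data is constructed so the block runs offline.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

BASE = "https://api.mushasec.com/v1/repo-vulnerabilities"

def build_url(severity=(), status=(), limit=100, cursor=None):
    """Array filters repeat the key: severity[]=critical&severity[]=high."""
    if not 1 <= limit <= 100:
        raise ValueError("limit must be between 1 and 100 (documented max)")
    params = [("severity[]", s) for s in severity]
    params += [("status[]", s) for s in status]
    params.append(("limit", limit))
    if cursor:
        params.append(("cursor", cursor))
    return BASE + "?" + urlencode(params, safe="[]")

def iter_findings(fetch_page, **filters):
    """Yield every finding, following next_cursor while has_more is true.
    fetch_page(url) must return the parsed JSON body; in real use it would
    send the Authorization: Bearer header shown in the curl example.
    """
    cursor, seen = None, set()
    while True:
        page = fetch_page(build_url(cursor=cursor, **filters))
        yield from page["data"]
        if not page.get("has_more"):
            return
        cursor = page.get("next_cursor")
        # Fail closed: a missing or repeated cursor would otherwise loop
        # forever or silently truncate the result set.
        if not cursor or cursor in seen:
            raise RuntimeError("has_more is true but cursor is missing or repeated")
        seen.add(cursor)

# Constructed two-page sample, shaped like the documented response.
_PAGES = {
    None: {"data": [{"id": "a", "severity": "critical"}],
           "has_more": True, "next_cursor": "c1"},
    "c1": {"data": [{"id": "b", "severity": "high"}],
           "has_more": False, "next_cursor": None},
}

def fake_fetch(url):
    """Offline stand-in for an HTTP GET: picks a page by the cursor parameter."""
    cursor = parse_qs(urlsplit(url).query).get("cursor", [None])[0]
    return _PAGES[cursor]

if __name__ == "__main__":
    for f in iter_findings(fake_fetch, severity=["critical", "high"], status=["open"]):
        print(f["id"], f["severity"])
```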
Export findings
GET /v1/repo-vulnerabilities/export
Exports findings as CSV or JSON. Requires Admin or Owner role.
Query parameters
Same filters as GET /v1/repo-vulnerabilities, plus:
| Parameter | Description |
|---|---|
| format | csv (default) or json |
Limits
- Maximum 10,000 rows per export. If your tenant exceeds this, apply filters to narrow the scope.
- CSV uses UTF-8 BOM for Excel compatibility.
CSV columns
id, fingerprint, project_name, rule_id, severity, status, scan_type, location, description, fix_available, is_breaking, is_direct, cwe, assigned_to, accepted_by, accepted_reason, accepted_until, sla_deadline, sla_breached, first_seen, last_seen
Example
# Export all findings for SOC 2 audit evidence
curl "https://api.mushasec.com/v1/repo-vulnerabilities/export?format=csv" \
  -H "Authorization: Bearer msk_live_..." \
  -o musha-findings-$(date +%Y-%m-%d).csv
Update vulnerability status
POST /v1/repo-vulnerabilities/:id/status
Transitions a vulnerability to a new state.
Request body
{
  "action": "accept",
  "reason": "Dependency not reachable from production code paths",
  "accepted_until": "2026-08-15"
}
Actions
| Action | Target state | Required fields | Roles |
|---|---|---|---|
| in_progress | in_progress | — | Member, Admin, Owner |
| backlog | in_backlog | — | Admin, Owner |
| resolve | resolved | — | Admin, Owner |
| accept | accepted | reason, accepted_until | Admin, Owner |
| false_positive | false_positive | reason | Admin, Owner |
| reopen | open | — | Admin, Owner |