API Reference
API Endpoints
Available API endpoints and operations.
| Method | Endpoint | Description |
|---|---|---|
| GET | /v1/tests | List all tests |
| POST | /v1/tests | Create and launch a new test |
| GET | /v1/tests/:id | Get test details |
| DELETE | /v1/tests/:id | Cancel a running test |
| GET | /v1/tests/:id/status | Get test status and progress |
```bash
curl -X POST https://api.codewall.ai/v1/tests \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "target_url": "https://app.example.com",
    "target_type": "web_app",
    "seed_targets": [
      "app.example.com",
      "api.example.com"
    ],
    "config": {
      "scope": {
        "allowed_domains": ["app.example.com", "api.example.com"],
        "excluded": ["/admin/delete-all"]
      }
    }
  }'
```
| Field | Type | Description |
|---|---|---|
| target_url | string | Primary URL for the target application |
| target_type | string | One of: web_app, web_api, surface_discovery, mcp_server, llm_app |
| seed_targets | string[] | Up to 10 seed domains, URLs, or IPs for reconnaissance (replaces legacy seed_target) |
| seed_target | string | Legacy single seed target (use seed_targets instead) |
| project_id | string | Project to associate the test with |
| config | object | Full test configuration (scope, auth, safety, etc.) |
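
A client-side pre-flight check for the create-test payload, as an added example that is not part of the CodeWall documentation or SDK: it enforces the documented `target_type` values and the 10-entry `seed_targets` limit, and refuses any target whose host is not listed in `config.scope.allowed_domains`. The exact-host match is an assumption; the page does not say how the API itself matches `allowed_domains`.

```python
from urllib.parse import urlsplit

# Values and limit taken from the field table above.
TARGET_TYPES = {"web_app", "web_api", "surface_discovery", "mcp_server", "llm_app"}
MAX_SEED_TARGETS = 10

# Constructed sample: the request body from the curl example above.
SAMPLE_PAYLOAD = {
    "target_url": "https://app.example.com",
    "target_type": "web_app",
    "seed_targets": ["app.example.com", "api.example.com"],
    "config": {"scope": {
        "allowed_domains": ["app.example.com", "api.example.com"],
        "excluded": ["/admin/delete-all"],
    }},
}


def host_of(target: str) -> str:
    """Lowercase host of a seed target given as a domain, URL, or IP (port dropped)."""
    parts = urlsplit(target if "://" in target else "//" + target)
    return (parts.hostname or "").rstrip(".")


def preflight(payload: dict) -> list[str]:
    """Return a list of problems; an empty list means the payload may be sent."""
    problems = []
    if payload.get("target_type") not in TARGET_TYPES:
        problems.append(f"unknown target_type: {payload.get('target_type')!r}")
    seeds = list(payload.get("seed_targets", []))
    if len(seeds) > MAX_SEED_TARGETS:
        problems.append(f"{len(seeds)} seed_targets exceeds limit of {MAX_SEED_TARGETS}")
    scope = payload.get("config", {}).get("scope", {})
    # Assumption: a host is in scope only if it is listed literally.
    allowed = {d.lower().rstrip(".") for d in scope.get("allowed_domains", [])}
    for target in dict.fromkeys([payload.get("target_url", "")] + seeds):
        host = host_of(target)
        if not host or host not in allowed:
            problems.append(f"out of scope: {target!r}")
    return problems


if __name__ == "__main__":
    print(preflight(SAMPLE_PAYLOAD) or "payload OK")
```
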
| Method | Endpoint | Description |
|---|---|---|
| GET | /v1/findings | List all findings across tests |
| GET | /v1/tests/:id/findings | List findings for a specific test |
| GET | /v1/findings/:id | Get finding details |
| PATCH | /v1/findings/:id | Update finding status |
| POST | /v1/findings/import | Import findings from an external scanner |
```bash
curl "https://api.codewall.ai/v1/findings?severity=critical,high&status=open" \
  -H "Authorization: Bearer YOUR_API_KEY"
```
Upload findings from Nessus or Qualys XML scan exports:
```bash
curl -X POST https://api.codewall.ai/v1/findings/import \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -F "file=@scan_results.xml" \
  -F "tool=nessus" \
  -F "project_id=proj_abc123"
```
| Field | Type | Description |
|---|---|---|
| file | file | XML scan export (max 50 MB) |
| tool | string | Scanner type: nessus or qualys |
| project_id | string | Project to associate imported findings with |
Imported findings are deduplicated by fingerprint. A synthetic test run is created to group the imported findings.
| Method | Endpoint | Description |
|---|---|---|
| GET | /v1/assets | List all assets (supports min_confidence, type, project_id filters) |
| POST | /v1/assets | Create a new asset |
| GET | /v1/assets/:id | Get asset details including confidence score |
| PATCH | /v1/assets/:id | Update asset (confidence, notes) |
| DELETE | /v1/assets/:id | Delete an asset |
| Method | Endpoint | Description |
|---|---|---|
| GET | /v1/targets | List all targets |
| POST | /v1/targets | Create a new target |
| GET | /v1/targets/:id | Get target details |
| PATCH | /v1/targets/:id | Update target configuration |
| DELETE | /v1/targets/:id | Delete a target |
| Method | Endpoint | Description |
|---|---|---|
| GET | /v1/schedules | List all schedules |
| POST | /v1/schedules | Create a new schedule |
| PATCH | /v1/schedules/:id | Update a schedule |
| DELETE | /v1/schedules/:id | Delete a schedule |
| POST | /v1/schedules/:id/pause | Pause a schedule |
| POST | /v1/schedules/:id/resume | Resume a schedule |
| Method | Endpoint | Description |
|---|---|---|
| POST | /v1/runs/:id/approve | Approve or reject a pending phase gate |
| POST | /v1/runs/:id/approve-command | Approve or reject a pending command |
```bash
curl -X POST https://api.codewall.ai/v1/runs/:run_id/approve \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "decision": "approve"
  }'
```
| Field | Type | Description |
|---|---|---|
| decision | string | approve or reject |
| rejection_action | string | On reject: cancel (default) or skip_to_report |
```bash
curl -X POST https://api.codewall.ai/v1/runs/:run_id/approve-command \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "decision": "approve"
  }'
```
| Method | Endpoint | Description |
|---|---|---|
| POST | /v1/reachability/check | Check whether targets are reachable from CodeWall's infrastructure |
```bash
curl -X POST https://api.codewall.ai/v1/reachability/check \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "targets": ["app.example.com", "api.example.com:8443"]
  }'
```
Response:
```json
{
  "results": [
    {
      "target": "app.example.com",
      "reachable": true,
      "method": "http",
      "latency_ms": 42
    },
    {
      "target": "api.example.com:8443",
      "reachable": false,
      "method": "tcp",
      "error": "connection timed out"
    }
  ],
  "all_reachable": false
}
```
| Field | Type | Description |
|---|---|---|
| targets | string[] | Up to 20 hostnames, IPs, or host:port pairs to check |
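
One way to gate a test launch on the reachability check when the target list is longer than the 20-entry limit, as an added example that is not CodeWall's own code. `post_check` is a hypothetical caller-supplied function that sends one batch to `POST /v1/reachability/check` and returns the parsed response body; because `all_reachable` only describes a single response, the gate is computed from the per-target `results` and fails closed on any target the API did not report.

```python
from typing import Callable

MAX_TARGETS_PER_CHECK = 20  # limit from the field table above


def check_all(targets: list[str], post_check: Callable[[list[str]], dict]) -> list[dict]:
    """Send targets in batches of at most 20 and merge the per-target results."""
    results: list[dict] = []
    for start in range(0, len(targets), MAX_TARGETS_PER_CHECK):
        body = post_check(targets[start:start + MAX_TARGETS_PER_CHECK])
        results.extend(body.get("results", []))
    return results


def launch_blockers(targets: list[str], results: list[dict]) -> dict[str, str]:
    """Map each target that should block the launch to the reason why.

    A target blocks the launch if the API reported it unreachable or
    returned no result for it at all (fail closed).
    """
    by_target = {r["target"]: r for r in results}
    blockers: dict[str, str] = {}
    for target in targets:
        result = by_target.get(target)
        if result is None:
            blockers[target] = "no result returned"
        elif result.get("reachable") is not True:
            blockers[target] = result.get("error", "unreachable")
    return blockers


if __name__ == "__main__":
    # Constructed sample: the two results from the response shown above.
    sample = [
        {"target": "app.example.com", "reachable": True, "method": "http", "latency_ms": 42},
        {"target": "api.example.com:8443", "reachable": False, "method": "tcp",
         "error": "connection timed out"},
    ]
    print(launch_blockers(["app.example.com", "api.example.com:8443"], sample))
```
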
| Method | Endpoint | Description |
|---|---|---|
| GET | /v1/dashboard-views | List all saved dashboard views |
| POST | /v1/dashboard-views | Create a new custom dashboard view |
| GET | /v1/dashboard-views/:id | Get a dashboard view |
| PATCH | /v1/dashboard-views/:id | Update a dashboard view |
| DELETE | /v1/dashboard-views/:id | Delete a dashboard view |
| Method | Endpoint | Description |
|---|---|---|
| GET | /v1/tests/:id/report | Download PDF report |
| GET | /v1/tests/:id/report/csv | Download CSV export |
| GET | /v1/tests/:id/report/json | Download JSON export |
List endpoints return paginated results:
```json
{
  "data": [...],
  "pagination": {
    "page": 1,
    "per_page": 25,
    "total": 142,
    "total_pages": 6
  }
}
```
Use ?page=2&per_page=50 query parameters to paginate.
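
Walking every page of a list endpoint such as `/v1/findings`, as an added example that is not CodeWall's own client code. `fetch_page` is a hypothetical caller-supplied function that requests `?page=N&per_page=M` and returns the parsed envelope shown above; the walker reports whether the number of items collected matches `pagination.total`, so a triage export that silently missed findings is detectable.

```python
from typing import Callable


def fetch_all(fetch_page: Callable[[int, int], dict],
              per_page: int = 50, max_pages: int = 1000) -> tuple[list, bool]:
    """Collect `data` from every page.

    Returns (items, complete). `complete` is False when the walk hit
    max_pages, a page came back empty early, or the collected count
    disagrees with the last reported `pagination.total`.
    """
    items: list = []
    total = None
    finished = False
    for page in range(1, max_pages + 1):
        body = fetch_page(page, per_page)
        data = body.get("data", [])
        meta = body.get("pagination", {})
        items.extend(data)
        total = meta.get("total", total)
        if page >= meta.get("total_pages", page):
            finished = True          # last page according to the server
            break
        if not data:
            break                    # empty page before total_pages: stop, incomplete
    return items, finished and total == len(items)


def make_fake_endpoint(total: int) -> Callable[[int, int], dict]:
    """Constructed stand-in for a list endpoint holding `total` items."""
    rows = [{"id": f"finding_{i}"} for i in range(total)]

    def fetch_page(page: int, per_page: int) -> dict:
        start = (page - 1) * per_page
        return {
            "data": rows[start:start + per_page],
            "pagination": {"page": page, "per_page": per_page, "total": total,
                           "total_pages": max(1, -(-total // per_page))},
        }
    return fetch_page


if __name__ == "__main__":
    found, complete = fetch_all(make_fake_endpoint(142), per_page=50)
    print(len(found), complete)
```
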