API Reference
Integrate TigerGate programmatically with our REST API
Authentication
API keys and authentication
Scans
Trigger and manage security scans
Findings
Query and manage findings
Webhooks
Real-time event notifications
Base URL
https://api.tigergate.dev
Authentication
All API requests require authentication using an API key. Include your API key in the Authorization header.
Getting Your API Key
- Log in to your TigerGate dashboard
- Navigate to Settings → API Keys
- Click "Create API Key"
- Copy and securely store your key (it won't be shown again)
Using Your API Key
curl -X GET https://api.tigergate.dev/api/scans \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json"
Security Best Practices
- Never commit API keys to version control
- Use environment variables to store keys
- Rotate keys periodically
- Use separate keys for different environments
Scans API
POST /api/scans
Create a new security scan
Request Body
{
  "organization_id": "org-uuid",
  "scan_type": "code",
  "provider": "github",
  "owner": "your-org",
  "repo_name": "your-repo",
  "branch": "main",
  "scan_config": {
    "enable_sast": true,
    "enable_sca": true,
    "enable_secrets": true,
    "enable_iac": true
  }
}
Response
{
  "scan_id": "scan-uuid",
  "status": "queued",
  "created_at": "2025-01-15T10:00:00Z"
}
GET /api/scans/{scan_id}
Get scan status and results
Response
{
  "scan_id": "scan-uuid",
  "status": "completed",
  "findings": [...],
  "summary": {
    "total_findings": 42,
    "critical_count": 2,
    "high_count": 8,
    "medium_count": 20,
    "low_count": 12
  },
  "started_at": "2025-01-15T10:00:00Z",
  "completed_at": "2025-01-15T10:05:00Z"
}
GET /api/scans
List all scans for your organization
Query Parameters
| Parameter | Type | Description |
|---|---|---|
| organization_id | string | Filter by organization (required) |
| status | string | Filter by status (queued, running, completed, failed) |
| limit | integer | Max results (default: 20, max: 100) |
| offset | integer | Pagination offset |
Findings API
GET /api/findings
Query findings across all scans
Query Parameters
| Parameter | Type | Description |
|---|---|---|
| severity | string | Filter by severity (critical, high, medium, low) |
| scan_type | string | Filter by scan type (sast, sca, secrets, iac, cspm) |
| status | string | Filter by status (open, resolved, ignored) |
Example Response
{
  "findings": [
    {
      "id": "finding-uuid",
      "title": "SQL Injection in user query",
      "severity": "critical",
      "scan_type": "sast",
      "file_path": "src/api/users.ts",
      "line_number": 45,
      "description": "User input is directly concatenated into SQL query",
      "remediation": "Use parameterized queries or prepared statements",
      "cwe_id": "CWE-89",
      "status": "open",
      "created_at": "2025-01-15T10:05:00Z"
    }
  ],
  "total": 42,
  "limit": 20,
  "offset": 0
}
PATCH /api/findings/{finding_id}
Update finding status
Request Body
{
  "status": "resolved",
  "resolution_note": "Fixed in commit abc123"
}
Webhooks
Receive real-time notifications for scan events via HTTP webhooks.
Webhook Events
- scan.started - Scan has begun
- scan.completed - Scan finished successfully
- scan.failed - Scan encountered an error
- finding.new - New critical/high finding detected
Webhook Payload
{
  "event": "scan.completed",
  "scan_id": "scan-uuid",
  "organization_id": "org-uuid",
  "timestamp": "2025-01-15T10:05:00Z",
  "data": {
    "findings": {
      "critical": 2,
      "high": 8,
      "medium": 20,
      "low": 12
    },
    "duration_seconds": 300
  }
}
Rate Limits
| Plan | Requests/minute | Concurrent scans |
|---|---|---|
| Free | 60 | 1 |
| Pro | 300 | 5 |
| Enterprise | 1000+ | Unlimited |
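The webhook payload and the Scans API above, combined in an added Python example (not TigerGate's own code): this page does not describe a way to authenticate webhook deliveries, so the handler treats the request body as an untrusted hint and confirms the result through GET /api/scans/{scan_id} before deciding. The TIGERGATE_API_KEY variable name, the fetch_scan and handle_webhook functions, and the policy of blocking on any critical or high finding are assumptions.

```python
import json
import os
import urllib.parse
import urllib.request

BASE_URL = "https://api.tigergate.dev"
KNOWN_EVENTS = {"scan.started", "scan.completed", "scan.failed", "finding.new"}


def fetch_scan(scan_id):
    """GET /api/scans/{scan_id} with the key taken from the environment."""
    api_key = os.environ["TIGERGATE_API_KEY"]  # assumed variable name
    # scan_id came from an unauthenticated request body: percent-encode it so
    # it cannot change the path or query of the URL we call.
    url = f"{BASE_URL}/api/scans/{urllib.parse.quote(scan_id, safe='')}"
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {api_key}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def handle_webhook(raw_body, fetch=fetch_scan):
    """Return 'ignored', 'pass' or 'block' for one webhook delivery."""
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return "ignored"
    if not isinstance(payload, dict) or payload.get("event") not in KNOWN_EVENTS:
        return "ignored"
    scan_id = payload.get("scan_id")
    if payload["event"] != "scan.completed" or not isinstance(scan_id, str) or not scan_id:
        return "ignored"
    # Decide on what the API reports, not on the counts in the webhook body.
    scan = fetch(scan_id)
    if scan.get("scan_id") != scan_id or scan.get("status") != "completed":
        return "ignored"
    summary = scan.get("summary", {})
    blocking = summary.get("critical_count", 0) + summary.get("high_count", 0)
    return "block" if blocking > 0 else "pass"
```

Pass a different `fetch` callable to run the handler against recorded responses without network access.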