Points de terminaison d’API REST pour les avis de sécurité
Utiliser l’API REST pour créer et gérer des alertes de sécurité innersource
Sync innersource vulnerabilities for an enterprise
Synchronize innersource vulnerability data with the Advisory Database for an enterprise. This endpoint receives vulnerability data in OSV format and creates, updates, or withdraws innersource vulnerabilities accordingly. Dependabot alerting is triggered for created and updated vulnerabilities.
The request body accepts up to 100 vulnerabilities per call. The request is validated and
then queued for asynchronous processing: a successful request returns 202 Accepted with a
Location header pointing to a status URL that you poll for the final result.
Syncing vulnerabilities too quickly using this endpoint may result in secondary rate limiting. For more information, see "Rate limits for the API" and "Best practices for using the REST API."
This endpoint does not support OAuth apps or personal access tokens.
Jetons d'accès granulaires pour «Sync innersource vulnerabilities for an enterprise»
Ce point de terminaison fonctionne avec les types de tokens à granularité fine suivants:
Le token à granularité fine doit disposer de l’ensemble d’autorisations suivant:
- "Enterprise innersource vulnerabilities" enterprise permissions (write)
Paramètres pour «Sync innersource vulnerabilities for an enterprise »
| Nom, Type, Description |
|---|
accept string Setting to |
| Nom, Type, Description |
|---|
enterprise string RequisThe slug version of the enterprise name. |
| Nom, Type, Description | ||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
vulnerabilities array of objects RequisArray of vulnerabilities in OSV format to synchronize | ||||||||||||||||||||||||||||||||||||||
Properties of |
| Nom, Type, Description | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
id string RequisUnique identifier for the vulnerability from the external system | |||||||||||||||||
schema_version string The OSV schema version | |||||||||||||||||
summary string A short summary of the vulnerability | |||||||||||||||||
details string Detailed description of the vulnerability | |||||||||||||||||
aliases array of strings IDs for the same vulnerability in other databases. Only CVE IDs are used (to populate the vulnerability's CVE identifier); other aliases are ignored. | |||||||||||||||||
severity array of objects Severity information for the vulnerability | |||||||||||||||||
Properties of |
| Nom, Type, Description |
|---|
type string The type of severity scoring (e.g., CVSS_V3) |
score string The severity score or vector string |
affected array of objects Packages and versions affected by the vulnerability
Properties of affected
| Nom, Type, Description | |||||||||
|---|---|---|---|---|---|---|---|---|---|
package object | |||||||||
Properties of |
| Nom, Type, Description |
|---|
ecosystem string The package ecosystem (e.g., npm, pip, maven) |
name string The package name |
ranges array of objects Properties of ranges
| Nom, Type, Description | |||||
|---|---|---|---|---|---|
type string | |||||
events array of objects | |||||
Properties of |
| Nom, Type, Description |
|---|
introduced string The version that introduced the vulnerability |
fixed string The version that fixed the vulnerability |
last_affected string The last affected version |
limit string The upper limit of the affected range |
references array of objects URLs for more information about the vulnerability
Properties of references
| Nom, Type, Description |
|---|
type string The type of reference. Supported values: PACKAGE, ADVISORY, WEB, FIX, ARTICLE, REPORT, EVIDENCE. References with other types are ignored. |
url string The reference URL |
published string When the vulnerability was first published
modified string When the vulnerability was last modified
withdrawn string When the vulnerability was withdrawn. If present, the vulnerability will be marked as withdrawn.
Codes d’état de réponse HTTP pour «Sync innersource vulnerabilities for an enterprise »
| Code de statut | Description |
|---|---|
202 | Sync operation accepted for asynchronous processing. Poll the returned URL for results. |
400 | Bad Request |
401 | Requires authentication |
403 | Forbidden |
404 | Resource not found |
422 | Validation failed, or the endpoint has been spammed. |
Exemples de code pour «Sync innersource vulnerabilities for an enterprise »
Si vous accédez à GitHub à GHE.com, remplacez api.github.com par le sous-domaine dédié de votre entreprise à api.SUBDOMAIN.ghe.com.
Exemple de requête
curl -L \
-X POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2026-03-10" \
https://api.github.com/enterprises/ENTERPRISE/innersource-vulnerabilities/sync \
-d '{"vulnerabilities":[{"id":"MVS-2026-001","schema_version":"1.4.0","summary":"Example vulnerability summary","aliases":["GHSA-xxxx-xxxx-xxxx"],"affected":[{"package":{"ecosystem":"npm","name":"example-package"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.0.0"},{"fixed":"1.0.1"}]}]}]}]}'Sync operation accepted for asynchronous processing. Poll the returned URL for results.
Status: 202{
"id": "external-vulnerability-sync-a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"url": "https://api.github.com/enterprises/my-enterprise/innersource-vulnerabilities/sync/status/external-vulnerability-sync-a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"status": "queued"
}Get innersource vulnerability sync status for an enterprise
Get the status of an asynchronous innersource vulnerability sync operation for an enterprise.
Returns 202 with a Retry-After header while the sync is still processing, or 200 with
the full sync results once complete.
This endpoint does not support OAuth apps or personal access tokens.
Jetons d'accès granulaires pour «Get innersource vulnerability sync status for an enterprise»
Ce point de terminaison fonctionne avec les types de tokens à granularité fine suivants:
Le token à granularité fine doit disposer de l’ensemble d’autorisations suivant:
- "Enterprise innersource vulnerabilities" enterprise permissions (write)
Paramètres pour «Get innersource vulnerability sync status for an enterprise »
| Nom, Type, Description |
|---|
accept string Setting to |
| Nom, Type, Description |
|---|
enterprise string RequisThe slug version of the enterprise name. |
job_id string RequisThe unique identifier of the sync job. |
Codes d’état de réponse HTTP pour «Get innersource vulnerability sync status for an enterprise »
| Code de statut | Description |
|---|---|
200 | Sync operation completed |
202 | Sync operation is still processing |
401 | Requires authentication |
403 | Forbidden |
404 | Resource not found |
Exemples de code pour «Get innersource vulnerability sync status for an enterprise »
Si vous accédez à GitHub à GHE.com, remplacez api.github.com par le sous-domaine dédié de votre entreprise à api.SUBDOMAIN.ghe.com.
Exemples de requête
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2026-03-10" \
https://api.github.com/enterprises/ENTERPRISE/innersource-vulnerabilities/sync/status/JOB_IDSync operation completed
Status: 200{
"processed": 1,
"created": 1,
"updated": 0,
"withdrawn": 0,
"errors": 0,
"results": [
{
"external_id": "MVS-2026-001",
"status": "created",
"ghsa_id": "GHIS-xxxx-xxxx-xxxx"
}
]
}