Public API
Build on codelake.
Automate everything.
Every feature in the codelake platform is accessible through a fully documented REST API. Trigger scans, retrieve findings, manage projects, and subscribe to events — programmatically.
OpenAPI 3.1 specification. Granular token scopes. Official SDKs for Node.js, Python, and Go. Rate-limited and versioned for stability.
# Trigger a scan via API
$ curl -X POST https://api.codelake.io/v1/scans \
    -H "Authorization: Bearer cl_tok_..." \
    -H "Content-Type: application/json" \
    -d '{"project_id": "p_abc123", "types": ["sast","sca"]}'
# Response
{
  "id": "s_7f8a2b1c",
  "status": "queued",
  "types": ["sast","sca"],
  "created_at": "2026-03-23T14:30:00Z"
}
Overview
Built for developers. Documented for everyone.
The codelake API follows REST conventions with JSON payloads, consistent pagination, comprehensive error codes, and full OpenAPI 3.1 documentation. Every endpoint is versioned and backward-compatible within major versions.
OpenAPI 3.1 Spec
Full specification available for code generation, testing, and documentation. Import into Postman, Insomnia, or any OpenAPI-compatible tool.
Versioned & Stable
API versions are maintained with backward compatibility. Breaking changes only in major versions with 12-month deprecation notices.
Consistent Patterns
Standard pagination, filtering, and sorting across all list endpoints. Consistent error format with machine-readable codes and human-readable messages.
Rate Limited
Clear rate limits with headers indicating remaining quota. Higher limits for Pro and Enterprise plans. Burst-friendly for automation.
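The pieces above (trigger a scan, poll it, page through findings, back off when rate limited) fit together into the kind of CI gate most teams build first. The script below is an added example written for this page, not codelake's SDK or sample code. The /v1/scans and /v1/findings paths, the bearer token and the "queued" status come from the page; the "running", "completed" and "failed" statuses, the findings query parameters (scan_id, severity, cursor), the next_cursor pagination field and the Retry-After header on HTTP 429 are assumptions to be checked against the OpenAPI spec. The transport is injectable so the same logic runs offline against a constructed fake.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

API = "https://api.codelake.io/v1"
TERMINAL = {"completed", "failed"}  # assumed terminal statuses; the page shows only "queued"


def http_transport(token):
    """Real transport: JSON over HTTPS with a bearer token; returns (status, headers, body)."""
    def send(method, path, params=None, body=None):
        url = API + path + ("?" + urllib.parse.urlencode(params, doseq=True) if params else "")
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": "Bearer " + token, "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, dict(resp.headers), json.load(resp)
        except urllib.error.HTTPError as e:
            return e.code, dict(e.headers), {}
    return send


def call(send, method, path, params=None, body=None, max_attempts=5, sleep=time.sleep):
    """One request; on HTTP 429 wait Retry-After (assumed header) or 2**attempt seconds,
    capped at 60, then retry. Any other non-2xx status is a hard failure."""
    for attempt in range(max_attempts):
        status, headers, data = send(method, path, params, body)
        if 200 <= status < 300:
            return data
        if status == 429 and attempt < max_attempts - 1:
            sleep(min(float(headers.get("Retry-After", 2 ** attempt)), 60))
            continue
        raise RuntimeError(f"{method} {path} -> HTTP {status}: {data}")


def wait_for_scan(send, scan_id, poll_seconds=10, timeout=1800, sleep=time.sleep, clock=time.monotonic):
    """Poll /v1/scans/{id} until the status is terminal or the timeout passes."""
    deadline = clock() + timeout
    while True:
        scan = call(send, "GET", f"/scans/{scan_id}")
        if scan["status"] in TERMINAL:
            return scan
        if clock() > deadline:
            raise TimeoutError(f"scan {scan_id} still {scan['status']} after {timeout}s")
        sleep(poll_seconds)


def list_findings(send, scan_id, severities):
    """Walk every page of /v1/findings (assumed cursor pagination: 'cursor' query
    parameter in, 'next_cursor' in the body, null on the last page)."""
    cursor = None
    while True:
        params = {"scan_id": scan_id, "severity": severities}
        if cursor:
            params["cursor"] = cursor
        page = call(send, "GET", "/findings", params=params)
        yield from page["data"]
        cursor = page.get("next_cursor")
        if not cursor:
            return


def run_gate(send, project_id, severities=("critical", "high"), **poll_kw):
    """Create a scan, wait for it, return (passed, blocking_findings)."""
    scan = call(send, "POST", "/scans", body={"project_id": project_id, "types": ["sast", "sca"]})
    scan = wait_for_scan(send, scan["id"], **poll_kw)
    if scan["status"] != "completed":
        raise RuntimeError(f"scan {scan['id']} ended with status {scan['status']}")
    blocking = list(list_findings(send, scan["id"], list(severities)))
    return not blocking, blocking


def fake_transport():
    """Constructed offline stand-in for the API: the first poll is rate limited, the scan
    completes on the third successful poll, and the findings span two pages."""
    state = {"polls": 0, "limited": False}
    pages = {None: {"data": [{"id": "f_1", "severity": "critical"}], "next_cursor": "c2"},
             "c2": {"data": [{"id": "f_2", "severity": "high"}], "next_cursor": None}}

    def send(method, path, params=None, body=None):
        if (method, path) == ("POST", "/scans"):
            return 201, {}, {"id": "s_7f8a2b1c", "status": "queued"}
        if path == "/scans/s_7f8a2b1c":
            if not state["limited"]:
                state["limited"] = True
                return 429, {"Retry-After": "0"}, {}
            state["polls"] += 1
            return 200, {}, {"id": "s_7f8a2b1c", "status": "completed" if state["polls"] >= 3 else "running"}
        if path == "/findings":
            return 200, {}, pages[(params or {}).get("cursor")]
        return 404, {}, {"error": "not_found"}
    return send


if __name__ == "__main__":
    # Real use: run_gate(http_transport(os.environ["CODELAKE_TOKEN"]), "p_abc123")
    passed, blocking = run_gate(fake_transport(), "p_abc123", sleep=lambda _: None)
    raise SystemExit(0 if passed else f"blocking findings: {[f['id'] for f in blocking]}")
```

Two design points worth keeping when you adapt this: the token should reach the script from the CI secret store (a token scoped to write:scans and read:findings on the one project is enough), and every non-2xx other than 429 fails the build rather than being retried, so a revoked token or a 4xx from a bad request surfaces immediately instead of looping until the timeout.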
Authentication
Granular tokens. Precise control.
API tokens support fine-grained scopes so you can grant exactly the permissions each integration needs. Set expiration dates, restrict to specific projects, and revoke at any time.
- ✓ Scoped permissions — read:findings, write:scans, admin:projects, and 15+ more
- ✓ Expiration dates — set auto-expiry from 1 day to 1 year
- ✓ Project scoping — limit tokens to specific projects or teams
- ✓ IP allowlisting — restrict token usage to specific IP ranges (Enterprise)
- ✓ Audit trail — every API call is logged with token, IP, and timestamp
- ✓ Instant revocation — revoke any token immediately from the dashboard
Endpoints
Full platform access via API.
Every platform feature is exposed through a well-structured RESTful API. Here are the core resource groups.
Projects
Create, list, update, and delete projects. Configure scan settings, branch defaults, and team access per project.
/v1/projects
Scans
Trigger new scans, check scan status, retrieve scan results, and download scan artifacts. Supports all scan types.
/v1/scans
Findings
List, filter, and triage findings. Update status, add notes, assign to team members, and track resolution history.
/v1/findings
Compliance
Retrieve compliance posture, control status, evidence items, and framework-specific reports for all supported standards.
/v1/compliance
Webhooks
Create and manage webhook subscriptions. Configure event filters, delivery URLs, and view delivery logs with replay.
/v1/webhooks
Reports
Generate and download reports in SARIF, JSON, CSV, and PDF formats. Schedule automated report generation and delivery.
/v1/reports
Teams
Manage team members, roles, and permissions. Invite users, update roles, and configure team-level settings.
/v1/teams
SBOM
Export Software Bill of Materials in CycloneDX and SPDX formats. Track component versions, licenses, and vulnerabilities.
/v1/sbom
Policies
Create and manage security policies, scan rules, and quality gates. Configure enforcement levels and notification triggers.
/v1/policies
SDKs
Official SDKs for your language.
Type-safe SDKs generated from our OpenAPI spec. Handles authentication, pagination, retries, and error handling so you can focus on your integration logic.
Node.js / TypeScript
@codelake/sdk
// TypeScript
import { Codelake } from '@codelake/sdk'

// Load the token from a secret store or environment variable rather than committing it
const cl = new Codelake('cl_tok_...')
const scan = await cl.scans.create({
  project: 'p_abc123',
  types: ['sast', 'sca']
})
Full TypeScript definitions. Supports Node.js 18+, Deno, and Bun.
Python
codelake-sdk
from codelake import Codelake

# Load the token from a secret store or environment variable rather than committing it
cl = Codelake("cl_tok_...")
scan = cl.scans.create(
    project="p_abc123",
    types=["sast", "sca"],
)
Type hints and async support. Requires Python 3.9+. Available on PyPI.
Go
go-codelake
import (
    "context"
    "log"

    "github.com/codelake/go-codelake"
)

// Load the token from a secret store or environment variable rather than committing it
ctx := context.Background()
cl := codelake.New("cl_tok_...")
scan, err := cl.Scans.Create(ctx, &codelake.CreateScanParams{
    Project: "p_abc123",
    Types:   []string{"sast", "sca"},
})
if err != nil {
    log.Fatal(err)
}
Idiomatic Go with context support. Requires Go 1.21+. Available via go get.
Webhooks API
Real-time event subscriptions.
Subscribe to events programmatically through the webhooks API. Create, update, and manage webhook endpoints with fine-grained event filtering and delivery guarantees.
30+ event types
scan.completed, finding.created, finding.status_changed, compliance.updated, and more.
Signature verification
Every delivery is signed with HMAC-SHA256 using your webhook secret, so your receiver can check that a payload came from codelake and was not altered in transit before acting on it.
Automatic retries & replay
Failed deliveries are retried with exponential backoff. Replay any delivery from the logs for debugging.
Granular filtering
Filter events by severity, project, scan type, or any combination. Only receive the events you care about.
# Subscribe to critical findings
$ curl -X POST https://api.codelake.io/v1/webhooks \
    -H "Authorization: Bearer cl_tok_..." \
    -H "Content-Type: application/json" \
    -d '{
      "url": "https://your-app.com/hooks",
      "events": ["finding.created"],
      "filters": {
        "severity": ["critical","high"]
      },
      "secret": "whsec_..."
    }'
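The receiving side of the subscription above has to do three things the page implies but does not spell out: verify the HMAC-SHA256 signature over the raw body, reject deliveries that are too old to be anything but a replay, and refuse to process the same delivery twice, since retries and manual replay mean a delivery can legitimately arrive more than once. The code below is an added example, not codelake's own receiver. Only "HMAC-SHA256 with your webhook secret" comes from the page; the header names (X-Codelake-Signature, X-Codelake-Timestamp, X-Codelake-Delivery-Id), the "v1=<hex>" encoding and the "<timestamp>.<body>" signing string are assumptions modelled on common webhook designs and must be replaced with the layout in the codelake docs. The secret and the delivery are constructed for the demo.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 300  # deliveries older than five minutes are treated as replays


def sign(secret: str, timestamp: int, body: bytes) -> str:
    """Signature the sender would attach (assumed layout: HMAC over "<ts>.<raw body>")."""
    msg = str(timestamp).encode() + b"." + body
    return "v1=" + hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def verify(secret: str, headers: dict, body: bytes, now=None) -> bool:
    """True only if the signature matches the raw body and the timestamp is fresh.

    Always MAC the bytes exactly as received: re-serialising parsed JSON changes key
    order and whitespace and breaks the comparison. hmac.compare_digest keeps the
    comparison constant-time so a forger cannot learn the MAC byte by byte.
    """
    now = time.time() if now is None else now
    sig = headers.get("X-Codelake-Signature", "")      # assumed header name
    ts = headers.get("X-Codelake-Timestamp", "")       # assumed header name
    if not ts.isdigit() or abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False
    return hmac.compare_digest(sign(secret, int(ts), body), sig)


def handle_delivery(secret: str, headers: dict, body: bytes, seen_ids: set, now=None):
    """Verify, then deduplicate on the delivery id (assumed header) so a retried or
    replayed delivery is not processed twice. Returns the parsed event or None."""
    if not verify(secret, headers, body, now):
        return None
    delivery_id = headers.get("X-Codelake-Delivery-Id")
    if delivery_id is None or delivery_id in seen_ids:
        return None
    seen_ids.add(delivery_id)  # in production, persist this with a TTL of MAX_SKEW_SECONDS
    return json.loads(body)


# Constructed sample: a secret and one finding.created delivery, signed as the sender would.
SECRET = "whsec_example_only"
BODY = json.dumps({"type": "finding.created", "data": {"id": "f_1", "severity": "critical"}}).encode()


def demo():
    now = 1_700_000_000
    headers = {"X-Codelake-Timestamp": str(now),
               "X-Codelake-Signature": sign(SECRET, now, BODY),
               "X-Codelake-Delivery-Id": "d_1"}
    seen = set()
    first = handle_delivery(SECRET, headers, BODY, seen, now)                      # accepted
    replay = handle_delivery(SECRET, headers, BODY, seen, now)                     # duplicate
    tampered = handle_delivery(SECRET, headers, BODY.replace(b"critical", b"low"), set(), now)
    stale = handle_delivery(SECRET, headers, BODY, set(), now + 600)               # too old
    return first, replay, tampered, stale


if __name__ == "__main__":
    first, replay, tampered, stale = demo()
    print("accepted:", first["type"], "| replay:", replay, "| tampered:", tampered, "| stale:", stale)
```

Wire handle_delivery into whatever HTTP framework you use by passing it the raw request body bytes and the header map; respond 2xx only after the event has been durably queued, so that a crash mid-handler leads to a retry rather than a lost event, and the deduplication above then makes that retry harmless.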
Start building with the codelake API.
Create your free account, generate an API token, and start integrating codelake into your workflows in minutes.