Skip to content
  • There are no suggestions because the search field is empty.

Security Journey Aspen Adapt API

Use the Aspen Adapt API to report code scanning findings to Security Journey for centralized tracking and analysis.

Security Journey Aspen Adapt API

Overview

Security Journey provides a REST API endpoint for reporting Common Weakness Enumeration (CWE) findings detected by your code scanning tools. This allows teams to surface vulnerability data directly in Security Journey for tracking, trend analysis, and targeted training recommendations.
 

Requirements

  • You must be a Security Journey tenant admin to have access to the API key generator.


Generating an API Key

To generate a new API Key go to More > Admin > Connections > Aspen Integrations. Follow the steps below:

  1. Name your key
  2. Select the permission for your key: read or write. Use write for the POST request (recording CWEs), and read for the GET requests (retrieving or exporting CWE records)
  3. Click Create Aspen Key
  4. Copy the key and store it in a safe place

Authentication

Use this API key to authenticate against the adapt API by providing it in the Authorization header as a Bearer token.
 
For example: Authorization: Bearer {YOUR_API_TOKEN}
 

API Documentation

The Aspen Adapt API route to record CWEs is: 

POST
https://api.securityjourney.com/integrations/cwes
Headers
Method: POST
Content-Type: application/json
Requires: API Key with Write permissions

Request Body

All fields should be sent as a JSON object in the request body.
 
Required Fields
Field Type Required Description
cwes array of strings Yes CWE identifiers (e.g., "CWE-79")
gitCommitterEmail string Yes Email of the committer
gitHeadSha string Yes

Full commit SHA at time of scan

gitRepo string No Name of the repository where the scan was run
username string No SCM username of the committer 
prNumber integer No Pull or merge request number, if the scan was triggered by one
 

Note: Whether gitRepo, username, and prNumber are stored depends on your tenant's Aspen Adapt settings. 

Response Body
Field Type Description
recorded boolean true if all findings were recorded successfully 
cwes array of integers CWE numbers that were processed (as normalized integers)
Examples Successful Request and Responses

Request

{

"cwes": ["CWE-79", "CWE-89", "CWE-22"],

"gitCommitterEmail": "jane.doe@example.com",

"gitHeadSha": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2",

"gitRepo": "my-org/my-service",

"username": "janedoe",

"prNumber": 42

}
Response – 200 OK
{

"recorded": true,

"cwes": [79, 89, 22]

}

Error Responses

Status Code Description
400 Bad Request Returned when required fields are missing or a CWE identifier cannot be parsed.
401 Unauthorized Returned when the API key is missing or invalid.
403 Forbidden Returned when the API key does not have the required role.
409 Conflict Returned when Aspen Adapt is not enabled for your tenant.
Example Error (400)

Returned when required fields are missing or a CWE identifier cannot be parsed.

{
  "code": 3,
  "message": "committer email and git sha are required"
}
Response — 401 Unauthorized

Returned when the API key is missing or invalid.

{
 "code": 16,
 "message": "unauthorized"
}
Response — 403 Forbidden

Returned when the API key does not have the required role.

Response — 409 Conflict

Returned when Aspen Adapt is not enabled for your tenant.

CWE Formatting

The cwes array accepts CWE identifiers in several formats — the prefix and casing are normalized automatically:
  json
["CWE-79", "cwe-89", "CWE_22", "200"]


Example cURL Request

   bash
curl -X POST https://api.securityjourney.com/integrations/cwes \
  -H "Authorization: Bearer {your_api_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "cwes": ["CWE-79", "CWE-89"],
    "gitCommitterEmail": "jane.doe@example.com",
    "gitHeadSha": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2",
    "gitRepo": "my-org/my-service",
    "username": "janedoe",
    "prNumber": 42
  }'

Retrieving CWE Records

Authenticate with your Aspen API key, as described above.

https://api.securityjourney.com/integrations/cwes

Method GET 
Requires API Key with Read permissions

Query Parameters

Field

Type

Required

Description

pageSize integer No Number of items per page (default: 100, max: 1000) 
page integer No Page number (default: 1) 
sortBy string No createdAt, cwe, username, gitRepo, or gitCommitterEmail (default: createdAt
sortOrder string No asc or desc (default: desc
emails array of strings No Limit results to these committer emails 
cwes array of integers No Limit results to these pull/merge request numbers 
dateFrom timestamp No Inclusive lower bound on createdAt (e.g. `2025-01-01T00:00:00Z`) 
dateTo timestamp No Inclusive upper bound on createdAt (e.g. `2025-12-31T23:59:59Z`)
dedupeBy array of strings No Collapses results to one row per dedup group. Each element names a grouping field. Recognized values: gitCommitterEmail, gitRepo. Must always include gitCommitterEmail. Examples: dedupeBy=gitCommitterEmail (group by cwe + email) or dedupeBy=gitCommitterEmail&dedupeBy=gitRepo (group by cwe + email + repo). Omit for raw undeduplicated results.

Note: Query parameters and POST body fields also accept snake_case (e.g. page_size, git_repos) — both casings work. Response fields are always camelCase.

Response Body

Field Type Description
cwes array of CWE Matching CWE records for the page requested
totalCount integer Total number of records matching the filters
page integer Page number returned 
pageSize integer Page size used
totalPages integer Total number of pages available
filters object emails, cwes, gitRepos, and prNumbers distinct values available for this tenant

Each CWE record contains: username, cwe, gitRepo, gitCommitterEmail, directoryUuid, gitHeadSha, prNumber, createdAt, firstSeen, lastSeen, occurrenceCount.

Note on deduplication: When dedupeBy is set, totalCount and totalPages reflect the number of distinct groups matching the filters, not the total raw findings. The firstSeen and lastSeen fields show the time range of all findings collapsed into each group, and occurrenceCount shows how many raw findings were collapsed. When dedupeBy is omitted, occurrenceCount is always `1` and firstSeen/lastSeen equal createdAt.

Example cURL Request

   bash
curl -X GET "https://api.securityjourney.com/integrations/cwes?page=1&pageSize=100&sortBy=createdAt&sortOrder=desc" \
-H "Authorization: Bearer {API token}"

Filtering by repository and PR number (repeat the parameter for multiple values):

   bash
curl -X GET "https://api.securityjourney.com/integrations/cwes?gitRepos=my-org/my-service&prNumbers=42" \
-H "Authorization: Bearer {API token}"

Deduplicating by committer email (one row per CWE + email):

   bash
curl -X GET "https://api.securityjourney.com/integrations/cwes?dedupeBy=gitCommitterEmail" \

-H "Authorization: Bearer {API token}"

Deduplicating by committer email and repository (repeat the parameter):

   bash
curl -X GET "https://api.securityjourney.com/integrations/cwes?dedupeBy=gitCommitterEmail&dedupeBy=gitRepo" \
-H "Authorization: Bearer {API token}"```

Exporting CWE Records

Authenticate with your Aspen API key, as described above.

https://api.securityjourney.com/integrations/cwes/export

Method GET 
Requires API Key with Read permissions

Returns all CWE records for the tenant as a gzip-compressed CSV. The response body is the raw gzip-compressed CSV data — not a JSON object.

Note: Requests must include an Accept-Encoding header containing gzip, or the API returns 406 Not Acceptable.

Response Headers
Header

Value

Content-Type text/csv
Content-Encoding gzip
Content-Disposition attachment; filename=cwes.csv
Example cURL Request
   bash
curl -X GET "https://api.securityjourney.com/integrations/cwes/export" \
-H "Authorization: Bearer {API token}" \
-H "Accept-Encoding: gzip" \
-o cwes.csv.gz

The CSV header row is: cwe, username, gitCommitterEmail, gitRepo, prNumber, gitHeadSha, createdAt.


Summary

By integrating with the Aspen Adapt API, you can automatically send CWE findings from your scanning tools into Security Journey, enabling:

  • Centralized vulnerability tracking
  • Developer-specific insights
  • Data-driven training recommendations