Security Journey Aspen Adapt API
Use the Aspen Adapt API to report code scanning findings to Security Journey for centralized tracking and analysis.
Security Journey Aspen Adapt API
Overview
Requirements
- You must be a Security Journey tenant admin to have access to the API key generator.
Generating an API Key
To generate a new API Key go to More > Admin > Connections > Aspen Integrations. Follow the steps below:
- Name your key
- Select the permission for your key: read or write. Use write for the POST request (recording CWEs), and read for the GET requests (retrieving or exporting CWE records)
- Click Create Aspen Key
- Copy the key and store it in a safe place
Authentication
Authorization header as a Bearer token.Authorization: Bearer {YOUR_API_TOKEN}API Documentation
The Aspen Adapt API route to record CWEs is:
POST
https://api.securityjourney.com/integrations/cwes
Headers
Method: POST
Content-Type: application/json
Requires: API Key with Write permissions
Request Body
Required Fields
| Field | Type | Required | Description |
|---|---|---|---|
cwes |
array of strings | Yes | CWE identifiers (e.g., "CWE-79") |
gitCommitterEmail |
string | Yes | Email of the committer |
gitHeadSha |
string | Yes |
Full commit SHA at time of scan |
gitRepo |
string | No | Name of the repository where the scan was run |
username |
string | No | SCM username of the committer |
prNumber |
integer | No | Pull or merge request number, if the scan was triggered by one |
Note: Whether gitRepo, username, and prNumber are stored depends on your tenant's Aspen Adapt settings.
Response Body
| Field | Type | Description |
recorded |
boolean | true if all findings were recorded successfully |
cwes |
array of integers | CWE numbers that were processed (as normalized integers) |
Examples Successful Request and Responses
Request
{
"cwes": ["CWE-79", "CWE-89", "CWE-22"],
"gitCommitterEmail": "jane.doe@example.com",
"gitHeadSha": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2",
"gitRepo": "my-org/my-service",
"username": "janedoe",
"prNumber": 42
}
Response – 200 OK
{
"recorded": true,
"cwes": [79, 89, 22]
}
Error Responses
| Status Code | Description |
|---|---|
400 Bad Request |
Returned when required fields are missing or a CWE identifier cannot be parsed. |
401 Unauthorized |
Returned when the API key is missing or invalid. |
403 Forbidden |
Returned when the API key does not have the required role. |
409 Conflict |
Returned when Aspen Adapt is not enabled for your tenant. |
Example Error (400)
Returned when required fields are missing or a CWE identifier cannot be parsed.
{
"code": 3,
"message": "committer email and git sha are required"
}
Response — 401 Unauthorized
Returned when the API key is missing or invalid.
{
"code": 16,
"message": "unauthorized"
}
Response — 403 Forbidden
Returned when the API key does not have the required role.
Response — 409 Conflict
Returned when Aspen Adapt is not enabled for your tenant.
CWE Formatting
json
["CWE-79", "cwe-89", "CWE_22", "200"]
Example cURL Request
bash
curl -X POST https://api.securityjourney.com/integrations/cwes \
-H "Authorization: Bearer {your_api_token}" \
-H "Content-Type: application/json" \
-d '{
"cwes": ["CWE-79", "CWE-89"],
"gitCommitterEmail": "jane.doe@example.com",
"gitHeadSha": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2",
"gitRepo": "my-org/my-service",
"username": "janedoe",
"prNumber": 42
}'
Retrieving CWE Records
Authenticate with your Aspen API key, as described above.
https://api.securityjourney.com/integrations/cwes
| Method | GET |
| Requires | API Key with Read permissions |
Query Parameters
|
Field |
Type |
Required |
Description |
pageSize |
integer | No | Number of items per page (default: 100, max: 1000) |
page |
integer | No | Page number (default: 1) |
sortBy |
string | No | createdAt, cwe, username, gitRepo, or gitCommitterEmail (default: createdAt) |
sortOrder |
string | No | asc or desc (default: desc) |
emails |
array of strings | No | Limit results to these committer emails |
cwes |
array of integers | No | Limit results to these pull/merge request numbers |
dateFrom |
timestamp | No | Inclusive lower bound on createdAt (e.g. `2025-01-01T00:00:00Z`) |
dateTo |
timestamp | No | Inclusive upper bound on createdAt (e.g. `2025-12-31T23:59:59Z`) |
dedupeBy |
array of strings | No | Collapses results to one row per dedup group. Each element names a grouping field. Recognized values: gitCommitterEmail, gitRepo. Must always include gitCommitterEmail. Examples: dedupeBy=gitCommitterEmail (group by cwe + email) or dedupeBy=gitCommitterEmail&dedupeBy=gitRepo (group by cwe + email + repo). Omit for raw undeduplicated results. |
Note: Query parameters and POST body fields also accept snake_case (e.g. page_size, git_repos) — both casings work. Response fields are always camelCase.
Response Body
| Field | Type | Description |
cwes |
array of CWE |
Matching CWE records for the page requested |
totalCount |
integer | Total number of records matching the filters |
page |
integer | Page number returned |
pageSize |
integer | Page size used |
totalPages |
integer | Total number of pages available |
filters |
object | emails, cwes, gitRepos, and prNumbers distinct values available for this tenant |
Each CWE record contains: username, cwe, gitRepo, gitCommitterEmail, directoryUuid, gitHeadSha, prNumber, createdAt, firstSeen, lastSeen, occurrenceCount.
Note on deduplication: When dedupeBy is set, totalCount and totalPages reflect the number of distinct groups matching the filters, not the total raw findings. The firstSeen and lastSeen fields show the time range of all findings collapsed into each group, and occurrenceCount shows how many raw findings were collapsed. When dedupeBy is omitted, occurrenceCount is always `1` and firstSeen/lastSeen equal createdAt.
Example cURL Request
bash
curl -X GET "https://api.securityjourney.com/integrations/cwes?page=1&pageSize=100&sortBy=createdAt&sortOrder=desc" \
-H "Authorization: Bearer {API token}"
Filtering by repository and PR number (repeat the parameter for multiple values):
bash
curl -X GET "https://api.securityjourney.com/integrations/cwes?gitRepos=my-org/my-service&prNumbers=42" \
-H "Authorization: Bearer {API token}"
Deduplicating by committer email (one row per CWE + email):
bash
curl -X GET "https://api.securityjourney.com/integrations/cwes?dedupeBy=gitCommitterEmail" \
-H "Authorization: Bearer {API token}"
Deduplicating by committer email and repository (repeat the parameter):
bash
curl -X GET "https://api.securityjourney.com/integrations/cwes?dedupeBy=gitCommitterEmail&dedupeBy=gitRepo" \
-H "Authorization: Bearer {API token}"```
Exporting CWE Records
Authenticate with your Aspen API key, as described above.
https://api.securityjourney.com/integrations/cwes/export
| Method | GET |
| Requires | API Key with Read permissions |
Returns all CWE records for the tenant as a gzip-compressed CSV. The response body is the raw gzip-compressed CSV data — not a JSON object.
Note: Requests must include an Accept-Encoding header containing gzip, or the API returns 406 Not Acceptable.
Response Headers
| Header |
Value |
Content-Type |
text/csv |
Content-Encoding |
gzip |
Content-Disposition |
attachment; filename=cwes.csv |
Example cURL Request
bash
curl -X GET "https://api.securityjourney.com/integrations/cwes/export" \
-H "Authorization: Bearer {API token}" \
-H "Accept-Encoding: gzip" \
-o cwes.csv.gz
The CSV header row is: cwe, username, gitCommitterEmail, gitRepo, prNumber, gitHeadSha, createdAt.
Summary
By integrating with the Aspen Adapt API, you can automatically send CWE findings from your scanning tools into Security Journey, enabling:
- Centralized vulnerability tracking
- Developer-specific insights
- Data-driven training recommendations