Skip to main content
REST API はバージョン化されました。 詳細については、「API のバージョン管理について」を参照してください。

REST API endpoints for security advisories

Use the REST API to create and manage innersource security alerts

Sync innersource vulnerabilities for an enterprise

Synchronize innersource vulnerability data with the Advisory Database for an enterprise. This endpoint receives vulnerability data in OSV format and creates, updates, or withdraws innersource vulnerabilities accordingly. Dependabot alerting is triggered for created and updated vulnerabilities.

The request body accepts up to 100 vulnerabilities per call. The request is validated and then queued for asynchronous processing: a successful request returns 202 Accepted with a Location header pointing to a status URL that you poll for the final result.

Syncing vulnerabilities too quickly using this endpoint may result in secondary rate limiting. For more information, see "Rate limits for the API" and "Best practices for using the REST API."

This endpoint does not support OAuth apps or personal access tokens.

"Sync innersource vulnerabilities for an enterprise" のきめ細かいアクセス トークン

このエンドポイントは、次の粒度の細かいトークンの種類で動作します:

粒度の細かいトークンには次のアクセス許可セットが設定されている必要があります:

  • "Enterprise innersource vulnerabilities" enterprise permissions (write)

"Sync innersource vulnerabilities for an enterprise" のパラメーター

ヘッダー
名前, タイプ, 説明
accept string

Setting to application/vnd.github+json is recommended.

パスパラメーター
名前, タイプ, 説明
enterprise string 必須

The slug version of the enterprise name.

ボディパラメータ
名前, タイプ, 説明
array

Array of vulnerabilities in OSV format to synchronize

名前, タイプ, 説明
id string 必須

Unique identifier for the vulnerability from the external system

schema_version string

The OSV schema version

summary string

A short summary of the vulnerability

details string

Detailed description of the vulnerability

aliases array of strings

IDs for the same vulnerability in other databases. Only CVE IDs are used (to populate the vulnerability's CVE identifier); other aliases are ignored.

severity array of objects

Severity information for the vulnerability

名前, タイプ, 説明
type string

The type of severity scoring (e.g., CVSS_V3)

score string

The severity score or vector string

affected array of objects

Packages and versions affected by the vulnerability

名前, タイプ, 説明
package object
名前, タイプ, 説明
ecosystem string

The package ecosystem (e.g., npm, pip, maven)

name string

The package name

ranges array of objects
名前, タイプ, 説明
type string
events array of objects
名前, タイプ, 説明
introduced string

The version that introduced the vulnerability

fixed string

The version that fixed the vulnerability

last_affected string

The last affected version

limit string

The upper limit of the affected range

references array of objects

URLs for more information about the vulnerability

名前, タイプ, 説明
type string

The type of reference. Supported values: PACKAGE, ADVISORY, WEB, FIX, ARTICLE, REPORT, EVIDENCE. References with other types are ignored.

url string

The reference URL

published string

When the vulnerability was first published

modified string

When the vulnerability was last modified

withdrawn string

When the vulnerability was withdrawn. If present, the vulnerability will be marked as withdrawn.

"Sync innersource vulnerabilities for an enterprise" の HTTP 応答状態コード

状態コード説明
202

Sync operation accepted for asynchronous processing. Poll the returned URL for results.

400

Bad Request

401

Requires authentication

403

Forbidden

404

Resource not found

422

Validation failed, or the endpoint has been spammed.

"Sync innersource vulnerabilities for an enterprise" のコード サンプル

GHE.com でGitHubにアクセスする場合は、api.github.com を、api.SUBDOMAIN.ghe.com にある企業の専用サブドメインに置き換えます。

要求の例

post/enterprises/{enterprise}/innersource-vulnerabilities/sync
curl -L \ -X POST \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2026-03-10" \ https://api.github.com/enterprises/ENTERPRISE/innersource-vulnerabilities/sync \ -d '[{"id":"MVS-2026-001","schema_version":"1.4.0","summary":"Example vulnerability summary","aliases":["GHSA-xxxx-xxxx-xxxx"],"affected":[{"package":{"ecosystem":"npm","name":"example-package"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.0.0"},{"fixed":"1.0.1"}]}]}]}]'

Sync operation accepted for asynchronous processing. Poll the returned URL for results.

Status: 202
{ "id": "external-vulnerability-sync-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "url": "https://api.github.com/enterprises/my-enterprise/innersource-vulnerabilities/sync/status/external-vulnerability-sync-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "status": "queued" }

Get innersource vulnerability sync status for an enterprise

Get the status of an asynchronous innersource vulnerability sync operation for an enterprise. Returns 202 with a Retry-After header while the sync is still processing, or 200 with the full sync results once complete.

This endpoint does not support OAuth apps or personal access tokens.

"Get innersource vulnerability sync status for an enterprise" のきめ細かいアクセス トークン

このエンドポイントは、次の粒度の細かいトークンの種類で動作します:

粒度の細かいトークンには次のアクセス許可セットが設定されている必要があります:

  • "Enterprise innersource vulnerabilities" enterprise permissions (write)

"Get innersource vulnerability sync status for an enterprise" のパラメーター

ヘッダー
名前, タイプ, 説明
accept string

Setting to application/vnd.github+json is recommended.

パスパラメーター
名前, タイプ, 説明
enterprise string 必須

The slug version of the enterprise name.

job_id string 必須

The unique identifier of the sync job.

"Get innersource vulnerability sync status for an enterprise" の HTTP 応答状態コード

状態コード説明
200

Sync operation completed

202

Sync operation is still processing

401

Requires authentication

403

Forbidden

404

Resource not found

"Get innersource vulnerability sync status for an enterprise" のコード サンプル

GHE.com でGitHubにアクセスする場合は、api.github.com を、api.SUBDOMAIN.ghe.com にある企業の専用サブドメインに置き換えます。

リクエスト例

get/enterprises/{enterprise}/innersource-vulnerabilities/sync/status/{job_id}
curl -L \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer <YOUR-TOKEN>" \ -H "X-GitHub-Api-Version: 2026-03-10" \ https://api.github.com/enterprises/ENTERPRISE/innersource-vulnerabilities/sync/status/JOB_ID

Sync operation completed

Status: 200
{ "processed": 1, "created": 1, "updated": 0, "withdrawn": 0, "errors": 0, "results": [ { "external_id": "MVS-2026-001", "status": "created", "ghsa_id": "GHIS-xxxx-xxxx-xxxx" } ] }