Endpoints

All endpoints are relative to your RepoRisk instance base URL and require a valid API key (see Authentication).

Base path: /api/v1


Git Repositories

List Repositories

GET /api/v1/repos

Returns repositories accessible to the authenticated key's organization (or sub-org, if the key is scoped).

Query parameters

| Parameter | Type | Description |
|---|---|---|
| sub_org_id | string | Filter by sub-organization ID, "parent" (repos with no sub-org), or "all". Ignored for sub-org-scoped keys; the key's scope is enforced automatically. |

Response 200 OK — array of repository status objects

[
  {
    "repo_id": 42,
    "url": "https://github.com/acme/my-repo",
    "title": "my-repo",
    "source_type": "github",
    "clone_status": "cloned",
    "phase": "Complete",
    "total_files": 120,
    "analyzed_files": 118,
    "skipped_files": 2,
    "failed_files": 0,
    "overall_risk_score": 7.4,
    "risk_grade": "B",
    "progress_percent": 100.0,
    "is_complete": true,
    "error_message": null,
    "sub_org_id": 7,
    "sub_org_name": "Acme Team A"
  }
]

Submit a Repository for Analysis

POST /api/v1/repos/analyze

Submits a Git repository URL for a new security scan.

Request body

{
  "url": "https://github.com/acme/my-repo",
  "branch": "main",
  "sub_org_id": 7
}

| Field | Type | Required | Description |
|---|---|---|---|
| url | string | Yes | https:// or git:// repository URL |
| branch | string | No | Branch to analyze (default: "main") |
| sub_org_id | integer | No | Sub-organization to assign the submission to. Overridden/enforced for sub-org-scoped keys. |

Response 200 OK

{
  "repo_id": 42,
  "url": "https://github.com/acme/my-repo",
  "status": "queued",
  "message": "Repository submitted for analysis"
}

Get Repository / Scan Status

GET /api/v1/repos/{repo_id}/status

Returns the current analysis status for a repository.

Path parameters

| Parameter | Type | Description |
|---|---|---|
| repo_id | integer | Repository ID returned from the submit endpoint |

Response 200 OK

{
  "repo_id": 42,
  "url": "https://github.com/acme/my-repo",
  "title": "my-repo",
  "source_type": "github",
  "clone_status": "cloned",
  "phase": "Analyzing",
  "total_files": 120,
  "analyzed_files": 60,
  "skipped_files": 2,
  "failed_files": 0,
  "overall_risk_score": null,
  "risk_grade": null,
  "progress_percent": 51.7,
  "is_complete": false,
  "error_message": null,
  "sub_org_id": 7,
  "sub_org_name": "Acme Team A"
}

Poll this endpoint until is_complete is true. A completed scan will have a non-null risk_grade and overall_risk_score.


Get Security Report

GET /api/v1/repos/{repo_id}/report

Returns the full security analysis report for the most recent completed scan.

Path parameters

| Parameter | Type | Description |
|---|---|---|
| repo_id | integer | Repository ID |

Response 200 OK

{
  "repo_id": 42,
  "url": "https://github.com/acme/my-repo",
  "title": "my-repo",
  "source_type": "github",
  "overall_score": 7.4,
  "grade": "B",
  "total_findings": 14,
  "critical_findings": 0,
  "high_findings": 2,
  "medium_findings": 7,
  "low_findings": 5,
  "top_drivers": {},
  "blockers": {},
  "executive_summary": {},
  "category_scores": {},
  "licenses": [],
  "license_summary": null,
  "allows_commercial_use": null,
  "external_data_destinations": [],
  "report_type": null,
  "compliance_check": null,
  "reportDate": "2026-04-14T12:05:30Z",
  "commitSha": "abc123def456"
}

Note: the report contains finding counts by severity (total_findings, critical_findings, etc.) and structured summary objects (top_drivers, blockers, executive_summary). A flat findings list is not included; use the interactive explorer at /api/docs to inspect the full schema.
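The submit, poll and report sequence described above, written as a CI gate. This is an added example, not RepoRisk's own client code: the function names, the pass/fail thresholds, the polling interval and the treatment of a non-null error_message as a failed scan are assumptions, and fake_call_factory is a constructed offline stand-in that replays trimmed versions of the sample responses on this page.

```python
import json
import time
import urllib.request

BASE_URL = "https://api.canirunthat.com/api/v1"  # host from the page's curl example

def http_call(method, path, api_key, body=None):
    """Real transport: JSON over HTTPS with the Bearer header used in the curl example."""
    req = urllib.request.Request(
        BASE_URL + path,
        method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def scan_and_gate(url, api_key, call=http_call, branch="main",
                  max_high=0, interval=5.0, timeout=1800.0, sleep=time.sleep):
    """Submit a repo, poll until is_complete, then pass/fail on severity counts."""
    repo_id = call("POST", "/repos/analyze", api_key, {"url": url, "branch": branch})["repo_id"]
    waited = 0.0
    while True:
        status = call("GET", f"/repos/{repo_id}/status", api_key)
        if status["error_message"]:  # assumption: non-null means the scan failed
            raise RuntimeError(f"scan {repo_id} failed: {status['error_message']}")
        if status["is_complete"]:
            break
        if waited >= timeout:  # never block a pipeline forever on a stuck scan
            raise TimeoutError(f"scan {repo_id} still in phase {status['phase']!r}")
        sleep(interval)
        waited += interval
    report = call("GET", f"/repos/{repo_id}/report", api_key)
    passed = report["critical_findings"] == 0 and report["high_findings"] <= max_high
    return passed, report

def fake_call_factory():
    """Constructed offline transport: completes on the third status poll."""
    polls = {"n": 0}
    def call(method, path, api_key, body=None):
        if path == "/repos/analyze":
            return {"repo_id": 42, "status": "queued"}
        if path.endswith("/status"):
            polls["n"] += 1
            done = polls["n"] >= 3
            return {"phase": "Complete" if done else "Analyzing",
                    "is_complete": done, "error_message": None}
        return {"grade": "B", "critical_findings": 0, "high_findings": 2}
    return call
```
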


List Scan History

GET /api/v1/repos/{repo_id}/scans

Returns a paginated list of all scan runs for a repository, ordered by scan number descending (newest first).

Path parameters

| Parameter | Type | Description |
|---|---|---|
| repo_id | integer | Repository ID |

Query parameters

| Parameter | Type | Description |
|---|---|---|
| limit | integer | Maximum number of records to return (default: 20, max: 100) |
| offset | integer | Number of records to skip for pagination (default: 0) |

Response 200 OK

{
  "repo_id": 42,
  "total": 5,
  "limit": 20,
  "offset": 0,
  "scans": [
    {
      "scan_run_id": 101,
      "scan_number": 5,
      "triggered_by": "manual",
      "status": "completed",
      "overall_score": 7.4,
      "grade": "B",
      "score_delta": 0.3,
      "total_files": 120,
      "new_files": 3,
      "changed_files": 1,
      "removed_files": 0,
      "reused_files": 116,
      "commit_sha": "abc123def456",
      "started_at": "2026-04-14T12:01:00Z",
      "completed_at": "2026-04-14T12:05:30Z",
      "created_at": "2026-04-14T12:00:55Z"
    }
  ]
}
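Walking the limit/offset envelope to pull a repository's full scan history and list the commits at which the grade changed. This is an added example, not RepoRisk's own code: the function names and the two-argument call(method, path) transport are hypothetical, and fake_history_call serves constructed scan runs in the response shape shown above.

```python
from urllib.parse import parse_qs, urlparse

def fetch_all_scans(repo_id, call, page_size=100):
    """Collect every scan run, newest first, by paging until offset reaches total."""
    page_size = max(1, min(page_size, 100))  # the endpoint caps limit at 100
    scans, offset = [], 0
    while True:
        page = call("GET", f"/repos/{repo_id}/scans?limit={page_size}&offset={offset}")
        scans.extend(page["scans"])
        offset += page_size
        # Stop on the documented total, or on an empty page as a safety net.
        if offset >= page["total"] or not page["scans"]:
            return scans

def grade_changes(scans):
    """Return (commit_sha, old_grade, new_grade) for each completed scan whose grade moved."""
    done = sorted((s for s in scans if s["status"] == "completed"),
                  key=lambda s: s["scan_number"])  # oldest first
    return [(new["commit_sha"], old["grade"], new["grade"])
            for old, new in zip(done, done[1:]) if old["grade"] != new["grade"]]

def fake_history_call(method, path):
    """Constructed stand-in: five scan runs behind the documented limit/offset envelope."""
    query = parse_qs(urlparse(path).query)
    limit, offset = int(query["limit"][0]), int(query["offset"][0])
    grades = ["B", "B", "C", "C", "B"]  # constructed grades for scan_number 1..5
    runs = [{"scan_number": n, "status": "completed", "grade": g, "commit_sha": f"sha{n}"}
            for n, g in enumerate(grades, start=1)][::-1]  # newest first, as the API orders them
    return {"repo_id": 42, "total": len(runs), "limit": limit, "offset": offset,
            "scans": runs[offset:offset + limit]}
```
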

Browser Extensions

Submit Extension by Store URL

POST /api/v1/extensions/submit-url

Submits a browser extension from a store URL for security analysis. Supports Chrome Web Store, Firefox Add-ons, and Microsoft Edge Add-ons.

Request body

{
  "store_url": "https://chromewebstore.google.com/detail/extension-name/abcdefghijklmnop",
  "sub_org_id": 7
}

| Field | Type | Required | Description |
|---|---|---|---|
| store_url | string | Yes | Chrome Web Store, Firefox Add-ons, or Edge Add-ons URL |
| sub_org_id | integer | No | Sub-organization to assign the submission to. Overridden/enforced for sub-org-scoped keys. |

Response 200 OK

{
  "repo_id": 88,
  "source_type": "extension_chrome",
  "status": "pending",
  "message": "Chrome extension analysis has been queued"
}

| Field | Type | Description |
|---|---|---|
| repo_id | integer | ID used for status and report lookups |
| source_type | string | extension_chrome, extension_firefox, or extension_edge |
| status | string | pending (new submission), cloning, or cloned (existing extension reused) |
| message | string | Human-readable status message |

Use the returned repo_id with the Get Repository / Scan Status and Get Security Report endpoints to poll for results.


Upload Extension File

POST /api/v1/extensions/upload

Uploads a local browser extension file (.xpi, .crx, or .zip) for analysis. This endpoint accepts multipart/form-data.

Form fields

| Field | Type | Required | Description |
|---|---|---|---|
| file | file | Yes | Extension file (.xpi, .crx, or .zip) |
| sub_org_id | integer | No | Sub-organization to assign the submission to. Overridden/enforced for sub-org-scoped keys. |

curl example

curl -X POST https://api.canirunthat.com/api/v1/extensions/upload \
  -H "Authorization: Bearer $REPORISK_API_KEY" \
  -F "file=@my-extension.zip" \
  -F "sub_org_id=7"

Response 200 OK

{
  "repo_id": 89,
  "source_type": "extension_upload",
  "status": "pending",
  "message": "Extension analysis has been queued"
}

Use the returned repo_id with the Get Repository / Scan Status and Get Security Report endpoints to poll for results.


Interactive Explorer

You can browse and execute all endpoints interactively in the Swagger UI at https://api.canirunthat.com/api/docs. Paste your API key into the Authorize dialog (Bearer token) to authenticate directly in the browser.