Back to the articles

Product Update #6

picture of the author
Bálint Jánvári
September 5, 2023 4 mins read
Product Update #6

Our public API was originally created for the sole purpose of helping organizations integrate BugProve with their CI/CD pipelines. Users on paid plans had long been able to generate API keys and use them to start new scans - but that's all they could do with those keys. With our latest update, this API will become significantly more useful for a variety of different use cases, with the added benefit of better documentation and a way for users in our Free Plan to try it.

Managing API keys

Reminder: to list, create or revoke active API keys, navigate to the API keys page in the profile menu.

You should use a better naming convention for your keys
You should use a better naming convention for your keys

Newly created API keys are valid for 1 year, and can be revoked anytime. They are bound to the workspace, not a particular user, and you need to be at least an Administrator to create or revoke them. (For Individual users, there is no distinction - since you are the only user in your workspace, and you have Owner-level permissions.)

For paid plans, this option has always been there. For free users, this page is just a teaser, since you can't actually create API keys. So what's the point, then?


If you have seen the API keys page before, you might have noticed that it has gotten a facelift, and now has a new tab - the Playground is our developer portal and API documentation, built on Swagger UI and tightly integrated into our product. You can also download the machine-readable OpenAPI specification for our entire public API that you can use to generate client libraries in a variety of languages.

The API itself has been extended with several new endpoints. These are all read-only for now, but you can query scans, products and projects, as well as retrieve the findings and download the SBOM in a standard format for all scans you have started.

For the full list of endpoints, visit the Playground
For the full list of endpoints, visit the Playground

Even if you are on our Free Plan, you can use the Playground to browse the available public API endpoints and to make test requests. (These use your session token, so you don't need an actual API key. For Enterprise users, you need to be at least a Contributor to make test requests.)

We worked hard on making this documentation useful - it includes examples for all requests and responses, including error responses.

Ample examples
Ample examples

A new upload flow

We have had a 256 MiB upload limit for firmware images for a while now. For paid plans, we are now raising this to 1 GiB, with the option to raise it even higher in custom plans (up to 5 GiB). With the option to upload larger files comes a brand new upload flow that is now available in our public API. This is a bit more complex, as it requires you to make 3 requests:

  1. Ask for a signed URL
  2. Upload your file to the signed URL
  3. Start the scan by referencing your upload

We will update our documentation to reflect this new option soon, but the API is available now (and the larger uploads also work through the browser).

What's next

We consider our public API beta for now. We will stabilize it it the coming months, but I don't expect there to be any significant changes. The upload API is the only exception, as that part is stable and we will not make any breaking changes without giving advance notice. We don't yet have a real deprecation policy, but that is something that I intend to have added to our Terms of Use once the feature leaves beta. As mentioned in the last Product Update, we will continue to work on improving our onboarding experience and documentation in the coming weeks.

Was it worth your time?

Sign up for our newsletter to receive articles like this in your inbox 1-2 times per month.