API Usage Guide

DryRun Simple API

This page provides a practical guide for using the DryRun Simple API.

For the full OpenAPI specification (Swagger), use:

Swagger UI: https://simple-api.dryrun.security/api-docs/index.html
OpenAPI (v3.0) spec: https://simple-api.dryrun.security/api-docs/v1/swagger.yaml

Base URLs

Base URL: https://simple-api.dryrun.security/v1

Authentication

All API requests require an API key, which can be generated from within the DryRun Security dashboard.

Getting an API key

API keys are issued in the DryRun Security product environment. The feature may need to be enabled by your Custom Success Manager.

Create and Manage Access Keys https://app.dryrun.security/settings/access-keys (opens in a new tab)

The API key must be scoped to at least one account. One API key can be used to access more than one if selected.

The account list is based on the rights of the current user's access.

After creating the key, be sure to copy the key to a safe place. It will not be shown again.

Using your API key

Send your API key in the Authorization header using the Bearer scheme:

Authorization: Bearer dryrunsec_**********************

Example (masked token):

curl \
  -H "Authorization: Bearer dryrunsec_abcd1234****************" \
  "https://simple-api.dryrun.security/v1/accounts/<ACCOUNT_ID>/custom_policies"

Quick Start

Most endpoints are scoped to an account. You’ll need:

account_id - provided by the DryRun Security platform. (e.g. 12345678-1234-1234-1234-1234567890ab)
repository_id - a UUID for a repository.

Typical workflow:

List your accessible accounts.
Pick an account, then list repositories in that account.
Use repository IDs to fetch scans and findings.

Example:

curl \
  -H "Authorization: Bearer $DRYRUN_API_KEY" \
  "https://simple-api.dryrun.security/v1/accounts"

Results

{
  "data": [
    {
      "account_id": "22222222-2222-2222-2222-222222222222",
      "org_name": "SampleOrg",
  		...
    }
  ]
}

Get the repositories

curl -X 'GET' \
  -H 'Authorization: Bearer $DRYRUN_API_KEY' \
  'https://simple-api.dryrun.security/v1/accounts/22222222-2222-2222-2222-222222222222/repositories'

Results

{
  "data": [
    {
      "id": "11111111-1111-1111-1111-111111111111",
      "name": "some-demo-repo-name",
     ...
    },

Get findings for the repository

curl -X 'GET' \
  -H 'Authorization: Bearer $DRYRUN_API_KEY' \
  'https://simple-api.dryrun.security/v1/accounts/22222222-2222-2222-2222-222222222222/repositories/11111111-1111-1111-1111-111111111111/findings' \

Results

{
  "data": [
    {
	  "id": "00000000-0000-0000-0000-000000000000",
      "dashboard_url": "https://app.dryrun.security/risk-register/44444444-4444-4444-4444-444444444444",
      "severity": "error",
      "type": "Missing Authorization and IDOR in User Deletion",
      "description": "The new DELETE /users/{id} endpoint is registered without any authentication or authorization middleware. The handler takes the user ID directly from the URL path and executes a database DELETE query against the 'users' table without verifying the requestor's identity or permissions. This allows any unauthenticated attacker to delete any user account by supplying a valid user ID.",
      "filename": "backend/main.go",
      "line_start": 516,
      "line_end": 553,
      "created_at": "2026-03-03T00:00:00Z"
    },
    ...
  ]
}

Conventions

IDs and scoping

account_id is required for most endpoints.
repository_id is required for repository-scoped endpoints.

Response shape

Most list endpoints return a top-level data array.

Errors

If an item is not found, some endpoints return 404 with a JSON body shaped like:

{
  "error": "string"
}

Endpoint Reference

This section is generated from swagger/v1/swagger.yaml.

See the live online documentation at: https://simple-api.dryrun.security/api-docs/index.html (opens in a new tab)

Accounts

List accounts accessible by the API key

GET /v1/accounts

Retrieve all accounts that the authenticated API key has access to, including organization information

Responses

200 - accounts listed

Example (curl)

curl \
  -H "Authorization: Bearer $DRYRUN_API_KEY" \
  "https://simple-api.dryrun.security/v1/accounts"

Analyzers

List available analyzers

GET /v1/accounts/{account_id}/analyzers

Retrieve all enabled and visible analyzers. Use the 'slug' field as the key in configuration analyzers object.

Parameters

Name	In	Required	Type	Description
account_id	path	yes	string	Account ID

Responses

200 - analyzers listed

Example (curl)

curl \
  -H "Authorization: Bearer $DRYRUN_API_KEY" \
  "https://simple-api.dryrun.security/v1/accounts/{account_id}/analyzers"

Configurations

List configurations for an account

GET /v1/accounts/{account_id}/configurations

Parameters

Name	In	Required	Type	Description
account_id	path	yes	string	Account ID

Responses

200 - configurations listed

Example (curl)

curl \
  -H "Authorization: Bearer $DRYRUN_API_KEY" \
  "https://simple-api.dryrun.security/v1/accounts/{account_id}/configurations"

Create a new configuration

POST /v1/accounts/{account_id}/configurations

Parameters

Name	In	Required	Type	Description
account_id	path	yes	string	Account ID

Request body

{
  "configuration": {
    "name": "string",
    "configuration": {
      "comment": "disabled",
      "show_scan_confirmation": false,
      "risk_threshold": 0,
      "analyzers": {},
      "code_policies": [
        {
          "id": null,
          "enabled": null,
          "silent": null,
          "blocking": null
        }
      ],
      "notifications": {
        "enabled": false,
        "deduplicate": false,
        "integrationNames": [
          null
        ]
      }
    }
  },
  "repositories": [
    "00000000-0000-0000-0000-000000000000"
  ]
}

Responses

201 - configuration created

Example (curl)

curl \
  -H "Authorization: Bearer $DRYRUN_API_KEY" \
  "https://simple-api.dryrun.security/v1/accounts/{account_id}/configurations"

Assign a configuration to multiple repositories

POST /v1/accounts/{account_id}/configurations/assign_repositories

Parameters

Name	In	Required	Type	Description
account_id	path	yes	string	Account ID

Request body

{
  "configuration_id": "00000000-0000-0000-0000-000000000000",
  "repository_ids": [
    "00000000-0000-0000-0000-000000000000"
  ],
  "repository_names": [
    "string"
  ],
  "repository_pattern": "string"
}

Responses

200 - repositories assigned

Example (curl)

curl \
  -H "Authorization: Bearer $DRYRUN_API_KEY" \
  "https://simple-api.dryrun.security/v1/accounts/{account_id}/configurations/assign_repositories"

Bulk update multiple configurations

POST /v1/accounts/{account_id}/configurations/bulk_update

Parameters

Name	In	Required	Type	Description
account_id	path	yes	string	Account ID

Request body

{
  "configuration_ids": [
    "00000000-0000-0000-0000-000000000000"
  ],
  "updates": {
    "comment": "disabled",
    "show_scan_confirmation": false,
    "risk_threshold": 0,
    "analyzers": {},
    "code_policies": [
      {
        "id": "00000000-0000-0000-0000-000000000000",
        "enabled": false,
        "silent": false,
        "blocking": false
      }
    ],
    "notifications": {
      "enabled": false,
      "deduplicate": false,
      "integrationNames": [
        "string"
      ]
    }
  }
}

Responses

200 - configurations updated

Example (curl)

curl \
  -H "Authorization: Bearer $DRYRUN_API_KEY" \
  "https://simple-api.dryrun.security/v1/accounts/{account_id}/configurations/bulk_update"

Get a single configuration

GET /v1/accounts/{account_id}/configurations/{id}

Parameters

Name	In	Required	Type	Description
account_id	path	yes	string	Account ID
id	path	yes	string	Configuration ID

Responses

200 - configuration found

Example (curl)

curl \
  -H "Authorization: Bearer $DRYRUN_API_KEY" \
  "https://simple-api.dryrun.security/v1/accounts/{account_id}/configurations/{id}"

Update a configuration

PUT /v1/accounts/{account_id}/configurations/{id}

Parameters

Name	In	Required	Type	Description
account_id	path	yes	string	Account ID
id	path	yes	string	Configuration ID

Request body

{
  "configuration": {
    "name": "string",
    "configuration": {
      "comment": "disabled",
      "show_scan_confirmation": false,
      "risk_threshold": 0,
      "analyzers": {},
      "code_policies": [
        {
          "id": null,
          "enabled": null,
          "silent": null,
          "blocking": null
        }
      ],
      "notifications": {
        "enabled": false,
        "deduplicate": false,
        "integrationNames": [
          null
        ]
      }
    }
  },
  "repositories": [
    "00000000-0000-0000-0000-000000000000"
  ]
}

Responses

200 - configuration updated

Example (curl)

curl \
  -H "Authorization: Bearer $DRYRUN_API_KEY" \
  "https://simple-api.dryrun.security/v1/accounts/{account_id}/configurations/{id}"

Update a configuration

PATCH /v1/accounts/{account_id}/configurations/{id}

Parameters

Name	In	Required	Type	Description
account_id	path	yes	string	Account ID
id	path	yes	string	Configuration ID

Request body

{
  "configuration": {
    "name": "string",
    "configuration": {
      "comment": "disabled",
      "show_scan_confirmation": false,
      "risk_threshold": 0,
      "analyzers": {},
      "code_policies": [
        {
          "id": null,
          "enabled": null,
          "silent": null,
          "blocking": null
        }
      ],
      "notifications": {
        "enabled": false,
        "deduplicate": false,
        "integrationNames": [
          null
        ]
      }
    }
  },
  "repositories": [
    "00000000-0000-0000-0000-000000000000"
  ]
}

Responses

200 - configuration updated

Example (curl)

curl \
  -H "Authorization: Bearer $DRYRUN_API_KEY" \
  "https://simple-api.dryrun.security/v1/accounts/{account_id}/configurations/{id}"

Delete a configuration

DELETE /v1/accounts/{account_id}/configurations/{id}

Parameters

Name	In	Required	Type	Description
account_id	path	yes	string	Account ID
id	path	yes	string	Configuration ID

Responses

204 - configuration deleted

Example (curl)

curl \
  -H "Authorization: Bearer $DRYRUN_API_KEY" \
  "https://simple-api.dryrun.security/v1/accounts/{account_id}/configurations/{id}"

Custom Policies

List custom code policies for an account

GET /v1/accounts/{account_id}/custom_policies

Retrieve all custom code policies (NLCPs) for an account. These policies can be referenced in configurations using their ID.

Parameters

Name	In	Required	Type	Description
account_id	path	yes	string	Account ID

Responses

200 - custom policies listed

Example (curl)

curl \
  -H "Authorization: Bearer $DRYRUN_API_KEY" \
  "https://simple-api.dryrun.security/v1/accounts/{account_id}/custom_policies"

Deepscan Results

List findings for a deepscan

GET /v1/accounts/{account_id}/repositories/{repository_id}/deepscans/{deepscan_id}/results

Parameters

Name	In	Required	Type	Description
account_id	path	yes	string	Account ID
repository_id	path	yes	string	Repository ID
deepscan_id	path	yes	string	Deepscan ID

Responses

200 - findings listed

Example (curl)

curl \
  -H "Authorization: Bearer $DRYRUN_API_KEY" \
  "https://simple-api.dryrun.security/v1/accounts/{account_id}/repositories/{repository_id}/deepscans/{deepscan_id}/results"

Deepscans

List all deepscans for an account

GET /v1/accounts/{account_id}/deepscans

Parameters

Name	In	Required	Type	Description
account_id	path	yes	string	Account ID

Responses

200 - deepscans listed

Example (curl)

curl \
  -H "Authorization: Bearer $DRYRUN_API_KEY" \
  "https://simple-api.dryrun.security/v1/accounts/{account_id}/deepscans"

List deepscans for a repository

GET /v1/accounts/{account_id}/repositories/{repository_id}/deepscans

Parameters

Name	In	Required	Type	Description
account_id	path	yes	string	Account ID
repository_id	path	yes	string	Repository ID

Responses

200 - deepscans listed

Example (curl)

curl \
  -H "Authorization: Bearer $DRYRUN_API_KEY" \
  "https://simple-api.dryrun.security/v1/accounts/{account_id}/repositories/{repository_id}/deepscans"

Findings

List pull-request findings for a repository

GET /v1/accounts/{account_id}/repositories/{repository_id}/findings

Retrieve all findings for a repository. Each finding includes a dashboard_url to view it in the DryRun Security risk register.

Parameters

Name	In	Required	Type	Description
account_id	path	yes	string	Account ID
repository_id	path	yes	string	Repository ID

Responses

200 - findings listed

Example (curl)

curl \
  -H "Authorization: Bearer $DRYRUN_API_KEY" \
  "https://simple-api.dryrun.security/v1/accounts/{account_id}/repositories/{repository_id}/findings"

Insights

Get insights for an account

GET /v1/accounts/{account_id}/insights

Retrieve the daily insights digest for an account. Insights are generated daily and highlight important security-related changes from analyzed pull requests that deserve attention. Returns the latest insights by default, or insights for a specific date if provided.

Parameters

Name	In	Required	Type	Description
account_id	path	yes	string	Account ID
date	query	no	string	Filter by date (YYYY-MM-DD format). If omitted, returns the latest available insights.

Responses

200 - insights retrieved

Example (curl)

curl \
  -H "Authorization: Bearer $DRYRUN_API_KEY" \
  "https://simple-api.dryrun.security/v1/accounts/{account_id}/insights"

Repositories

List repositories for an account

GET /v1/accounts/{account_id}/repositories

Retrieve all repositories for an account. Use the 'id' field when assigning configurations to repositories.

Parameters

Name	In	Required	Type	Description
account_id	path	yes	string	Account ID

Responses

200 - repositories listed

Example (curl)

curl \
  -H "Authorization: Bearer $DRYRUN_API_KEY" \
  "https://simple-api.dryrun.security/v1/accounts/{account_id}/repositories"

Scans

List PR scans for a repository

GET /v1/accounts/{account_id}/repositories/{repository_id}/scans

Retrieve all PR scan results for a repository with optional filtering

Parameters

Name	In	Required	Type	Description
account_id	path	yes	string	Account ID
repository_id	path	yes	string	Repository ID
date_from	query	no	string	Filter scans from this date (ISO 8601 format)
date_to	query	no	string	Filter scans to this date (ISO 8601 format)
initiated_by	query	no	string	Filter by user ID who initiated the scan
result	query	no	string	Filter by risk level (comma-separated: failing, risky, info)

Responses

200 - scans listed

Example (curl)

curl \
  -H "Authorization: Bearer $DRYRUN_API_KEY" \
  "https://simple-api.dryrun.security/v1/accounts/{account_id}/repositories/{repository_id}/scans"

Get detailed PR scan results

GET /v1/accounts/{account_id}/repositories/{repository_id}/scans/{id}

Retrieve detailed scan results including findings/vulnerabilities for a specific PR scan

Parameters

Name	In	Required	Type	Description
account_id	path	yes	string	Account ID
repository_id	path	yes	string	Repository ID
id	path	yes	string	Scan ID
findings_result	query	no	string	Filter findings by severity (comma-separated: failing, risky, info)

Responses

200 - scan found

Example (curl)

curl \
  -H "Authorization: Bearer $DRYRUN_API_KEY" \
  "https://simple-api.dryrun.security/v1/accounts/{account_id}/repositories/{repository_id}/scans/{id}"

Support

If you have questions about authentication, account access, or expected responses, contact DryRun Security Customer Success and include:

the endpoint URL you called
the HTTP status code
the request_id header (if present)

Version History

v1.0.0

Initial release

Coverage Matrix - Vulnerability Categories