API Reference

Kolega.dev Public API

REST API for organization-scoped automation around applications, scans, findings, fixes, and pull request creation.

Base URL
https://api.kolega.dev
Base path
/api/v1
Schema
https://api.kolega.dev/api/v1/openapi.json

Authentication

Organization API key. Generate keys in Organization Settings -> API Keys and send them as Bearer tokens.

  • Generate API keys in Organization Settings -> API Keys.
  • Send the key in the Authorization header as a Bearer token.
  • Keys are organization-scoped and intended for requests under /api/v1.

Quickstart

Typical flow: list applications, trigger a scan batch, poll the batch progress endpoint, read aggregated batch results, review findings, create a fix, then poll fix progress before opening pull requests.

List applications

curl -s "https://api.kolega.dev/api/v1/applications?limit=10" \
  -H "Authorization: Bearer kcp_live_your_api_key_here" \
  -H "Accept: application/json"

Trigger a scan batch and poll progress

curl -s "https://api.kolega.dev/api/v1/applications/$APPLICATION_ID/scans" \
  -X POST \
  -H "Authorization: Bearer kcp_live_your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "scan_type": "deep_ai_scan"
  }'

curl -s "https://api.kolega.dev/api/v1/applications/$APPLICATION_ID/scans/$SCAN_ID/progress" \
  -H "Authorization: Bearer kcp_live_your_api_key_here"

curl -s "https://api.kolega.dev/api/v1/applications/$APPLICATION_ID/scans/$SCAN_ID/results" \
  -H "Authorization: Bearer kcp_live_your_api_key_here"

Create a fix, poll progress, and open pull requests

curl -s "https://api.kolega.dev/api/v1/applications/$APPLICATION_ID/fixes" \
  -X POST \
  -H "Authorization: Bearer kcp_live_your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "finding_ids": ["'$FINDING_ID'"],
    "title": "Remediate SQL injection in auth flow",
    "instructions": "Preserve current API behavior and add regression coverage.",
    "source_repo": "acme/auth-service",
    "source_repo_provider": "github",
    "source_scan_branch": "main"
  }'

curl -s "https://api.kolega.dev/api/v1/applications/$APPLICATION_ID/fixes/$FIX_ID/progress" \
  -H "Authorization: Bearer kcp_live_your_api_key_here"

curl -s "https://api.kolega.dev/api/v1/applications/$APPLICATION_ID/fixes/$FIX_ID/pull-requests" \
  -X POST \
  -H "Authorization: Bearer kcp_live_your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{}'
  • GET /applications/{application_id}/scans/{scan_id} now returns the scan batch detail created by POST /scans.
  • GET /applications/{application_id}/scans/{scan_id}/progress is the primary polling endpoint for live scan progress.
  • GET /applications/{application_id}/scans/{scan_id}/results returns findings aggregated across every repository in the batch.
  • GET /applications/{application_id}/fixes/{fix_id}/progress is the primary polling endpoint for active fixes.

Applications

Discover the application ids and repository inventory available to the calling organization.

GET/api/v1/applications

List Applications

List applications for the calling organization.

Parameters
NameTypeRequiredDescription
include_archivedbooleanNo

Include archived applications

Default: false
limitintegerNo

query parameter.

Default: 50
skipintegerNo

query parameter.

Default: 0
Responses
StatusDescriptionSchema
200

Successful Response

PublicPaginatedResponse_PublicApplicationResponse_
422

Validation Error

HTTPValidationError
GET/api/v1/applications/{application_id}

Get Application

Get a single application by id.

Parameters
NameTypeRequiredDescription
application_idstringYes

path parameter.

Responses
StatusDescriptionSchema
200

Successful Response

PublicApplicationResponse
422

Validation Error

HTTPValidationError

Scans

Create scan batches, poll live batch progress, inspect batch details, and fetch aggregated findings.

GET/api/v1/applications/{application_id}/scans

List Scans

List scan batches for the application.

Parameters
NameTypeRequiredDescription
application_idstringYes

path parameter.

scan_typesecrets_scan | semgrep_scan | deep_ai_scan | nullNo

Filter by scan type

statusstring | nullNo

Filter by status

limitintegerNo

query parameter.

Default: 20
skipintegerNo

query parameter.

Default: 0
Responses
StatusDescriptionSchema
200

Successful Response

PublicPaginatedResponse_PublicScanBatchResponse_
422

Validation Error

HTTPValidationError
POST/api/v1/applications/{application_id}/scans

Create Scan

Trigger a security scan across all repositories in the application.

Parameters
NameTypeRequiredDescription
application_idstringYes

path parameter.

Request body
NameTypeRequiredDescription
scan_typesecrets_scan | semgrep_scan | deep_ai_scanYes

Available scan types for repository security scanning.

Responses
StatusDescriptionSchema
202

Successful Response

PublicScanBatchResponse
422

Validation Error

HTTPValidationError
GET/api/v1/applications/{application_id}/scans/{scan_id}

Get Scan

Get the scan batch you created. scan_id is the batch id.

Parameters
NameTypeRequiredDescription
application_idstringYes

path parameter.

scan_idstringYes

path parameter.

Responses
StatusDescriptionSchema
200

Successful Response

PublicScanBatchResponse
422

Validation Error

HTTPValidationError
GET/api/v1/applications/{application_id}/scans/{scan_id}/progress

Get Scan Progress

Fine-grained progress for a scan batch.

Returns the batch's aggregate counters plus a per-repository breakdown (including placeholder entries for repos that haven't been materialized as scans yet when the batch is still QUEUED/CREATING_SCANS). A CLI can poll this and render a progress bar from percent_complete.

Parameters
NameTypeRequiredDescription
application_idstringYes

path parameter.

scan_idstringYes

path parameter.

Responses
StatusDescriptionSchema
200

Successful Response

PublicScanProgressResponse
422

Validation Error

HTTPValidationError
GET/api/v1/applications/{application_id}/scans/{scan_id}/results

Get Scan Results

Aggregate findings from every repository in the batch.

scan_id is the batch id from POST /scans. Returns every finding attributed to this batch across all repositories. For per-repository slicing, use /progress to see the breakdown and then filter findings by scan_batch_id if needed.

Parameters
NameTypeRequiredDescription
application_idstringYes

path parameter.

scan_idstringYes

path parameter.

Responses
StatusDescriptionSchema
200

Successful Response

PublicScanResultsResponse
422

Validation Error

HTTPValidationError

Findings

List findings for an application, inspect one finding, or update its lifecycle status.

GET/api/v1/applications/{application_id}/findings

List Findings

List findings for the application.

Parameters
NameTypeRequiredDescription
application_idstringYes

path parameter.

scan_batch_idstring | nullNo

Filter by scan batch id

severitystring | nullNo

Filter by severity

statusstring | nullNo

Filter by status

scan_typestring | nullNo

Filter by scan type

limitintegerNo

query parameter.

Default: 50
skipintegerNo

query parameter.

Default: 0
Responses
StatusDescriptionSchema
200

Successful Response

PublicPaginatedResponse_PublicFindingResponse_
422

Validation Error

HTTPValidationError
GET/api/v1/applications/{application_id}/findings/{finding_id}

Get Finding

Get a single finding by id.

Parameters
NameTypeRequiredDescription
application_idstringYes

path parameter.

finding_idstringYes

path parameter.

Responses
StatusDescriptionSchema
200

Successful Response

PublicFindingResponse
422

Validation Error

HTTPValidationError
PATCH/api/v1/applications/{application_id}/findings/{finding_id}

Update Finding Status

Update the status of a finding (open / resolved / ignored / etc).

Parameters
NameTypeRequiredDescription
application_idstringYes

path parameter.

finding_idstringYes

path parameter.

Request body
NameTypeRequiredDescription
statusopen | resolved | ignored | false_positive | needs_manual_reviewYes

Status of a security finding.

Responses
StatusDescriptionSchema
200

Successful Response

PublicFindingResponse
422

Validation Error

HTTPValidationError

Fixes

Create remediation runs, poll fix progress, inspect diffs, and create pull requests.

GET/api/v1/applications/{application_id}/fixes

List Fixes

List fixes for the application.

Parameters
NameTypeRequiredDescription
application_idstringYes

path parameter.

finding_idstring | nullNo

Filter by finding id

limitintegerNo

query parameter.

Default: 50
skipintegerNo

query parameter.

Default: 0
Responses
StatusDescriptionSchema
200

Successful Response

PublicPaginatedResponse_PublicFixResponse_
422

Validation Error

HTTPValidationError
POST/api/v1/applications/{application_id}/fixes

Create Fix

Trigger an autofix run for one or more findings in this application.

Parameters
NameTypeRequiredDescription
application_idstringYes

path parameter.

Request body
NameTypeRequiredDescription
finding_idsstring[]No

No description provided.

titlestringYes

No description provided.

instructionsstringYes

No description provided.

source_repostringYes

Repository full_name (owner/repo)

source_repo_providergithub | gitlab | azure_devopsNo

No description provided.

Default: github
source_scan_branchstring | nullNo

Branch the finding was detected on

Responses
StatusDescriptionSchema
201

Successful Response

PublicFixResponse
422

Validation Error

HTTPValidationError
GET/api/v1/applications/{application_id}/fixes/{fix_id}

Get Fix

Get a single fix by id.

Parameters
NameTypeRequiredDescription
application_idstringYes

path parameter.

fix_idstringYes

path parameter.

Responses
StatusDescriptionSchema
200

Successful Response

PublicFixResponse
422

Validation Error

HTTPValidationError
GET/api/v1/applications/{application_id}/fixes/{fix_id}/diff

Get Fix Diff

Get the diff for a fix. Returns diff=null while the fix is still running — clients should poll until status is completed.

Parameters
NameTypeRequiredDescription
application_idstringYes

path parameter.

fix_idstringYes

path parameter.

Responses
StatusDescriptionSchema
200

Successful Response

PublicFixDiffResponse
422

Validation Error

HTTPValidationError
GET/api/v1/applications/{application_id}/fixes/{fix_id}/progress

Get Fix Progress

Minimal heartbeat for a running fix.

Returns status, timings, agent step count, and a last-activity timestamp so a CLI can show something like "Running... (42s, 12 steps, last update 3s ago)". Deliberately does not expose message content or tool-call details.

Parameters
NameTypeRequiredDescription
application_idstringYes

path parameter.

fix_idstringYes

path parameter.

Responses
StatusDescriptionSchema
200

Successful Response

PublicFixProgressResponse
422

Validation Error

HTTPValidationError
POST/api/v1/applications/{application_id}/fixes/{fix_id}/pull-requests

Create Pull Requests

Open pull requests for a completed fix.

Parameters
NameTypeRequiredDescription
application_idstringYes

path parameter.

fix_idstringYes

path parameter.

Request body
NameTypeRequiredDescription
titlestring | nullNo

PR title; auto-generated if omitted

bodystring | nullNo

PR body in markdown; auto-generated if omitted

branch_namestring | nullNo

Custom branch name; auto-generated if omitted

Responses
StatusDescriptionSchema
201

Successful Response

PublicPullRequestsCreatedResponse
422

Validation Error

HTTPValidationError

Quotas

Check current organization quota balances exposed by the public API.

GET/api/v1/quotas/balance

Get Quota Balance

Return the current-period quota balance for the calling organization.

Check this before triggering a scan or fix — if a counter's remaining is zero, the POST will 403 OPERATION_FAILED with the offending quota_type in the detail.

Responses
StatusDescriptionSchema
200

Successful Response

PublicQuotaBalanceResponse