API
Public REST API (v1)
Read-only access to your catalog, SBOMs, and vulnerability data.
The /v1 API gives programmatic, read-only access to everything you're licensed for. Authenticate with a scoped API key. The machine-readable spec is at /v1/openapi.json, and the in-portal Developer page has live examples.
Base URL: https://<your-subdomain>.app.podarmor.dev
Endpoints
| Method & path | Scope | Returns |
|---|---|---|
| GET /v1/images | read:catalog | Every licensed image + its latest version |
| GET /v1/images/{id} | read:catalog | Image detail: base OS, size, latest-version severity counts |
| GET /v1/images/{id}/sbom?format=cyclonedx\|spdx | read:sbom | The signed SBOM, verbatim |
| GET /v1/images/{id}/vulnerabilities | read:vulns | Vulnerabilities on the latest version, with fix state |
| GET /v1/cve/{cveId} | read:vulns | Which of your images carry a given CVE |
| GET /v1/openapi.json | — (public) | The OpenAPI 3.0 spec |
Example: gate CI on critical CVEs
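```bash
# BASE is the base URL above; PODARMOR_KEY needs the read:catalog scope.
# -fsS: on an HTTP error curl prints no body, so the count below comes back empty.
IMG=$(curl -fsS -H "Authorization: Bearer $PODARMOR_KEY" \
  "$BASE/v1/images" | jq -r '.images[] | select(.name=="nginx") | .id')
CRIT=$(curl -fsS -H "Authorization: Bearer $PODARMOR_KEY" \
  "$BASE/v1/images/$IMG" | jq '.vulnerabilityCounts.critical')
# Fail closed: anything other than a plain integer count blocks the build.
case "$CRIT" in ''|*[!0-9]*) echo "blocked: no critical count returned"; exit 1 ;; esac
if [ "$CRIT" -gt 0 ]; then echo "blocked: $CRIT critical CVEs"; exit 1; fi
echo "clear"
```

Cross-tenant access is impossible: every response is scoped to the key's tenant, and an unknown image id returns 404. Requests are rate-limited per key.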
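The same gate as a fail-closed Python script, added here as an example and not PodArmor's own code: it blocks on any non-200 status (the 404 and rate limiting described above included), on an ambiguous image name, and on a missing or non-integer count. The function names are hypothetical; the JSON fields and the `BASE` and `PODARMOR_KEY` variables are the ones the shell example uses.

```python
import json
import os
import sys
import urllib.error
import urllib.request

def fetch(base, path, key):
    """GET base+path with the API key; return (status, parsed JSON or None)."""
    req = urllib.request.Request(
        base + path, headers={"Authorization": f"Bearer {key}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # 404, rate limiting, rejected key
        return err.code, None
    except (OSError, ValueError):          # network failure or non-JSON body
        return None, None

def find_image_id(status, body, name):
    """Return the id of the single image called `name`, else None."""
    images = body.get("images") if isinstance(body, dict) else None
    if status != 200 or not isinstance(images, list):
        return None
    ids = [i.get("id") for i in images
           if isinstance(i, dict) and i.get("name") == name]
    return ids[0] if len(ids) == 1 and ids[0] else None

def gate(status, body, max_critical=0):
    """Return (allowed, reason); only a 200 with an integer count can pass."""
    if status != 200:
        return False, f"blocked: API returned {status}"
    counts = body.get("vulnerabilityCounts") if isinstance(body, dict) else None
    crit = counts.get("critical") if isinstance(counts, dict) else None
    if type(crit) is not int or crit < 0:  # rejects None, "3", True
        return False, "blocked: no usable critical count"
    if crit > max_critical:
        return False, f"blocked: {crit} critical CVEs"
    return True, "clear"

if __name__ == "__main__":
    base, key = os.environ["BASE"], os.environ["PODARMOR_KEY"]
    img = find_image_id(*fetch(base, "/v1/images", key), "nginx")
    if img is None:
        sys.exit("blocked: image lookup failed")
    ok, reason = gate(*fetch(base, f"/v1/images/{img}", key))
    print(reason)
    sys.exit(0 if ok else 1)
```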