Skip to main content

Source Control REST API

Source Control REST API can be used to:

  1. Create, update, and delete source control entries for the root organization, sub-organizations, and applications. This is implemented with two separate endpoints one for all organizations (including the root), and a second one for applications. The API signatures between the two are similar and differences will be noted below.

  2. Automatically assign the developer role to all contributors of the associated repository, who are registered IQ users, for a given application. See Automatic Role Assignment.

 

Warning

The enablePullRequests and enableStatusChecks fields in the JSON payload were deprecated in IQ Server Release 124:

- enablePullRequests was replaced with pullRequestCommentingEnabled

- enableStatusChecks was replaced with statusChecksEnabled

If you use an IQ Server version prior to 124, you'll have to replace the deprecated field names in the examples below.

Create a source control entry

To create a source control entry use the following endpoint. To create one for an organization use organization in the path, and for an application use application in the path.

POST /api/v2/sourceControl/{organization|application}/{ownerId}

With the following JSON body

{
    "token": "{scm access token}",
    "provider": "github",
    "repositoryUrl": "https://example.com/my-org/my-repo", 
    "baseBranch": "master",
    "remediationPullRequestsEnabled": true,
    "pullRequestCommentingEnabled": true,
    "sourceControlEvaluationsEnabled": true
}

  • The ownerId parameter is required. For the /api/v2/sourceControl/organization/ endpoint it must be a valid organization ID (use "ROOT_ORGANIZATION_ID" for the root organization). For the /api/v2/sourceControl/application/ endpoint it must be a valid application ID.

  • The repositoryUrl can only be specified for applications. Valid HTTP(S) and SSH URLs are accepted.

  • The token field is optional. It must be defined at one of the root organization, organization or application level. Each level inherits from the parent level and when present, will override any values set in the parents. See the Sonatype for SCM feature documentation for information on what permissions or scopes are required on the token.

  • The username field is optional and only allowed to be set on SCMs that require it. Currently, this is required for Bitbucket Server, Bitbucket Cloud and Azure DevOps.

  • The provider field is required for the root organization and cannot be specified for other organizations or applications. Allowed values are azure, github, gitlab, and bitbucket.

  • The baseBranch field is required for the root organization. Organizations and applications inherit from the root unless overridden.

  • The remediationPullRequestsEnabled field is optional. Set to true to enable the Automated Pull Requests feature.

  • The pullRequestCommentingEnabled field is optional. Set to true to enable the Pull Request Commenting feature.

  • The sourceControlEvaluationsEnabled field is optional. Set to true to enable Nexus IQ triggered source control evaluations, which are the foundation of the Continuous Risk Profile feature.

Note

Two formats are supported for SSH URLs: ssh://user@server/project-path.git and user@server:project-path.git.

On save all SSH URLs are converted to the HTTPS format. If an SSH URL is provided, subsequent retrievals will return the converted URL.

Get a source control entry

To get a source control entry use the following endpoint. To get for an organization use organization in the path, and for an application use application in the path.

GET /api/v2/sourceControl/{organization|application}/{ownerId}

  • The ownerId parameter is required. For the /api/v2/sourceControl/organization/ endpoint it must be a valid organization ID (use "ROOT_ORGANIZATION_ID" for the root organization). For the /api/v2/sourceControl/application/ endpoint it must be a valid application ID.

The response can contain the following fields

{
    "id": "83af9dafc06946f9a82833eceb8425ed",
    "ownerId": "7e68069cbb228a05bbf89a2c2992a8bce45b1027",
    "repositoryUrl": null,
    "token": "#~FAKE~SECRET~KEY~#",
    "provider": null,
    "baseBranch": "master",
    "remediationPullRequestsEnabled": null,
    "pullRequestCommentingEnabled": null,
    "sourceControlEvaluationsEnabled": null,
    "statusChecksEnabled": null
}

  • Fields that do not contain a value are null . For organizations and applications, this indicates inheriting the configuration from the parent. Applications will inherit values from the parent organization and organizations will inherit from the root organization.

  • The ownerId field is required. For the /api/v2/sourceControl/organization/ endpoint it will be an organization ID. For the /api/v2/sourceControl/application/ endpoint it will be an application ID.

  • The repositoryUrl will only show for applications and will always be null for organizations.

  • The token field is obfuscated if populated.

  • The id and statusChecksEnabled fields are internal fields.

Replace a source control entry

To replace a source control entry use the following endpoint. To replace one for an organization use organization in the path, and for an application use application in the path.

PUT /api/v2/sourceControl/{organization|application}/{ownerId}

  • The ownerId parameter is required. For the /api/v2/sourceControl/organization/ endpoint it will be an organization ID. For the /api/v2/sourceControl/application/ endpoint it will be an application ID.

With the same JSON body as for POST.

Delete a source control entry

To delete a source control entry use the following endpoint. To delete one for an organization use organization in the path, and for an application use application in the path.

DELETE /api/v2/sourceControl/{organization|application}/{ownerId}

  • The ownerId parameter is required. For the /api/v2/sourceControl/organization/ endpoint it will be an organization ID. For the /api/v2/sourceControl/application/ endpoint it will be an application ID.

The response is an empty payload with a 204 (Success - no content) status.

Automatic Role Assignment

You can grant the developer role to all contributors of the associated repository, on a given application, automatically, if the following conditions are met:

  1. The source control should be configured for the application and it should have an authentication token.

  2. The contributors to the repository should have a corresponding user account in IQ that matches the username in the SCM (GitHub).

  3. The user calling the API should have edit access control permission over the given application.

The developer role will be automatically assigned to all contributors of the repository, who have a matching username configured in IQ Server.

Note

This capability is currently offered only for GitHub repositories.

Example

curl -u admin:admin123 \
  -X POST 'http://localhost:8070/api/v2/sourceControl/automaticRoleAssignment/my-public-app-id'

Response

The response is an array of all users that were found in GitHub and were successfully granted the developer role on the application.

Example

[
  "githubUser1",
  "githubUser2",
  "githubUser3",
  "githubUser4",
  "githubUser5",
  "githubUser6",
  "githubUser7"
]