Authentication

• The Nightfall API uses API keys to authenticate requests. You can view your API key on your Settings page.
• Your API keys carry many privileges, so be sure to keep them secure. Do not share your secret API keys in publicly accessible areas such as GitHub, client-side code, and so forth.
• Authentication to the API is performed via HTTP Basic Auth. Provide your API key as the basic auth username value. You do not need to provide a password.
• All API requests must be made over HTTPS. Calls made over plain HTTP will fail. API requests without authentication will also fail.

Terminology

• A Scan is a historical scan of a single GitHub repository. A Scan can be run on its own, or can belong to a Workflow Run, detailed below. A Scan has many Results.
• A Result is a single violation or sensitive finding of sensitive data. A Result belongs to a Scan.
• A Workflow represents an automatic bulk scan all repos in a GitHub organization, either on-demand or on a scheduled basis. Each time a Workflow is run, this generates a Workflow Run. Thus, a Workflow has many Workflow Runs.
• A Run, or a Workflow Run, is an instance of a Workflow being run or performed. A Run performs a full historical scan of all repos in its corresponding Workflow's GitHub organization. Thus, a Run belongs to a Workflow, and a Run has many Scans, corresponding to all repos in the GitHub organization being scanned at the time of the Run.

Start a New Scan

Scan a GitHub repository for sensitive credentials or secrets. The repo can be public or private. If this repo is private, you must have access to it via the GitHub account that you've logged in to Nightfall with. By default, users are limited to 100 completed scans per month. You can check your current scan usage on your Settings page. The full commit history of the repository will be scanned, irrespective of its size.

Note that scans are run asynchronously. This means that this endpoint will respond immediately upon starting the scan with a Scan ID. You can use this Scan ID to retrieve the results when ready via the API call below, Get Scan Results. You will be notified via email, and optionally at your Webhook endpoint explained below, when the scan is complete and results are ready for your retrieval.

Arguments:

• github_url - Required. URL to a GitHub repository to scan with 1000 or fewer commits, for example: https://github.com/nightfalldlp/sample

Returns:

• status - The status of the scan. One of Running, Error, Scan Limit Exceeded, or Usage Error.
• message - Message regarding status of the scan.
• scan_id - Identifier for the scan. You can use this identifier to get scan results, see Get Scan Results below.

POST /api/v1/scans/new

Sample Usage — Login to auto-fill values below curl https://radar.nightfall.ai/api/v1/scans/new \ -u API_KEY: \ -d 'github_url=https://github.com/nightfalldlp/sample'

Sample Response { "status": "Running", "message": "Scan is running. You will be notified via email (youremail@example.com) when scan is complete. You can view the scan results via the provided Scan ID when complete. You can also configure a Webhook endpoint to be programatically notified when the scan is complete. See API Docs: https://radar.nightfall.ai/docs#get-results", "scan_id": "374b41aa-2567-4b58-828f-ea72684ca17c" }

Get List of Scans

Returns a list of most recent scans, ordered by creation date. The scan results are not included. To get scan results, refer to the /api/v1/scans/:scan_id endpoint below.

Arguments:

• limit - Optional, default is 5. A limit on the number of objects to be returned, between 1 and 100. Max is 100.
• page - Optional, default (index) is 1. Page of results to fetch. The number of results per page is defined by the limit parameter above.

Returns:

• status - The status of the scan. One of Completed, Running, or Failed.
• limit - The number of results to return. Default is 5. Max is 100.
• page - The page number of the paginated results.
• scans - An array of Scan objects. Each Scan object has the following attributes:
  • id - Identifier of the scan.
  • url - URL of the GitHub repo that was scanned.
  • duration - Duration of scan in seconds.
  • created_at - Date/time of when the scan was initiated.

GET /api/v1/scans

Sample Usage — Login to auto-fill values below curl -X GET https://radar.nightfall.ai/api/v1/scans \ -u API_KEY:

Sample Response { "status": "Success", "limit": 5, "page": 1, "scans": [ { "id": "2ed12efe-1fbd-4d09-aad9-1e6867c1c80f", "url": "https://github.com/nightfalldlp/sample", "duration": "1.706554794", "created_at": "2019-04-23T23:39:58.282Z" }, { "id": "f5edec8b-a215-4537-90db-8d02289e11e4", "url": "https://github.com/nightfalldlp/sample", "duration": "1.670032915", "created_at": "2019-04-23T23:38:14.560Z" } ] }

Get Scan Results

Returns the results for a specific scan.

Arguments:

• scan_id - Required. The identifier of the scan for which results are being retrieved.

Returns:

• scan_id - Identifier of the scan.
• url - URL of GitHub that was scanned.
• duration - Duration of scan in seconds.
• created_at - Date/time of when scan was initiated.
• scanned_files - Number of files scanned in repo.
• status_code - Status of the scan. Conventional HTTP response code. Codes in the 2xx indicate success. Codes in the 4xx range indicate a failure given the information provided. Codes in the 5xx range indicate an error with Nightfall's servers (these are rare).
• results_count - Number of scan results.
• results - An array of Result objects. There is one Result object for each sensitive token string (API key, credential, etc.) that is found. Each Result object has the following attributes:
  • result_id - Identifier of the result.
  • repo_path - Path of the repository in which the result was found.
  • file_path - Path of the file in which the result was found.
  • branch - Branch name in which the result was found.
  • commit_hash - Commit hash in GitHub repo.
  • author_email - Author of the commit.
  • context - The preceding characters before the sensitive token.
  • token - Redacted sensitive token that was discovered.
  • token_length - Length, in number of characters, of the sensitive token found.
  • permalink - A permalink to the exact line of the sensitive finding in GitHub.
  • created_at - Date/time of when the result was found.
  • signature - SHA1 hash of commit_hash, permalink, and context together.

GET /api/v1/scans/:scan_id

Sample Usage — Login to auto-fill values below curl -X GET https://radar.nightfall.ai/api/v1/scans/SCAN_ID \ -u API_KEY:

Sample Response { "id": "0b6b08cf-f1ff-436b-a69f-7a1cb0d06e44", "url": "https://github.com/nightfalldlp/sample", "duration": "0.822404097", "created_at": "2019-04-28 22:51:10 UTC", "scanned_files": 24, "status_code": 200, "results_count": 1, "results": [ { "result_id": "db2d2f85-8c06-41ef-85bf-2ea2dc786ca3", "repo_path": "sample", "file_path": "sample.rb", "branch": "origin/master", "commit_hash": "3a07b08d2461b6906376081d1f13b303215bf55d", "author_email": "49463194+nightfalldlp@users.noreply.github.com", "context": "a4300836696c47b4f2d7c'\n+\n+auth_token = '", "token": "db▪▪▪▪▪▪▪▪▪▪▪▪▪▪▪▪▪▪▪▪▪▪▪▪▪▪▪▪▪▪", "token_length": 32, "permalink": "https://github.com/nightfalldlp/sample/blob/3a07b08d2461b6906376081d1f13b303215bf55d/sample.rb#L7", "created_at": "2019-04-28 22:51:13 UTC", "signature": "74285ef22c444da264ad891176d459ea16ae4d1g" } ] }

Get Runs

Returns all Runs for all Workflows in an organization, sorted newest to oldest.

Arguments:

• None

Returns:

• An array of Run objects. A Run is a singular run of a Workflow and corresponds to a full historical scan of a GitHub organization at a moment in time. This array is sorted by most recent Run (first array element is the most recent). Each Run object has the following attributes:
  • id - Identifier of the Run. Use this ID when calling Get Run Results below.
  • workflow_id - Identifier of the Workflow that the Run belongs to.
  • status - The status of the Run. If 1 this means the Run is finished running, else it is still running or in a pending state.
  • created_at - Date/time of when the Run was started.
  • updated_at - Date/time of when the Run was last updated.

GET /api/v2/runs

Sample Usage — Login to auto-fill values below curl -X GET https://radar.nightfall.ai/api/v2/runs \ -u API_KEY:

Sample Response [ { "id": "d00ac88d-e384-4aea-8d3e-15a609651e35", "workflow_id": "3fc50c3-b11c-474f-02eb-075c955e84dd5", "status": 1, "created_at": "2021-08-23T04:51:15.916Z", "updated_at": "2021-09-01T03:29:35.021Z" }, { "id": "88d95f2c-e8e4-4ed4-a40e-49174052b7c1", "workflow_id": "3fc50c3-b11c-474f-02eb-075c955e84dd5", "status": 1, "created_at": "2021-08-22T17:09:36.301Z", "updated_at": "2021-08-22T17:10:43.661Z" } ]

Get Run Results

Returns all results for all scans in a completed Workflow Run, as JSON or CSV.

Arguments:

• run_id - Required. The identifier of the Run for which results are being retrieved.
• export_format - Optional. Specify this argument with value csv as a query parameter for response to be in a CSV format (e.g. /api/v2/runs/:run_id?export_format=csv). If any other value, or if excluded, response will be standard JSON.

Returns:

• run_id - Identifier of the Run whose results are being retrieved.
• results - An array of Result objects. There is one Result object for each sensitive token string (API key, credential, etc.) that is found. Each Result object has the following attributes:
  • result_id - Identifier of the result.
  • scan_id - Identifier of the corresponding scan that the result belongs to.
  • repo_path - Path of the repository in which the result was found.
  • author_email - Author of the commit.
  • commit_hash - Commit hash in GitHub repo.
  • file_path - Path of the file in which the result was found.
  • context - The preceding characters before the sensitive token.
  • token - Redacted sensitive token that was discovered.
  • permalink - A permalink to the exact line of the sensitive finding in GitHub.
  • created_at - Date/time of when the result was found.
  • signature - SHA1 hash of commit_hash, permalink, and context together.

GET /api/v2/runs/:run_id

Sample Usage — Login to auto-fill values below curl -X GET https://radar.nightfall.ai/api/v2/runs/RUN_ID \ -u API_KEY:

Sample Response { "run_id": "0254df80-4bee-4794-b34a-224ec9c1236f", "results": [ { "result_id": "2fee1783-6528-4ea8-88db-0834d1954b2f6", "scan_id": "e54b67a6-e1c7-4ed0-9514-358a98e77c48", "repo_path": "https://github.com/nightfallai-radar/sample-repo", "author_email": "nightfall-support@users.noreply.github.com", "commit_hash": "6a0d1b279ee6f839cdb1f53928b8883589d857cd", "file_path": "sample.py", "context": "stripe.api_key = \"", "token": "sk******************************", "permalink": "https://github.com/nightfallai-radar/sample-repo/blob/6a0d1b279ee6f839cdb1f53928b8883589d857cd/sample.py#L2", "created_at": "2020-08-06T03:56:57.499Z", "signature": "befca7c63d9be2be94a9438f290ae3e1589d20af" }, { "result_id": "33f89fbb-8a1d-518e-b922-2ac20d80ce2", "scan_id": "fb764fda-8bcf-49a3-b82c-cd2452152fa9", "url": "https://github.com/nightfallai-radar/test-repo", "author_email": "nightfall-support@users.noreply.github.com", "commit_hash": "580743b38370b2d48c588c7e0f1233e68e2ef726", "file_path": "sample.rb", "context": "auth_token = '", "token": "db******************************", "permalink": "https://github.com/nightfallai-radar/test-repo/blob/580743b38370b2d48c588c7e0f1233e68e2ef726/sample.rb#L7", "created_at": "2020-08-06T03:56:58.808Z", "signature": "d497186dab435c8f36fb0a6b3e55878aa47b0ca7" } ] }

Webhook Endpoint

You can register a webhook URL for Nightfall to notify you when a scan is completed and results are ready for you to retrieve. When a scan is completed, Nightfall creates an Event object.

This Event object contains relevant information about the Scan. Nightfall then sends the Event object, via an HTTP POST request, to the webhook URL that you have defined on your Settings page.

To set up an endpoint, you need to define a route on your server for receiving events and configure your Webhook URL on your Settings page so Nightfall knows where to POST events.

Event Object

Attributes:

• status - Conventional HTTP response code indicating the status of the scan. If the code is 2xx it indicates success, and you can use the scan_id to get the scan's results via the Get Scan Results endpoint, described above.
• scan_id - Identifier of the scan.
• duration - Duration of the scan in seconds.
• url - URL of the GitHub repo that was scanned.

Sample Event { "status": 200, "scan_id": "2bf24516-337f-4dc2-83b2-4e9b101183cb", "duration": "1.057264743", "url": "https://github.com/nightfalldlp/sample" }

Allowing Tokens via Allow List

The allow list enables you to "allow" tokens, files, or directories to pass through our filters undetected. In other words, items on the allow list will be ignored when displaying scan results for a repository. For example, let’s say there is a test API key in your repository that you do not want to get flagged by Radar - you can add it to the allow list. The allow list applies on a global, account level and will affect all subsequent scans for all repos.

Allow-listing can be performed on two Key Types (specified by the key_type parameter below): individual tokens (where the Key Type is api_key) or on an entire file/directory level (where the Key Type is subpath). As an example of api_key allow-listing, you could ignore the token “test_api_key” individually. As an example of subpath allow-listing, you could specify that the file “test_keys.py” is ignored completely. The inputs for a subpath start at the root of the repo and can be a specific file, blob, or directory.

• File path: /path/to/file/to/ignore.py
• Directory path: /path/to/some/test/directory/*

Get Allow List

Returns an array of items to be allowed. This array will be filtered based on the type of key you are adding to the allow list (key_type), as described above.

Arguments:

• key_type - Required. The type of key to allow, value is one of (a) api_key, corresponding to an individual token, or (b) subpath, corresponding to an entire file/directory.

Returns:

• status - The status of the request. One of Success or Error.
• allowlist - An array of items currently in the allow list, corresponding to the key type specified in the request.

GET /api/v1/allowlist

Sample Usage — Login to auto-fill values below curl -X GET https://radar.nightfall.ai/api/v1/allowlist \ -u API_KEY: \ -d 'key_type=api_key'

Sample Response { "status": "Success", "allowlist": [ "testkey1", "testkey2" ] }

Add to Allow List

Add a list of keys to the allow list, so Radar doesn't flag them. For example, these could be example or test keys that have been verified as safe to expose.

Arguments:

• key_type - Required. The type of key to allow, value is one of (a) api_key, corresponding to an individual token, or (b) subpath, corresponding to an entire file/directory.
• allowlist - Required. An array of items to add to the allow list, corresponding to the key type specified above.

Returns:

• status - The status of the request. One of Success or Error.
• message - A verbose description of the status.

POST /api/v1/allowlist

Sample Usage — Login to auto-fill values below curl -X POST https://radar.nightfall.ai/api/v1/allowlist \ -u API_KEY: \ --data-urlencode 'allowlist=["newtestkey"]' \ -d 'key_type=api_key'

Sample Response { "status": "Success", "message": "Key(s) added successfully." }

Delete from Allow List

Remove a list of keys from the allow list.

Arguments:

• key_type - Required. The type of key to allow, value is one of (a) api_key, corresponding to an individual token, or (b) subpath, corresponding to an entire file/directory.
• allowlist - Required. An array of items to remove from the allow list, corresponding to the key type specified above.

Returns:

• status - The status of the request. One of Success or Error.
• message - A verbose description of the status.

DELETE /api/v1/allowlist

Sample Usage — Login to auto-fill values below curl -X DELETE https://radar.nightfall.ai/api/v1/allowlist \ -u API_KEY: \ -d 'allowlist=["newtestkey"]' \ -d 'key_type=api_key'

Sample Response { "status": "Success", "message": "Key(s) added successfully." }

Bulk & Automated Scans

With Radar, you can scan all the GitHub repos in your account that you have access to, either manually or automatically on a fixed schedule.

You can accomplish this manually by writing a short script in a language of your choice. Follow our tutorial here to write a bash script to scan all your repos:
How to bulk scan your organization's GitHub repos

If you would like to automatically scan all of your organization's repos on a fixed schedule (e.g. weekly or monthly), this is a feature we can enable for you. Once enabled, scans will trigger on your set cadence, and results will automatically populate in your dashboard upon completion (similar to a manual scan). By default, scans will include all organization repos that you have access to.

If you would like to have Radar automatically scan the repos your account has access to, please email support@nightfall.ai to enable this.

Using the Dashboard

All scan results are also accessible in our dashboard UI, in case you'd prefer to access results visually rather than programatically.

See a full list of scans:

For each scan, see the results:

Questions?

For help, please email us at support@nightfall.ai or via the support widget in the bottom right.