|
1 | 1 | # API |
2 | 2 |
|
3 | | -This section documents the public API for Phylum's artifact repository offering. |
| 3 | +This section provides additional instructions for usage of Phylum's Artifact |
| 4 | +Repository API. The full API is documented on [Swagger]. |
4 | 5 |
|
5 | | -## Webhooks |
| 6 | +[Swagger]: https://swagger.phylum.io/?urls.primaryName=Artifact+Repository+API |
6 | 7 |
|
7 | | -Webhooks will send out notifications whenever a package that was accessed |
8 | | -through a repository proxy fails analysis. |
| 8 | +## Authentication |
9 | 9 |
|
10 | | -To setup a new webhook, you can use the following curl command: |
| 10 | +The Artifact Repository API expects authentication in the basic auth format. The |
| 11 | +username is optional and provides context for which group should be used for the |
| 12 | +request. The group must either be the group name itself, for standalone groups, |
| 13 | +or the organization and group name combined using a `/`. |
11 | 14 |
|
12 | | -```sh |
13 | | -# Phylum group used with the registry proxy. |
14 | | -export PHYLUM_GROUP=… |
15 | | -# https://docs.phylum.io/knowledge_base/api-keys#generate-an-api-key |
16 | | -export PHYLUM_API_KEY=… |
17 | | -# URL which will be called on analysis failure. |
18 | | -export WEBHOOK_URL=… |
19 | | -# Shared secret used to validate authenticity of webhook callbacks |
20 | | -export SECRET=… |
| 15 | +The following script will create a valid authorization token for the org |
| 16 | +`phylum`, group `demo`, and with the token stored in `$PHYLUM_API_KEY`: |
21 | 17 |
|
22 | | -curl \ |
23 | | - -X PUT \ |
24 | | - --user "$PHYLUM_GROUP:$PHYLUM_API_KEY" \ |
25 | | - --json "{\"url\": \"$WEBHOOK_URL\", \"secret\": \"$SECRET\"}" \ |
26 | | - "https://aviary.phylum.io/webhooks" |
| 18 | +```sh |
| 19 | +echo "Basic $(printf \"phylum/demo:$PHYLUM_API_KEY\" | base64)" |
27 | 20 | ``` |
28 | 21 |
|
29 | | -> ⚠️ **WARNING** ⚠️ |
30 | | -> |
31 | | -> Do not accidentally save your token into your shell history. |
| 22 | +## Webhooks |
| 23 | + |
| 24 | +Webhooks will send out notifications whenever a package that was accessed |
| 25 | +through a repository proxy fails analysis. |
32 | 26 |
|
33 | | -Once a webhook is registered, policy violations will be sent to it in the same |
34 | | -format as the [package check endpoint]. |
| 27 | +Once a webhook is [registered][register webhook endpoint], policy violations |
| 28 | +will be sent to it in the same format as the [package check endpoint]. |
35 | 29 |
|
36 | 30 | Since these reports contain security advisories, it's important to make sure |
37 | 31 | that they were generated by Phylum and the endpoint wasn't called by a third |
38 | 32 | party. To make this possible, all official webhook notification calls will |
39 | 33 | include a `sha256` query parameter which contains a hexadecimal representation |
40 | 34 | of the SHA256-HMAC of the response body, generated with the shared secret |
41 | | -provided when registering the webhook. |
42 | | - |
43 | | -### Deleting Webhooks |
44 | | - |
45 | | -If a webhook is no longer in use, it should be deleted: |
46 | | - |
47 | | -```sh |
48 | | -# Phylum group used with the registry proxy. |
49 | | -export PHYLUM_GROUP=… |
50 | | -# https://docs.phylum.io/knowledge_base/api-keys#generate-an-api-key |
51 | | -export PHYLUM_API_KEY=… |
52 | | -# URL-encoded URL used during webhook setup. |
53 | | -export WEBHOOK_URL=… |
54 | | - |
55 | | -curl \ |
56 | | - -X DELETE \ |
57 | | - --user "$PHYLUM_GROUP:$PHYLUM_API_KEY" \ |
58 | | - "https://aviary.phylum.io/webhooks/$WEBHOOK_URL" |
59 | | -``` |
60 | | - |
61 | | -> ⚠️ **WARNING** ⚠️ |
62 | | -> |
63 | | -> Do not accidentally save your token into your shell history. |
64 | | -
|
65 | | -### Retrieving configured Webhooks |
66 | | - |
67 | | -To get a list with all configured webhook URLs for a group, you can send a `GET` |
68 | | -request to the `/webhooks` endpoint: |
69 | | - |
70 | | -```sh |
71 | | -# Phylum group used with the registry proxy. |
72 | | -export PHYLUM_GROUP=… |
73 | | -# https://docs.phylum.io/knowledge_base/api-keys#generate-an-api-key |
74 | | -export PHYLUM_API_KEY=… |
75 | | - |
76 | | -curl \ |
77 | | - --user "$PHYLUM_GROUP:$PHYLUM_API_KEY" \ |
78 | | - "https://aviary.phylum.io/webhooks" |
79 | | -``` |
80 | | - |
81 | | -> ⚠️ **WARNING** ⚠️ |
82 | | -> |
83 | | -> Do not accidentally save your token into your shell history. |
| 35 | +provided when registering the webhook. This checksum **must** be validated |
| 36 | +before accepting the authority of new webhook events. |
84 | 37 |
|
85 | | -[package check endpoint]: https://api.phylum.io/api/v0/swagger/index.html#/Organizations/organizations_group_packages_check |
| 38 | +[register webhook endpoint]: https://swagger.phylum.io/?urls.primaryName=Artifact+Repository+API#/default/add_webhook |
| 39 | +[package check endpoint]: https://swagger.phylum.io/?urls.primaryName=API#/Organizations/organizations_group_packages_check |
0 commit comments