Uploading data via API

Use the IBM® Concert API to upload SBOM files, image scans, and certificate data.

Note: Refer to the API documentation for a full index of endpoints and requests.

Supported data types

You can use a POST request to the API endpoint to upload the following data types to Concert:
  • Application SBOM (application_sbom)
  • Build SBOM (application_sbom)
  • Deploy SBOM (application_sbom)
  • Package SBOM (package_sbom)
  • Vulnerability scans (CVEs and exposures)
    • Vulnerability scan of an image (image_scan)
    • Vulnerability scan of source code (code_scan)
    • Vulnerability scan of a runtime or virtual machine (vm_scan)
    • Dynamic Application Security Testing (DAST) for a CVE (dynamic_scan)
    • Static Application Security Testing (SAST) of source code in SARIF format (static_code_scan)
  • Certificate details (certificate)
Note: When uploading a ConcertDef SBOM file, you must set the data_type parameter value to application_sbom, regardless of whether it is an application SBOM, build SBOM, or deploy SBOM.

Before you begin

API endpoint for data ingestion

https://${concert_host}:${port}/ingestion/api/v1/upload_files
Table 1. Concert data ingestion API URL variables
Variable Description
${concert_host} Hostname of the Concert API server.
${port} The number of the port on which the API server listens for incoming requests. For SaaS and OpenShift Container Platform deployments, the port value is 443. The port number can vary for VM deployments.

Code snippet

$CURL -X 'POST' \
    "https://${concert_host}:${port}/ingestion/api/v1/upload_files" \
    -H 'accept: application/json' \
    -H "InstanceID: <string>" \
    -H "Authorization: <type> ${Concert_API_key}" \
    -H 'Content-Type: multipart/form-data' \
    -F "data_type=<enum>" \
    -F "filename=@<string>"

Parameters

Table 2. API request parameters for data ingestion
Parameter Description
InstanceID Unique ID of your Concert instance. This value appears temporarily in the UI, along with other details that are related to API key usage, when you generate an API key in the Concert UI. Example format: 0000-0000-0000-0000
Authorization The Concert API key type and value.
  • Replace <type> with C_API_KEY for SaaS and VM deployments, and ZenApiKey for OpenShift Container Platform deployments.
  • Replace ${Concert_API_key} with the unique API key value generated in the Concert UI.
data_type The type of data you are uploading.
  • Application SBOM (application_sbom)
  • Build SBOM (application_sbom)
  • Deploy SBOM (application_sbom)
  • Package SBOM (package_sbom)
  • Vulnerability scans (CVEs and exposures)
    • Vulnerability scan of an image (image_scan)
    • Vulnerability scan of source code (code_scan)
    • Vulnerability scan of a runtime or virtual machine (vm_scan)
    • Dynamic Application Security Testing (DAST) for a CVE (dynamic_scan)
    • Static Application Security Testing (SAST) of source code in SARIF format (static_code_scan)
  • Certificate details (certificate)
filename File path and name of the file you want to upload. Precede the file path with an @ symbol. For example, @slacksim-definition.json
Table 3. File upload matrix

This table has the information on Concert's file upload matrix. Each row lists the category, data format, data_type value, accepted file types, and the metadata keys that are required or optional for that format.

Category | Data format | Data type | File type | Metadata
Concert Inventory | Application SBOM (ConcertDef) | application_sbom | json | No metadata
Concert Inventory | Build SBOM (ConcertDef) | application_sbom | json | No metadata
Concert Inventory | Deploy SBOM (ConcertDef) | application_sbom | json | No metadata
Software Composition | Package SBOM (CycloneDX) - Image | package_sbom | json | (Optional) image_name; tag; digest
Software Composition | Package SBOM (CycloneDX) - Library | package_sbom | json | (Optional) library_name; version
Software Composition | Package SBOM (CycloneDX) - Source | package_sbom | json | (Required) repo_url; repo_name. (Optional) branch_name; commit SHA
Vulnerability | Prisma Cloud scan | image_scan | csv, xls, xlsx, json | (Optional) scanner_name; application_name; application_version; scan_date
Vulnerability | Trivy | image_scan | json | (Optional) scanner_name; application_name; application_version; scan_date
Vulnerability | Grype (CycloneDX) | image_scan | json | (Optional) scanner_name; application_name; application_version; scan_date
Vulnerability | Sysdig | image_scan | csv, xls, xlsx | (Optional) scanner_name; application_name; application_version; scan_date
Vulnerability | VDR scan (CycloneDX) | image_scan | json | (Optional) scanner_name; application_name; application_version; scan_date
Vulnerability | Aqua Security | image_scan | json | (Optional) scanner_name; application_name; application_version; scan_date
Vulnerability | Concert Custom Format | code_scan | csv | (Required) repo_url. (Optional) scanner_name; application_name; application_version; scan_date
Vulnerability | Mend (CycloneDX) | code_scan | csv, xls, xlsx, json | (Required) repo_url. (Optional) scanner_name; application_name; application_version; scan_date
Vulnerability | Trivy, Grype (CycloneDX) | code_scan | csv, xls, xlsx, json | (Required) repo_url. (Optional) scanner_name; application_name; application_version; scan_date
Vulnerability | Nessus | vm_scan | csv, xls, xlsx, json | (Optional) scan_date
Vulnerability | Microsoft Defender for Cloud | vm_scan | csv, xls, xlsx | (Optional) scan_date
Vulnerability | Qualys | vm_scan | csv, xls, xlsx | (Optional) scan_date
Vulnerability | SARIF | static_code_scan | json | (Required) repo_name; repo_url. (Optional) scanner_name; application_name; application_version
Vulnerability | Concert Custom Format | static_code_scan | csv | (Required) repo_name; repo_url. (Optional) scanner_name; application_name; application_version
Vulnerability | SonarQube | static_code_scan | csv | (Required) repo_name; repo_url. (Optional) scanner_name; application_name; application_version
Vulnerability | Zap | dynamic_scan | json | (Required) env_name; access_point_name. (Optional) scanner_name; application_name; application_version
Vulnerability | Concert Custom Format | dynamic_scan | csv | (Required) env_name; access_point_name; access_point_url. (Optional) scanner_name; application_name; application_version
Certificate | Concert Custom Format | certificate | csv | (Required) env_name
Certificate | Certificate SBOM (ConcertDef) | certificate | json | No metadata
Compliance | Compliance Catalog | compliance_catalog | json, xml, yaml, tar | No metadata
Compliance | Compliance Posture | compliance_posture | json | No metadata
Compliance | Component definition | component_definition | json | (Required) catalog_id

Examples

Each of the following examples demonstrates the structure of an API call for uploading a specific type of data to the Concert platform.

Upload an application, build, or deploy SBOM file (ConcertDef format)

The following example uploads an application, build, or deploy SBOM file in ConcertDef format that is called my-application-SBOM.json.

$CURL -X 'POST' \
    "https://${concert_host}:${port}/ingestion/api/v1/upload_files" \
    -H 'accept: application/json' \
    -H "InstanceID: 0000-0000-0000-0000" \
    -H "Authorization: <type> ${Concert_API_key}" \
    -H 'Content-Type: multipart/form-data' \
    -F "data_type=application_sbom" \
    -F "filename=@my-application-SBOM.json"

Upload a package SBOM (CycloneDX format)

The following example uploads a package SBOM file in CycloneDX format that is called my-package-SBOM.json.

$CURL -X 'POST' \
    "https://${concert_host}:${port}/ingestion/api/v1/upload_files" \
    -H 'accept: application/json' \
    -H "InstanceID: 0000-0000-0000-0000" \
    -H "Authorization: <type> ${Concert_API_key}" \
    -H 'Content-Type: multipart/form-data' \
    -F "data_type=package_sbom" \
    -F "filename=@my-package-SBOM.json"

Upload a vulnerability scan (of image)

The following example uploads a vulnerability scan of an image that is called my-image-scan.csv.

$CURL -X 'POST' \
    "https://${concert_host}:${port}/ingestion/api/v1/upload_files" \
    -H 'accept: application/json' \
    -H "InstanceID: 0000-0000-0000-0000" \
    -H "Authorization: <type> ${Concert_API_key}" \
    -H 'Content-Type: multipart/form-data' \
    -F "data_type=image_scan" \
    -F "filename=@my-image-scan.csv" \
    -F 'metadata={"scanner_name": "<scan source>"}'

Upload a vulnerability scan (of source code)

The following example uploads a vulnerability scan of source code that is called my-code-scan.csv.

$CURL -X 'POST' \
    "https://${concert_host}:${port}/ingestion/api/v1/upload_files" \
    -H 'accept: application/json' \
    -H "InstanceID: 0000-0000-0000-0000" \
    -H "Authorization: <type> ${Concert_API_key}" \
    -H 'Content-Type: multipart/form-data' \
    -F "data_type=code_scan" \
    -F "filename=@my-code-scan.csv" \
    -F 'metadata={"scanner_name": "<scan source>"}'

Upload a vulnerability scan (of a runtime or virtual machine)

The following example uploads a vulnerability scan of a runtime or virtual machine that is called my-vm-scan.csv.

$CURL -X 'POST' \
    "https://${concert_host}:${port}/ingestion/api/v1/upload_files" \
    -H 'accept: application/json' \
    -H "InstanceID: 0000-0000-0000-0000" \
    -H "Authorization: <type> ${Concert_API_key}" \
    -H 'Content-Type: multipart/form-data' \
    -F "data_type=vm_scan" \
    -F "filename=@my-vm-scan.csv" \
    -F 'metadata={"scanner_name": "<scan source>"}'

Upload a DAST dynamic vulnerability scan

The following example uploads a Dynamic Application Security Testing (DAST) scan that is called dast-scan.csv.

$CURL -X 'POST' \
    "https://${concert_host}:${port}/ingestion/api/v1/upload_files" \
    -H 'accept: application/json' \
    -H "InstanceID: 0000-0000-0000-0000" \
    -H "Authorization: <type> ${Concert_API_key}" \
    -H 'Content-Type: multipart/form-data' \
    -F "data_type=dynamic_scan" \
    -F "filename=@/Users/jsmith/Desktop/dast-scan.csv" \
    -F 'metadata={"env_name": "prod","access_point_name": "<string>","access_point_url": "<url>"}'

Upload a SAST vulnerability scan

The following example uploads a Static Application Security Testing (SAST) scan in SARIF format that is called sast-scan.csv.

$CURL -X 'POST' \
    "https://${concert_host}:${port}/ingestion/api/v1/upload_files" \
    -H 'accept: application/json' \
    -H "InstanceID: 0000-0000-0000-0000" \
    -H "Authorization: <type> ${Concert_API_key}" \
    -H 'Content-Type: multipart/form-data' \
    -F "data_type=static_code_scan" \
    -F "filename=@/Users/jsmith/Desktop/sast-scan.csv" \
    -F 'metadata={"env_name": "prod","repo_url": "<url>", "repo_name":"<string>"}'

Upload certificate details

Certificate data can be uploaded as a CSV file or a JSON file. For detailed steps and sample files, refer to Uploading certificate data.

The following example uploads a CSV file that is called my-certificates.csv.

$CURL -X 'POST' \
    "https://${concert_host}:${port}/ingestion/api/v1/upload_files" \
    -H 'accept: application/csv' \
    -H "InstanceID: 0000-0000-0000-0000" \
    -H "Authorization: <type> ${Concert_API_key}" \
    -H 'Content-Type: multipart/form-data' \
    -F "data_type=certificate" \
    -F 'metadata={"env_name": "prod"}' \
    -F "filename=@my-certificates.csv"

The following example uses a JSON file that is called my-certificates.json to upload certificate data.

$CURL -X 'POST' \
    "https://${concert_host}:${port}/ingestion/api/v1/upload_files" \
    -H 'accept: application/json' \
    -H "InstanceID: 0000-0000-0000-0000" \
    -H "Authorization: <type> ${Concert_API_key}" \
    -H 'Content-Type: multipart/form-data' \
    -F "data_type=certificate" \
    -F "filename=@my-certificates.json"
Note: You can also use the API to upload evidence files. Refer to Upload evidence through API.

HTTP response codes

  • 200 Success - The file was uploaded successfully.
  • 400 Invalid request parameters - Review the details of your request.
  • 401 Unauthorized - Invalid or missing authorization token.
  • 500 Internal Server Error - An error occurred on the server.
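As an added example that is not part of the IBM Concert documentation, the following POSIX shell wrapper assembles the upload_files call described on this page. It picks the Authorization key type from the deployment kind (Table 2), rejects a data_type outside the documented list, checks the metadata keys that Table 3 marks as required for static_code_scan and dynamic_scan, hands curl the Authorization header from a mode-600 temporary file instead of putting the API key on the command line (where it would be visible in the process list and in shell history), and maps the HTTP response codes listed above to distinct exit codes. The environment variable names CONCERT_HOST, CONCERT_PORT, CONCERT_INSTANCE_ID, CONCERT_API_KEY and CONCERT_DRY_RUN, the deployment-kind arguments, the function names and the exit-code scheme are assumptions of this example, not part of the Concert API.

```shell
#!/bin/sh
# Added example, not part of the IBM Concert documentation: a POSIX sh wrapper
# around the documented upload_files call. It validates what the docs specify
# (key type per deployment, the data_type enum, required metadata keys, a
# readable file) before anything is sent, keeps the API key out of argv by
# handing curl the Authorization header from a mode-600 temp file, and turns
# the documented HTTP response codes into distinct exit codes.
# Assumed (constructed) environment: CONCERT_HOST, CONCERT_PORT (default 443),
# CONCERT_INSTANCE_ID, CONCERT_API_KEY, and CONCERT_DRY_RUN=1 to print, not send.

# Table 2: the Authorization key type follows the deployment kind.
concert_auth_type() {
    case "$1" in
        saas|vm)       echo "C_API_KEY" ;;
        ocp|openshift) echo "ZenApiKey" ;;
        *)             return 1 ;;
    esac
}

# data_type values the upload_files endpoint accepts.
concert_valid_data_type() {
    case "$1" in
        application_sbom|package_sbom|image_scan|code_scan|vm_scan|dynamic_scan|static_code_scan|certificate) return 0 ;;
        *) return 1 ;;
    esac
}

# Table 3: metadata keys required regardless of data format. Types whose
# required keys depend on the file format (code_scan, certificate) are not
# checked here and are left to the server's 400 response.
concert_required_metadata() {
    case "$1" in
        static_code_scan) echo "repo_name repo_url" ;;
        dynamic_scan)     echo "env_name access_point_name" ;;
        *)                echo "" ;;
    esac
}

# Usage: concert_upload <saas|vm|ocp> <data_type> <file> [metadata-json]
# Exit: 0 uploaded, 2 rejected locally, 3 rejected by server (4xx), 4 server or transport error
concert_upload() {
    deployment=$1 data_type=$2 file=$3 metadata=${4:-}
    auth_type=$(concert_auth_type "$deployment") || { echo "unknown deployment kind: $deployment" >&2; return 2; }
    concert_valid_data_type "$data_type" || { echo "unsupported data_type: $data_type" >&2; return 2; }
    [ -r "$file" ] || { echo "cannot read file: $file" >&2; return 2; }
    for key in $(concert_required_metadata "$data_type"); do
        case "$metadata" in
            *"\"$key\""*) ;;
            *) echo "metadata is missing required key: $key" >&2; return 2 ;;
        esac
    done
    for v in CONCERT_HOST CONCERT_INSTANCE_ID CONCERT_API_KEY; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "$v is not set" >&2; return 2; }
    done

    # The key reaches curl through a private file, so it never appears in ps output.
    hdr=$(mktemp) || return 2
    chmod 600 "$hdr"
    printf 'Authorization: %s %s\n' "$auth_type" "$CONCERT_API_KEY" > "$hdr"

    # curl sets the multipart Content-Type and boundary itself when -F is used.
    set -- -sS -X POST "https://${CONCERT_HOST}:${CONCERT_PORT:-443}/ingestion/api/v1/upload_files" \
        -H 'accept: application/json' \
        -H "InstanceID: ${CONCERT_INSTANCE_ID}" \
        -H "@${hdr}" \
        -F "data_type=${data_type}" \
        -F "filename=@${file}"
    if [ -n "$metadata" ]; then
        set -- "$@" -F "metadata=${metadata}"
    fi

    if [ "${CONCERT_DRY_RUN:-0}" = "1" ]; then
        printf 'curl %s\n' "$*"   # safe to log: the key is in $hdr, not in the arguments
        rm -f "$hdr"
        return 0
    fi

    body=$(mktemp) || { rm -f "$hdr"; return 2; }
    rc=0
    code=$(curl "$@" -o "$body" -w '%{http_code}') || rc=$?
    rm -f "$hdr"
    [ "$rc" -eq 0 ] || { echo "curl failed with exit code $rc" >&2; rm -f "$body"; return 4; }
    case "$code" in
        200) echo "uploaded $file as $data_type"; rm -f "$body"; return 0 ;;
        400) echo "400 invalid request parameters; response saved in $body" >&2; return 3 ;;
        401) echo "401 unauthorized: check the key type, key value and InstanceID; response in $body" >&2; return 3 ;;
        5??) echo "$code server error; response saved in $body" >&2; return 4 ;;
        *)   echo "unexpected HTTP $code; response saved in $body" >&2; return 4 ;;
    esac
}
```

Run it as, for example, `CONCERT_DRY_RUN=1 concert_upload saas image_scan my-image-scan.csv '{"scanner_name": "trivy"}'` to see the assembled command without sending anything; the printed line contains the path of the header file, never the key itself. The `-H @file` form needs curl 7.55 or later; the explicit Content-Type header from the snippets above is omitted because curl adds it, with the boundary, whenever -F is used.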