From 089887e0998b972d9963936e2d3381fe5c88b1f8 Mon Sep 17 00:00:00 2001 From: Ibrahim Rahhal Date: Fri, 19 Sep 2025 13:10:33 +0300 Subject: [PATCH 01/10] CLI Updates --- cli.mdx | 46 +++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 41 insertions(+), 5 deletions(-) diff --git a/cli.mdx b/cli.mdx index 1c0a0cf..a30d54c 100644 --- a/cli.mdx +++ b/cli.mdx 
@@ -71,29 +71,61 @@ sudo mv corgea /usr/local/bin ### Login with your cli -To authenticate with your API token, use the following command: +To authenticate with the CLI, use the following command. This will redirect you to the web application to authorize the CLI: +```bash +corgea login +``` + +#### Login with custom scope (for customers with Single-Tenant Instance) +**Hint:** Your company scope is the Corgea subdomain, for example: `https://your-company.corgea.app` +```bash +corgea login --scope your-company +``` + + +#### Login with API Key (recommended for CI/CD pipelines) + +For automated pipelines and CI/CD environments, use API key authentication which provides a more reliable, non-interactive authentication method: ```bash corgea login YOUR_API_TOKEN ``` -### Point To A Single-Tenant Instance +You can also set the API token in an environment variable: + + +```bash MacOS/Unix +export CORGEA_API_TOKEN="your-api-token-here" +corgea login +``` + +```bash Windows +$env:CORGEA_API_TOKEN="your-api-token-here" +corgea login +``` + + +#### Point To A Single-Tenant Instance -Customers using a single-tenant instance need to have the CLI point to their instance. +Customers using a single-tenant instance need to configure the CLI to point to their specific instance using the `--url` option: ```bash corgea login --url https://<>.corgea.app YOUR_API_TOKEN ``` -You can also set the URL in an environment variable and the CLI will automatically detect it. +You can also set the URL in an environment variable and the CLI will automatically detect it: ```bash MacOS/Unix export CORGEA_URL="https://<>.corgea.app" +export CORGEA_API_TOKEN="your-api-token-here" +corgea login ``` ```bash Windows $env:CORGEA_URL="https://<>.corgea.app" +$env:CORGEA_API_TOKEN="your-api-token-here" +corgea login ``` 
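Review bot: In the cli.mdx hunk, `corgea login YOUR_API_TOKEN` under "Login with API Key (recommended for CI/CD pipelines)" passes the secret as a command-line argument, which ends up in shell history and is visible to other users through process listings; lead with the `CORGEA_API_TOKEN` environment-variable form (already shown just below it) and present the positional argument as the fallback. Two smaller points in the same hunk: the Windows blocks use PowerShell syntax (`$env:CORGEA_API_TOKEN="..."`) but are fenced as `bash Windows`, so the fence language should be `powershell`; and `https://<>.corgea.app` leaves the placeholder empty where the scope example uses `your-company`, so `https://<your-company>.corgea.app` would be consistent. It would also help to state how `corgea login --scope your-company` relates to `corgea login --url https://<>.corgea.app`, since the hunk now documents both for single-tenant customers without saying when to use which.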
@@ -169,10 +201,14 @@ The Corgea CLI allows you to export scan results to a file, which is particularl corgea scan --out-format=json --out-file=report.json ``` -The CLI currently supports html and json as output formats. +The CLI currently supports html, json and SARIF as output formats. ```bash corgea scan --out-format=html --out-file=report.html ``` + +```bash +corgea scan --out-format=sarif --out-file=report.sarif +``` #### Wait for a Scan To wait for the latest in-progress scan: From 6a68931911a91ba25cc1bebd2620cb733cab2148 Mon Sep 17 00:00:00 2001 From: Ibrahim Rahhal Date: Sat, 20 Sep 2025 15:36:33 +0300 Subject: [PATCH 02/10] fixing pii section --- pii.mdx | 6 ------ 1 file changed, 6 deletions(-) diff --git a/pii.mdx b/pii.mdx index 03ca5ea..9519e56 100644 --- a/pii.mdx +++ b/pii.mdx @@ -29,12 +29,6 @@ description: "PII/PHI Scanning automatically detects and identifies Personally I - Appropriate permissions to run security scans - Access to the scanning service -### Configuration Steps - -1. **Access Scanning Configuration**: Navigate to your project's security scanning settings -2. **Enable PII/PHI Scanning**: Toggle the PII/PHI scanning option to "enabled" -3. **Set Sensitivity Levels**: Configure detection sensitivity based on your compliance requirements -4. **Set Up Notifications**: Configure alerts for detected sensitive data ## Usage Guide From cd075d76936c5dec0e99bac22c179f616cf81663 Mon Sep 17 00:00:00 2001 From: Ahmad Sadeddin Date: Mon, 20 Oct 2025 21:30:51 -0700 Subject: [PATCH 03/10] Fixed a couple of things --- api-reference/authentication.mdx | 211 +++++++++++++++++++++++++------ api-reference/introduction.mdx | 2 +- 2 files changed, 170 insertions(+), 43 deletions(-) diff --git a/api-reference/authentication.mdx b/api-reference/authentication.mdx index 0145f58..e999e86 100644 --- a/api-reference/authentication.mdx +++ b/api-reference/authentication.mdx 
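Review bot: In the second cli.mdx hunk, "supports html, json and SARIF" mixes casing; the flag values are `html`, `json` and `sarif`, so either put all three in code spans in lowercase or write HTML, JSON and SARIF as format names. In the pii.mdx hunk, deleting "### Configuration Steps" leaves the Prerequisites list followed directly by "## Usage Guide" with nothing telling the reader how PII/PHI scanning is enabled; if the steps were wrong rather than unnecessary, a one-line pointer to where the scan type is switched on would close the gap.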
@@ -1,60 +1,156 @@ --- title: 'Authentication' -description: 'Corgea API Endpoints' +description: 'Corgea API Authentication and Token Verification' --- +# Authentication -# Authentication and Token Verification +## Overview -## Introduction +The Corgea API uses API key authentication to secure access to all endpoints. Authentication is done via a custom header that must be included with every API request. -Authentication is a crucial part of interacting with the Corgea CLI API. The API uses token-based authentication to ensure secure access to its endpoints. This section covers how to verify your token using the provided endpoint. +## Authentication Method -## Verify Token +### API Key Header + +All API requests require authentication using the `CORGEA-TOKEN` header: + +- **Header Name**: `CORGEA-TOKEN` +- **Type**: API Key +- **Location**: Request Header +- **Required**: Yes (for all endpoints) + +### Getting Your API Token + +You can obtain your API token from the Corgea web application: + +1. Log in to your Corgea account at [https://www.corgea.app](https://www.corgea.app) +2. Navigate to Settings → API Keys +3. Generate a new API key or copy an existing one +4. Store it securely - treat it like a password + + +Never share your API token or commit it to version control. Use environment variables or secure secret management systems to store your tokens. + + +## Making Authenticated Requests + +Include your API token in the `CORGEA-TOKEN` header with every request: + + + +```bash cURL +curl -X GET "https://www.corgea.app/api/v1/verify" \ + -H "CORGEA-TOKEN: your_api_token_here" +``` + +```python Python +import requests + +headers = { + "CORGEA-TOKEN": "your_api_token_here" +} + +response = requests.get( + "https://www.corgea.app/api/v1/verify", + headers=headers +) +``` -The Verify Token endpoint allows you to check the validity of your token. This is the first step in ensuring you have the necessary permissions to access other API endpoints. 
+```javascript JavaScript +const headers = { + 'CORGEA-TOKEN': 'your_api_token_here' +}; + +fetch('http://github.com/service/https://www.corgea.app/api/v1/verify', { + method: 'GET', + headers: headers +}) + .then(response => response.json()) + .then(data => console.log(data)); +``` + + + +## Verify Token ### Endpoint -- **URL**: `https://corgea.app/api/cli/verify/{token}` -- **Method**: `GET` +Verify the validity of your API token and optionally retrieve user information. -### Parameters +- **URL**: `https://www.corgea.app/api/v1/verify` +- **Method**: `GET` +- **Authentication**: Required (CORGEA-TOKEN header) -| Name | In | Type | Required | Description | -|-------|------|--------|----------|-----------------------| -| token | path | string | yes | The token to be verified | +### Query Parameters -### Request Example +| Name | Type | Required | Default | Description | +|-----------|---------|----------|---------|------------------------------------------------| +| user_info | boolean | No | false | Whether to include user information in response | -The `` component works similar to CodeGroup, but displays the request content on the right sidebar. Thus, you can put multiple code blocks inside ``. 
+### Request Examples -```shell -# cURL -curl -X GET "https://corgea.app/api/cli/verify/your_token_here" +```bash Basic Verification +curl -X GET "https://www.corgea.app/api/v1/verify" \ + -H "CORGEA-TOKEN: your_api_token_here" +``` + +```bash With User Info +curl -X GET "https://www.corgea.app/api/v1/verify?user_info=true" \ + -H "CORGEA-TOKEN: your_api_token_here" ``` -```http -# HTTP Request -GET /cli/verify/your_token_here HTTP/1.1 -Host: corgea.app +```python Python +import requests + +headers = { + "CORGEA-TOKEN": "your_api_token_here" +} + +# Basic verification +response = requests.get( + "https://www.corgea.app/api/v1/verify", + headers=headers +) + +# With user info +response = requests.get( + "https://www.corgea.app/api/v1/verify", + headers=headers, + params={"user_info": True} +) ``` +### Response Examples + -```json -# Success Response +```json Basic Response { "status": "ok" } ``` -```json -# Error Response +```json With User Info +{ + "status": "ok", + "user": { + "id": 12345, + "email": "user@example.com", + "name": "John Doe", + "company": { + "id": 67890, + "name": "Acme Corporation" + } + } +} +``` + +```json Invalid Token { "status": "error" } 
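Review bot: The request examples in this hunk use URLs prefixed with `https://www.corgea.app/api/v1/verify` (cURL and Python) and `http://github.com/service/https://www.corgea.app/api/v1/verify` (the JavaScript `fetch`), which do not match the endpoint the same hunk documents as `https://www.corgea.app/api/v1/verify`; these read as link-rewriting residue and should be the plain endpoint URL. In the Python "With user info" example, `params={"user_info": True}` is serialised by `requests` as `user_info=True`, not the `user_info=true` the cURL example sends; pass the string `"true"` unless the server is known to accept both spellings. The JavaScript example also calls `response.json()` without checking `response.ok`, so a 401 body is handled as success; add `if (!response.ok) throw new Error(response.status)` before parsing so the example matches the Response Codes table.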
@@ -64,30 +160,61 @@ Host: corgea.app ### Response Codes -- `200 OK`: The token is valid. -- `400 Bad Request`: The token is invalid. +| Status Code | Description | +|-------------|---------------------------------------| +| 200 | Token is valid | +| 401 | Invalid or missing authentication token | -### Usage +## Common Authentication Errors -To use this endpoint, replace `your_token_here` with the actual token you wish to verify. This will return a JSON response indicating whether the token is valid or not. +### Missing Token -### Example Scenario +If you don't include the `CORGEA-TOKEN` header, you'll receive a `401 Unauthorized` response: -#### Step-by-Step Example +```json +{ + "status": "error" +} +``` -1. **Prepare the request**: - - Ensure you have your token ready. - - Use the `curl` command or any HTTP client to send a GET request to the endpoint. +### Invalid Token -2. **Send the request**: - - Execute the request in your terminal or HTTP client. +If your token is invalid or expired, you'll receive a `401 Unauthorized` response: -3. **Check the response**: - - If the response status is `200 OK` and `status` is `ok`, your token is valid. - - If the response status is `400 Bad Request` and `status` is `error`, your token is invalid. +```json +{ + "status": "error" +} +``` -### Notes +## Best Practices + + + + Store API tokens in environment variables or secure secret management systems, never in code. + + + Regularly rotate your API tokens to maintain security. + + + Create separate tokens for different applications or environments. + + + Regularly review API token usage and revoke unused tokens. + + + +## Testing Your Token + +Use the verify endpoint to test your token before making other API calls: + +```bash +curl -X GET "https://www.corgea.app/api/v1/verify?user_info=true" \ + -H "CORGEA-TOKEN: your_api_token_here" +``` -- Always ensure your token is kept secure and not exposed in public repositories or logs. 
-- Use this endpoint as the first step before making requests to other endpoints to confirm your token's validity. +If successful, you'll see your user information, confirming that: +- ✅ Your token is valid +- ✅ Your token is properly formatted in the header +- ✅ You can proceed with other API requests diff --git a/api-reference/introduction.mdx b/api-reference/introduction.mdx index 1eba9f2..aefd841 100644 --- a/api-reference/introduction.mdx +++ b/api-reference/introduction.mdx @@ -160,7 +160,7 @@ Paginated responses include: Learn how to authenticate your API requests - + Contact our support team for assistance From e611b088c90b2c4a5c15337da3c7a81ba4303f1f Mon Sep 17 00:00:00 2001 From: Ahmad Sadeddin Date: Thu, 23 Oct 2025 08:31:00 -0700 Subject: [PATCH 04/10] v1.50.4 --- changelog.mdx | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/changelog.mdx b/changelog.mdx index 228e767..e4df09e 100644 --- a/changelog.mdx +++ b/changelog.mdx 
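Review bot: In the Response Codes hunk the old text documented `400 Bad Request` for an invalid token and the new table says `401`; since the JSON body is identical in both the "Missing Token" and "Invalid Token" cases (`{"status": "error"}`), confirm against the server that the status code really changed rather than only the docs, and tell readers that the body alone does not distinguish a missing header from a rejected token. "If your token is invalid or expired" introduces expiry, but nothing on the page says tokens expire; either document the lifetime or drop "expired". In the introduction.mdx hunk the only visible change is a blank line (`-` / `+` with no content), so check that the intended edit survived.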
@@ -4,7 +4,32 @@ description: "Product updates and announcements" --- - + + **New Features & Enhancements:** + - Enhanced Export Capabilities: Added support for exporting CSV reports that include false positive data for comprehensive security analysis. + - Advanced API Filtering: Introduced filtering and sorting capabilities in the API to provide more flexible data access and integration options. + - Third-Party Scanner Integration: Improved support for third-party security scanners with enhanced deep linking capabilities for seamless workflow integration. + - Checkmarx Integration: Added additional context support for Checkmarx scans to provide more detailed security insights. + + **Performance & Usability Improvements:** + - Scan List Optimization: Significantly improved page load times for the scan list to provide faster navigation and better user experience. + - Enhanced Issue Management: Fixed issues with false positive visibility controls to ensure accurate issue filtering and management. + - Improved Scan Organization: Code quality scans are now properly excluded from the main scan list for cleaner project organization. + + **Platform Reliability:** + - Enhanced Monitoring: Improved system monitoring with heartbeat functionality for better service reliability. + - Issue Status Management: Fixed issue status inheritance to ensure consistent status tracking across projects. + - Jira Integration: Resolved Jira integration issues for seamless ticket management. + - File Type Handling: Improved file type detection and processing for more accurate scan results. + + **General Improvements:** + - Various bug fixes and performance enhancements across the platform. + - Improved user experience based on customer feedback. + - Enhanced system stability and reliability. + + + + **New Features & Enhancements:** - Project Management: Added permissions to allow authorized users to delete projects when needed. 
- CWE Filtering: Introduced an option to filter vulnerabilities by CWE category directly in project settings. @@ -27,7 +52,7 @@ description: "Product updates and announcements" - + **New Features:** - Risk Management Enhancements: Added automatic expiry options for accepted risks, making it easier to manage ongoing security decisions. - Project Settings Update: Improved project settings interface for a smoother configuration experience. From ad7944853b94d097755fd419449b9b11d8eb3f58 Mon Sep 17 00:00:00 2001 From: Ahmad Sadeddin Date: Sat, 25 Oct 2025 16:37:11 -0700 Subject: [PATCH 05/10] Updated api --- .vscode/corgea.extension.log | 14 ++ api-reference/openapi.json | 286 +++++++++++++++++++++++++++++++++-- 2 files changed, 288 insertions(+), 12 deletions(-) diff --git a/.vscode/corgea.extension.log b/.vscode/corgea.extension.log index a04cb7b..81f79fd 100644 --- a/.vscode/corgea.extension.log +++ b/.vscode/corgea.extension.log 
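Review bot: In the changelog.mdx hunk the new release entry carries no version or date in the visible lines even though the commit subject is "v1.50.4"; if a wrapping component supplies the label this is fine, otherwise the entry is unlabelled. The second hunk (`@@ -27,7 +52,7 @@`) removes and re-adds a blank line with no visible content change, so confirm it is intentional.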
@@ -238,3 +238,17 @@ [2025-10-21T04:21:43.838Z] Response Status: 200 [2025-10-21T04:21:43.838Z] Response Headers: {"date":"Tue, 21 Oct 2025 04:21:43 GMT","server":"WSGIServer/0.2 CPython/3.12.12","content-type":"application/json","x-frame-options":"DENY","content-length":"30","vary":"Cookie","x-content-type-options":"nosniff","referrer-policy":"same-origin","cross-origin-opener-policy":"same-origin"} [2025-10-21T04:21:43.838Z] Response Data: {"status":"no_project_found"} +[2025-10-23T23:29:00.705Z] Request: GET https://wf.corgea.app/api/v1/issues +[2025-10-23T23:29:00.705Z] Request Headers: {"Accept":"application/json, text/plain, */*","CORGEA-TOKEN":"447a3567-ffb2-4094-a21b-7bc182097715"} +[2025-10-23T23:29:00.705Z] Request Params: {"project":"docs","page":1,"page_size":50} +[2025-10-23T23:29:00.705Z] Request Data: undefined +[2025-10-23T23:29:15.690Z] Response Status: 200 +[2025-10-23T23:29:15.691Z] Response Headers: {"date":"Thu, 23 Oct 2025 23:29:15 GMT","content-type":"application/json","transfer-encoding":"chunked","connection":"close","nel":"{\"report_to\":\"cf-nel\",\"success_fraction\":0.0,\"max_age\":604800}","server":"cloudflare","x-frame-options":"DENY","vary":"Cookie","x-content-type-options":"nosniff","referrer-policy":"same-origin","cross-origin-opener-policy":"same-origin","cf-cache-status":"DYNAMIC","strict-transport-security":"max-age=0","report-to":"{\"group\":\"cf-nel\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://a.nel.cloudflare.com/report/v4?s=4FnmsCRYPsU1Q9fWj2s9%2Bc7V9Q8IwG049Dw%2BRms7Oak8CA5s%2BWvrKilNXMJvHk3xN8%2F6H4RcZ8B1LWb4EQHy3nBQfW7zQOyqiQUHiQ%3D%3D\"}]}","set-cookie":["AWSALB=lFkFWp2CHEekCoSAlNb7kGCOsvN8U9RChMCuE754fPvK35cV2XVCPakQcMbGToYZwat0QSs82wBnzL4P9rcvBaPKw3C5BZo+UcsaYox10odQLcfAXqMOhvgxFuo9; Path=/; Expires=Thu, 30 Oct 2025 23:29:15 GMT","AWSALBCORS=lFkFWp2CHEekCoSAlNb7kGCOsvN8U9RChMCuE754fPvK35cV2XVCPakQcMbGToYZwat0QSs82wBnzL4P9rcvBaPKw3C5BZo+UcsaYox10odQLcfAXqMOhvgxFuo9; SameSite=None; Secure; Path=/; 
Expires=Thu, 30 Oct 2025 23:29:15 GMT"],"cf-ray":"993503f8bbed7aeb-SJC"} +[2025-10-23T23:29:15.691Z] Response Data: {"status":"no_project_found"} +[2025-10-23T23:29:15.691Z] Request: GET https://wf.corgea.app/api/v1/issues +[2025-10-23T23:29:15.691Z] Request Headers: {"Accept":"application/json, text/plain, */*","CORGEA-TOKEN":"447a3567-ffb2-4094-a21b-7bc182097715"} +[2025-10-23T23:29:15.691Z] Request Params: {"project":"docs","page":1,"page_size":50} +[2025-10-23T23:29:15.691Z] Request Data: undefined +[2025-10-23T23:29:15.932Z] Response Status: 200 +[2025-10-23T23:29:15.932Z] Response Headers: {"date":"Thu, 23 Oct 2025 23:29:15 GMT","content-type":"application/json","transfer-encoding":"chunked","connection":"close","nel":"{\"report_to\":\"cf-nel\",\"success_fraction\":0.0,\"max_age\":604800}","server":"cloudflare","x-frame-options":"DENY","vary":"Cookie","x-content-type-options":"nosniff","referrer-policy":"same-origin","cross-origin-opener-policy":"same-origin","cf-cache-status":"DYNAMIC","strict-transport-security":"max-age=0","report-to":"{\"group\":\"cf-nel\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://a.nel.cloudflare.com/report/v4?s=ZnB0plukOeUTWrMWWAcA2YmVFlOPiiF5E48JxOwqyi9QlbEtNtH46E1pni3p5NuRPk2Sb28yXARJDI%2B0X656BkIg7zvCmFG6nERFkQ%3D%3D\"}]}","set-cookie":["AWSALB=1aVNISb1dMUjtQJRLXidQROtzEtbEfEpUFWq1VASwjhjkZBxIkKVf1/hka1al705eI++c8JdZ1n6ocnR4pTryPUBiWifQeC8qpnQYWf73mh2xgGfG2ONOv+S72ZP; Path=/; Expires=Thu, 30 Oct 2025 23:29:15 GMT","AWSALBCORS=1aVNISb1dMUjtQJRLXidQROtzEtbEfEpUFWq1VASwjhjkZBxIkKVf1/hka1al705eI++c8JdZ1n6ocnR4pTryPUBiWifQeC8qpnQYWf73mh2xgGfG2ONOv+S72ZP; SameSite=None; Secure; Path=/; Expires=Thu, 30 Oct 2025 23:29:15 GMT"],"cf-ray":"993503fa2d047aeb-SJC"} +[2025-10-23T23:29:15.932Z] Response Data: {"status":"no_project_found"} diff --git a/api-reference/openapi.json b/api-reference/openapi.json index 65a5f3f..0d583bf 100644 --- a/api-reference/openapi.json +++ b/api-reference/openapi.json 
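Review bot: The `.vscode/corgea.extension.log` hunk commits a request log that contains a live `CORGEA-TOKEN` value (`447a3567-ffb2-4094-a21b-7bc182097715`) in the Request Headers lines, plus `AWSALB`/`AWSALBCORS` session cookies from the Set-Cookie headers; this file must not be in the repository at all. Revoke and reissue that token now (rewriting the branch does not unpublish it), delete the file from the tree, add `.vscode/*.log` or the whole `.vscode/` directory to `.gitignore`, and rewrite history to drop the earlier revision as well, since `index a04cb7b..81f79fd` shows the log was already tracked before this patch. The extension should also redact the `CORGEA-TOKEN` header before writing request headers to disk, so that a future accidental commit leaks nothing.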
@@ -694,6 +694,96 @@ "maximum": 50 }, "description": "The number of results per page" + }, + { + "name": "urgency", + "in": "query", + "required": false, + "schema": { + "type": "string" + }, + "description": "Filter by urgency levels (comma-separated). Valid values: CR, HI, ME, LO", + "example": "CR,HI" + }, + { + "name": "status", + "in": "query", + "required": false, + "schema": { + "type": "string" + }, + "description": "Filter by status (comma-separated). Valid values: fixed, false_positive, accepted_risk, open, fix_in_progress, duplicate", + "example": "open,fix_in_progress" + }, + { + "name": "confidence", + "in": "query", + "required": false, + "schema": { + "type": "string" + }, + "description": "Filter by confidence levels (comma-separated). Valid values: HI, ME, LO", + "example": "HI,ME" + }, + { + "name": "language", + "in": "query", + "required": false, + "schema": { + "type": "string" + }, + "description": "Filter by programming language (case-insensitive)", + "example": "python" + }, + { + "name": "file_path", + "in": "query", + "required": false, + "schema": { + "type": "string" + }, + "description": "Filter by file path (partial match)", + "example": "src/auth" + }, + { + "name": "classification", + "in": "query", + "required": false, + "schema": { + "type": "string" + }, + "description": "Filter by classification/CWE (partial match)", + "example": "CWE-89" + }, + { + "name": "sla_status", + "in": "query", + "required": false, + "schema": { + "type": "string" + }, + "description": "Filter by SLA status (comma-separated). Valid values: overdue, escalated", + "example": "overdue" + }, + { + "name": "sort_by", + "in": "query", + "required": false, + "schema": { + "type": "string", + "enum": [ + "created_at", + "-created_at", + "urgency", + "-urgency", + "status", + "-status", + "classification", + "-classification" + ] + }, + "description": "Sort results by field (prefix with '-' for descending order)", + "example": "-created_at" } ], "responses": { 
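Review bot: In this hunk the comma-separated filters (`urgency`, `status`, `confidence`, `sla_status`) are typed as free-form `string`, so the "Valid values" in the descriptions cannot be enforced by validators or generated clients; model them as `"type": "array"` with `"items": {"type": "string", "enum": [...]}` and `"style": "form", "explode": false`, which serialises to exactly the `CR,HI` form shown in the examples. Also, the `status` values listed here (`fix_in_progress`, `duplicate`) differ from the `status` enum in the issue schema later in this same patch (`open, in_progress, fixed, accepted_risk, false_positive`), so one of the two is wrong.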
@@ -867,6 +957,86 @@ "maximum": 50 }, "description": "The number of results per page" + }, + { + "name": "severity", + "in": "query", + "required": false, + "schema": { + "type": "string" + }, + "description": "Filter by severity levels (comma-separated). Valid values: CRITICAL, HIGH, MEDIUM, LOW", + "example": "CRITICAL,HIGH" + }, + { + "name": "package", + "in": "query", + "required": false, + "schema": { + "type": "string" + }, + "description": "Filter by package name (partial match)", + "example": "lodash" + }, + { + "name": "ecosystem", + "in": "query", + "required": false, + "schema": { + "type": "string" + }, + "description": "Filter by package ecosystem (case-insensitive)", + "example": "npm" + }, + { + "name": "cve", + "in": "query", + "required": false, + "schema": { + "type": "string" + }, + "description": "Filter by CVE identifier (partial match)", + "example": "CVE-2021" + }, + { + "name": "path", + "in": "query", + "required": false, + "schema": { + "type": "string" + }, + "description": "Filter by file path (partial match)", + "example": "package.json" + }, + { + "name": "has_fix", + "in": "query", + "required": false, + "schema": { + "type": "boolean" + }, + "description": "Filter by whether a fix is available (true/false)", + "example": true + }, + { + "name": "sort_by", + "in": "query", + "required": false, + "schema": { + "type": "string", + "enum": [ + "created_at", + "-created_at", + "severity", + "-severity", + "package", + "-package", + "ecosystem", + "-ecosystem" + ] + }, + "description": "Sort results by field (prefix with '-' for descending order)", + "example": "-severity" } ], "responses": { 
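Review bot: Same point as on the issues endpoint: `severity` is described as a fixed set (`CRITICAL, HIGH, MEDIUM, LOW`) but typed as a plain `string`; an array of enum strings with `"explode": false` keeps the `CRITICAL,HIGH` wire form while letting tooling reject typos. `cve` is described as a partial match with example `CVE-2021`; if the comparison is case-insensitive, say so, since the `ecosystem` description states that and this one does not.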
@@ -954,6 +1124,86 @@ "maximum": 50 }, "description": "The number of results per page" + }, + { + "name": "severity", + "in": "query", + "required": false, + "schema": { + "type": "string" + }, + "description": "Filter by severity levels (comma-separated). Valid values: CRITICAL, HIGH, MEDIUM, LOW", + "example": "CRITICAL,HIGH" + }, + { + "name": "package", + "in": "query", + "required": false, + "schema": { + "type": "string" + }, + "description": "Filter by package name (partial match)", + "example": "lodash" + }, + { + "name": "ecosystem", + "in": "query", + "required": false, + "schema": { + "type": "string" + }, + "description": "Filter by package ecosystem (case-insensitive)", + "example": "npm" + }, + { + "name": "cve", + "in": "query", + "required": false, + "schema": { + "type": "string" + }, + "description": "Filter by CVE identifier (partial match)", + "example": "CVE-2021" + }, + { + "name": "path", + "in": "query", + "required": false, + "schema": { + "type": "string" + }, + "description": "Filter by file path (partial match)", + "example": "package.json" + }, + { + "name": "has_fix", + "in": "query", + "required": false, + "schema": { + "type": "boolean" + }, + "description": "Filter by whether a fix is available (true/false)", + "example": true + }, + { + "name": "sort_by", + "in": "query", + "required": false, + "schema": { + "type": "string", + "enum": [ + "created_at", + "-created_at", + "severity", + "-severity", + "package", + "-package", + "ecosystem", + "-ecosystem" + ] + }, + "description": "Sort results by field (prefix with '-' for descending order)", + "example": "-severity" } ], "responses": { 
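Review bot: This hunk is a byte-for-byte copy of the seven parameters added to the previous endpoint (`severity`, `package`, `ecosystem`, `cve`, `path`, `has_fix`, `sort_by`); define them once under `components.parameters` and reference each with `$ref` so the two SCA endpoints cannot drift apart the next time one of them is edited.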
@@ -1414,17 +1664,17 @@ "description": "Base64-encoded JSON string containing repository information (branch_name, integration_url, etc.)" } ], - "requestBody": { - "required": true, - "description": "The scan report content as UTF-8 text (typically SARIF or JSON format)", - "content": { - "text/plain": { - "schema": { - "type": "string" - } + "requestBody": { + "required": true, + "description": "The scan report content as UTF-8 text (typically SARIF or JSON format)", + "content": { + "text/plain": { + "schema": { + "type": "string" } } - }, + } + }, "responses": { "200": { "description": "Scan report uploaded successfully", @@ -1857,7 +2107,13 @@ }, "status": { "type": "string", - "enum": ["open", "in_progress", "fixed", "accepted_risk", "false_positive"] + "enum": [ + "open", + "in_progress", + "fixed", + "accepted_risk", + "false_positive" + ] }, "sla_status": { "type": "string", @@ -1887,7 +2143,13 @@ }, "status": { "type": "string", - "enum": ["open", "in_progress", "fixed", "accepted_risk", "false_positive"] + "enum": [ + "open", + "in_progress", + "fixed", + "accepted_risk", + "false_positive" + ] }, "urgency": { "type": "string", @@ -2111,4 +2373,4 @@ } } } -} \ No newline at end of file +} From 26e186dab52e43ea31462aae84574740ec5c0e94 Mon Sep 17 00:00:00 2001 From: Ahmad Sadeddin Date: Mon, 27 Oct 2025 15:09:00 -0700 Subject: [PATCH 06/10] Added Swift --- language_support.mdx | 12 ++++++------ mint.json | 4 ++-- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/language_support.mdx b/language_support.mdx index b11dbbd..90c5469 100644 --- a/language_support.mdx +++ b/language_support.mdx 
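Review bot: The two `status` enum hunks (`@@ -1857` and `@@ -1887`) only reflow the array, but the value set `open, in_progress, fixed, accepted_risk, false_positive` does not match the `status` query filter added earlier in this patch, which lists `fix_in_progress` and `duplicate`; fix the mismatch here rather than only reformatting. The `requestBody` hunk is indentation-only and the braces still pair up, but hand-reindenting a JSON file of this size is where a stray comma slips in, so run the file through a JSON validator before merging.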
@@ -50,7 +50,11 @@ Here's a detailed breakdown of the languages and frameworks currently supported ### **C & C++** - **Native Language Support**: Corgea handles low-level programming constructs including pointers, memory management, and templates. - Focuses on memory-related vulnerabilities, buffer overflows, and system-level security issues common in C/C++ applications. -- Enabled for false positive detection and auto-fixing. Coming to scanning soon. +- Enabled for false positive detection and auto-fixing. Coming to scanning soon. + +### **Swift** +- **Native Language Support**: Corgea analyzes Swift-specific features including optionals, protocol extensions, generics, and value types. +- Enhances security in iOS and macOS application development, addressing vulnerabilities like insecure data storage, improper SSL/TLS validation, and insecure inter-process communication. ## Key Features Across All Supported Languages @@ -65,8 +69,4 @@ Here's a detailed breakdown of the languages and frameworks currently supported 5. **Continuous Learning**: Corgea's AI model is constantly updated to address new security threats and CWEs as they emerge. ## Roadmap -We're committed to expanding our language and framework support. Our upcoming roadmap includes: - -- **Swift**: To enhance security in iOS and macOS application development, including Swift-specific features like optionals and protocol extensions. - -Stay tuned for updates as we continue to broaden our support, ensuring Corgea remains at the forefront of code security across diverse development environments. \ No newline at end of file +We're committed to expanding our language and framework support. Stay tuned for updates as we continue to broaden our support, ensuring Corgea remains at the forefront of code security across diverse development environments. diff --git a/mint.json b/mint.json index 60d794e..89e58de 100644 --- a/mint.json +++ b/mint.json 
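Review bot: In the language_support.mdx hunk the C & C++ line "Enabled for false positive detection and auto-fixing. Coming to scanning soon." is removed and re-added with no visible change, so it is a whitespace edit, while the new Swift entry does not say which capabilities apply (scanning, false positive detection, auto-fixing); since Swift was just promoted from the roadmap, readers will ask exactly that. Add the same status line the C & C++ entry carries.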
@@ -12,7 +12,7 @@ "dark": "#F56C26", "background": { "light": "#fffdfd", - "dark": "#131313" + }, "anchors": { "from": "#F56C26", @@ -134,4 +134,4 @@ "measurementId": "G-GGF9NXG1LJ" } } -} \ No newline at end of file +} From 0272dbdd5b69e6c4187ae8328f186b401a823a53 Mon Sep 17 00:00:00 2001 From: Ahmad Sadeddin Date: Mon, 27 Oct 2025 15:12:58 -0700 Subject: [PATCH 07/10] Corrected mint error --- mint.json | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/mint.json b/mint.json index 89e58de..e4fb0c6 100644 --- a/mint.json +++ b/mint.json @@ -12,7 +12,7 @@ "dark": "#F56C26", "background": { "light": "#fffdfd", - + "dark": "#131313" }, "anchors": { "from": "#F56C26", @@ -60,7 +60,7 @@ "introduction", "quickstart", { - "group": "Setup & Configuration", + "group": "Setup & Configuration", "pages": ["how_it_works"] } ] @@ -70,11 +70,23 @@ "pages": [ { "group": "Security Analysis", - "pages": ["blast", "sca", "pii", "vulnerability_support", "language_support" , "scanning"] + "pages": [ + "blast", + "sca", + "pii", + "vulnerability_support", + "language_support", + "scanning" + ] }, { "group": "Issue Management", - "pages": ["fixes", "false_positive", "issue_assignment", "issue_export"] + "pages": [ + "fixes", + "false_positive", + "issue_assignment", + "issue_export" + ] }, { "group": "Policy Management", From 736abb5ecba8690fac7853a8cb87132ee625bc7d Mon Sep 17 00:00:00 2001 From: Ahmad Sadeddin Date: Thu, 30 Oct 2025 14:51:02 -0700 Subject: [PATCH 08/10] v1.50.7 --- changelog.mdx | 40 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/changelog.mdx b/changelog.mdx index e4df09e..3187dc4 100644 --- a/changelog.mdx +++ b/changelog.mdx 
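Review bot: The mint.json hunk in PATCH 06 deletes `"dark": "#131313"` and leaves `"light": "#fffdfd",` with a trailing comma before `}`, which is invalid JSON, and PATCH 07 ("Corrected mint error") puts the line back; squash 07 into 06 so no commit in the series leaves the site config unparseable. In PATCH 07 the `"group": "Setup & Configuration",` line is removed and re-added without visible change (whitespace only) and the page arrays are reflowed one entry per line; both are fine but belong in a separate formatting commit rather than the Swift change.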
@@ -3,6 +3,44 @@ title: "Changelog" description: "Product updates and announcements" --- + + **New Features:** + - Vulnerability Source from OSV: Added detailed vulnerability source information powered by the OSV database, enhancing transparency and traceability in scan results. + + **Improvements:** + - History View: Enhanced the history view for a clearer, more streamlined experience. + - Commenting Experience: Improved commenting interface and added AI-powered LLM explanations for better context understanding. + - Repository Dropdown: Fixed overlapping UI elements between the repository dropdown and navigation bar. + - Search Bar on Projects Page: Refined search functionality for smoother navigation and quicker access to projects. + - Case-Insensitive Branch Search: Dropsite branch search is now case-insensitive for easier usability. + + **Bug Fixes & Stability:** + - Resolved issues with project list visibility for GitHub repositories. + - Improved handling of missing Git user info to prevent failures. + - Addressed GitLab "branch not found" errors gracefully. + - General bug fixes and performance improvements. + + + + **New Features:** + - Scan Audit History: Added a dedicated tab for viewing detailed scan audit history. + + **Improvements:** + - Enhanced messaging and consistency across various pages. + - Displayed a proper 404 error page for invalid scan or issue links. + + **Bug Fixes & Stability:** + - Fixed inaccurate counts on the scan page for non-BLAST scans. + - Improved API handling for invalid or missing scan IDs. + - Stability fixes for integration tests and backend reliability. + + + + **Bug Fixes & Stability:** + - Fixed versioning display to ensure accurate build tracking. + - General fixes and optimizations for smoother performance. + + **New Features & Enhancements:** 
@@ -195,4 +233,4 @@ description: "Product updates and announcements" - Added email notification when fixes are available - Added ability to delete issue - Code integrity improvements - \ No newline at end of file + From b8ba142aa5fe40e8f064c715defea924d7869327 Mon Sep 17 00:00:00 2001 From: Ibrahim Rahhal Date: Sun, 2 Nov 2025 00:51:29 +0300 Subject: [PATCH 09/10] Adding MCP --- mcp.mdx | 447 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ mint.json | 2 +- 2 files changed, 448 insertions(+), 1 deletion(-) create mode 100644 mcp.mdx diff --git a/mcp.mdx b/mcp.mdx new file mode 100644 index 0000000..2d7b82b --- /dev/null +++ b/mcp.mdx 
@@ -0,0 +1,447 @@ +--- +title: 'Model Context Protocol (MCP)' +description: 'Connect AI assistants to Corgea using the Model Context Protocol' +--- + +# Model Context Protocol Integration + +Corgea supports the [Model Context Protocol (MCP)](https://modelcontextprotocol.io/), allowing AI assistants like Claude to directly interact with your security scans, issues, and policies. MCP enables AI models to understand your security context and provide more relevant assistance. + +## What is MCP? + +The Model Context Protocol is an open standard that enables AI models to securely connect to external data sources and tools. With Corgea's MCP integration, AI assistants can: + +- Query your security scan results +- Retrieve vulnerability details +- List and filter security issues +- Access SCA (Software Composition Analysis) data +- Check blocking rules and policies + +## Getting Started + +### Prerequisites + +- A Corgea API token (get it from your account settings) +- An MCP-compatible client (e.g., Claude Desktop, Continue, or any MCP client) + +### Connection Details + +**MCP Server URL:** +``` +https://www.corgea.app/mcp +``` + +Or for single-tenant deployments: +``` +https://.corgea.app/mcp +``` + +**Authentication:** +All MCP requests require authentication using your Corgea API token in the `CORGEA-TOKEN` header. + +## Available Tools + +Corgea's MCP server provides the following tools for AI assistants: + +### get_scan_info + +Get detailed information about a specific SAST scan. + +**Parameters:** +- `scan_id` (string, required): The unique identifier of the scan + +**Returns:** +Detailed scan information including status, findings count, scan date, and repository information. 
+ +**Example:** +```json +{ + "scan_id": "abc123", + "status": "completed", + "created_at": "2024-11-01T10:30:00Z", + "findings_count": 15, + "project": "my-project", + "repository": "https://github.com/myorg/myrepo" +} +``` + +--- + +### get_issue_info + +Get detailed information about a specific security issue. + +**Parameters:** +- `issue_id` (string, required): The unique identifier of the issue + +**Returns:** +Comprehensive issue details including vulnerability type, severity, location, fix recommendations, and remediation status. + +**Example:** +```json +{ + "issue_id": "issue-456", + "title": "SQL Injection", + "severity": "high", + "file": "src/database.py", + "line": 42, + "description": "User input not properly sanitized", + "fix_available": true +} +``` + +--- + +### list_security_issues + +List security issues with optional filtering. + +**Parameters:** +- `scan_id` (string, optional): Filter issues by scan ID +- `project` (string, optional): Filter issues by project name +- `repo` (string, optional): Filter issues by repository URL + +**Returns:** +List of security issues matching the specified filters. + +**Example:** +```json +{ + "status": "ok", + "count": 25, + "issues": [ + { + "id": "issue-123", + "title": "Cross-Site Scripting (XSS)", + "severity": "medium", + "status": "open" + } + ] +} +``` + +--- + +### list_sca_security_issues + +List Software Composition Analysis (SCA) security issues with optional filtering. + +**Parameters:** +- `scan_id` (string, optional): Filter issues by scan ID +- `project` (string, optional): Filter issues by project name +- `repo` (string, optional): Filter issues by repository URL + +**Returns:** +List of SCA issues including vulnerable dependencies, CVEs, and version information. 
+ +**Example:** +```json +{ + "status": "ok", + "count": 12, + "sca_issues": [ + { + "id": "sca-789", + "package": "lodash", + "current_version": "4.17.15", + "fixed_version": "4.17.21", + "cve": "CVE-2021-23337", + "severity": "high" + } + ] +} +``` + +--- + +### list_scans + +List all SAST scans with optional project filtering. + +**Parameters:** +- `project` (string, optional): Filter scans by project name + +**Returns:** +List of scans with basic information including scan ID, date, status, and findings count. + +**Example:** +```json +{ + "status": "ok", + "count": 50, + "scans": [ + { + "id": "scan-001", + "project": "web-app", + "created_at": "2024-11-01T09:00:00Z", + "status": "completed", + "findings": 8 + } + ] +} +``` + +--- + +### get_blocking_rules + +Get all blocking rules configured for your organization. + +**Parameters:** +None + +**Returns:** +List of blocking rules that prevent deployments based on security policies. + +**Example:** +```json +{ + "status": "ok", + "rules": [ + { + "id": "rule-1", + "name": "Block Critical Vulnerabilities", + "condition": "severity >= critical", + "action": "block", + "enabled": true + } + ] +} +``` + +## Setting Up MCP Clients + +### Claude Desktop + +Add Corgea to your Claude Desktop configuration: + +1. Open Claude Desktop settings +2. Navigate to the "Developer" section +3. Edit your MCP configuration file +4. Add the Corgea MCP server: + +```json +{ + "mcpServers": { + "corgea": { + "url": "https://www.corgea.app/mcp", + "headers": { + "CORGEA-TOKEN": "your_api_token_here" + } + } + } +} +``` + +### Cursor IDE + +Add Corgea to your Cursor MCP configuration: + +1. Open Cursor Settings (Cmd/Ctrl + Shift + J) +2. Navigate to "Cursor Settings" → "Models" → "MCP" +3. Or directly edit your MCP settings file at: + - **macOS/Linux**: `~/.cursor/mcp.json` + - **Windows**: `%APPDATA%\Cursor\User\mcp.json` + +4. 
Add the Corgea MCP server: + +```json +{ + "mcpServers": { + "corgea": { + "command": "npx", + "args": [ + "-y", + "@modelcontextprotocol/server-fetch", + "https://www.corgea.app/mcp" + ], + "env": { + "CORGEA_TOKEN": "your_api_token_here" + } + } + } +} +``` + +**Alternative Configuration (Direct HTTP):** + +If you're using a custom MCP client that supports direct HTTP connections: + +```json +{ + "mcpServers": { + "corgea": { + "url": "https://www.corgea.app/mcp", + "headers": { + "CORGEA-TOKEN": "your_api_token_here" + } + } + } +} +``` + +### Continue IDE Extension + +Add Corgea to your Continue configuration: + +```json +{ + "contextProviders": [ + { + "name": "corgea", + "params": { + "serverUrl": "https://www.corgea.app/mcp", + "headers": { + "CORGEA-TOKEN": "your_api_token_here" + } + } + } + ] +} +``` + +## Use Cases + +### Security-Aware Code Review + +Connect your AI assistant to Corgea and ask questions like: +- "What are the critical security issues in my last scan?" +- "Show me all SQL injection vulnerabilities in the authentication module" +- "Are there any high-severity SCA issues in my dependencies?" + +### Vulnerability Analysis + +Let AI help you understand and prioritize vulnerabilities: +- "Explain the security issue in issue-456 and suggest how to fix it" +- "Which vulnerabilities should I fix first based on severity and exploitability?" +- "What are the blocking rules that would prevent this deployment?" + +### Automated Remediation Planning + +Use AI to plan security fixes: +- "Create a remediation plan for all high-severity issues in scan-123" +- "What dependencies need to be updated to fix SCA issues?" 
+- "Generate a report of all open security issues grouped by file" + +## Best Practices + + + + - Never commit your API token to version control + - Rotate tokens periodically + - Use environment variables or secure secret managers + - Revoke tokens immediately if compromised + + + + - Use project and repo filters to narrow results + - Start with specific scans when debugging + - Filter by severity when prioritizing work + + + + - Request only the data you need + - Use specific issue/scan IDs when possible + - Cache results when appropriate + - Respect rate limits + + + +## Authentication + +All MCP tool calls require a valid Corgea API token passed in the `CORGEA-TOKEN` header. + +**Getting Your Token:** +1. Log in to your Corgea account +2. Navigate to Settings → API Keys +3. Generate a new API token +4. Copy the token and add it to your MCP client configuration + + +Keep your API token secure. Anyone with access to your token can query your security data through the MCP interface. + + +## Response Format + +All MCP tool responses follow the standard Corgea API response format: + +**Success Response:** +```json +{ + "status": "ok", + "data": { } +} +``` + +**Error Response:** +```json +{ + "status": "error", + "message": "Description of the error", + "error": "Detailed error information" +} +``` + +## Rate Limits + +MCP requests are subject to the same rate limits as standard API requests: +- 100 requests per minute per token +- 1000 requests per hour per token + +If you exceed rate limits, you'll receive a `429 Too Many Requests` response. 
+ +## Troubleshooting + +### Connection Issues + +**Problem:** Cannot connect to MCP server + +**Solutions:** +- Verify your API token is valid using the `/verify` endpoint +- Check that the `CORGEA-TOKEN` header is correctly configured +- Ensure your network allows HTTPS connections to corgea.app + +### Authentication Errors + +**Problem:** Receiving 401 Unauthorized responses + +**Solutions:** +- Verify your API token hasn't expired +- Check that the token is passed in the `CORGEA-TOKEN` header (not Authorization) +- Ensure your token has the necessary permissions + +### Empty Results + +**Problem:** Queries return no data + +**Solutions:** +- Verify data exists in your Corgea account +- Check filter parameters (scan_id, project, repo) are correct +- Ensure you're querying the correct environment (multi-tenant vs single-tenant) + +## Support + + + + Learn more about the Corgea API + + + Get help from the Corgea community + + + Learn about API authentication + + + Read the official MCP documentation + + + +## Next Steps + +1. **Get your API token** from your Corgea account settings +2. **Configure your MCP client** with the Corgea server URL and token +3. **Test the connection** by asking your AI assistant about your scans +4. **Explore use cases** like security analysis and vulnerability remediation + +Start integrating Corgea's security intelligence into your AI-powered development workflow today! + diff --git a/mint.json b/mint.json index e4fb0c6..386571d 100644 --- a/mint.json +++ b/mint.json @@ -121,7 +121,7 @@ }, { "group": "API Reference", - "pages": ["api-reference/introduction"] + "pages": ["api-reference/introduction", "mcp"] }, { "group": "Releases & Roadmap", From 20005f734fb4a960b0dbdbf35460998d9302a836 Mon Sep 17 00:00:00 2001 From: Ahmad Sadeddin Date: Sun, 2 Nov 2025 07:32:56 -0800 Subject: [PATCH 10/10] Moved MCP link --- mint.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
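Review bot: the Cursor snippet in the mcp.mdx hunk passes the token as an environment variable named `CORGEA_TOKEN` to `npx -y @modelcontextprotocol/server-fetch`, while the Connection Details, Authentication and Troubleshooting sections of the same file all state that the server authenticates on a `CORGEA-TOKEN` HTTP header (and the 401 checklist explicitly says "not Authorization"); nothing on the page explains how that environment variable becomes the header, so a reader following the Cursor block has no way to tell whether it will authenticate at all. Either document the mapping the fetch server applies, or drop that block and keep the "Alternative Configuration (Direct HTTP)" variant that follows it, which matches the Claude Desktop and Continue snippets. Two further points in the same hunk: the single-tenant URL `https://.corgea.app/mcp` has lost its subdomain placeholder and should show a visible token such as `<your-company>`; and all three client configurations embed `"CORGEA-TOKEN": "your_api_token_here"` in a plaintext config file (for Cursor, `~/.cursor/mcp.json`) even though the Best Practices section tells readers to keep tokens in environment variables or a secret manager and never to commit them. Worth stating per client whether its config file supports variable substitution and, where it does not, that the file needs the same access controls as the token itself, since the page itself notes that anyone holding the token can read the organisation's scan and issue data.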
diff --git a/mint.json b/mint.json index 386571d..b388b2c 100644 --- a/mint.json +++ b/mint.json @@ -117,11 +117,11 @@ }, { "group": "Tools & Utilities", - "pages": ["cli"] + "pages": ["cli", "mcp"] }, { "group": "API Reference", - "pages": ["api-reference/introduction", "mcp"] + "pages": ["api-reference/introduction"] }, { "group": "Releases & Roadmap",
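Review bot: this hunk moves `"mcp"` from the `API Reference` group into `Tools & Utilities`, reverting the placement that the previous patch in the series (`b8ba142`, "Adding MCP") made in the same `mint.json` lines. The two patches should be squashed so the series does not add and then relocate the same navigation entry, or the commit message should explain why the page belongs beside `cli` rather than with the API pages, so the reason survives in history.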