Get Results

GET /api/static/scan

Check the status of a scan and retrieve results once completed.

Request

Headers:

x-api-key (required): Your Rafter API key

Query Parameters:

scan_id (required): The scan request ID to check
format (optional): Output format - json (default) or md

Example Requests

Check status (JSON format):

curl -H "x-api-key: RFabc-your-api-key-here" \
  "https://rafter.so/api/static/scan?scan_id=b1b2c3d4-e5f6-7890-abcd-ef1234567890"

Get results in Markdown format (format=md):

curl -H "x-api-key: RFabc-your-api-key-here" \
  "https://rafter.so/api/static/scan?scan_id=b1b2c3d4-e5f6-7890-abcd-ef1234567890&format=md"

Response

Scan Pending/Processing

Status: pending, queued, or processing

{
  "status": "pending"
}

Scan Completed (JSON Format)

Status: completed

{
  "status": "completed",
  "repository_name": "myorg/myrepo",
  "branch_name": "prod",
  "scan_date": "2025-07-24T00:00:00.000+00:00",
  "scan_id": "abcdabcd-abcd-abcd-abcd-abcdabcd",
  "vulnerabilities": [
    {
      "rule_id": "SEC001",
      "level": "high",
      "file": "src/auth.js",
      "line": 42,
      "column": 15,
      "message": "Hardcoded API key detected",
      "description": "API keys should be stored in environment variables",
      "suggestion": "Move the API key to an environment variable"
    },
    {
      "rule_id": "SEC002", 
      "level": "medium",
      "file": "src/database.js",
      "line": 78,
      "column": 8,
      "message": "SQL injection vulnerability",
      "description": "User input is directly concatenated into SQL query",
      "suggestion": "Use parameterized queries or prepared statements"
    }
  ]
}

Scan Completed (Markdown Format - format=md)

Status: completed with format=md

{
  "status": "completed",
  "repository_name": "myorg/myrepo",
  "branch_name": "prod",
  "scan_date": "2025-07-24T00:00:00.000+00:00",
  "scan_id": "abcdabcd-abcd-abcd-abcd-abcdabcd",
  "markdown": "You are a senior Application-Security, Web-Application, and Cloud-Reliability engineer.\n# Security Issues and Vulnerabilities \n\n**Total Issues**: 2\n\n## Vulnerabilities\n\n### High Severity\n\n**SEC001: Hardcoded API key detected**\n- **File**: src/auth.js:42\n- **Description**: API keys should be stored in environment variables\n- **Suggestion**: Move the API key to an environment variable\n\n### Medium Severity\n\n**SEC002: SQL injection vulnerability**\n- **File**: src/database.js:78\n- **Description**: User input is directly concatenated into SQL query\n- **Suggestion**: Use parameterized queries or prepared statements\n"
}

Scan Failed

Status: failed

{
  "status": "failed",
  "error": "Repository access denied or not found"
}

No Vulnerabilities Found

Status: completed with no issues

{
  "status": "completed",
  "repository_name": "myorg/myrepo",
  "branch_name": "prod",
  "scan_date": "2025-07-24T00:00:00.000+00:00",
  "scan_id": "abcdabcd-abcd-abcd-abcd-abcdabcd",
  "vulnerabilities": []
}

Error Responses

Error (400 Bad Request):

{
  "error": "Missing required parameter: scan_id"
}

Error (401 Unauthorized):

{
  "error": "Invalid or inactive API key."
}

Error (404 Not Found):

{
  "error": "Scan not found."
}

Error (500 Internal Server Error):

{
  "error": "An unexpected error occurred."
}

Response Fields

Common Fields

Field	Type	Description
`status`	string	Scan status: `pending`, `queued`, `processing`, `completed`, `failed`

Completed Scan Fields (JSON)

Field	Type	Description
`repository_name`	string	Repository name in format “org/repo”
`branch_name`	string	Branch name that was scanned
`scan_date`	string	ISO 8601 timestamp when scan was created
`vulnerabilities`	array	Array of vulnerability objects

Vulnerability Object Fields

Field	Type	Description
`rule_id`	string	Unique identifier for the security rule
`level`	string	Severity level: `critical`, `high`, `medium`, `low`
`file`	string	File path where vulnerability was found
`line`	integer	Line number in the file
`column`	integer	Column number in the line
`message`	string	Short description of the issue
`description`	string	Detailed explanation of the vulnerability
`suggestion`	string	Recommended fix or mitigation

Rate Limiting

The API implements rate limiting to ensure fair usage:

Rate Limit: 100 requests per minute per IP address
Quota: Based on your subscription plan

Examples

JavaScript

async function getScanResults(scanId, format = 'json') {
  const response = await fetch(
    `https://rafter.so/api/static/scan?scan_id=${scanId}&format=${format}`,
    {
      headers: {
        'x-api-key': 'RFabc-your-api-key-here'
      }
    }
  );

  const data = await response.json();
  
  if (data.status === 'completed') {
    if (format === 'json') {
      console.log(`Found ${data.vulnerabilities.length} vulnerabilities`);
    } else {
      console.log('Markdown report generated');
    }
  } else {
    console.log(`Scan status: ${data.status}`);
  }
  
  return data;
}

Python

import requests
import time

def wait_for_scan_completion(scan_id, api_key, max_wait=300):
    """Wait for scan completion with polling"""
    start_time = time.time()
    
    while time.time() - start_time < max_wait:
        response = requests.get(
            f'https://rafter.so/api/static/scan?scan_id={scan_id}',
            headers={'x-api-key': api_key}
        )
        
        data = response.json()
        
        if data['status'] == 'completed':
            return data
        elif data['status'] == 'failed':
            raise Exception(f"Scan failed: {data.get('error', 'Unknown error')}")
        
        print(f"Scan status: {data['status']}")
        time.sleep(10)
    
    raise Exception("Scan timed out")

# Usage
try:
    results = wait_for_scan_completion('your-scan-id', 'RFabc-your-api-key-here')
    print(f"Found {len(results['vulnerabilities'])} vulnerabilities")
except Exception as e:
    print(f"Error: {e}")

Polling Strategy

For long-running scans, implement a polling strategy:

#!/bin/bash

SCAN_ID="b1b2c3d4-e5f6-7890-abcd-ef1234567890"
API_KEY="RFabc-your-api-key-here"
MAX_ATTEMPTS=15

for i in $(seq 1 $MAX_ATTEMPTS); do
    RESPONSE=$(curl -s -H "x-api-key: $API_KEY" \
      "https://rafter.so/api/static/scan?scan_id=$SCAN_ID")
    
    STATUS=$(echo $RESPONSE | jq -r '.status')
    
    if [ "$STATUS" = "completed" ]; then
        echo "Scan completed!"
        echo $RESPONSE | jq '.vulnerabilities | length' | xargs echo "Found vulnerabilities:"
        break
    elif [ "$STATUS" = "failed" ]; then
        echo "Scan failed!"
        echo $RESPONSE | jq -r '.error'
        exit 1
    else
        echo "Attempt $i/$MAX_ATTEMPTS: Status is $STATUS"
        sleep 10
    fi
done

API documentation

Endpoints

GET /api/static/scan

Request

Example Requests

Response

Scan Pending/Processing

Scan Completed (JSON Format)

Scan Completed (Markdown Format - format=md)

Scan Failed

No Vulnerabilities Found

Error Responses

Response Fields

Common Fields

Completed Scan Fields (JSON)

Vulnerability Object Fields

Rate Limiting

Examples

JavaScript

Python

Polling Strategy

API documentation

Endpoints

​GET /api/static/scan

​Request

​Example Requests

​Response

​Scan Pending/Processing

​Scan Completed (JSON Format)

​Scan Completed (Markdown Format - format=md)

​Scan Failed

​No Vulnerabilities Found

​Error Responses

​Response Fields

​Common Fields

​Completed Scan Fields (JSON)

​Vulnerability Object Fields

​Rate Limiting

​Examples

​JavaScript

​Python

​Polling Strategy

GET /api/static/scan

Request

Example Requests

Response

Scan Pending/Processing

Scan Completed (JSON Format)

Scan Completed (Markdown Format - format=md)

Scan Failed

No Vulnerabilities Found

Error Responses

Response Fields

Common Fields

Completed Scan Fields (JSON)

Vulnerability Object Fields

Rate Limiting

Examples

JavaScript

Python

Polling Strategy