Partner API
Call the ShipItClean adversarial code review engine directly from your application. Wholesale pricing, no feature gating, every scan is the full engine.
Quick Start
1. Get an API key. Log in to your ShipItClean account, open the dashboard, and create an API key under the API section. Keys look like sic_live_.... Keep them secret.
2. Submit a scan.
curl -X POST https://shipitclean.com/api/v1/external/scan/repo \
-H "Authorization: Bearer sic_live_YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{"repo": "your-org/your-repo", "branch": "main"}'
3. Poll for results. The submit call returns a scan_id. Poll the status endpoint roughly every 10 seconds until status is done (or another terminal status: cancelled, error).
curl https://shipitclean.com/api/v1/external/scan/SCAN_ID \
-H "Authorization: Bearer sic_live_YOUR_KEY"
Authentication
All endpoints require a Bearer token:
Authorization: Bearer sic_live_YOUR_KEY
API keys are user-scoped. Scans submitted with a key are only visible to that key.
Keys never expire automatically. Rotate or revoke from the dashboard at any time.
Endpoints
Submit a repository scan (POST /api/v1/external/scan/repo)
Request body
| Field | Type | Required | Description |
|---|---|---|---|
| repo | string | yes | Repository in owner/name format. |
| branch | string | no | Branch to scan. Default: main. |
| github_token | string | no | GitHub personal access token. Required for private repos. Sent securely, never stored. |
| project_type | string | no | Hint for scan tuning. One of: auto, api, webapp, cli, library. Default: auto. |
Response
{
"scan_id": "a1b2c3d4e5f6",
"status": "queued",
"status_url": "/api/v1/external/scan/a1b2c3d4e5f6"
}
Submit a code scan
Request body
| Field | Type | Required | Description |
|---|---|---|---|
| code | string | yes | Source code to scan. Max 100,000 characters. |
| language | string | no | Language hint (e.g. python, javascript, go). Default: python. |
| context | string | no | Optional context about what the code does. Max 2000 characters. |
| project_type | string | no | Same values as repo scan. Default: auto. |
Response
{
"scan_id": "a1b2c3d4e5f6",
"status": "queued",
"status_url": "/api/v1/external/scan/a1b2c3d4e5f6"
}
Get scan status (GET /api/v1/external/scan/SCAN_ID)
Response (in progress)
{
"id": "a1b2c3d4e5f6",
"type": "repo",
"status": "scanning",
"input_repo": "your-org/your-repo",
"total_findings": 0,
"critical_count": 0,
"high_count": 0,
"medium_count": 0,
"low_count": 0,
"created_at": "2026-04-17T18:30:00.000Z",
"completed_at": null,
"elapsed_secs": 45
}
Response (complete)
{
"id": "a1b2c3d4e5f6",
"type": "repo",
"status": "done",
"decision": "request_changes",
"total_findings": 14,
"critical_count": 1,
"high_count": 3,
"medium_count": 7,
"low_count": 3,
"ai_opinion": "REAL THREATS\n...",
"created_at": "2026-04-17T18:30:00.000Z",
"completed_at": "2026-04-17T18:33:42.000Z",
"elapsed_secs": 222,
"findings": [
{
"file": "app/auth.py",
"line": 45,
"severity": "critical",
"category": "credential_management",
"title": "Hardcoded API key",
"description": "...",
"suggested_fix": "..."
}
]
}
Status values: queued, scanning, reviewing, done, cancelled, error.
Cancel a scan
Response
{"scan_id": "a1b2c3d4e5f6", "status": "cancelled"}
List scans
Query parameters
| Field | Type | Description |
|---|---|---|
| limit | int | Max scans to return (1-500). Default: 100. |
| offset | int | Offset for pagination. Default: 0. |
Response
{
"total_scans": 42,
"total_findings_across_scans": 631,
"scans": [
{"id": "...", "type": "repo", "status": "done", "total_findings": 14, ...}
]
}
Errors
| Code | Meaning |
|---|---|
| 400 | Bad request. Check your JSON body and required fields. |
| 401 | Missing or invalid API key. |
| 404 | Scan not found, or you don't own this scan ID. |
| 429 | Rate limit exceeded. Back off and retry. |
| 502 | Scan engine temporarily unavailable. Retry after a few seconds. |
Error body
{"detail": "Human-readable error description"}
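The Quick Start flow (submit, then poll until a terminal status) together with the retry rules from the error table (429 and 502 are retryable, everything else is a hard failure), as an added example client rather than a vendor SDK. It is not code from the ShipItClean project. Assumptions not on the page: the API key is read from an environment variable named SIC_API_KEY, the HTTP layer is injected as a `transport` callable so the example can be exercised offline, and the replayed responses in `SAMPLE_REPLIES` are constructed from the documented response shapes.

```python
"""Minimal ShipItClean partner-API client: submit a repo scan, poll, gate on findings.

Added example, not the vendor's SDK. Assumed (not on the page): the SIC_API_KEY
environment variable, transport injection, and the constructed SAMPLE_REPLIES.
"""
import json
import os
import time
import urllib.error
import urllib.request

BASE_URL = "https://shipitclean.com"
TERMINAL = {"done", "cancelled", "error"}  # terminal status values from the docs


def http_transport(method, url, headers, body):
    """Real transport: returns (status_code, parsed JSON body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


class ShipItCleanClient:
    def __init__(self, api_key=None, transport=http_transport, sleep=time.sleep):
        # Keys never expire automatically, so never hardcode them: read from env.
        self.api_key = api_key or os.environ["SIC_API_KEY"]  # assumed variable name
        self.transport = transport
        self.sleep = sleep

    def _call(self, method, path, body=None, retries=5):
        headers = {"Authorization": f"Bearer {self.api_key}",
                   "Content-Type": "application/json"}
        delay = 2.0
        for _ in range(retries):
            code, payload = self.transport(method, BASE_URL + path, headers, body)
            if code in (429, 502):          # documented as "back off and retry"
                self.sleep(delay)
                delay = min(delay * 2, 60)  # exponential backoff, capped
                continue
            if code >= 400:                 # 400/401/404: do not retry, surface detail
                raise RuntimeError(f"HTTP {code}: {payload.get('detail', payload)}")
            return payload
        raise RuntimeError(f"gave up after {retries} attempts on {method} {path}")

    def submit_repo_scan(self, repo, branch="main", github_token=None, project_type="auto"):
        body = {"repo": repo, "branch": branch, "project_type": project_type}
        if github_token:                    # only needed for private repos
            body["github_token"] = github_token
        return self._call("POST", "/api/v1/external/scan/repo", body)["scan_id"]

    def wait_for_scan(self, scan_id, poll_interval=10, timeout=1800):
        """Poll the status endpoint until a terminal status; raise on timeout."""
        waited = 0
        while True:
            scan = self._call("GET", f"/api/v1/external/scan/{scan_id}")
            if scan["status"] in TERMINAL:
                return scan
            if waited >= timeout:
                raise TimeoutError(f"scan {scan_id} still {scan['status']} after {timeout}s")
            self.sleep(poll_interval)
            waited += poll_interval


def gate(scan, max_critical=0, max_high=0):
    """CI gate on a finished scan: returns (passed, reason)."""
    if scan["status"] != "done":
        return False, f"scan ended with status {scan['status']}"
    if scan["critical_count"] > max_critical or scan["high_count"] > max_high:
        return False, f"{scan['critical_count']} critical / {scan['high_count']} high findings"
    return True, "no blocking findings"


def make_fake_transport(replies):
    """Offline stand-in that replays a constructed list of (code, body) pairs."""
    queue = list(replies)

    def transport(method, url, headers, body):
        assert headers["Authorization"].startswith("Bearer sic_live_")
        return queue.pop(0)
    return transport


# Constructed sample replies, shaped like the documented responses (not real data).
SAMPLE_REPLIES = [
    (200, {"scan_id": "a1b2c3d4e5f6", "status": "queued",
           "status_url": "/api/v1/external/scan/a1b2c3d4e5f6"}),
    (429, {"detail": "Rate limit exceeded"}),  # exercises the backoff path
    (200, {"id": "a1b2c3d4e5f6", "status": "scanning", "critical_count": 0, "high_count": 0}),
    (200, {"id": "a1b2c3d4e5f6", "status": "done", "decision": "request_changes",
           "total_findings": 14, "critical_count": 1, "high_count": 3,
           "medium_count": 7, "low_count": 3}),
]


def run_demo():
    client = ShipItCleanClient(api_key="sic_live_EXAMPLE",
                               transport=make_fake_transport(SAMPLE_REPLIES),
                               sleep=lambda s: None)
    scan_id = client.submit_repo_scan("your-org/your-repo")
    scan = client.wait_for_scan(scan_id, poll_interval=0)
    return scan_id, gate(scan)


if __name__ == "__main__":
    print(run_demo())
```

To run against the live API, construct `ShipItCleanClient()` with no arguments so it uses `http_transport` and reads the key from the environment; the retry loop stays well under the documented 60 submits and 600 status calls per hour per key at a 10-second poll interval, and `gate` turns the per-severity counts into a pass/fail result a CI job can act on.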
What You Get Per Scan
Every scan through this API runs the full ShipItClean engine:
- Up to 137 adversarial AI agents — each focused on a different attack surface (SQL injection, auth bypass, XSS, SSRF, deserialization, crypto, secrets, prompt injection, supply chain, denial-of-wallet, and more). Full Gold-tier panel runs on every partner scan, no feature gating.
- Hyrex rules engine — 300+ curated patterns including semgrep-community derived rules
- Baseline security tools — Gitleaks, Trivy, Bandit, Semgrep, flake8
- CVE corpus enrichment — 327,000+ published vulnerabilities cross-referenced against findings
- AI consensus + refinement — false positives filtered, findings deduplicated, severity normalized
- Unlimited repo size — proprietary memory architecture scans multi-million-token codebases with no context loss
Pricing
Billing is per-token processed, invoiced monthly. Pricing details and volume tiers are available on request. Reach us through the contact form to activate wholesale access on your account.
Rate Limits
- Submit endpoints: 60 requests per hour per key
- Status/usage endpoints: 600 requests per hour per key
- Concurrent scans per key: 5 (contact us for higher limits)
Support
Questions, integration help, or custom requirements: use the contact form.