Sigrid API documentation

In addition to Sigrid CI, Sigrid also provides a more general-purpose REST API that you can use to obtain analysis results from Sigrid. This allows you to integrate data from Sigrid into your workflow.

General usage

The following example shows how to call the Sigrid API using curl:

curl -H 'Authorization: Bearer {SIGRID_CI_TOKEN}' https://sigrid-says.com/rest/analysis-results/api/v1/maintainability/{customer}

In the example, {customer} refers to your company’s Sigrid account name (lower case), and {SIGRID_CI_TOKEN} refers to your authentication token.

Including deactivated and/or excluded systems

In Sigrid’s web-based user interface, several portfolio (customer) level dashboards by default hides deactivated systems and excluded systems. The filter panel on the right hand side provides two toggles to override this behavior:

A system can be deactivated, or excluded from dashboards, in the metadata settings page:

Sigrid’s REST API mimics this behavior, as follows:

Available end points

Maintainability ratings

Maintainability ratings for a given customer are available via three endpoints:

The parameter {customer} refers to your Sigrid account name.

Example response
{
    "customer": "my-sigrid-account-name",
    "systems": [
        {
            "system": "my-system-name",
            "customer": "my-sigrid-account-name",
            "maintainability": 5.24,
            "maintainabilityDate": "2022-02-08",
            "allRatings": [
                {
                    "maintainability": 4.96,
                    "maintainabilityDate": "2022-02-06",
                    "componentIndependence": 2.922191130049036,
                    "componentEntanglement": 3.185432066401412,
                    "duplication": 3.8219019076088467,
                    "moduleCoupling": 3.7576658516974955,
                    "testCodeRatio": 1.3420540223995314,
                    "unitComplexity": 4.611590984421209,
                    "unitInterfacing": 2.139146638028358,
                    "unitSize": 3.9657948540316688,
                    "volumeInPersonMonths": 91.54868594563312,
                    "volumeInLoc": 68305
                }
            ]
        }
    ]
}

The top-level maintainability and maintainabilityDate refer to the current state of each system. The allRatings array contains a list of all historic measurements, which can be used for reporting or trend information.

Security and reliability findings

Sigrid’s REST API provides two endpoints to get all open security or reliability findings for a system:

The parameters {customer} and {system} refer to your Sigrid account name and system ID respectively.

Example response
[
    {
        "id": "00000000-0000-0000-0000-0000005d9c1e",
        "href": "https://sigrid-says.com/my-sigrid-account/my-system/-/sigrid-security/00000000-0000-0000-0000-0000005d9c1e",
        "firstSeenAnalysisDate": "2019-09-18",
        "lastSeenAnalysisDate": "2019-09-18",
        "firstSeenSnapshotDate": "2019-05-04",
        "lastSeenSnapshotDate": "2019-05-04",
        "filePath": "helloworld.py",
        "startLine": 12,
        "endLine": 23,
        "component": "frontend",
        "type": "",
        "cweId": "CWE-12345",
        "severity": "LOW",
        "impact": "LOW",
        "exploitability": "LOW",
        "severityScore": 2.0,
        "impactScore": 1.2,
        "exploitabilityScore": 0.8,
        "status": "FALSE_POSITIVE",
        "remark": "Test test test",
        "toolName": null,
        "isManualFinding": true,
        "isSeverityOverridden": true,
        "weaknessIds": [
            "CWE-12345"
        ]
    }
]

Open Source Health findings and ratings

A list of all third-party open source dependencies is available using the following endpoints:

The endpoints will include Open Source Health Quality Model ratings where available. The path parameter {customer} and {system} refer to your Sigrid account name and system ID respectively.

The response format is based on the CycloneDX (version 1.5) format for an SBOM (software bill of materials).

Example response for a single system

Mimetype: application/vnd.cyclonedx+json

{
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2022-03-17T09:58:34Z",
        "tools": [
            {
                "vendor": "Software Improvement Group",
                "name": "Sigrid",
                "externalReferences": [
                    {
                        "type": "other",
                        "url": "https://sigrid-says.com/my-sigrid-account-name/my-system-id/-/open-source-health"
                    }
                ]
            }
        ]
    },
    "properties" : [
      {
        "name" : "sigrid:ratings:system",
        "value" : "3.89"
      },
      {
        "name" : "sigrid:ratings:vulnerability",
        "value" : "3.2976190476190474"
      },
      {
        "name" : "sigrid:ratings:licenses",
        "value" : "5.5"
      },
      {
        "name" : "sigrid:ratings:freshness",
        "value" : "1.4174311926605505"
      },
      {
        "name" : "sigrid:ratings:management",
        "value" : "3.189908256880734"
      },
      {
        "name" : "sigrid:ratings:activity",
        "value" : "1.3944954128440368"
      }
    ],
    "components": [
        {
            "group": "",
            "name": "yui",
            "version": "2.8.0r4",
            "purl": "pkg:npm/yui@2.8.0r4",
            "properties" : [
                {
                    "name" : "sigrid:risk:freshness",
                    "value" : "HIGH"
                }
            ],
            "type": "library",
            "bom-ref": "pkg:npm/yui@2.8.0r4",
            "evidence" : {
                "occurrences" : [
                    {
                        "location" : "foo/package.json"
                    }
                ]
            }
        }
    ],
    "vulnerabilities": [
        {
            "id": "CVE-2010-4710",
            "ratings": [
                {
                    "score": 4.3,
                    "severity": "medium",
                    "method": "CVSSv2"
                }
            ],
            "description": "Cross-site Scripting",
            "affects" : [
                {
                    "ref" : "pkg:npm/yui@2.8.0r4"
                }
            ]
        }
    ]
}

The properties of the root is an array of name/value pairs. It contains up to 6 items, as detailed in the table below. Note that the value of a property can never be null according to the CycloneDX specification. Consequently, if Sigrid cannot determine the value of a property for whatever reason, it is simply missing from the properties array.

Name Description
sigrid:ratings:system System Open Source Health Quality model rating
sigrid:ratings:vulnerability Vulnerability Open Source Health Quality model rating
sigrid:ratings:licenses Licenses Open Source Health Quality model rating
sigrid:ratings:freshness Freshness Open Source Health Quality model rating
sigrid:ratings:management Management Open Source Health Quality model rating
sigrid:ratings:activity Activity Open Source Health Quality model rating

Vulnerable libraries in Open Source Health

Additionally, it is possible to filter only vulnerable/non vulnerable dependencies using the aforementioned endpoint as such:

The vulnerable URL query parameter is optional and defaults to false. The meaning is as follows:

The endpoint that returns third-party vulnerabilities for all systems for the given customer returns an array of SBOMs, one for each system as follows:

{
    "customer" : "sig",
    "exportDate" : "2022-07-12",
    "systems" : [ {
        "customerName" : "sig",
        "systemName" : "bch",
        "sbom" : {
            ...                   // Same as the response format in the single-system case
        }
    ]
}

The properties member of elements of the components array is an array of name/value pairs. Currently, this array may have up to 12 items, as detailed in the table below. Similar to above, if Sigrid cannot determine the value of a property it will be missing from the array.

Name Description
sigrid:risk:vulnerability Vulnerability risk (one of NONE, LOW, MEDIUM, HIGH, CRITICAL)
sigrid:risk:legal Legal (license) risk (one of NONE, LOW, MEDIUM, HIGH, CRITICAL)
sigrid:risk:freshness Freshness risk (one of NONE, LOW, MEDIUM, HIGH, CRITICAL)
sigrid:risk:activity Activity risk (one of NONE, LOW, MEDIUM, HIGH, CRITICAL)
sigrid:risk:stability Stability risk (one of NONE, LOW, MEDIUM, HIGH)
sigrid:risk:management Dependency management risk (one of NONE, LOW, MEDIUM, HIGH)
sigrid:releaseDate Release date of the detected version (ISO 8601: YYYY-MM-DD)
sigrid:next:version Version number of the next version
sigrid:next:releaseDate Release date of the next version (ISO 8601: YYYY-MM-DD)
sigrid:latest:version Version number of the latest version
sigrid:latest:releaseDate Release date of the latest version (ISO 8601: YYYY-MM-DD)
sigrid:transitive Indicates whether the dependency is transitive or not (TRANSITIVE or DIRECT)

More information on the SBOM format and the various fields is available from the CycloneDX SBOM specification.

Architecture Quality ratings

Arcitecture quality ratings for a given customer are available via two endpoints:

The path parameters {customer} and {system} refer to your Sigrid account name and system ID respectively.

Example system-level response format

The response format of the system-level endpoint is as follows:

{
  "customer" : "my-sigrid-account-name",
  "system" : "my-system-name",
  "snapshotDate" : "2022-01-31",
  "analysisDate" : "2022-02-28",
  "modelVersion" : "1.4",
  "ratings" : {
    "architecture" : 3.84,
    "subcharacteristics" : {
      "dataAccess" : 3.5,
      "technologyStack" : 4.18,
      "evolution" : 3.71,
      "communication" : 3.83,
      "structure" : 4.07,
      "knowledge" : 3.74
    },
    "systemProperties" : {
      "componentCoupling" : 2.86,
      "codeReuse" : 5.38,
      "knowledgeDistribution" : 3.24,
      "boundedEvolution" : 4.21,
      "componentFreshness" : 4.23,
      "communicationCentralization" : 3.18,
      "technologyPrevalence" : 4.18,
      "codeBreakdown" : 3.27,
      "componentCohesion" : 4.46,
      "dataCoupling" : 3.5
    }
  }
}

The customer-level endpoint retuns an array with each element identical to the system-level response.

Architecture Quality data

For reporting purposes, using the end point for architecture quality ratings is usually sufficient. However, some advanced use cases require the full Architecture Quality data, beyond just the ratings.

The end point GET https://sigrid-says.com/rest/analysis-results/api/v1/architecture-quality/{customer}/{system}/raw will generate the full Architecture Quality analysis results, in JSON format. This end point is intended for system-to-system integration, where one of your own systems needs to process this data without relying on the Sigrid user interface.

This end point will return the “raw” architecture graph, which is documented in the Architecture Quality documentation.

System metadata

System metadata can be viewed and updated using the following three endpoints:

The path parameters {customer} and {system} refer to your Sigrid account name and system ID respectively.

Example system-level `GET` and `PATCH` response format

The response format of both system-level endpoints (GET and PATCH) is as follows:

{
  "displayName" : "User-friendly system name",
  "divisionName" : "Division name",
  "teamNames" : [ "My Team" ],
  "supplierNames" : [ "Supplier 1", "Supplier 2" ],
  "lifecyclePhase" : "EOL",
  "inProductionSince" : 2012,
  "businessCriticality" : "HIGH",
  "targetIndustry" : "ICD9530",
  "deploymentType" : "PUBLIC_FACING",
  "applicationType" : "ANALYTICAL",
  "softwareDistributionStrategy": "DISTRIBUTED",
  "remark" : "A remark",
  "externalID" : "ab12345",
  "isDevelopmentOnly" : false,
  "technologyCategory": "MODERN_GENERAL_PURPOSE"
}
Example customer-level response

The response format of the customer-level endpoint (GET https://sigrid-says.com/rest/analysis-results/api/v1/system-metadata/{customer}) is as follows:

[
  {
    "customerName": "foo",
    "systemName": "bar",
    "displayName" : "User-friendly system name",
    "divisionName" : "Division name",
    "teamNames" : [ "My Team" ],
    "supplierNames" : [ "Supplier 1", "Supplier 2" ],
    "lifecyclePhase" : "EOL",
    "inProductionSince" : 2012,
    "businessCriticality" : "HIGH",
    "targetIndustry" : "ICD9530",
    "deploymentType" : "PUBLIC_FACING",
    "applicationType" : "ANALYTICAL",
    "softwareDistributionStrategy": "DISTRIBUTED",
    "remark" : "A remark",
    "externalID" : "ab12345",
    "isDevelopmentOnly" : false,
    "technologyCategory": "MODERN_GENERAL_PURPOSE"
  }
]

All properties can be null except for supplierNames and teamNames (which are always an array, but possibly empty), and isDevelopmentOnly (which is always true or false).

For the PATCH endpoint, please take the following into account:

$ curl 'https://sigrid-says.com/rest/analysis-results/api/v1/system-metadata/{customer}/{system}' -X PATCH \
    -H 'Content-Type: application/merge-patch+json' \
    -H 'Authorization: Bearer {SIGRID_CI_TOKEN}' \
    -d '{
  "supplierNames" : [ "Supplier 1" ],
  "remark" : null,
}'

This example request replaces the list of supplier names with the list consisting of one single supplier name (Supplier 1). It also removes the remark. Next to this, it leaves all metadata as-is. For instance, if the external ID before executing this request is ab12345, after this request it still is.

Metadata fields

The metadata fields are described by the following table. Note that the setting for deploymentType is used to assess impact of security findings.

Path Type Description
displayName String The display name of the system. Must be between 0 and 60 characters. Can contain blanks: true
externalDisplayName String The external display name of the system. Must be between 0 and 60 characters. Can contain blanks: true
divisionName String The name of the division this system belongs to. Must be between 0 and 60 characters. Can contain blanks: true
supplierNames Array Array of the names of the suppliers for this system
teamNames Array Array of the names of the teams maintaining this system
inProductionSince Number The year the system went into production. Cannot be later than the current year, must be at least 1960
businessCriticality String Importance of the system in terms of the effects of it not being available on the user’s business. Must match any of the following values (case-sensitive): CRITICAL, HIGH, MEDIUM, LOW
lifecyclePhase String The phase of its lifecycle the system is in. Must be an industry identifier from the table of lifecycle phase identifiers below (case-sensitive)
targetIndustry String The industry in which the system is normally used. Must be an industry identifier from the table of target industry identifiers below (case-sensitive)
deploymentType String The way in which the system is typically deployed. Must be an industry identifier from the table of deployment types below (case-sensitive)
applicationType String The type of the system. Must be an industry identifier from the table of application types below (case-sensitive)
softwareDistributionStrategy String The type of the software distribution strategy. Must be one of the distribution strategy identifiers from the table below (case-sensitive)
isDevelopmentOnly Boolean If true, the system is not shown as part of customer’s portfolio, in the UI this is known as the “Excluded from dashboards” toggle
remark String Remark(s) about the system as (possibly empty) free-format text. Must be between 0 and 300 characters. Can contain blanks: true
externalID String Allow customers to record an external identifier for a system. free-format text. Must be between 0 and 60 characters. Can contain blanks: true

The specific set of values that are allowed for each field can be found in the respective section on the system metadata fields and allowed values on the system metadata page.

System lifecycle management

Sigrid allows you to deactivate a given system.

The endpoint that enables such deactivation is:

PATCH https://sigrid-says.com/rest/analysis-results/api/v1/systems/{customer}/{system}: enables setting the deactivation date for a system as the instant when this endpoint was called.

The request format is:

{"deactivateNow": <deactivate_now>}

where the placeholder, <deactivate_now> can assume the following values:

{"deactivateNow": false} : when setting the boolean value deactivateNow to false, the system will be viewed by Sigrid as being active, so, setting this value to false effectively marks a system as active and re-activates a previously deactivated system;

{"deactivateNow": true} : when this value is true, the deactivation date for the system will be set using Instant.now() representing the current instant when the endpoint was called. This effectively deactivates a system from the moment the endpoint was called;

The response format on a successful request is, as an example, for SIG’s bch system:

{
    "name": "bch",
    "deactivationDate": "2017-12-03T00:00:00Z"
}

If the request body is not in the expected format, the returned response status will be: 400 BAD REQUEST.

System and portfolio objectives

Sigrid allows you to define quality objectives: either per system, or as portfolio-wide objectives that apply to all systems that match certain conditions. Defining quality objectives helps to set some realistic and feasible expectations, considering both the system’s business context and its current technical state. For instance, typically business-critical systems using modern technologies require more ambitious targets than legacy systems.

Once you have defined quality objectives in Sigrid, you can use these targets in Sigrid CI.

In addition to Sigrid and Sigrid CI, you can also use the API to retrieve objectives.

Retrieving portfolio objectives

GET https://sigrid-says.com/rest/analysis-results/api/v1/objectives/{customer}

This returns a response containing the portfolio-level objectives defined for the given portfolio, including their conditions. The response looks like the following:

Example portfolio-level objectives response

The response format of the portfolio-level endpoint (GET https://sigrid-says. com/rest/analysis-results/api/v1/objectives/{customer}) is as follows:

{
  "objectives": [
    {
      "id": 5,
      "conditions": {
        "businessCriticality": [
          "LOW", "MEDIUM"
        ],
        "deploymentType": [
          "INTERNAL"
        ]
      },
      "objective": {
        "target": 0.5,
        "level": "PORTFOLIO",
        "type": "TEST_CODE_RATIO",
        "feature": "MAINTAINABILITY"
      },
      "remark": "Test code ratio is 50% - this is acceptable for low or medium-criticality,internal systems."
    }
  ]
}

Retrieving objectives for a system

GET https://sigrid-says.com/rest/analysis-results/api/v1/objectives/{customer}/{system}/config

This end point returns the following response structure:

{
  "MAINTAINABILITY": 4.0,
  "NEW_CODE_QUALITY": 3.5,
  "OSH_MAX_SEVERITY": "LOW",
  "TEST_CODE_RATIO": 0.8
}

Systems always have a single target per objective type. If you define multiple overlapping objectives, precedence rules are applied to determine which objective “wins” and gets to decide the target for that system:

This particular endpoint returns the target based on these precedence rules. The endpoint does not explain why that target exists. Use the objectives status end point to obtain more information on which objectives are applied to a system.

Defining and editing system objectives

PUT https://sigrid-says.com/rest/analysis-results/api/v1/objectives/{customer}/{system}

The PUT endpoint can be used to create a new system-level objective, or edit an existing one. It takes a request body with the following structure:

{
  "type": "TEST_CODE_RATIO",
  "target": 0.7
}
Type Description Allowed target values
MAINTAINABILITY Overall maintainability rating Decimal number between 0.5 and 5.5, inclusive
TEST_CODE_RATIO Test code ratio Positive decimal number, e.g. 0.7 sets a target of 70%
ARCHITECTURE_QUALITY Decimal number between 0.5 and 5.5, inclusive Decimal number between 0.5 and 5.5, inclusive
OSH_MAX_SEVERITY Highest allowed severity of known vulnerabilities One of: "NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL"
OSH_MAX_FRESHNESS_RISK Highest allowed freshness risk One of: "NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL"
OSH_MAX_LICENSE_RISK Highest allowed license risk One of: "NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL"
SECURITY_MAX_SEVERITY Highest allowed severity of security findings One of: "NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL"
RELIABILITY_MAX_SEVERITY Highest allowed severity of reliability findings One of: "NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL"

The endpoint returns the objective that was just created or modified.

Deleting system objectives

DELETE https://sigrid-says.com/rest/analysis-results/api/v1/objectives/{customer}/{system}/{type}

This will delete the system objective of the given type, using the type names from the above table. For instance:

DELETE https://sigrid-says.com/rest/analysis-results/api/v1/objectives/{customer}/{system}
/TEST_CODE_RATIO

This would delete the system-level test code ratio objective, if it exists at the system level, and return 204. In case the objective does not exist at the system level, the endpoint returns 404.

Retrieving objectives status

GET https://sigrid-says.com/rest/analysis-results/api/v1/objectives-evaluation/{customer}?startDate={start}&endDate={end}

This will return the current objectives status and delta for all systems in your portfolio, for the specified time period. The startDate and endDate parameters accept dates in ISO 8601 format, for example 2024-05-17.

This end point returns the following response:

Example objectives status response
{
  "systems": [
    "systemName": "my-example-system",
      "objectives": [
        {
          "type": "OSH_MAX_LICENSE_RISK",
          "feature": "OPEN_SOURCE_HEALTH",
          "target": "LOW",
          "targetMetAtStart": "NOT_MET",
          "targetMetAtEnd": "NOT_MET",
          "delta": "SIMILAR",
          "stateAtEnd": "MEDIUM",
          "level": "PORTFOLIO",
          "parentId": 16
        },
        {
          "type": "ARCHITECTURE_QUALITY",
          "feature": "ARCHITECTURE_QUALITY",
          "target": 4.0,
          "targetMetAtStart": "NOT_MET",
          "targetMetAtEnd": "NOT_MET",
          "delta": "DETERIORATING",
          "stateAtEnd": 3.68909,
          "level": "SYSTEM"
        }
      ]
    ]
  }
}

The response contains every system in your portfolio, with each system containing all objectives that apply to that system. The objectives follow the same precedence rules as in Sigrid, so only objectives with conditions that match the metadata of the system are included in the result.

Within each objective, the parentId refers to the ID of a portfolio objective, which you can obtain with the portfolio objectives end point. If the objective does not have a parentId, it means it’s a system objective.

For advanced reporting use cases, you can combine the information from this end point with other end points: Combining the objective status with the portfolio objectives allows you to replicate Sigrid’s objectives dashboard in your report. You can also combine this with metadata to provide additional drill-down information, for example for specific teams or divisions.

Managing user permissions via API

In addition to the general usage of the Sigrid API, users also can also perform user management tasks via the API as an alternative to doing these tasks within the web-based user interface of Sigrid itself. This also allows Sigrid administrators to better construct automated processes for managing the access to systems for their users.

The following example shows how to call the User Management API via curl:

curl -H 'Authorization: Bearer {SIGRID_PERSONAL_TOKEN}' https://sigrid-says.com/rest/auth/api/user-management/{customer}/users

Managing individual user permissions

A number of endpoints are available that make managing existing users within the portfolio easier:

The path parameters {customer} and {userID} refer to your Sigrid account name and a unique user ID respectively.

The response format upon successful request of a single user looks like the following:

{
	"id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
	"firstName": "string",
	"lastName": "string",
	"email": "string",
	"isAdmin": true,
  	"accessToAll": true,
  	"systems": [
    	{
      		"systemName": "string"
    	}
  	],
	"lastLoginAt": "2024-03-07T16:54:33.438Z"
}

Of particular interest is the systems field in the response, which contains the set of systems that the user can access from the portfolio. Each systems is denoted by a string that relates to the name of the system when it was onboarded in Sigrid.

When leveraging the PUT https://sigrid-says.com/rest/auth/api/user-management/{customer}/users/{userID}/permissions endpoint, the user must include in the request body the permissions to be updated.

An example request could be the following:

$ curl 'https://sigrid-says.com/rest/auth/api/user-management/{customer}/users/{userID}/permissions' -X PATCH \
    -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer {SIGRID_PERSONAL_TOKEN}' \
    -d '{
	"accessToAll": false,
	"systems": [ 
		{
			"systemName": "system-a"
		},
		{
			"systemName": "system-b"
		},
		{
			"systemName": "system-c"
	]
}'

This request will replace the set of system permissions granted to the specified user with the set provided in the request body consisting of 3 systems - system-a, system-b and system-c. No other change is made, so user details such as firstName / lastName / email all will remain as-is upon successful request of this endpoint.

Upon succesful request of the above endpoint for a user with id d987c69d-464f-4276-bea8-5780cc782b97, the response format for GET https://sigrid-says.com/rest/auth/api/user-management/{customer}/users/d987c69d-464f-4276-bea8-5780cc782b97 :

{
	"id": "d987c69d-464f-4276-bea8-5780cc782b97",
	"firstName": "string",
	"lastName": "string",
	"email": "string",
	"isAdmin": false,
	"accessToAll": false,
	"systems": [
		{
			"systemName": "system-a"
		},
		{
			"systemName": "system-b"
		},
		{
			"systemName": "system-c"
		}
	],
	"lastLoginAt": "2024-03-07T16:54:33.438Z"
}

Related to this is the accessToAll boolean field, which indicates if a user has the explicit right to access every system in the portfolio, both for systems that are currently onboarded and those that will be onboarded in the future. This permission is typically reserved for administrators of the Sigrid account, however this option can be applied to all users within a portfolio.

For more information, see the detailed section on user management in Sigrid.

Managing authorization group permissions

In addition to managing individual user permissions within the portfolio, authorization group permissions can also be managed via the API. This allows for bulk editing of permissions users inherit based on their authorization group membership, as well as the set of users that are part of a specified group.

Available endpoints include:

The path parameters {customer} and {groupID} refer to your Sigrid account name and a unique authorization group ID respectively.

The response format upon successful request of a single authorization group looks like the following:

{
	"id": "string($uuid)",
	"name": "string",
	"description": "string",
	"users": [
    	"string($uuid)"
  	],
	"systems": [
    	{
			"systemName": "string"
    	}
	],
	"updatedAt": "2024-03-07T17:41:59.278Z",
	"updatedByUser": "3fa85f64-5717-4562-b3fc-2c963f66afa6"
}

Unlike the response received when leveraging the endpoint to return a single user, groups have two fields that can be modified via the API: users and systems.

When leveraging the PUT https://sigrid-says.com/rest/auth/api/user-management/{customer}/groups/{groupID}/permissions endpoint, the user must include in the request body the permissions to be updated.

An example request could be the following:

$ curl 'https://sigrid-says.com/rest/auth/api/user-management/{customer}/groups/{groupID}/permissions' -X PATCH \
	-H 'Content-Type: application/json' \
	-H 'Authorization: Bearer {SIGRID_PERSONAL_TOKEN}' \
	-d '{
	"systems": [ 
    	{
			"systemName": "system-x"
		},
		{
			"systemName": "system-y"
		},
		{
			"systemName": "system-z"
		}
	]
}'

This request will replace the set of system permissions granted to the specified authorization group with the set provided in the request body consisting of 3 systems - system-x, system-y and system-z.

Upon succesful request of the above endpoint for a group with id f4a702ac-b998-44e1-a271-840a3f75e6d2, the response format for GET https://sigrid-says.com/rest/auth/api/user-management/{customer}/groups/f4a702ac-b998-44e1-a271-840a3f75e6d2 :

{
	"id": "f4a702ac-b998-44e1-a271-840a3f75e6d2",
	"name": "string",
	"description": "string",
	"users": [
		"3fa85f64-5717-4562-b3fc-2c963f66afa6"
  	],
	"systems": [
    	{
			"systemName": "system-x"
		},
		{
			"systemName": "system-y"
		},
		{
			"systemName": "system-z"
		}
	],
	"updatedAt": "2024-03-07T17:41:59.278Z",
	"updatedByUser": "3fa85f64-5717-4562-b3fc-2c963f66afa6"
}

The process for updating membership to a group is done in a very similar manner when leveraing the PUT https://sigrid-says.com/rest/auth/api/user-management/{customer}/groups/{groupID}/permissionsendpoint. Again the request body is required and must contain valid unique IDs for the users to be assigned to the group.

An example request on the same group could be the following:

$ curl 'https://sigrid-says.com/rest/auth/api/user-management/{customer}/groups/f4a702ac-b998-44e1-a271-840a3f75e6d2/members' -X PATCH \
	-H 'Content-Type: application/json' \
    -H 'Authorization: Bearer {SIGRID_PERSONAL_TOKEN}' \
    -d '{
		"users": [ 
			"d987c69d-464f-4276-bea8-5780cc782b97",
			"3fa85f64-5717-4562-b3fc-2c963f66afa6" 
		]
	}'

Successful response format of this request would look like the following, with the updated members now inheriting the permissions assigned in the previous example:

{
	"id": "f4a702ac-b998-44e1-a271-840a3f75e6d2",
	"name": "string",
	"description": "string",
	"users": [
    	"d987c69d-464f-4276-bea8-5780cc782b97",
    	"3fa85f64-5717-4562-b3fc-2c963f66afa6" 
  	],
  	"systems": [
    	{
			"systemName": "system-x"
		},
		{
			"systemName": "system-y"
		},
		{
			"systemName": "system-z"
		}
	],
	"updatedAt": "2024-03-07T17:41:59.278Z",
	"updatedByUser": "3fa85f64-5717-4562-b3fc-2c963f66afa6"	
}

Removing subsystems

The Sigrid CI script only adds subsystems, they will never disappear by themselves. If you want to remove a subsystem, users with the administrator or maintainer role can do so via the API.

POST https://sigrid-says.com/rest/inboundresults/sig/{customer}/{system}/ci/subsystems:batch-delete/v1

The body of the request is a list of Unix paths that you want to remove from the system.

    {"names": ["path1", "path2"]}

The following example shows a complete curl commmand that will remove the two sub-systems:

curl --header 'Authorization: Bearer ${SIGRID_PERSONAL_TOKEN}' -X POST https://sigrid-says.com/rest/inboundresults/sig/{customer}/{system}/ci/subsystems:batch-delete/v1 -H 'Content-Type: application/json' --data '{ "names" : ["path1", "path2"] }'

A new analysis will run for your system and the results will be available in the Sigrid UI and API once the analysis is complete.

Contact and support

Feel free to contact SIG’s support department for any questions or issues you may have after reading this document, or when using Sigrid or Sigrid CI. Users in Europe can also contact us by phone at +31 20 314 0953.