At Cobalt, we strive to make security easier, and more accessible. To incorporate pentesting more tightly into the SDLC, you need the right tools — ones that can integrate with workflows, automate repetitive tasks, and enable you to analyze vulnerabilities holistically.
We are excited to announce that the Cobalt API is no longer read-only! We have rolled out the first set of updates enabling our customers to interact with Assets and Findings through the API, so your teams can directly integrate your systems and applications with Cobalt.
What Has Changed?
It is now possible to manage your Finding State and Assets with the Cobalt API. Let's look at the new operation for updating a Finding’s State.
Updating a Finding’s State
Method | Endpoint
--- | ---
GET | /findings/{finding_id}/possible_states
PATCH | /findings/{finding_id}
To update a Finding's state, you first need to know which transitions are allowed. Here is an example response listing the available states:
GET /findings/{finding_id}/possible_states
Response:
{
  "resource": {
    "current_state": "wont_fix",
    "possible_states": [ "need_fix" ]
  }
}
The only state this finding can move to is “need_fix”. To update the finding’s state, pass the new state in the request body:
UPDATE (PATCH /findings/{finding_id})
Request: { "state": "need_fix" }
Response: HTTP Status: 204 - No Content
Managing Assets
Here are examples for each operation related to asset management:
Method | Endpoint
--- | ---
POST | /assets
GET | /assets/{assetId}
PUT | /assets/{assetId}
DELETE | /assets/{assetId}
To create an asset, it is necessary to know its size and type. These values can be reviewed in our API documentation.
POST /assets
Request: { "title": "An Asset", "assetType": "web", "description": "description" }
Response: HTTP Status: 201 - Created
The ID of your new asset is returned in the response headers; use it for the other operations. For example, retrieve a single asset from your organization by passing the Asset ID as a parameter, or call the method without an ID to list all assets.
GET /assets/{assetId}
Response:
{
  "data": {
    "resource": {
      "id": "as_4Nf6j2X5w1rqybdPGW47df",
      "title": "An Asset",
      "description": "description",
      "asset_type": "web_plus_api",
      "attachments": []
    },
    "links": { "ui": { "url": "some_url" } }
  }
}
The last two new operations are for updating and deleting an Asset:
UPDATE (PUT /assets/{assetId})
Request: { "title": "An Asset updated", "assetType": "mobile", "description": "description" }
Response: HTTP Status: 204 - No Content

DELETE /assets/{assetId}
Response: HTTP Status: 204 - No Content
How Can You Use These Functions?
Today, creating assets requires users to go to our platform and create each asset manually. For an organization with a large number of assets, this takes a lot of time. The API saves time and effort: users can, for example, script the creation of those assets, and they can also make updates via the API.
For their findings’ state, users will be able to make updates through our API. The most obvious use case is ticketing and bug tracking systems — users can combine their system’s API with our API to update the findings’ state. An example would be to register a webhook that is called when a ticket changes state, and have it trigger a call to our API so the finding’s state is updated accordingly in the Cobalt platform.
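One way to implement the webhook-driven update described above, as an added example that is not Cobalt's own code: it reads possible_states before sending the PATCH, so a ticket transition the API does not allow is reported instead of forced. The base URL, the Bearer-token header and the finding ID are assumptions; ReplayTransport replays the post's sample responses so the script runs offline.

```python
import json
import urllib.request

# Assumed base URL and Bearer-token header; neither is stated in the post.
API_BASE = "https://api.cobalt.io"

def http_json(method, url, token, body=None):
    """Live transport: send a JSON request, return (HTTP status, decoded body or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)

def possible_states(finding_id, token, transport=http_json):
    """GET /findings/{finding_id}/possible_states -> (current_state, allowed next states)."""
    status, body = transport("GET", f"{API_BASE}/findings/{finding_id}/possible_states", token)
    if status != 200 or not body:
        raise RuntimeError(f"possible_states failed: HTTP {status}")
    resource = body["resource"]
    return resource["current_state"], list(resource["possible_states"])

def sync_finding_state(finding_id, target_state, token, transport=http_json):
    """Apply a ticket-driven state change only if the API lists it as legal; returns a verdict."""
    current, allowed = possible_states(finding_id, token, transport)
    if target_state == current:
        return "unchanged"
    if target_state not in allowed:
        # A ticket status mapped to a disallowed transition is surfaced to the operator, never forced.
        return "rejected"
    status, _ = transport("PATCH", f"{API_BASE}/findings/{finding_id}", token, {"state": target_state})
    if status != 204:
        raise RuntimeError(f"PATCH failed: HTTP {status}")
    return "updated"

class ReplayTransport:
    """Offline stand-in: replays the post's sample responses and records every request made."""
    def __init__(self):
        self.calls = []
    def __call__(self, method, url, token, body=None):
        self.calls.append((method, url, body))
        if method == "GET":
            return 200, {"resource": {"current_state": "wont_fix", "possible_states": ["need_fix"]}}
        return 204, None
```

Wire sync_finding_state into the webhook handler with the real http_json transport and map each ticket status to the Cobalt state it should produce; "rejected" results are the cases worth alerting on.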
Future of the Cobalt API
We aren’t done yet! The Integrations Team has many additional launches planned for 2022. Coming soon, we will enable our users to pull a single finding or pentest, and consume a Pentest’s Report via the API to showcase it in other analytics tools, internal applications, reports, etc. There has also been a growing need for User Management with our API, so we are working to support the adding, updating, and removing of Users later this year.
Users planning to integrate should also keep an eye out for our upcoming Webhooks roll out, which will enable consuming events directly from Cobalt, rather than polling the API!
What else would you like to do with our API? Share your feedback and suggestions by emailing us at integrations@cobalt.io and make sure to check out our integrations page for more info.