Access Tokens
Access tokens are cryptographic keys that enable secure, programmatic access to the CVEScan Web API without requiring user login sessions. Designed for automation scenarios like CI/CD pipelines and vulnerability scanning, tokens can be created at the vault, project, or component level with specific permissions. This approach allows automated systems to interact with the API efficiently, serving as a flexible alternative to OAuth2 or JWT authentication.
Key Features
- Hierarchical Scoping: Tokens can be scoped to vault, project, or component levels.
- Permission-Based Access: Fine-grained permissions control what actions tokens can perform.
- Expiration Support: Optional expiration dates for enhanced security.
- Usage Tracking: Monitor token usage with counters and last-used timestamps.
- Secure Storage: Tokens are hashed and stored securely in the database.
Permissions
Currently, CVEScan Web API supports one access token permission:
create-scan
- Description: Use the create (import) scan API.
- Purpose: Allows automated systems to upload vulnerability scan reports.
Token Management
Access tokens can be managed through the WebUI at different organizational levels.
Token Scoping
Access tokens follow a hierarchical scoping model that determines their access level:
Vault-Level Tokens
- Scope: Access to all projects and components within a vault.
- Use Case: Organization-wide automation, CI/CD pipelines.
- Creation: Requires vault admin or higher role.
Project-Level Tokens
- Scope: Access to a specific project and all its components.
- Use Case: Project-specific automation, component scanning.
- Creation: Requires project admin or higher role.
Component-Level Tokens
- Scope: Access to a specific component only.
- Use Case: Component-specific scanning, targeted automation.
- Creation: Requires project admin or higher role.
API Authentication
To authenticate API requests, the client must include the token in the x-access-token HTTP header of each request. This mechanism allows the server to verify the identity and permissions associated with the token, ensuring that only authorized actions are performed. The access token should be kept confidential and transmitted only over secure (HTTPS) connections to prevent interception or misuse.
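The server-side checks this page describes (hashed storage, optional expiry, the create-scan permission, hierarchical vault/project/component scoping, usage counters) as an added Python example; this is illustrative code, not CVEScan's own implementation, and the in-memory TOKEN_DB, the scope_path tuple layout and the function names are assumptions.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# Constructed in-memory stand-in for the token table, keyed by token hash (hypothetical schema).
TOKEN_DB = {}


def _digest(token):
    # A 256-bit random token needs no salt or KDF: a leaked hash cannot be reversed into a usable token.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(scope_path, permissions, ttl_days=None):
    """Mint a token, store only its hash, and return the plaintext exactly once.
    scope_path is ("vault",), ("vault", "project") or ("vault", "project", "component")."""
    plaintext = secrets.token_urlsafe(32)
    expires = None if ttl_days is None else datetime.now(timezone.utc) + timedelta(days=ttl_days)
    TOKEN_DB[_digest(plaintext)] = {
        "scope_path": tuple(scope_path), "permissions": frozenset(permissions),
        "expires_at": expires, "use_count": 0, "last_used": None,
    }
    return plaintext


def token_usage(token):
    """Usage-tracking view: (use_count, last_used) for a known token, or None."""
    rec = TOKEN_DB.get(_digest(token))
    return None if rec is None else (rec["use_count"], rec["last_used"])


def authenticate(headers, permission, target_path):
    """Check an x-access-token header for `permission` on `target_path`; returns (ok, reason)."""
    lowered = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    token = lowered.get("x-access-token")
    if not token:
        return False, "missing x-access-token header"
    rec = TOKEN_DB.get(_digest(token))
    if rec is None:
        return False, "unknown token"  # same answer for never-issued and deleted tokens
    now = datetime.now(timezone.utc)
    if rec["expires_at"] is not None and now >= rec["expires_at"]:
        return False, "token expired"
    if permission not in rec["permissions"]:
        return False, "token lacks permission " + permission
    # Hierarchical scoping: the token's path must be a prefix of the target's path (vault covers all).
    sp = rec["scope_path"]
    if tuple(target_path)[:len(sp)] != sp:
        return False, "target outside token scope"
    rec["use_count"] += 1
    rec["last_used"] = now
    return True, "ok"
```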