JFrog Catalog REST API
API for querying and managing package metadata, searching for packages and CVEs, and managing custom labels for software components through a GraphQL-based interface.
OpenAPI Specification
openapi: 3.1.0
info:
title: JFrog Catalog REST API
description: >-
API for querying and managing package metadata, searching for packages and
CVEs, and managing custom labels for software components. JFrog Catalog
provides a unified view of all packages across the JFrog Platform with
enriched security and metadata information, primarily accessed through a
GraphQL-based interface.
version: 1.x
contact:
name: JFrog
url: https://jfrog.com
license:
name: Proprietary
url: https://jfrog.com/terms-of-service/
termsOfService: https://jfrog.com/terms-of-service/
externalDocs:
description: JFrog Catalog Documentation
url: https://jfrog.com/help/r/jfrog-security-user-guide/products/catalog
servers:
- url: https://{server}.jfrog.io/catalog/api/v1
description: JFrog Cloud
variables:
server:
default: myserver
description: Your JFrog server name
- url: https://{host}/catalog/api/v1
description: Self-hosted JFrog instance
variables:
host:
default: localhost:8082
description: Your self-hosted JFrog server host
security:
- bearerAuth: []
- basicAuth: []
tags:
- name: GraphQL
description: GraphQL query interface for package and CVE data
- name: Labels
description: Custom label management for packages
- name: Packages
description: Package metadata search and retrieval
paths:
/custom/graphql:
post:
operationId: executeGraphQLQuery
summary: JFrog Execute GraphQL Query
description: >-
Executes a GraphQL query against the JFrog Catalog. Supports querying
packages, package versions, CVE information, license data, and custom
labels. This is the primary interface for interacting with the Catalog
service.
tags:
- GraphQL
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/GraphQLRequest'
responses:
'200':
description: GraphQL query executed successfully
content:
application/json:
schema:
$ref: '#/components/schemas/GraphQLResponse'
'400':
description: Invalid GraphQL query syntax
'401':
description: Unauthorized
/packages/search:
post:
operationId: searchPackages
summary: JFrog Search Packages
description: >-
Searches for packages across the catalog using various filter criteria
including name, type, version, and labels.
tags:
- Packages
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/PackageSearchRequest'
responses:
'200':
description: Search results retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/PackageSearchResponse'
'400':
description: Invalid search criteria
/packages/{packageType}/{packageName}:
get:
operationId: getPackage
summary: JFrog Get Package Details
description: >-
Returns detailed metadata for a specific package, including versions,
licenses, vulnerabilities, and custom labels.
tags:
- Packages
parameters:
- name: packageType
in: path
required: true
schema:
type: string
enum: [npm, maven, pypi, docker, go, nuget, gems, cargo, conda, composer, helm, cocoapods, pub, swift, rpm, debian, conan]
description: Package ecosystem type
- name: packageName
in: path
required: true
schema:
type: string
description: Package name (URL-encoded if contains special characters)
responses:
'200':
description: Package details retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/PackageDetail'
'404':
description: Package not found
/packages/{packageType}/{packageName}/versions:
get:
operationId: getPackageVersions
summary: JFrog Get Package Versions
description: >-
Returns all known versions of a specific package with their associated
metadata, vulnerability counts, and license information.
tags:
- Packages
parameters:
- name: packageType
in: path
required: true
schema:
type: string
description: Package ecosystem type
- name: packageName
in: path
required: true
schema:
type: string
description: Package name
- name: limit
in: query
schema:
type: integer
default: 25
description: Maximum number of results
- name: offset
in: query
schema:
type: integer
description: Pagination offset
responses:
'200':
description: Package versions retrieved
content:
application/json:
schema:
type: object
properties:
versions:
type: array
items:
$ref: '#/components/schemas/PackageVersion'
total_count:
type: integer
/packages/{packageType}/{packageName}/versions/{version}/vulnerabilities:
get:
operationId: getVersionVulnerabilities
summary: JFrog Get Version Vulnerabilities
description: >-
Returns all known CVEs affecting a specific package version, including
both direct (non-transitive) and transitive vulnerabilities.
tags:
- Packages
parameters:
- name: packageType
in: path
required: true
schema:
type: string
description: Package ecosystem type
- name: packageName
in: path
required: true
schema:
type: string
description: Package name
- name: version
in: path
required: true
schema:
type: string
description: Package version
- name: severity
in: query
schema:
type: string
enum: [Low, Medium, High, Critical]
description: Filter by minimum severity
responses:
'200':
description: Vulnerabilities retrieved
content:
application/json:
schema:
type: object
properties:
vulnerabilities:
type: array
items:
$ref: '#/components/schemas/CatalogVulnerability'
total_count:
type: integer
/labels:
get:
operationId: listLabels
summary: JFrog List Labels
description: >-
Returns a list of all custom labels configured in the Catalog.
Labels can be attached to packages for organizational and policy purposes.
tags:
- Labels
responses:
'200':
description: Labels list retrieved
content:
application/json:
schema:
type: object
properties:
labels:
type: array
items:
$ref: '#/components/schemas/Label'
post:
operationId: createLabel
summary: JFrog Create Label
description: >-
Creates a new custom label that can be applied to packages in the Catalog.
Requires administrator permissions.
tags:
- Labels
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/LabelRequest'
responses:
'201':
description: Label created
content:
application/json:
schema:
$ref: '#/components/schemas/Label'
'400':
description: Invalid label configuration
'409':
description: Label name already exists
/labels/{labelName}:
get:
operationId: getLabel
summary: JFrog Get Label
description: Returns details for a specific label.
tags:
- Labels
parameters:
- name: labelName
in: path
required: true
schema:
type: string
description: Label name
responses:
'200':
description: Label details retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/Label'
'404':
description: Label not found
put:
operationId: updateLabel
summary: JFrog Update Label
description: Updates an existing label configuration.
tags:
- Labels
parameters:
- name: labelName
in: path
required: true
schema:
type: string
description: Label name
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/LabelRequest'
responses:
'200':
description: Label updated
'404':
description: Label not found
delete:
operationId: deleteLabel
summary: JFrog Delete Label
description: Removes a label from the Catalog and detaches it from all packages.
tags:
- Labels
parameters:
- name: labelName
in: path
required: true
schema:
type: string
description: Label name
responses:
'204':
description: Label deleted
'404':
description: Label not found
/labels/{labelName}/packages:
post:
operationId: applyLabelToPackages
summary: JFrog Apply Label to Packages
description: Applies a label to one or more packages.
tags:
- Labels
parameters:
- name: labelName
in: path
required: true
schema:
type: string
description: Label name
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
packages:
type: array
items:
type: object
properties:
package_type:
type: string
package_name:
type: string
package_version:
type: string
required:
- package_type
- package_name
required:
- packages
responses:
'200':
description: Label applied to packages
delete:
operationId: removeLabelFromPackages
summary: JFrog Remove Label from Packages
description: Removes a label from one or more packages.
tags:
- Labels
parameters:
- name: labelName
in: path
required: true
schema:
type: string
description: Label name
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
packages:
type: array
items:
type: object
properties:
package_type:
type: string
package_name:
type: string
required:
- package_type
- package_name
required:
- packages
responses:
'200':
description: Label removed from packages
components:
securitySchemes:
bearerAuth:
type: http
scheme: bearer
description: Access token authentication
basicAuth:
type: http
scheme: basic
description: Basic username/password authentication
schemas:
GraphQLRequest:
type: object
properties:
query:
type: string
description: GraphQL query string
variables:
type: object
additionalProperties: true
description: GraphQL query variables
operationName:
type: string
description: Named operation to execute when query contains multiple operations
required:
- query
GraphQLResponse:
type: object
properties:
data:
type: object
additionalProperties: true
description: Query result data
errors:
type: array
items:
type: object
properties:
message:
type: string
locations:
type: array
items:
type: object
properties:
line:
type: integer
column:
type: integer
path:
type: array
items:
type: string
PackageSearchRequest:
type: object
properties:
query:
type: string
description: Text search query for package name
package_type:
type: string
description: Filter by package type
labels:
type: array
items:
type: string
description: Filter by applied labels
has_vulnerabilities:
type: boolean
description: Filter packages with known vulnerabilities
min_severity:
type: string
enum: [Low, Medium, High, Critical]
description: Minimum vulnerability severity filter
limit:
type: integer
default: 25
offset:
type: integer
PackageSearchResponse:
type: object
properties:
packages:
type: array
items:
$ref: '#/components/schemas/PackageSummary'
total_count:
type: integer
PackageSummary:
type: object
properties:
package_type:
type: string
package_name:
type: string
latest_version:
type: string
versions_count:
type: integer
vulnerabilities_count:
type: integer
labels:
type: array
items:
type: string
license:
type: string
PackageDetail:
type: object
properties:
package_type:
type: string
package_name:
type: string
description:
type: string
latest_version:
type: string
versions_count:
type: integer
licenses:
type: array
items:
type: object
properties:
name:
type: string
full_name:
type: string
url:
type: string
format: uri
vulnerabilities_summary:
type: object
properties:
critical:
type: integer
high:
type: integer
medium:
type: integer
low:
type: integer
total:
type: integer
labels:
type: array
items:
type: string
repository_url:
type: string
format: uri
homepage:
type: string
format: uri
PackageVersion:
type: object
properties:
version:
type: string
published:
type: string
format: date-time
licenses:
type: array
items:
type: string
vulnerabilities_count:
type: integer
direct_vulnerabilities_count:
type: integer
description: Non-transitive vulnerabilities affecting this version
transitive_vulnerabilities_count:
type: integer
description: Transitive vulnerabilities from dependencies
labels:
type: array
items:
type: string
CatalogVulnerability:
type: object
properties:
cve:
type: string
description: CVE identifier
severity:
type: string
enum: [Low, Medium, High, Critical]
cvss_v3_score:
type: number
summary:
type: string
is_transitive:
type: boolean
description: Whether this is a transitive vulnerability from a dependency
fixed_versions:
type: array
items:
type: string
published:
type: string
format: date-time
jfrog_research_severity:
type: string
description: JFrog Security Research team severity assessment
jfrog_research_summary:
type: string
description: JFrog Security Research enrichment summary
Label:
type: object
properties:
name:
type: string
description: Unique label name
description:
type: string
color:
type: string
description: Label display color (hex)
created:
type: string
format: date-time
created_by:
type: string
packages_count:
type: integer
description: Number of packages with this label applied
LabelRequest:
type: object
properties:
name:
type: string
description:
type: string
color:
type: string
required:
- name