Tests
Create a new test.
Currently, the Test API Shim supports two ways of starting Tests:
- Subject-based (DEPRECATED Jan 2026)
- Resource-based (Preferred)
Resource-based Tests are the foundation for the Test API moving forward. Resources represent a "thing" to be Tested by Snyk, including both what that thing is as well as where to find it. Resources should always be provided with a ScanConfiguration in the TestConfiguration. The ScanConfiguration contains scanner-specific parameter objects for the scanners offered by Snyk. The presence of a specific scanner's config informs the Test API to attempt to use that scanner to Test the Resource(s).
The Resource and ScanConfig structure is designed so that Snyk determines which of the requested Scans can be performed on the provided list of Resources.
Currently, the Test API supports running one Scanner on the provided Resources, and each scanner only in combination with specific sets of Resources.
Resource-based Tests that are currently supported are:
- Secrets Scan (Closed Beta): Secrets ScanConfig + (1) Upload Resource containing Source code.
- SBOM SCA Scan (Early Access): SCA ScanConfig + (1) Upload Resource containing an SBOM.
- SBOM SCA Scan + Reachability Analysis (Early Access): SCA ScanConfig + (2) Upload Resources, one containing Source Code and another containing an SBOM.
As more Test flows are made available through the Test API, this listing will be updated.
Subject-based Tests represent the initial version of the Test API and use a "Subject" to inform Snyk of both what should be Tested as well as how to Test it - e.g. a DepGraph Subject tells the Shim to Test the provided DepGraph using the Open Source scanner.
Currently supported Subjects are:
- Dep Graph (SCA Scan)
- SBOM Bundle (SCA Scan)
- SBOM + Reachability Bundle (SCA Scan)
Each of these Subjects is available for use through the Test API and will run and yield results for users with appropriate permissions.
Other Subjects that are present in the API specification but are not officially released are:
- Git URL
- Deepcode Bundle
Either of these Subjects will be accepted through the API, but neither is guaranteed to return enriched Test results.
Required permissions
- View Organization (org.read)
- Test packages (org.package.test)
API key value must be prefixed with "Token ".
Snyk Org ID under which to run or query information about a Job or Test.
The API version requested.
A unique ID assigned to each API request, for tracing and troubleshooting.
Snyk clients can optionally provide this ID.
Identifies the Snyk client interaction in which this API request occurs.
The identifier is an opaque string, though at the time of writing it may be either a UUID or a URN containing a UUID and some metadata.
TestRequestBody represents the request body used when creating a Test.
The request has been accepted for processing, but processing has not yet completed.
Invalid input
Get a test.
A Test returned through this endpoint is intended to be a completed Test with results. The data returned through this endpoint does not contain the Findings for the Test, but a description of the Test that was run and its status.
Tests that completed successfully are marked with an appropriate outcome according to the configured Thresholds.
Facts about the Test (e.g. how many dependencies were present in a Tested SBOM) are attached to this response as well as a summary of the Findings uncovered during the Test.
Any Errors or Warnings that occurred during the Test will be present in the response from this endpoint.
Required permissions
View Organization (org.read)
API key value must be prefixed with "Token ".
Snyk Org ID under which to run or query information about a Job or Test.
Test ID returned from the Test API to query.
The API version requested.
A unique ID assigned to each API request, for tracing and troubleshooting.
Snyk clients can optionally provide this ID.
Identifies the Snyk client interaction in which this API request occurs.
The identifier is an opaque string, though at the time of writing it may be either a UUID or a URN containing a UUID and some metadata.
Successful API response with a single resource
Invalid input
Get a test job.
The Test API is Asynchronous, and Tests begun through the API are assigned a Job ID which references the in-progress Test. The Job ID is provided in a successful response from the CreateTest endpoint.
This endpoint is used to poll for the status of a Test using its associated Job ID.
When the Job is Finished and the Test is ready for consumption, the Related link will be populated in the response with a link to the finished Test entity.
Required permissions
View Organization (org.read)
API key value must be prefixed with "Token ".
Snyk Org ID under which to run or query information about a Job or Test.
Job ID returned from the Test API to query.
The API version requested.
A unique ID assigned to each API request, for tracing and troubleshooting.
Snyk clients can optionally provide this ID.
Identifies the Snyk client interaction in which this API request occurs.
The identifier is an opaque string, though at the time of writing it may be either a UUID or a URN containing a UUID and some metadata.
Successful API response with a single resource
Redirect to another resource after async processing.
Invalid input
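The job-polling flow described under "Get a test job", as an added example that is not Snyk's own client code: it polls a Job until the Related link (or a redirect) points at the finished Test, and refuses to carry the API key to a different origin. The `Authorization` header name, the 200/303 status codes, the `links.related` body location, the `fetch` transport and the `example.test` URLs are assumptions for illustration; take the real values from the API specification.

```python
import time
from urllib.parse import urljoin, urlsplit

def auth_headers(api_key):
    # The page requires the "Token " prefix; the header name is an assumption.
    key = api_key if api_key.startswith("Token ") else "Token " + api_key
    return {"Authorization": key}

def related_link(body):
    # ASSUMPTION: where the Related link sits in the job response body.
    return ((body or {}).get("links") or {}).get("related")

def same_origin(base_url, link):
    # Resolve relative links, then insist on https and an unchanged host so
    # the API key is never replayed to another origin.
    target = urljoin(base_url, link)
    a, b = urlsplit(base_url), urlsplit(target)
    if b.scheme != "https" or (a.scheme, a.netloc) != (b.scheme, b.netloc):
        raise ValueError("refusing to send API key to " + target)
    return target

def wait_for_test(fetch, job_url, api_key, max_polls=10, delay=2.0, sleep=time.sleep):
    # fetch(url, headers) -> (status, response_headers, json_body); it is
    # supplied by the caller and must not follow redirects on its own.
    headers = auth_headers(api_key)
    for _ in range(max_polls):
        status, resp_headers, body = fetch(job_url, headers)
        if status == 303:  # assumed code for "redirect after async processing"
            return same_origin(job_url, resp_headers["Location"])
        if status != 200:
            raise RuntimeError("job poll failed with HTTP %d" % status)
        link = related_link(body)
        if link:  # Job finished: the Related link is populated
            return same_origin(job_url, link)
        sleep(delay)
    raise TimeoutError("job did not finish within %d polls" % max_polls)

def scripted(responses):
    # Constructed stand-in transport for offline runs: replays canned responses.
    it = iter(responses)
    return lambda url, headers: next(it)

if __name__ == "__main__":
    job = "https://api.example.test/jobs/JOB_ID"  # constructed placeholder URL
    fake = scripted([(200, {}, {}), (200, {}, {"links": {"related": "/tests/TEST_ID"}})])
    print(wait_for_test(fake, job, "API_KEY", sleep=lambda s: None))
```

Bounding the number of polls keeps a stuck Job from holding a CI runner indefinitely, and the origin check matters most when the transport would otherwise follow redirects automatically with the key attached.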

