Importing Scanner Vulnerability Reports

Users can import vulnerability report files from a wide variety of security tools. Reports are translated into Phoenix’s internal format, then loaded into assessments as assets and findings.

There are two supported integration paths:

Path	Endpoint	Who translates	Best for
Raw file REST API	POST /v1/import/assets/file/translate	Phoenix platform (server-side)	Custom apps in any language; upload native scanner output and let Phoenix translate it
Loading Script V5 PUB	POST /v1/import/assets (after client-side translation)	phoenix_multi_scanner_enhanced.py + scanner_translators/	CI/CD, operations teams, and richer client-side handling of Grype/Trivy and 200+ scanner formats

1. API Domains

The API domain for Production (SaaS) is https://api.securityphoenix.cloud. If you are not on Production, contact your Phoenix team for the correct API domain.

2. Authentication

2.1 Access Token

All API calls require a Bearer access token.

Create API credentials in the Phoenix UI (Organization > API Access). Store the client secret securely at creation time, it cannot be retrieved later.
Obtain a token using HTTP Basic Auth (client_id as username, client_secret as password):

GET {{baseUrl}}/v1/auth/access_token
Authorization: Basic base64(clientId:clientSecret)

2.1.1 Response

{
  "token": "string",
  "expiry": 1717500000
}

token: Opaque Bearer token for subsequent requests.
expiry: Unix timestamp when the token expires. Because of clock skew, don’t rely on this alone; handle “token invalid or expired” responses by re-authenticating.

3. REST API: Raw File Import

Import scan report files:

POST /v1/import/assets/file/translate

This is an asynchronous request: the report is uploaded and enqueued; translation and import run in the background.

Required header:

Content-Type: multipart/form-data

3.1 Parameters

file: Required. The actual contents of the report file (multi-part form format).
scanType: Required. The name of the scan type of the report – see the list of supported formats below.
assessmentName: Required. The name of the assessment that this report is associated with. It provides context to successive imports of reports covering the same scope (assets).
importType: Required. The type of import in the context of the assessment (“new” or “merge”).
scanTarget: Optional. A string with the name/path of the target that was scanner in the report.
autoImport: Optional. Defaults to true. Indicates that the import should take place automatically after report pre-processing, if there are no errors. Only change if you want to separate the processing and import steps.

3.1.1 Response

{
  "id": "uuid",
  "organizationId": "uuid",
  "requestDetails": {
    "importType": "new" | "merge",
    "scanType": "string",
    "assessmentName": "string",
    "scanTarget": "string",
    "autoImport": true
  },
  "status": "string",
  "createdAt": "date-time",
  "importedAt": "date-time",
  "error": "string"
}

id: The UUID identifying the import request. It can be used to check status of the import.
organizationId: The organisation ID where the import is taking place.
requestDetails: The same details that were passed as parameters in the request.
status: The status of the request (TRANSLATING, READY_FOR_IMPORT, IMPORTED, ERROR).
createdAt: Date-time of the creation of the import request.
importedAt: Timestamp of the actual import of the report, after pro-processing.
error: Description of any errors that might have taken place during processing and import.

3.2 Import Request Status

The response of the import request can contain one of the following status values:

TRANSLATING: This means that the request has been saved in the platform and is waiting for or in the process of being parsed and translated into Phoenix’s internal format.
READY_FOR_IMPORT: The pre-processing has completed successfully and the report can be imported. This is only relevant in autoImport is set to false in the request; otherwise the report is imported automatically after pre-processing (the default).
IMPORTED: The pre-processing and import steps have completed successfully.
ERROR: There was an error during the processing or import of the report. The error field would include additional details.

3.3 Check Import Status

Depending on the size of the report, the upload, pre-processing and import of the report can take some time. That’s why import requests through this API are asynchronous. Once a request is made, you can check the status of the import using the following API endpoint.

GET /v1/import/assets/file/translate/request/<request-id>

where the <request-id> is the “id” field received in the response to the import request.

3.3.1 Response

{
  "id": "uuid",
  "organizationId": "uuid",
  "requestDetails": {
    "importType": "new" | "merge",
    "scanType": "string",
    "assessmentName": "string",
    "scanTarget": "string",
    "autoImport": true
  },
  "status": "string",
  "createdAt": "date-time",
  "importedAt": "date-time",
  "error": "string"
}

These values have the same meaning as for the response to the import request above. Once the whole process is completed (in the background) the status field’s value would be “IMPORTED” and the importedAt field would contain the import timestamp.

4. Loading Script V5 PUB

The Loading Script V5 PUB toolkit translates scanner output locally, validates and batches payloads, then calls:

POST /v1/import/assets
Content-Type: application/json
Authorization: Bearer <token>

With Phoenix JSON. It does not send raw files to /file/translate for upload (it only calls the /file/translate/request/<id> endpoint to poll status).

4.1 What’s Included

Component	Purpose
phoenix_multi_scanner_enhanced.py	Main CLI, translate and upload directly to Phoenix
scanner_translators/	44 dedicated Python translators (Tier 1)
scanner_field_mappings.yaml	YAML fallback covering additional scanner formats (200+ scanner types in total)
phoenix-scanner-client/	CLI uploader for CI/CD
phoenix-scanner-service/	Optional Docker API + worker queue
simple-upload-actions/	GitHub Actions/Jenkins direct-upload templates

4.2 Grype & Trivy

These scanners have Tier 1 Python translators with ongoing enhancements.

4.2.1 Anchore Grype

Topic	Detail
Input	Grype JSON (grype <image> -o json)
REST scanType	Anchore Grype
Asset type	CONTAINER (Grype is container-only)
V5 enhancements	OCI labels org.opencontainers.image.base.digest > imageDigest and …base.name > imageName; all other labels > asset tags; package metadata (name, version, CPE) attached to findings

4.3 Trivy

Topic	Detail
Input	Trivy JSON (current schema, SchemaVersion 2)
REST scanType	Trivy Scan
Asset type	Auto-detected from the JSON (CLI –asset-type is a fallback only)

The V5 Trivy translator detects the asset type from the report’s ArtifactType/structure:

container_image: CONTAINER
vm: INFRA
aws_account: CLOUD
repository: REPOSITORY
filesystem/cyclonedx/spdx with lang-pkgs or os-pkgs: BUILD
filesystem/cyclonedx/spdx with secrets only: REPOSITORY
Top-level Resources[] (Kubernetes): INFRA
Legacy array format (no ArtifactType): –asset-type if set, else CONTAINER

Finding types translated: Vulnerabilities[], Misconfigurations[], Secrets[].

Other behaviors:

Severity is sent as a float for risk scoring.
Assets with no findings are skipped (pass –create-inventory-assets to create them anyway).

In V5, Trivy is not limited to CONTAINER. Only Grype is container-only. The platform catalog may list Trivy Scan under container scanners, but the V5 translator assigns BUILD, INFRA, REPOSITORY or CLOUD when the JSON supports it.

4.3.1 Trivy Operator

Topic	Detail
REST scanType	Trivy Operator Scan
V5 flag	–scanner trivy-operator
Typical asset type	CONTAINER (Kubernetes workloads)

4.4 Combining Grype & Trivy in one Assessment

Run Trivy with –import-type new to establish the baseline.
Run Grype with –import-type merge to add findings to the same assessment.
Use the same –assessment name on every run.

This works for both REST and V5 CLI.

4.5 Import Types

Supported on the REST file-import API (importType) and on the V5 CLI (–import-type).

new: Full snapshot for the assessment scope. Findings absent from the new report may be closed.
merge: Add or update assets and findings in the assessment.
delta: Add or update only what is in the report; does not remove or close findings/assets missing from the report.

5. Choosing an Import Path

Need	Use
Language-agnostic integration, minimal dependencies	/file/translate
Best Grype/Trivy handling (secrets, misconfig, asset-type logic)	V5 PUB
Enterprise CI/CD with queues and job monitoring	client + service
Pipeline traceability (repo, branch, commit, run ID)	–tag-file or simple-upload-actions/

6. scanType Values for REST File Import

The list below covers all the report types that can be imported the Phoenix API. The name of the report as shown below (literally, the whole string, including parenthesys) is the value to be passed in the scanType parameter described above.

Acunetix Scan
Acunetix360 Scan
Anchore Engine Scan
Anchore Enterprise Policy Check
Anchore Grype
AnchoreCTL Policies Report
AnchoreCTL Vuln Report
AppSpider Scan
Aqua Scan
Arachni Scan
AuditJS Scan
AWS Prowler Scan
AWS Prowler V3
AWS Scout2 Scan
AWS Security Finding Format (ASFF) Scan
AWS Security Hub Scan
Azure Security Center Recommendations Scan
Bandit Scan
Blackduck Component Risk
Blackduck Hub Scan
Brakeman Scan
BugCrowd Scan
Bundler-Audit Scan
Burp Enterprise Scan
Burp GraphQL API
Burp REST API
Burp Scan
CargoAudit Scan
Checkmarx OSA
Checkmarx Scan
Checkmarx Scan detailed
Checkov Scan
Clair Klar Scan
Clair Scan
Cloudsploit Scan
Cobalt.io Scan
Codechecker Report native
Contrast Scan
Coverity API
Crashtest Security JSON File
Crashtest Security XML File
CredScan Scan
CycloneDX Scan
DawnScanner Scan
Dependency Check Scan
Dependency Track Finding Packaging Format (FPF) Export
Detect-secrets Scan
docker-bench-security Scan
Dockle Scan
DrHeader JSON Importer
DSOP Scan
Edgescan Scan
ESLint Scan
Fortify Scan
Generic Findings Import
Ggshield Scan
Github Vulnerability Scan
GitLab API Fuzzing Report Scan
GitLab Container Scan
GitLab DAST Report
GitLab Dependency Scanning Report
GitLab SAST Report
GitLab Secret Detection Report
Gitleaks Scan
Gosec Scanner
Govulncheck Scanner
HackerOne Cases
Hadolint Dockerfile check
Harbor Vulnerability Scan
Horusec Scan
HuskyCI Report
Hydra Scan
IBM AppScan DAST
Immuniweb Scan
IntSights Report
JFrog Xray API Summary Artifact Scan
JFrog Xray Scan
JFrog Xray Unified Scan
KICS Scan
Kiuwan Scan
kube-bench Scan
Meterian Scan
Microfocus Webinspect Scan
MobSF Scan
Mobsfscan Scan
Mozilla Observatory Scan
Netsparker Scan
NeuVector (compliance)
NeuVector (REST)
Nexpose Scan
Nikto Scan
Nmap Scan
Node Security Platform Scan
NPM Audit Scan
Nuclei Scan
Openscap Vulnerability Scan
OpenVAS CSV
ORT evaluated model Importer
OssIndex Devaudit SCA Scan Importer
Outpost24 Scan
PHP Security Audit v2
PHP Symfony Security Check
pip-audit Scan
PMD Scan
Popeye Scan
PWN SAST
Qualys Infrastructure Scan (WebGUI XML)
Qualys Scan
Qualys Webapp Scan
Retire.js Scan
Risk Recon API Importer
Rubocop Scan
Rusty Hog Scan
SARIF
Scantist Scan
Scout Suite Scan
Semgrep JSON Report
SKF Scan
Snyk Scan
Solar Appscreener Scan
SonarQube API Import
SonarQube Scan
SonarQube Scan detailed
Sonatype Application Scan
SpotBugs Scan
SSL Labs Scan
Sslscan
Sslyze Scan
SSLyze Scan (JSON)
StackHawk HawkScan
Talisman Scan
Tenable Scan
Terrascan Scan
Testssl Scan
TFSec Scan
Trivy Operator Scan
Trivy Scan
Trufflehog Scan
Trufflehog3 Scan
Trustwave Fusion API Scan
Trustwave Scan (CSV)
Twistlock Image Scan
VCG Scan
Veracode Scan
Veracode SourceClear Scan
Vulners
Wapiti Scan
Wazuh
WFuzz JSON report
Whispers Scan
WhiteHat Sentinel
Whitesource Scan
Wpscan
Xanitizer Scan
Yarn Audit Scan
ZAP Scan

Updated on June 4, 2026