
# List vulnerabilities for a repository

> Returns vulnerabilities for the repository path in `repositoryId`. URL-encode the repository path before you send it. For example, use `gecko-security%2FPaperbaum` for `gecko-security/Paperbaum`.



## OpenAPI

````yaml /api-reference/openapi.json get /api/v1/repositories/{repositoryId}/vulnerabilities
# OpenAPI 3.1 document for the Gecko SAST Scanner API (v1). The root-level
# settings below apply to every operation that does not override them.
openapi: 3.1.0
info:
  title: Gecko SAST Scanner API
  version: v1
  description: >-
    Use the Gecko API to launch scans and read scan, repository, and
    vulnerability data for your active team.
# Only an HTTPS production server is listed.
servers:
  - url: https://app.gecko.security
    description: Production
# Root-level requirement: an operation that does not declare its own `security`
# inherits ApiKeyAuth. The empty list means no scopes are named.
security:
  - ApiKeyAuth: []
# Tags group operations in rendered documentation; they carry no access rules.
tags:
  - name: Scans
    description: Launch scans and read scan-level data.
  - name: Repositories
    description: Read repository inventory and repository vulnerability data.
  - name: Vulnerabilities
    description: Read vulnerability data across your active team.
  - name: Utility
    description: Service health and utility endpoints.
paths:
  # `repositoryId` is a single path segment that carries a repository path, so
  # its `/` must arrive percent-encoded as `%2F`.
  # NOTE(review): some HTTP clients, proxies and gateways decode or normalize
  # `%2F` inside a path; verify the encoded slash reaches the server unchanged.
  /api/v1/repositories/{repositoryId}/vulnerabilities:
    # No operation-level `security` is declared here, so the root-level
    # ApiKeyAuth requirement applies to this GET.
    get:
      tags:
        - Repositories
      summary: List vulnerabilities for a repository
      description: >-
        Returns vulnerabilities for the repository path in `repositoryId`.
        URL-encode the repository path before you send it. For example, use
        `gecko-security%2FPaperbaum` for `gecko-security/Paperbaum`.
      operationId: getApiV1RepositoriesByRepositoryIdVulnerabilities
      # One path parameter plus six optional query filters and paging controls.
      parameters:
        - $ref: '#/components/parameters/repositoryId'
        - $ref: '#/components/parameters/severityMinimum'
        - $ref: '#/components/parameters/type'
        - $ref: '#/components/parameters/cwe'
        - $ref: '#/components/parameters/days'
        - $ref: '#/components/parameters/limit'
        - $ref: '#/components/parameters/offset'
      # Documented statuses: 200, 400, 401, 429, 500.
      # NOTE(review): no 403 or 404 is documented, so the spec does not say what
      # a caller receives for a repository that does not exist or belongs to
      # another team. Confirm the behaviour, and that the answer does not reveal
      # whether a repository outside the caller's team exists.
      responses:
        '200':
          description: A paginated list of vulnerabilities for the repository.
          # Rate-limit state is reported on the success response only.
          headers:
            X-RateLimit-Remaining:
              $ref: '#/components/headers/XRateLimitRemaining'
            X-RateLimit-Reset:
              $ref: '#/components/headers/XRateLimitReset'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RepositoryVulnerabilityListResponse'
              # Each row names a file and a weakness class in the scanned
              # repository; handle stored or logged responses as sensitive data.
              example:
                version: v1
                repository: gecko-security/Paperbaum
                data:
                  - id: 3b8d0e21-4c2f-5e3d-0b44-2edf9d8b2e12
                    scanId: 11111111-1111-1111-1111-111111111111
                    scanName: Weekly Security Scan
                    scanCreatedAt: '2025-08-02T08:00:00.000Z'
                    # NOTE(review): the CVSS 3.1 base score of the `cvssVector`
                    # below (PR:L) is 6.5; 7.5 corresponds to PR:N. If `severity`
                    # is meant to be the CVSS base score, this example is
                    # inconsistent; confirm.
                    severity: 7.5
                    confidenceScore: 9
                    title: Path Traversal in File Download
                    type: LFI
                    cwe: CWE-22
                    filePath: api/files/download.py
                    shortDescription: User-controlled path allows reading arbitrary files.
                    cvssVector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                # The example lists one row although `total` is 5; presumably it
                # is abridged. Page with `offset` until `hasMore` is false so
                # that no finding is missed.
                pagination:
                  total: 5
                  limit: 100
                  offset: 0
                  hasMore: false
                # Echo of the filters that were applied to the query.
                # NOTE(review): `days: 7` appears here although the `days`
                # parameter declares no default. If the server applies a window
                # when `days` is omitted, older findings are silently excluded;
                # confirm and document the default.
                filters:
                  severity: null
                  type: null
                  cwe: null
                  days: 7
        '400':
          description: The path or query parameters are invalid.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              # Examples cover `repositoryId`, `severity` and `days` only; no
              # validation error is shown for `limit`, `offset`, `type` or `cwe`.
              examples:
                missingRepositoryId:
                  value:
                    error: Repository ID is required
                badSeverity:
                  value:
                    error: Severity must be a number between 0 and 10
                badDays:
                  value:
                    error: Days must be a positive integer
        '401':
          $ref: '#/components/responses/UnauthorizedError'
        # The referenced response carries `Retry-After`; wait that long before
        # retrying instead of retrying immediately.
        '429':
          $ref: '#/components/responses/RateLimitedError'
        '500':
          $ref: '#/components/responses/InternalServerError'
components:
  # Reusable parameters referenced by the operation's `parameters` list.
  parameters:
    # The schema is an unconstrained string (no `pattern`, no `maxLength`). The
    # second example keeps the `:` after `gitlab` literal and encodes only `/`.
    repositoryId:
      name: repositoryId
      in: path
      required: true
      description: >-
        URL-encoded repository path, for example `gecko-security%2FPaperbaum` or
        `gitlab:group%2Fproject`.
      schema:
        type: string
    # Component key is `severityMinimum`; the query parameter on the wire is
    # `severity`. It is a lower bound (>=), not an exact match.
    severityMinimum:
      name: severity
      in: query
      required: false
      description: >-
        Filter to vulnerabilities with a severity greater than or equal to this
        value.
      schema:
        type: number
        minimum: 0
        maximum: 10
      example: 9
    # Substring matching means one value can match several types. Re-check the
    # returned `type` client-side where an exact filter matters.
    type:
      name: type
      in: query
      required: false
      description: >-
        Filter vulnerabilities by type. Gecko performs a case-insensitive
        substring match.
      schema:
        type: string
      example: sqli
    # Substring matching applies here too: `CWE-89` would also match an
    # identifier such as `CWE-890`. Compare the returned `cwe` exactly when
    # building reports or gates on a single CWE.
    cwe:
      name: cwe
      in: query
      required: false
      description: >-
        Filter vulnerabilities by CWE. Gecko performs a case-insensitive
        substring match.
      schema:
        type: string
      example: CWE-89
    # The window is based on scan creation time. No `default` and no `maximum`
    # are declared.
    # NOTE(review): confirm what the server does when `days` is omitted.
    days:
      name: days
      in: query
      required: false
      description: Filter results to scans created within the last `N` days.
      schema:
        type: integer
        minimum: 1
      example: 14
    # NOTE(review): the description says values are capped at 1000 while the
    # schema declares `maximum: 1000`; it is not stated whether a larger value
    # is clamped or rejected with 400. Confirm.
    limit:
      name: limit
      in: query
      required: false
      description: >-
        Maximum number of results to return. Gecko defaults to `100` and caps
        the value at `1000`.
      schema:
        type: integer
        default: 100
        minimum: 1
        maximum: 1000
      example: 50
    # Zero-based row offset; no upper bound is declared.
    offset:
      name: offset
      in: query
      required: false
      description: Number of results to skip before Gecko starts returning rows.
      schema:
        type: integer
        default: 0
        minimum: 0
      example: 0
  # Reusable response headers. The component keys omit hyphens; the wire names
  # (`X-RateLimit-Remaining`, `X-RateLimit-Reset`, `Retry-After`) are set where
  # each component is referenced.
  headers:
    # Counted per API key over a one-hour window.
    XRateLimitRemaining:
      description: Requests remaining in the current one-hour window for the API key.
      schema:
        type: integer
    # A date-time string, not a number of seconds or an epoch value.
    XRateLimitReset:
      description: >-
        ISO 8601 timestamp for when the current one-hour rate-limit window
        resets.
      schema:
        type: string
        format: date-time
    # Integer seconds; the schema does not allow the HTTP-date form.
    RetryAfter:
      description: Seconds to wait before retrying the request.
      schema:
        type: integer
  # Response body schemas. None of them sets `additionalProperties`, so extra
  # fields are permitted by the schema.
  schemas:
    # Envelope of the 200 response; all five members are required.
    RepositoryVulnerabilityListResponse:
      type: object
      required:
        - version
        - repository
        - data
        - pagination
        - filters
      properties:
        version:
          type: string
          const: v1
        repository:
          type: string
        data:
          type: array
          items:
            $ref: '#/components/schemas/VulnerabilitySummary'
        pagination:
          $ref: '#/components/schemas/Pagination'
        filters:
          $ref: '#/components/schemas/RepositoryVulnerabilityFilters'
    # Error body shared by the 400, 401, 429 and 500 responses. Only `error` is
    # required; `details` and `hint` are optional and may be null.
    # NOTE(review): `details` and `hint` are free text; confirm what the server
    # places there before surfacing them to end users or logs.
    ErrorResponse:
      type: object
      required:
        - error
      properties:
        error:
          type: string
        details:
          type:
            - string
            - 'null'
        hint:
          type:
            - string
            - 'null'
    # One finding. `title`, `filePath` and `shortDescription` are unconstrained
    # strings, presumably derived from scanned repository content; escape them
    # before rendering in dashboards, tickets or chat messages.
    VulnerabilitySummary:
      type: object
      required:
        - id
        - scanId
        - severity
        - title
        - type
        - cwe
        - filePath
        - shortDescription
      properties:
        # In OpenAPI 3.1 / JSON Schema 2020-12, `format` is an annotation by
        # default; validate UUIDs client-side if they are used as keys.
        id:
          type: string
          format: uuid
        scanId:
          type: string
          format: uuid
        scanName:
          type:
            - string
            - 'null'
        scanCreatedAt:
          type:
            - string
            - 'null'
          format: date-time
        # Same 0-10 range as the `severity` query filter.
        severity:
          type: number
          minimum: 0
          maximum: 10
        # Optional and nullable; a consumer that gates on confidence must decide
        # how to treat a missing or null score.
        confidenceScore:
          type:
            - number
            - 'null'
          minimum: 0
          maximum: 10
        title:
          type: string
        # `type` and `cwe` are free strings here (no `enum`, no `pattern`).
        type:
          type: string
        cwe:
          type: string
        filePath:
          type: string
        shortDescription:
          type: string
        cvssVector:
          type:
            - string
            - 'null'
        # Declared here but absent from the operation's 200 example.
        createdAt:
          type:
            - string
            - 'null'
          format: date-time
    # Paging state for the current query; `hasMore` tells the client whether to
    # request another page.
    Pagination:
      type: object
      required:
        - total
        - limit
        - offset
        - hasMore
      properties:
        total:
          type: integer
        limit:
          type: integer
        offset:
          type: integer
        hasMore:
          type: boolean
    # Echo of the filters applied to the query. Every member is required but
    # nullable, so an unused filter is reported as null rather than omitted.
    RepositoryVulnerabilityFilters:
      type: object
      required:
        - severity
        - type
        - cwe
        - days
      properties:
        severity:
          type:
            - number
            - 'null'
        type:
          type:
            - string
            - 'null'
        cwe:
          type:
            - string
            - 'null'
        days:
          type:
            - integer
            - 'null'
  # Reusable error responses. All use the ErrorResponse body; only
  # RateLimitedError declares a header.
  responses:
    # Three distinct messages separate a missing key, a key with the wrong
    # format, and a well-formed key that is not valid.
    UnauthorizedError:
      description: The API key is missing, malformed, or invalid.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
          examples:
            missingKey:
              value:
                error: API key is required
            badFormat:
              value:
                error: Invalid API key format
            badKey:
              value:
                error: Invalid API key
    # The limit is per API key and per hour. Honour `Retry-After` before
    # retrying; the X-RateLimit-* headers are not declared on this response.
    RateLimitedError:
      description: The API key reached the per-hour request limit.
      headers:
        Retry-After:
          $ref: '#/components/headers/RetryAfter'
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
          example:
            error: Rate limit exceeded
    # The example exposes a generic message only.
    InternalServerError:
      description: Gecko failed to process the request.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
          example:
            error: Internal server error
  # The only authentication scheme: a static API key sent in the `X-API-Key`
  # request header. Per the description the key is scoped to a team, so it
  # reads that team's vulnerability data; load it from a secret store, keep it
  # out of source control and URLs, and redact the header in request logs.
  # The documented `gk_` prefix can anchor secret-scanning and redaction rules.
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: X-API-Key
      description: Team-scoped Gecko API key. Keys start with `gk_`.

````