
API Documentation

Integrate ExecFormer vulnerability detection into your workflow

Quick Start

1. Get an API key

Scroll to the bottom of this page and click Create API key, or POST to /api/keys.

2. Make a request

# Scan code for vulnerabilities
curl -X POST http://localhost:8000/api/v1/scan \
  -H "Content-Type: application/json" \
  -H "X-API-Key: YOUR_KEY" \
  -d '{"code": "void f() { char *p = malloc(64); free(p); printf(\"%s\", p); }"}'

3. Parse the response

The JSON response includes a vulnerable boolean, a confidence score, the CWE classification (cwe and cwe_name), and a severity rating.

Authentication

API keys are created instantly via POST /api/keys and are valid for 30 minutes. Include your key in the request header:

X-API-Key: ef_your_key_here

Error responses

401  Missing API key header
401  Invalid API key
401  Expired API key

Endpoints

POST /api/v1/scan

Scan C/C++ code for memory safety vulnerabilities

Authentication required — X-API-Key header

Request body

{
  "code": "void f() { char *p = malloc(64); free(p); printf(\"%s\", p); }",
  "language": "cpp",
  "threshold": 0.03
}

Response

{
  "id": "ef_abc123...",
  "vulnerable": true,
  "confidence": 0.85,
  "cwe": "CWE-416",
  "cwe_name": "Use-After-Free",
  "severity": "CRITICAL",
  "details": {
    "processing_time": 1.2,
    "token_count": 256,
    "gate_tokens_selected": 128,
    "threshold": 0.03
  }
}

POST /api/keys

Create a new API key

No authentication required

Response

{
  "key": "ef_abc123...",
  "created_at": "2024-01-01T00:00:00Z",
  "expires_at": "2024-01-01T00:30:00Z",
  "expires_in_minutes": 30
}

GET /api/health

Check service status

No authentication required

POST /api/scan

Web demo scanner (no authentication)

No authentication required

Same request format as /api/v1/scan but without the API key header. Intended for the web demo interface.

Supported CWE Types

CWE      Name                 Severity
CWE-787  Out-of-bounds Write  CRITICAL
CWE-125  Out-of-bounds Read   HIGH
CWE-416  Use-After-Free       CRITICAL
CWE-415  Double Free          HIGH
CWE-401  Memory Leak          MEDIUM

Code Examples

import requests

# Create an API key (no authentication needed; the key is valid for 30 minutes)
key_resp = requests.post("http://localhost:8000/api/keys", timeout=30)
key_resp.raise_for_status()
api_key = key_resp.json()["key"]

# Scan code, sending the key in the X-API-Key header
resp = requests.post(
    "http://localhost:8000/api/v1/scan",
    headers={"X-API-Key": api_key},
    json={"code": "void f() { char *p = malloc(64); free(p); *p = 0; }"},
    timeout=60,
)
resp.raise_for_status()  # a 401 here means the key is missing, invalid or expired
result = resp.json()
print(f"Vulnerable: {result['vulnerable']}, CWE: {result['cwe']}")

GitLab CI Integration

Add ExecFormer as a SAST scanner in your .gitlab-ci.yml:

execformer-scan:
  stage: test
  image: python:3.11-slim
  script:
    - pip install requests
    - python scripts/scan_mr.py
  artifacts:
    reports:
      sast: gl-sast-report.json
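The Python snippet and the CI job above leave the glue between the two to a script of your own. What follows is an added example, not the project's scripts/scan_mr.py or any ExecFormer code: a client that creates a key through /api/keys, retries a scan once with a fresh key when the service answers 401 (keys expire after 30 minutes, so a long pipeline can outlive one), and maps each vulnerable response onto an entry for gl-sast-report.json. The severity mapping and the report layout follow GitLab's SAST report schema as I understand it (version 14.x, where the fields used here are valid); that layout is an assumption, not something this page documents.

```python
# ExecFormer severity strings -> values GitLab's SAST report schema accepts
SEVERITY_MAP = {"CRITICAL": "Critical", "HIGH": "High", "MEDIUM": "Medium"}


class ExecFormerClient:
    """Calls /api/keys and /api/v1/scan; renews the key on 401 because keys live 30 minutes."""

    def __init__(self, base_url="http://localhost:8000", session=None):
        if session is None:
            import requests  # only needed for real HTTP; a fake session can be injected for tests
            session = requests.Session()
        self.base_url, self.session, self.api_key = base_url, session, None

    def new_key(self):
        r = self.session.post(f"{self.base_url}/api/keys", timeout=30)
        r.raise_for_status()
        self.api_key = r.json()["key"]

    def scan(self, code, language="cpp", threshold=0.03):
        if self.api_key is None:
            self.new_key()
        body = {"code": code, "language": language, "threshold": threshold}
        for attempt in (1, 2):
            r = self.session.post(f"{self.base_url}/api/v1/scan", json=body,
                                  headers={"X-API-Key": self.api_key}, timeout=60)
            if r.status_code == 401 and attempt == 1:
                self.new_key()  # expired or invalid key: fetch a fresh one and retry once
                continue
            r.raise_for_status()
            return r.json()


def to_gitlab_finding(result, path, start_line):
    """Map one /api/v1/scan response onto a GitLab SAST vulnerability entry (assumed schema 14.x)."""
    cwe_num = result["cwe"].split("-", 1)[1]
    return {
        "id": result["id"], "category": "sast", "name": result["cwe_name"],
        "description": f"ExecFormer flagged {path} with confidence {result['confidence']:.2f}",
        "severity": SEVERITY_MAP.get(result["severity"], "Unknown"),
        "scanner": {"id": "execformer", "name": "ExecFormer"},
        "location": {"file": path, "start_line": start_line},
        "identifiers": [{"type": "cwe", "name": result["cwe"], "value": cwe_num,
                         "url": f"https://cwe.mitre.org/data/definitions/{cwe_num}.html"}],
    }


def build_report(scanned):
    """scanned: iterable of (scan_response, path, start_line); only vulnerable hits are reported."""
    vulns = [to_gitlab_finding(r, p, n) for r, p, n in scanned if r["vulnerable"]]
    return {"version": "14.0.0", "vulnerabilities": vulns}
```

A CI script would json.dump the dictionary from build_report into gl-sast-report.json, the file the job above declares as its sast artifact.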

Get your API key

Keys are valid for 30 minutes. Create as many as you need.

No rate limiting during beta