Klarity

Common API actions

This page shows examples of using Klarity's GraphQL API. To call the API, you can use GraphiQL or graphqurl (https://github.com/hasura/graphqurl).

For example, if you want to...

Add an application

mutation addApplication($name: String!, $ownerId: ID!) {
  addApplicationV2(
    input: { name: $name, displayName: $name, ownerId: $ownerId }
  ) {
    id
  }
}

Variables:

{"name": "", "ownerId": ""}

Add an application's environment / stage

mutation addEnvironment(
  $applicationNID: ID!
  $name: String!
  $type: EnvironmentType!
  $ownerID: ID!
) {
  addEnvironmentV2(
    input: {
      applicationNid: $applicationNID
      name: $name
      displayName: $name
      type: $type
      ownerId: $ownerID
    }
  ) {
    id
  }
}

Variables:

{"applicationNID": "", "name":"", "type": "PRODUCTION", "ownerID": "" }

For type, the available options are PRODUCTION, STAGING, DEVELOPMENT and OTHER.


Get a list of accounts

query getAccounts {
  accountsV2(limit: 50, page: 0) {
    count
    pages
    accounts {
      nid
      provider
      providerId
      name
      status
    }
  }
}

Add an account as a mapping rule

mutation addAccountAsDiscoveryRule(
  $environmentID: String!
  $ruleName: String!
  $account: String!
) {
  addDiscoveryRule(
    input: {
      environmentId: $environmentID
      name: $ruleName
      match: { cloudAccount: [$account] }
    }
  ) {
    id
  }
}

Variables:

{"environmentID": "", "ruleName": "", "account": ""}

Get a list of applications and their environments

query getApplications {
  applicationsPaginated(limit: 50, page: 0) {
    count
    pages
    results {
      nid
      name
      displayName
      description
      environmentsV2(page: 0, limit: 50) {
        environments {
          nid
          name
          displayName
          environmentType
        }
      }
    }
  }
}

Add a contact person

mutation addContact($name: String!, $email: String!) {
  addPerson(input: { email: $email, name: $name }) {
    id
  }
}

Variables:

{"email":"", "name":""}

Add an account

mutation addAccount(
  $provider: Provider!
  $name: String!
  $ownerID: ID!
  $providerId: ID!
  $creds: String!
) {
  addAccountV2(
    input: {
      provider: $provider
      providerId: $providerId
      name: $name
      ownerId: $ownerID
      creds: $creds
    }
  ) {
    id
  }
}

Variables:

{"provider": "<AWS|GCP|AZURE>", "providerId": "<account ID>", "name": "", "ownerID": "", "creds": "see description below"}

The credentials must follow the rules described in the API documentation:

Credentials, which are saved and then assumed to perform scanning operations, are passed as string-encoded JSON, with the following format for each provider (based on the provider field):

  • AZURE provider: { "password": "asdf2389-fwan", "appId": "63894e1a-1b3b-4a89-9574-3b1660ac4c10", "tenantId": "bd84a79f-f391-4e9f-b358-c18d4b8b078b" }
  • GCP provider: { "type": "service_account", "project_id": "test-sa", "private_key_id": "8f3ce9b574486fafa80c1a6052775409efd76642", "private_key": "-----BEGIN PRIVATE KEY-----...", "client_email": "test@test-sa.iam.gserviceaccount.com", "client_id": "494254016998140918876", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/test%40test-sa.iam.gserviceaccount.com" }
  • AWS provider, the credentials are a role-chain that is assumed from a proxy account: { "roles": [ { "externalId": "awd87JKLdsan.jk", "arn": "arn:aws:iam::123123123123:role/CMPScannerServiceRole" } ] }
  • Additionally, credentials for the AWS provider can include static credentials in addition to the assumed role-chain: { "credentials": { "AWS_ACCESS_KEY_ID": "12312dawf23wefq3urhfwliueq", "AWS_SECRET_ACCESS_KEY": "adsfbhjkauv23089purhjfqwlcanpiuqweh" }, "roles": [ { "externalId": "awd87JKLdsan.jk", "arn": "arn:aws:iam::123123123123:role/CMPScannerServiceRole" } ], "region": "cn-northwest-1" }
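
Because creds is declared as String!, the credentials object has to be serialised to a JSON string before it goes into the variables. The following is an added example, not part of Klarity's documentation: it checks the credential shape and builds the request body for addAccount. It assumes the usual GraphQL-over-HTTP body with query and variables keys, and it treats the keys shown in the samples above as required; the function name and sample values are hypothetical.

```python
import json

# The page's addAccount mutation, compacted (commas are optional in GraphQL).
ADD_ACCOUNT = """mutation addAccount($provider: Provider!, $name: String!,
                    $ownerID: ID!, $providerId: ID!, $creds: String!) {
  addAccountV2(input: {provider: $provider, providerId: $providerId,
                       name: $name, ownerId: $ownerID, creds: $creds}) { id }
}"""

# Assumption: keys that appear in the page's sample credentials are required.
REQUIRED = {
    "AZURE": {"password", "appId", "tenantId"},
    "GCP": {"type", "project_id", "private_key_id", "private_key", "client_email"},
    "AWS": {"roles"},
}


def build_add_account_request(provider, provider_id, name, owner_id, creds):
    """Validate creds (a dict) and return the POST body for addAccount."""
    if provider not in REQUIRED:
        raise ValueError(f"unknown provider: {provider}")
    missing = REQUIRED[provider] - set(creds)
    if missing:
        raise ValueError(f"{provider} creds missing {sorted(missing)}")
    if provider == "AWS":
        for role in creds["roles"]:
            if not {"arn", "externalId"} <= set(role):
                raise ValueError("each AWS role needs arn and externalId")
    variables = {
        "provider": provider,
        "providerId": provider_id,
        "name": name,
        "ownerID": owner_id,
        # creds is a String! variable: serialise the object to a JSON string
        # here; it is escaped again when the whole body is serialised.
        "creds": json.dumps(creds),
    }
    return {"query": ADD_ACCOUNT, "variables": variables}


if __name__ == "__main__":
    # Constructed sample values, not real identifiers or secrets.
    roles = [{"arn": "arn:aws:iam::123123123123:role/CMPScannerServiceRole",
              "externalId": "example-external-id"}]
    body = build_add_account_request(
        "AWS", "123123123123", "demo-account", "owner-id", {"roles": roles})
    print(json.dumps(body, indent=2))
```

The role-chain form keeps long-lived access keys out of the request; the returned body contains secrets for the AZURE, GCP and static-key AWS forms, so keep it out of logs and shell history.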