UNCLASSIFIED - NO CUI


VAT read only API access

We are looking to automate the pull of vulnerabilities for consumption into our ticketing system for the quickest possible resolution.

With that said, we need a read-only key to interact with the public VAT APIs documented here: https://vat.dso.mil/api/p1/swagger/ui/

Ultimately, our goal is to be able to run this curl-type command programmatically and get the details of which vulnerabilities need justification vs. which do not. The JSON response provided by the API works perfectly for our needs.

Example request:

curl -X 'GET' \
  'https://vat.dso.mil/api/p1/image?name=pingam&tag=v8.0.1&branch=master' \
  -H 'accept: application/json'

Example response (justified vs. not justified):

{
  ...,
  "findings": [
    {
      "findingId": "5128226",
      "identifier": "CVE-2025-49125",
      "scannerName": "Twistlock CVE",
      "description": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.\u00a0 When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed.  This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.  Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.",
      "severity": "Low",
      "package": "tomcat-util-10.1.41",
      "packagePath": "/opt/tomcat/lib/tomcat-util.jar",
      "inheritsFrom": "",
      "state": {
        "findingStatus": "Needs Justification",
        "designator": "True Positive",
        "fixDateUnknown": false,
        "factors": {
          "abc": {
            "warnings": [],
            "issues": [],
            "findingFirstFound": "2025-07-03T20:20:24.350Z",
            "publishDate": "2025-06-16T15:15:24.000Z"
          }
        }
      },
      "flags": {
        "scanSource": "twistlock_cve",
        "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-49125",
        "scannerSeverity": "Low"
      }
    },
    {
      "findingId": "5128227",
      "identifier": "CVE-2025-46392",
      "scannerName": "Twistlock CVE",
      "description": "Uncontrolled Resource Consumption vulnerability in Apache Commons Configuration 1.x.  There are a number of issues in Apache Commons Configuration 1.x that allow excessive resource consumption when loading untrusted configurations or using unexpected usage patterns. The Apache Commons Configuration team does not intend to fix these issues in 1.x. Apache Commons Configuration 1.x is still safe to use in scenario's where you only load trusted configurations.    Users that load untrusted configurations or give attackers control over usage patterns are recommended to upgrade to the 2.x version line, which fixes these issues. Apache Commons Configuration 2.x is not a drop-in replacement, but as it uses a separate Maven groupId and Java package namespace they can be loaded side-by-side, making it possible to do a gradual migration.",
      "severity": "Low",
      "package": "commons-configuration_commons-configuration-1.10",
      "packagePath": "/opt/tomcat/webapps/am/WEB-INF/lib/commons-configuration-1.10.jar",
      "inheritsFrom": "",
      "state": {
        "findingStatus": "Justified",
        "designator": "True Positive",
        "fixDateUnknown": false,
        "factors": {
          "abc": {
            "warnings": [],
            "issues": [],
            "findingFirstFound": "2025-05-10T02:30:12.997Z",
            "publishDate": "2025-05-09T12:31:33.000Z"
          }
        }
      },
      "justificationGate": {
        "justification": "This is a 3rd party dependency and not directly used by PingAM. The vulnerability pertains to “when loading untrusted configurations” which PingAM does not do, therefore PingAM would not be vulnerable. We will still update this dependency upon the next maintenance release.",
        "by": "Scott Gusler",
        "on": "2025-06-11T14:17:11.585Z"
      },
      "flags": {
        "scanSource": "twistlock_cve",
        "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-46392",
        "scannerSeverity": "Low"
      }
    }
  ]
}
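The split the request above asks for (findings that still carry `findingStatus: "Needs Justification"` versus those already `Justified`), as an added example that is not part of the original issue and not Iron Bank or VAT project code. It builds the same `GET /api/p1/image` URL as the curl command, and parses a response of the shape shown in the post into ticket-ready rows. The sample report embedded below is constructed from the two findings in the post with the long descriptions trimmed; the `Authorization: Bearer` header used for the read-only key is an assumption, since the post does not say how VAT expects the key to be presented.

```python
"""Added example (not from the original issue or the VAT project): fetch a VAT
image report and partition its findings by justification status.

Assumptions, labelled here and in comments: the API key is sent as an
'Authorization: Bearer <key>' header (not documented in the post), and the
sample report below is a constructed, trimmed copy of the post's two findings.
"""
import json
import os
import urllib.parse
import urllib.request

VAT_BASE = "https://vat.dso.mil/api/p1"  # base URL from the post's curl example


def build_image_url(name: str, tag: str, branch: str = "master") -> str:
    """Build the /image URL exactly as the curl example does, with query escaping."""
    query = urllib.parse.urlencode({"name": name, "tag": tag, "branch": branch})
    return f"{VAT_BASE}/image?{query}"


def fetch_image_report(name, tag, branch="master", api_key=None, timeout=30):
    """Network call. Header name for the read-only key is an ASSUMPTION."""
    req = urllib.request.Request(build_image_url(name, tag, branch),
                                 headers={"accept": "application/json"})
    if api_key:
        req.add_header("Authorization", f"Bearer {api_key}")  # assumed header format
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def partition_findings(report: dict) -> dict:
    """Split report['findings'] on state.findingStatus.

    Returns {'needs_justification': [...], 'justified': [...], 'other': [...]}
    where each entry is a flat summary suitable for a ticket; justified entries
    also carry the recorded justification text.
    """
    buckets = {"needs_justification": [], "justified": [], "other": []}
    for f in report.get("findings", []):
        status = f.get("state", {}).get("findingStatus", "")
        row = {
            "findingId": f.get("findingId"),
            "identifier": f.get("identifier"),
            "severity": f.get("severity"),
            "package": f.get("package"),
            "packagePath": f.get("packagePath"),
            "link": f.get("flags", {}).get("link"),
            "status": status,
        }
        if status == "Justified":
            gate = f.get("justificationGate", {})
            row["justification"] = gate.get("justification")
            row["justifiedBy"] = gate.get("by")
            buckets["justified"].append(row)
        elif status == "Needs Justification":
            buckets["needs_justification"].append(row)
        else:  # any status the post does not show lands here for manual review
            buckets["other"].append(row)
    return buckets


# Constructed sample: the post's two findings with descriptions trimmed.
SAMPLE_REPORT = {
    "findings": [
        {
            "findingId": "5128226", "identifier": "CVE-2025-49125",
            "scannerName": "Twistlock CVE", "severity": "Low",
            "package": "tomcat-util-10.1.41",
            "packagePath": "/opt/tomcat/lib/tomcat-util.jar",
            "state": {"findingStatus": "Needs Justification", "designator": "True Positive"},
            "flags": {"scanSource": "twistlock_cve",
                      "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-49125"},
        },
        {
            "findingId": "5128227", "identifier": "CVE-2025-46392",
            "scannerName": "Twistlock CVE", "severity": "Low",
            "package": "commons-configuration_commons-configuration-1.10",
            "packagePath": "/opt/tomcat/webapps/am/WEB-INF/lib/commons-configuration-1.10.jar",
            "state": {"findingStatus": "Justified", "designator": "True Positive"},
            "justificationGate": {"justification": "This is a 3rd party dependency and not directly used by PingAM.",
                                  "by": "Scott Gusler", "on": "2025-06-11T14:17:11.585Z"},
            "flags": {"scanSource": "twistlock_cve",
                      "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-46392"},
        },
    ]
}


if __name__ == "__main__":
    # Live pull only when a key is provided; otherwise run on the constructed sample.
    key = os.environ.get("VAT_API_KEY")
    report = fetch_image_report("pingam", "v8.0.1", api_key=key) if key else SAMPLE_REPORT
    print(json.dumps(partition_findings(report), indent=2))
```

Only the `needs_justification` bucket should become tickets; the `other` bucket exists so that any `findingStatus` value not shown in the post surfaces instead of being silently dropped.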