> ## Documentation Index > Fetch the complete documentation index at: https://docs.endorlabs.com/llms.txt > Use this file to discover all available pages before exploring further. # CreateSCMCredential creates an SCM credential in the given namespace. ## OpenAPI ````yaml /api-reference/openapi.v3.json post /v1/namespaces/{tenant_meta.namespace}/scm-credentials openapi: 3.0.3 info: description: Integrate your application with Endor Labs using the REST API. title: Endor Labs REST API Reference version: '1.0' servers: - url: https://api.endorlabs.com/ security: [] tags: - name: AISastCustomerContextService - name: APIKeyService - name: APIKeyValidatorService - name: ArtifactSignatureService - name: AuditLogService - name: AuthenticationLogService - name: AuthenticationService - name: AuthorizationPolicyService - name: BatchFileSegmentsService - name: BatchNotificationService - name: CallGraphDataService - name: CodeOwnersService - name: DependencyMetadataService - name: EndorIgnoreEntryService - name: ExporterService - name: FindingLogService - name: FindingService - name: HuggingFaceModelService - name: HuggingFaceOrganizationService - name: IPAddressPolicyService - name: IdentityProviderService - name: InstallationService - name: InvitationService - name: LicenseDependencyService - name: LicenseNoticesReportService - name: LicenseSummaryService - name: LinterResultService - name: MalwareService - name: MetricService - name: NamespaceService - name: NotificationService - name: NotificationTargetService - name: OnPremSchedulerService - name: PRCommentConfigService - name: PackageFirewallLogService - name: PackageLicenseOverrideService - name: PackageLicenseQueryService - name: PackageLicenseService - name: PackageManagerService - name: PackageVersionService - name: PluginBinaryService - name: PolicyService - name: PolicyTemplateService - name: ProjectService - name: ProvisioningResultService - name: QueryMalwareService - name: QueryService - name: QuerySimilarPackagesService - name: QueryVulnerabilityService - name: RegistryIngestionCheckpointService - name: RepositoryService - name: RepositoryVersionService - name: RuleSetImportService - name: SBOMExportService - name: SBOMImportService - name: SCMCredentialService - name: SavedQueryService - name: ScanLogRequestService - name: ScanProfileService - name: ScanResultService - name: ScanWorkflowResultService - name: ScanWorkflowService - name: SecretRuleService - name: SemgrepRuleService - name: SystemConfigService - name: TenantService - name: VEXExportService - name: VectorStoreService - name: VersionUpgradeService - name: VulnerabilityService paths: /v1/namespaces/{tenant_meta.namespace}/scm-credentials: post: tags: - SCMCredentialService summary: CreateSCMCredential creates an SCM credential in the given namespace. operationId: SCMCredentialService_CreateSCMCredential parameters: - description: >- Namespaces are a way to organize organizational units into virtual groupings of resources. Namespaces must be a fully qualified name, for example, the child namespace of namespace "endor.prod" called "app" is called "endor.prod.app". in: path name: tenant_meta.namespace required: true schema: type: string x-endor-name: Namespace requestBody: content: application/json: schema: $ref: '#/components/schemas/SCMCredentialServiceCreateSCMCredentialBody' required: true x-originalParamName: body responses: '200': content: application/json: schema: $ref: '#/components/schemas/v1SCMCredential' description: A successful response. default: content: application/json: schema: $ref: '#/components/schemas/googlerpcStatus' description: An unexpected error response. components: schemas: SCMCredentialServiceCreateSCMCredentialBody: description: >- SCMCredential represents SCM org/repo credentials for private dependency resolution. Customers configure these credentials to allow endorctl to authenticate with private Git repositories during agentless or SCM-integrated scans, eliminating resolution failures for cross-org private dependencies. properties: meta: $ref: '#/components/schemas/v1Meta' propagate: description: >- Propagate indicates that the object should be visible in child namespaces. type: boolean spec: $ref: '#/components/schemas/v1SCMCredentialSpec' tenant_meta: description: Namespaces are associated with a tenant. title: Namespaces are associated with a tenant. type: object uuid: description: The UUID of the SCM credential. readOnly: true type: string required: - meta - spec type: object v1SCMCredential: description: >- SCMCredential represents SCM org/repo credentials for private dependency resolution. Customers configure these credentials to allow endorctl to authenticate with private Git repositories during agentless or SCM-integrated scans, eliminating resolution failures for cross-org private dependencies. properties: meta: $ref: '#/components/schemas/v1Meta' propagate: description: >- Propagate indicates that the object should be visible in child namespaces. type: boolean spec: $ref: '#/components/schemas/v1SCMCredentialSpec' tenant_meta: $ref: '#/components/schemas/v1TenantMeta' uuid: description: The UUID of the SCM credential. readOnly: true type: string required: - meta - tenant_meta - spec type: object googlerpcStatus: description: >- The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). properties: code: description: |- The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. format: int32 type: integer details: description: >- A list of messages that carry the error details. There is a common set of message types for APIs to use. items: $ref: '#/components/schemas/googleprotobufAny' type: array message: description: >- A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. type: string type: object v1Meta: description: Common fields for all Endor Labs resources. properties: annotations: additionalProperties: type: string description: >- Annotations can be used to attach metadata to a resource message. Annotation values can be small or large, structured or unstructured, and may include characters not permitted by labels. The keys may contain alphanumerics, underscores (_), dots (.) and dashes (-). The values of an annotation must be 16384 bytes or smaller. type: object create_time: description: |- Time the resource was created. Format: 2017-01-15T01:30:15.01Z RFC 3339: https://www.ietf.org/rfc/rfc3339.txt. format: date-time readOnly: true type: string created_by: description: |- Name and authentication source of the user who created the object, for example, ewok@endor.ai@google@api-key. readOnly: true type: string description: description: Resource description. Must be less than 1024 bytes. type: string index_data: $ref: '#/components/schemas/v1IndexData' kind: description: >- Resource kind, for example, HelloResponse. Auto-generated using the protobuf message proto.MessageName().Name(). readOnly: true type: string name: description: Resource name. Must be 63 characters or less. type: string parent_kind: description: Parent object resource kind, for example, Project. type: string parent_uuid: description: Parent object UUID. type: string references: additionalProperties: $ref: '#/components/schemas/googleprotobufAny' description: Map of objects referenced in a query API. readOnly: true type: object tags: description: >- List of tags attached to the resource. Tags can be used to select objects and to find collections of objects that satisfy certain conditions. A tag must be 255 characters or less. items: type: string type: array update_time: description: |- Time the resource was last updated. Note: Updated on all create/patch/delete operations. Format: 2017-01-15T01:30:15.01Z RFC 3339: https://www.ietf.org/rfc/rfc3339.txt. format: date-time readOnly: true type: string updated_by: description: >- Name and authentication source of the last user who updated the object, for example, vulnerabilityingestor@endor.ai@x509. readOnly: true type: string upsert_time: description: |- Time the resource was last upserted. Note: create_time is only set the first time the resource is created. upsert_time is set every time the resource is upseted. Format: 2017-01-15T01:30:15.01Z RFC 3339: https://www.ietf.org/rfc/rfc3339.txt. format: date-time readOnly: true type: string version: description: Message version. readOnly: true type: string required: - name type: object v1SCMCredentialSpec: properties: access_token: description: >- Access token for authenticating to the SCM platform. Used for HTTPS-based Git operations (e.g., git URL rewrites). Works across all SCM providers: GitHub PAT, GitLab PAT, Bitbucket access token, Azure DevOps PAT, etc. The secure annotation ensures automatic redaction and secure storage. type: string description: title: Optional human-readable description for this credential type: string platform_source: $ref: '#/components/schemas/v1PlatformSource' scm_credential_status: $ref: '#/components/schemas/SpecSCMCredentialStatus' target_url: description: >- The target URL of the SCM org or repo for which this credential applies. Examples: - Org-level: "https://github.com/myorg" - Repo-level: "https://github.com/myorg/private-repo" Git URL rewrites will be applied for all sub-paths of this URL. type: string required: - platform_source - target_url - access_token type: object v1TenantMeta: description: Tenant related data for the tenant containing the resource. properties: namespace: description: >- Namespaces are a way to organize organizational units into virtual groupings of resources. Namespaces must be a fully qualified name, for example, the child namespace of namespace "endor.prod" called "app" is called "endor.prod.app". type: string required: - namespace type: object googleprotobufAny: additionalProperties: {} description: >- `Any` contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message. Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type. Example 1: Pack and unpack a message in C++. Foo foo = ...; Any any; any.PackFrom(foo); ... if (any.UnpackTo(&foo)) { ... } Example 2: Pack and unpack a message in Java. Foo foo = ...; Any any = Any.pack(foo); ... if (any.is(Foo.class)) { foo = any.unpack(Foo.class); } // or ... if (any.isSameTypeAs(Foo.getDefaultInstance())) { foo = any.unpack(Foo.getDefaultInstance()); } Example 3: Pack and unpack a message in Python. foo = Foo(...) any = Any() any.Pack(foo) ... if any.Is(Foo.DESCRIPTOR): any.Unpack(foo) ... Example 4: Pack and unpack a message in Go foo := &pb.Foo{...} any, err := anypb.New(foo) if err != nil { ... } ... foo := &pb.Foo{} if err := any.UnmarshalTo(foo); err != nil { ... } The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z". JSON ==== The JSON representation of an `Any` value uses the regular representation of the deserialized, embedded message, with an additional field `@type` which contains the type URL. Example: package google.profile; message Person { string first_name = 1; string last_name = 2; } { "@type": "type.googleapis.com/google.profile.Person", "firstName": , "lastName": } If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field `value` which holds the custom JSON in addition to the `@type` field. Example (for message [google.protobuf.Duration][]): { "@type": "type.googleapis.com/google.protobuf.Duration", "value": "1.212s" } properties: '@type': description: >- A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one "/" character. The last segment of the URL's path must represent the fully qualified name of the type (as in `path/google.protobuf.Duration`). The name should be in a canonical form (e.g., leading "." is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme `http`, `https`, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, `https` is assumed. * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than `http`, `https` (or the empty scheme) might be used with implementation specific semantics. type: string type: object v1IndexData: description: |- IndexData is used to index the resource for search. It's an internal object. properties: data: items: type: string readOnly: true type: array search_score: description: >- search_score is the score of the resource for search. Internal use only. format: float readOnly: true type: number tenant: readOnly: true type: string will_be_deleted_at: description: Time that the resource will be deleted. format: date-time readOnly: true type: string type: object v1PlatformSource: default: PLATFORM_SOURCE_UNSPECIFIED description: Type of source control platform a resource was discovered on. enum: - PLATFORM_SOURCE_UNSPECIFIED - PLATFORM_SOURCE_GITHUB - PLATFORM_SOURCE_GITLAB - PLATFORM_SOURCE_GITSERVER - PLATFORM_SOURCE_BITBUCKET - PLATFORM_SOURCE_BINARY - PLATFORM_SOURCE_HUGGING_FACE - PLATFORM_SOURCE_AZURE - PLATFORM_SOURCE_ARCHIVE - PLATFORM_SOURCE_EXTERNAL_AI_SERVICE - PLATFORM_SOURCE_GITHUB_ENTERPRISE type: string SpecSCMCredentialStatus: properties: error_message: description: error_message if any was found. readOnly: true type: string last_tested_at: description: last_tested_at is the time when the credential was last tested. format: date-time type: string state: $ref: '#/components/schemas/SpecSCMCredentialStatusState' type: object SpecSCMCredentialStatusState: default: STATE_UNSPECIFIED description: |- The status of the SCM credential. - STATE_FAIL: STATE_FAIL covers all failure modes: unreachable host, invalid token, and expired token. Inspect error_message for the specific cause. enum: - STATE_UNSPECIFIED - STATE_SUCCESS - STATE_FAIL type: string ````