Integrate cramio

CI/CD, webhooks, and API

Connect your pipelines and tools so SBOMs and scan results flow into cramio automatically. Use API keys for scripts and custom integrations.

Webhooks

cramio accepts incoming webhooks from GitHub, GitLab, Jenkins, and Kubernetes. Configure them in your dashboard under Settings → Integrations. Webhook URLs use the same base URL as your cramio deployment (e.g. https://app.cramio.eu).

GitHub

Webhook on push or release to ingest SBOMs or trigger scans for a repository.

POST /api/v1/integrations/github-webhook

Add a webhook under your repository's Settings → Webhooks. Payload format: JSON. Send it for push events (or release events).

GitLab

Webhook on pipeline or release to send CycloneDX/SPDX artifacts to cramio.

POST /api/v1/integrations/gitlab-webhook

Project → Settings → Webhooks. Trigger: push or job events. Secret: set WEBHOOK_SECRET in cramio.

Jenkins

Post-build step to upload SBOM or call cramio API after a build.

POST /api/v1/sbom/ingest

Use curl or a pipeline step to POST your SBOM (CycloneDX/SPDX) with product ID and API key.

Kubernetes

Webhook for cluster or workload events to register scans or SBOMs.

POST /api/v1/integrations/kubernetes-webhook

Configure your controller or operator to send events to the webhook URL with the shared secret.

API keys

Create API keys in the dashboard (Settings → API keys) for programmatic access. Use them to ingest SBOMs, trigger scans, list vulnerabilities, and manage products. Keys are shown once at creation; store them securely.

  • List and create products
  • Upload or ingest SBOMs (CycloneDX, SPDX)
  • Trigger vulnerability scans
  • List vulnerabilities and incidents
  • Create and submit reports (with appropriate scope)

All API requests require the header Authorization: Bearer <your-api-key>. Base URL is your cramio origin (e.g. https://app.cramio.eu/api/v1).
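The Jenkins post-build upload and the Bearer-key requirement described above, as an added example (not cramio's own code): a CI step that rejects a malformed SBOM and builds the authenticated request. This page does not say how the product ID is passed, so the `product_id` query parameter, the `Content-Type` header and the `CRAMIO_API_KEY` variable name are assumptions.

```python
import json
import os
import urllib.parse
import urllib.request

INGEST_PATH = "/api/v1/sbom/ingest"  # endpoint path as given on this page


def detect_sbom_format(raw: bytes) -> str:
    """Return 'cyclonedx' or 'spdx' for a JSON SBOM, else raise ValueError."""
    try:
        doc = json.loads(raw)
    except ValueError as exc:  # covers JSON and decoding errors
        raise ValueError("SBOM is not valid JSON") from exc
    if not isinstance(doc, dict):
        raise ValueError("SBOM top level must be a JSON object")
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    raise ValueError("neither CycloneDX nor SPDX JSON")


def build_ingest_request(origin, product_id, raw, api_key):
    """Build (not send) the authenticated POST for the ingest endpoint."""
    if not origin.startswith("https://"):
        raise ValueError("refusing to send an API key to a non-HTTPS origin")
    if not api_key:
        raise ValueError("API key is empty; inject it from the CI credential store")
    detect_sbom_format(raw)  # fail the build early on a malformed artifact
    # ASSUMPTION: the product ID travels as a 'product_id' query parameter.
    query = urllib.parse.urlencode({"product_id": product_id})
    url = origin.rstrip("/") + INGEST_PATH + "?" + query
    return urllib.request.Request(
        url, data=raw, method="POST",
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"},  # ASSUMPTION: JSON body
    )


if __name__ == "__main__":
    # Constructed sample SBOM; the key is read from the environment, never argv.
    sample = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5"}).encode()
    key = os.environ.get("CRAMIO_API_KEY", "constructed-placeholder-key")
    req = build_ingest_request("https://app.cramio.eu", "example-product", sample, key)
    print(req.get_method(), req.full_url)  # urllib.request.urlopen(req) would send it
```

Bind the key through the CI system's credential store so it reaches the step only as an environment variable and stays out of job definitions and build logs.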

Sign up to get API keys

After signup, go to Settings → Integrations and Settings → API keys in the dashboard to configure webhooks and create keys.