Get Packages by PURL

This endpoint has been deprecated since 2026-01-05 and will be removed on 2026-07-30.

Batch retrieval of package metadata and alerts by PURL strings. Compatible with CycloneDX reports.

Package URLs (PURLs) are an ecosystem-agnostic way to identify packages. CycloneDX SBOMs use the purl format to identify components. This endpoint fetches metadata and alerts for multiple packages at once, either from an array of purl strings or from an entire CycloneDX report.

Note: This endpoint has a batch size limit (default: 1024 PURLs per request). Requests exceeding this limit will return a 400 Bad Request error.

More information on purl and CycloneDX:

This endpoint returns the latest available alert data for artifacts in the batch (stale-while-revalidate). Results from analysis that is still running will be returned on subsequent runs, once available.

Examples:

Looking up an npm package:

{
  "components": [
    {
      "purl": "pkg:npm/[email protected]"
    }
  ]
}

Looking up a PyPI package:

{
  "components": [
    {
      "purl": "pkg:pypi/[email protected]"
    }
  ]
}

Looking up a Maven package:

{
  "components": [
    {
      "purl": "pkg:maven/log4j/[email protected]"
    }
  ]
}

Batch lookup:

{
  "components": [
    {
      "purl": "pkg:npm/[email protected]"
    },
    {
      "purl": "pkg:pypi/[email protected]"
    },
    {
      "purl": "pkg:maven/log4j/[email protected]"
    }
  ]
}

This endpoint consumes 100 units of your quota.
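The following is an added example, not part of the original documentation: it collects purls from a CycloneDX JSON SBOM (including nested components), de-duplicates them, and splits them into request bodies that stay within the 1024-PURL batch limit. The function names and the sample SBOM are constructed for illustration, and the quota estimate assumes the 100-unit cost applies per request. No request is sent.

```python
BATCH_LIMIT = 1024        # default batch size limit stated on this page
QUOTA_PER_REQUEST = 100   # assumption: the 100-unit cost is charged per request


def collect_purls(sbom):
    """Return unique purls from a CycloneDX JSON document, in first-seen order."""
    seen = {}
    stack = list(reversed(sbom.get("components", [])))
    while stack:
        comp = stack.pop()
        purl = comp.get("purl")
        if isinstance(purl, str) and purl.startswith("pkg:"):
            seen.setdefault(purl, None)  # components without a purl are skipped
        # CycloneDX components can nest further components.
        stack.extend(reversed(comp.get("components", [])))
    return list(seen)


def build_batches(purls, limit=BATCH_LIMIT):
    """Split purls into request bodies of at most `limit` components each."""
    if limit < 1:
        raise ValueError("limit must be positive")
    return [
        {"components": [{"purl": p} for p in purls[i:i + limit]]}
        for i in range(0, len(purls), limit)
    ]


def plan(sbom, limit=BATCH_LIMIT):
    """Return (request_bodies, estimated_quota_units) for one SBOM."""
    bodies = build_batches(collect_purls(sbom), limit)
    return bodies, len(bodies) * QUOTA_PER_REQUEST


# Constructed sample SBOM (hypothetical package names, not from the page).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "lib", "purl": "pkg:npm/example-lib@1.0.0",
         "components": [{"name": "nested", "purl": "pkg:npm/example-nested@2.1.0"}]},
        {"name": "dup", "purl": "pkg:npm/example-lib@1.0.0"},
        {"name": "no-purl-component"},
        {"name": "py", "purl": "pkg:pypi/example-pkg@3.2.1"},
    ],
}

if __name__ == "__main__":
    bodies, units = plan(SAMPLE_SBOM, limit=2)
    print(bodies, units)
```

Checking the batch count before sending lets a large SBOM be split client-side instead of failing with a 400 Bad Request.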

This endpoint requires the following org token scopes:

  • packages:list