Scopes catalog
Every scope a WASViking API key can carry, what it allows, and which UI surface exposes it.
API keys are bags of scopes. The portal exposes a curated subset; the
backend accepts every scope listed here. Keys can be created in the
portal UI or programmatically by a caller whose own key carries api_keys:manage.
Read scopes
| Scope | Allows |
|---|---|
| scans:read | Read scan status, reports, evidence. |
| findings:read | Read findings, evidence, AI recommendations. |
| inventory:read | Read Asset Inventory. |
| templates:read | Resolve org-scoped scan templates by slug. |
| audit_logs:read | Read the customer-facing audit log. |
| sca:read | Read SBOM inventory and Supply Chain Watch. |
| posture:read | Read posture snapshots and Posture Shares metadata. |
Write scopes
| Scope | Allows |
|---|---|
| scans:run | Trigger scans, cancel scans. |
| findings:update | Status transitions, comments, assignment, bulk updates. |
| targets:manage | Create, update, archive targets. |
| inventory:export | Export the Asset Inventory as CSV. |
| sca:submit | Submit SBOM documents (used by sentinel sbom). |
| secrets:submit | Submit secret detections (used by sentinel secrets). |
| sca:ioc | Manual IOC ingestion (staff and tenants). |
| evidence.share | Create Posture Shares and SBOM Evidence Bundles. |
| webhooks:manage | Create, rotate, delete webhook subscriptions. |
Admin scopes
| Scope | Allows | Default role |
|---|---|---|
| api_keys:manage | Issue and rotate API keys. | Admin |
| rbac:manage | Create roles, change role assignments. | Admin |
| org:settings | Edit organization-wide settings. | Admin |
| billing:read | Read invoices and usage. | Admin |
| sso:configure | Configure SAML 2.0 SSO. | Admin |
Ticketing scopes
| Scope | Allows |
|---|---|
| ticketing:read | Read ticketing integration state. |
| ticketing:manage | Configure Jira / Linear / GitHub Issues sync. |
These scopes are mapped to backend capabilities; the portal UI surfaces them as part of the Integrations page rather than as raw scope toggles.
What is hidden vs surfaced in the UI
Five scopes are intentionally hidden from the API Key creation UI, to keep
the chooser short and to avoid handing out broad scopes by accident. They are
still available to a caller holding api_keys:manage if you need them:
- sca:ioc
- findings:read (folded into a broader UI bundle by default rather than offered as a raw toggle)
- audit_logs:read
- ticketing:read
- ticketing:manage
Curated UI scopes you will see in the modal:
- Read findings and evidence
- Run scans
- Submit SBOMs (Sentinel)
- Submit secrets (Sentinel)
- Manage webhooks
The verb+noun labeling in the UI is deliberate ("Submit SBOMs" instead of "CycloneDX submit").
Scope changes after issuance
A key's scope set is immutable. To change scopes:
- Create a new key with the new scopes.
- Roll the old key to the new one in your automation.
- Revoke the old key.
This forces an explicit decision and an auditable trail.
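The create, roll, revoke sequence above, written out as an added example (this is not WASViking's own code). The page documents the three steps but no endpoints, so the `KeyService` interface with its `create_key`, `revoke_key` and `scopes_of` calls, and the in-memory `FakeKeyService` that stands in for the real API, are this example's own assumptions. The one design point worth copying is the ordering: the new key is issued and smoke-tested through the `deploy` callback before the old one is revoked, and a failed deploy revokes the new key instead, so there is never a window with no working key and no dangling unused key either.

```python
"""Rotate a WASViking API key whose scope set must change.

Added example, not WASViking's own code. KeyService, FakeKeyService and
rotate_key are assumptions made for illustration; put the real client
behind the same three methods.
"""
from __future__ import annotations

import secrets
from typing import Callable, Protocol


class KeyService(Protocol):
    def create_key(self, scopes: frozenset[str]) -> tuple[str, str]: ...  # (key_id, secret)
    def revoke_key(self, key_id: str) -> None: ...
    def scopes_of(self, key_id: str) -> frozenset[str]: ...


class FakeKeyService:
    """Offline stand-in that mirrors the documented behaviour: a key's scope
    set is fixed at creation and revocation is permanent."""

    def __init__(self) -> None:
        self._keys: dict[str, dict] = {}

    def create_key(self, scopes) -> tuple[str, str]:
        key_id = f"key_{len(self._keys) + 1}"
        secret = secrets.token_urlsafe(32)
        self._keys[key_id] = {"scopes": frozenset(scopes), "secret": secret, "revoked": False}
        return key_id, secret

    def revoke_key(self, key_id: str) -> None:
        self._keys[key_id]["revoked"] = True

    def scopes_of(self, key_id: str) -> frozenset[str]:
        return self._keys[key_id]["scopes"]

    def is_live(self, secret: str) -> bool:
        """Would a request signed with this secret be accepted right now?"""
        return any(k["secret"] == secret and not k["revoked"] for k in self._keys.values())


def rotate_key(svc: KeyService, old_key_id: str, new_scopes, deploy: Callable[[str], bool]) -> str:
    """Create -> roll -> revoke, in that order.

    `deploy(secret)` pushes the new secret into the automation and returns
    True only once a smoke test with it succeeds. If it fails, the new key
    is revoked and the old key is left active, so the caller can retry.
    """
    new_id, new_secret = svc.create_key(frozenset(new_scopes))
    if not deploy(new_secret):
        svc.revoke_key(new_id)
        raise RuntimeError(f"deploy of {new_id} failed; {old_key_id} left active")
    # Only now is the old key unused, so revoking it cannot break anything.
    svc.revoke_key(old_key_id)
    return new_id


if __name__ == "__main__":
    # Constructed demo: a CI key that gains sca:submit.
    svc = FakeKeyService()
    old_id, old_secret = svc.create_key({"scans:run"})
    new_id = rotate_key(svc, old_id, {"scans:run", "sca:submit"}, deploy=lambda s: True)
    print(new_id, sorted(svc.scopes_of(new_id)), "old live:", svc.is_live(old_secret))
```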
Recommended scope sets
| Use case | Scopes |
|---|---|
| Read-only dashboard | findings:read, inventory:read, audit_logs:read |
| CI/CD (full) | scans:run, sca:submit, secrets:submit, templates:read |
| CI/CD (SCA only) | sca:submit |
| SIEM ingestion | findings:read, audit_logs:read, webhooks:manage |
| Compliance export | findings:read, inventory:read, sca:read, posture:read |
| Partner Console handoff | (none from this catalog; partners use the partner ApiKey realm) |
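A scope-set linter, added here as an example (not WASViking's own tooling), that encodes this catalog and the recommended sets above so a requested scope set can be checked before a key is issued. It flags unknown scopes, admin scopes on a key meant for automation (api_keys:manage is treated as the worst case, since a key holding it can mint a key with any other scope in this catalog), scopes the portal modal hides and which therefore need programmatic issuance, and any drift from a named recommended set. Note that the read-only dashboard and SIEM ingestion sets both include audit_logs:read, which the modal hides, so those keys have to be issued via api_keys:manage. The catalog data is transcribed from this page; the function names, severities and the "no admin scopes on automation keys" rule are this example's assumptions, not a documented WASViking policy.

```python
"""Scope-set linter for WASViking API keys.

Added example, not WASViking's own code. The scope catalog and the
recommended sets are transcribed from the scopes page; lint_scopes,
needs_programmatic_issuance and the severity rules are this example's own.
"""
from __future__ import annotations

READ_SCOPES = {
    "scans:read", "findings:read", "inventory:read", "templates:read",
    "audit_logs:read", "sca:read", "posture:read",
}
WRITE_SCOPES = {
    "scans:run", "findings:update", "targets:manage", "inventory:export",
    "sca:submit", "secrets:submit", "sca:ioc", "evidence.share", "webhooks:manage",
}
ADMIN_SCOPES = {
    "api_keys:manage", "rbac:manage", "org:settings", "billing:read", "sso:configure",
}
TICKETING_SCOPES = {"ticketing:read", "ticketing:manage"}
ALL_SCOPES = READ_SCOPES | WRITE_SCOPES | ADMIN_SCOPES | TICKETING_SCOPES

# Not offered as raw toggles in the portal's key-creation modal.
UI_HIDDEN = {"sca:ioc", "findings:read", "audit_logs:read", "ticketing:read", "ticketing:manage"}
# findings:read is hidden as a toggle but folded into a UI bundle by default;
# this example assumes that bundle grants it, so it does not force api_keys:manage.
UI_BUNDLED = {"findings:read"}

RECOMMENDED = {
    "read-only-dashboard": {"findings:read", "inventory:read", "audit_logs:read"},
    "cicd-full": {"scans:run", "sca:submit", "secrets:submit", "templates:read"},
    "cicd-sca": {"sca:submit"},
    "siem-ingestion": {"findings:read", "audit_logs:read", "webhooks:manage"},
    "compliance-export": {"findings:read", "inventory:read", "sca:read", "posture:read"},
}


def needs_programmatic_issuance(scopes) -> bool:
    """True when the set cannot be created from the portal's curated modal."""
    return bool(set(scopes) & (UI_HIDDEN - UI_BUNDLED))


def lint_scopes(scopes, use_case: str | None = None) -> list[tuple[str, str]]:
    """Return (severity, message) pairs; an empty list means the set is clean."""
    wanted_set = set(scopes)
    issues: list[tuple[str, str]] = []

    for s in sorted(wanted_set - ALL_SCOPES):
        issues.append(("error", f"unknown scope {s!r}"))

    # An automation key should never carry admin scopes; api_keys:manage is
    # the worst case because it can issue keys with any scope in the catalog.
    for s in sorted(wanted_set & ADMIN_SCOPES):
        sev = "error" if s == "api_keys:manage" else "warning"
        issues.append((sev, f"admin scope {s} on a non-interactive key"))

    for s in sorted(wanted_set & (UI_HIDDEN - UI_BUNDLED)):
        issues.append(("info", f"{s} is hidden in the UI; issue via api_keys:manage"))

    if use_case is not None:
        wanted = RECOMMENDED[use_case]
        # Admin scopes were already reported above, so do not report them twice.
        for s in sorted(wanted_set - wanted - ADMIN_SCOPES):
            issues.append(("warning", f"{s} exceeds the recommended set for {use_case}"))
        for s in sorted(wanted - wanted_set):
            issues.append(("error", f"{use_case} needs {s}, which is missing"))
    return issues


if __name__ == "__main__":
    # Constructed sample: a CI key that someone also handed api_keys:manage.
    sample = {"scans:run", "sca:submit", "secrets:submit", "templates:read", "api_keys:manage"}
    for sev, msg in lint_scopes(sample, "cicd-full"):
        print(f"[{sev}] {msg}")
```

Run it in the pipeline that requests keys and fail the request on any "error"; "info" lines tell you which requests must go through the api_keys:manage path instead of the modal.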
