arcanon

Scan Payload Format

Reference for the scan upload payload accepted by Arcanon Hub.

Overview

The scanner uploads a JSON payload to POST /api/v1/scans/upload. This page documents the payload format for developers building custom scanners or integrations.

Payload structure

{
  "version": "1",
  "repo_name": "acme-api",
  "repo_url": "https://github.com/acme/acme-api",
  "branch": "main",
  "commit_sha": "a1b2c3d4e5f6",
  "findings": [
    {
      "service_name": "api-gateway",
      "service_type": "service",
      "language": "Python",
      "version": "2.1.0",
      "endpoints": [
        {
          "method": "GET",
          "path": "/api/v1/health",
          "kind": "rest"
        }
      ],
      "connections": [
        {
          "target_service": "user-service",
          "protocol": "rest",
          "target_endpoint": "/api/v1/users"
        }
      ],
      "schemas": [
        {
          "connection_target": "user-service",
          "role": "request",
          "fields": [
            { "name": "user_id", "type": "string", "required": true }
          ]
        }
      ]
    }
  ]
}

Field reference

Top-level

FieldTypeRequiredDescription
versionstringyesPayload version — currently "1"
repo_namestringyesRepository name (e.g., acme-api)
repo_urlstringnoRepository URL for linking
branchstringnoGit branch name
commit_shastringnoGit commit SHA
findingsarrayyesArray of service findings

Finding

FieldTypeRequiredDescription
service_namestringyesName of the detected service
service_typestringnoservice, database, cache, broker, external
languagestringnoPrimary language
versionstringnoService version
endpointsarraynoExposed endpoints
connectionsarraynoOutbound connections to other services
schemasarraynoRequest/response schemas for connections

Versioning policy

Payload versions are additive only. New fields may be added without bumping the version. Removed fields get a 6-month deprecation window. The hub accepts multiple payload versions simultaneously.

Sanitization

Service names are sanitized at ingest — HTML tags, script content, null bytes, and control characters are stripped to prevent XSS in the multi-tenant dashboard.

Size limits

Maximum payload size: 5 MB. Payloads exceeding this limit receive a 413 Payload Too Large response.

MCP Server

Query your service graph from AI coding tools.

Real-Time Events (SSE)

Subscribe to live graph change events via Server-Sent Events.

On this page

OverviewPayload structureField referenceTop-levelFindingVersioning policySanitizationSize limits