POST /v1/scans: Queueing Package Sandbox Scan Jobs

The /v1/scans endpoint is the HTTP entry point for queuing a one-off sandbox scan. It is used by fangs scan submit and fangs package add when a user or the watcher wants to inspect a specific npm package version. The endpoint wraps SubmitScan — the same internal function that the Watcher calls when it detects a new release — so manual and autonomous scans follow identical logic. The orchestrator validates that the named runner exists, applies defaults, stamps watched paths from the orchestrator config, creates a runs database row, and enqueues the job in the runner’s dispatch queue.

POST /v1/scans

Queues a sandbox scan job for a specific package@version on a named runner. Server-side processing When this endpoint is called, the orchestrator performs the following steps in order:

Validates that target_runner is registered in the in-memory runner registry.
Defaults job.kind to "sensor_only" if the field is empty.
Defaults job.duration to 10s (10,000,000,000 ns) if the value is zero.
Stamps defaultWatchedPaths onto job.watched_paths when the field is empty — loaded from the orchestrator’s config at startup so all scans share one authoritative path set.
Generates a new run_id if the field is zero-value.
Stamps dispatched_at with the current time.
Creates a runs row with state = "pending".
Enqueues the job for the target runner via the internal Dispatcher.

Request body

{
  "target_runner": "prod-runner-1",
  "Job": {
    "kind": "sandbox_scan",
    "package_name": "axios",
    "version": "1.7.9",
    "duration": 60000000000,
    "sandbox": {
      "image": "node:20-slim",
      "command": [
        "sh", "-c",
        "cd /tmp && mkdir -p test && cd test && npm init -y >/dev/null 2>&1 && npm install axios@1.7.9 2>&1 | tail -3; sleep 2"
      ],
      "network_mode": "bridge",
      "pull_policy": "missing",
      "user": "0:0",
      "grace_period": 2000000000
    }
  }
}

target_runner

string

required

The runner_id of the registered runner that should execute this scan. The orchestrator returns 404 if this runner is not currently registered.

Job

object

required

The job definition. All sub-fields correspond directly to the proto.Job wire type.

Show Job fields

kind

string

Job type. "sandbox_scan" spawns a fresh container using the sandbox spec. "sensor_only" attaches the sensor directly to cgroup_path. Defaults to "sensor_only" if omitted.

package_name

string

npm package name, e.g. "axios". Used as the baseline-keying identifier. When omitted for a sandbox_scan, the orchestrator falls back to the sandbox image name.

version

string

Package version string, e.g. "1.7.9".

duration

number

How long the runner should observe the sandbox, in nanoseconds. 60000000000 = 60 seconds. Defaults to 10000000000 (10 seconds) if zero.

cgroup_path

string

For sensor_only jobs only: the cgroup path the sensor should attach to. Ignored for sandbox_scan.

watched_paths

array

Paths to observe for file-access events. When empty, the orchestrator stamps the default set from its config (covering /etc/, /root/, /tmp/, /usr/, /dev/, plus credential-tagged paths). Provide explicit entries to override.Each element:

Show WatchedPath

prefix

string

required

Path prefix loaded into the kernel LPM trie.

cred_tagged

boolean

When true, matching events receive the EventTagCredAccess tag and are rendered with elevated severity in the UI.

sandbox

object

Container specification for sandbox_scan jobs.

Show SandboxSpec fields

image

string

required

Container image reference, e.g. "node:20-slim".

command

array

Entrypoint command. Each array element is one argument token.

env

object

Map of environment variable names to values injected into the container.

working_dir

string

Working directory inside the container.

user

string

user:group string, e.g. "0:0" for root. Runs as the image default when empty.

network_mode

string

Docker network mode. "bridge" gives the container outbound internet access; "none" fully isolates it.

memory_bytes

number

Container memory limit in bytes. 0 = no limit.

nano_cpus

number

CPU quota in nanocpus. 1000000000 = 1 CPU. 0 = no quota.

pids_limit

number

Maximum PIDs in the container. 0 = no limit.

pull_policy

string

"missing" pulls only if the image is absent locally. "always" forces a fresh pull.

grace_period

number

Time in nanoseconds to wait after the container command exits before force-stopping. Allows install processes to flush output. 2000000000 = 2 seconds.

Response — 202 Accepted

{
  "queued": true,
  "run_id": "a1b2c3d4e5f60708090a0b0c0d0e0f10"
}

queued

boolean

Always true on a 202 response.

run_id

string

Hex-encoded 16-byte run identifier. Use this to query events, deviations, and run state. Supports git-style prefix lookups in the fangs CLI.

Error responses

Status	Condition
400	`target_runner` field is missing or empty
404	`target_runner` is not registered with the orchestrator

{"error": "missing target_runner"}

GET /v1/health

Returns a liveness signal confirming the orchestrator process is up and accepting connections. Used by container health checks, load balancers, and the fangs status command. Response — 200 OK

{
  "status": "ok",
  "orchestrator_id": "fangs-orchestrator",
  "version": "dev"
}

status

string

Always "ok" when the process is alive.

orchestrator_id

string

Stable identifier configured at startup. Defaults to "fangs-orchestrator".

version

string

Build version string. "dev" in development builds; a semver tag in release builds.

Default sandbox command

When FANGS queues an npm package scan autonomously (via the Watcher or fangs package add), it uses the following standard command to run a clean install inside the container:

cd /tmp && mkdir -p test && cd test \
  && npm init -y >/dev/null 2>&1 \
  && npm install <package>@<version> 2>&1 | tail -3; \
  sleep 2

This pattern initializes a throwaway package.json, installs the target package (which triggers all install-time lifecycle hooks), and then sleeps 2 seconds to let any async post-install work complete before the grace period begins. The sleep 2 combined with grace_period: 2000000000 gives the sensor approximately 4 seconds of observation time after the install finishes.

To scan a package with a custom install command — for example, to test a post-install script in a specific directory — supply the full sandbox.command array in your POST /v1/scans body. The default command is only applied when the watcher or fangs package add submits the job programmatically.

CLI Reference

API Reference

Storage

POST /v1/scans: Queueing Package Sandbox Scan Jobs

POST /v1/scans

GET /v1/health

Default sandbox command

Build docs developers (and LLMs) love

CLI Reference

API Reference

Storage

Documentation Index

​POST /v1/scans

​GET /v1/health

​Default sandbox command

Build docs developers (and LLMs) love

POST /v1/scans

GET /v1/health

Default sandbox command