Back to top
Software inventory in Secure60 is built from events sent to the ingest HTTP endpoint. Each ingest request is a single JSON object (one event per POST). Two event types are used: software-scan-completed (one per scan run per host) and inventory-package-present (one per package detected on that run). Together they describe what software was present on each host at each scan.
Endpoint: POST https://ingest.secure60.io/ingest/1.0/http/project/{project_id}
Content-Type: application/json
Authorization: Bearer {JWT}
Use the same inv_scan_id for the scan-completed event and all package events that belong to that scan so the platform can associate packages with the correct run (e.g. for “latest packages per host” queries).
Sent once per scan run per host. It marks that a scan finished and can carry optional host metadata (IP, FQDN, OS version) used for host discovery and Create Host.
| Field | Description |
|---|---|
type |
Event type. Use "endpoint" for inventory. |
operation |
Must be "software-scan-completed". |
outcome |
Result of the operation; e.g. "success". |
host_name |
Identifier for the host (e.g. hostname or instance ID). |
inv_scan_id |
Unique ID for this scan run. Use the same value in all inventory-package-present events for this run. |
inv_pkg_source |
How packages were enumerated; e.g. "dpkg", "rpm". |
inv_package_count |
(Optional) Number of packages reported in this scan. |
host_os |
(Optional) High-level OS; e.g. "Linux", "Windows". |
environment |
(Optional) Environment label; e.g. "Production". |
inv_host_ip |
(Optional) Host IP address. Used for host discovery and Create Host. |
inv_host_fqdn |
(Optional) Fully qualified domain name of the host. |
inv_host_os_version |
(Optional) Full OS version string; e.g. "Linux Ubuntu 25.3", "24.04". |
{
"type": "endpoint",
"operation": "software-scan-completed",
"outcome": "success",
"host_name": "au-nsw-gbl1-aica-svr1",
"inv_pkg_source": "dpkg",
"host_os": "Linux",
"environment": "Production",
"inv_scan_id": "s60-e2e-scan-20260216-001",
"inv_package_count": "3",
"inv_host_ip": "10.15.1.10",
"inv_host_fqdn": "au-nsw-gbl1-gecko-svr1.secure60.local",
"inv_host_os_version": "Linux Ubuntu 25.3"
}
Sent once per package detected in a scan. Each event must reference the same inv_scan_id and host_name as the software-scan-completed event for that run so packages are tied to the correct scan.
| Field | Description |
|---|---|
type |
Event type. Use "endpoint" for inventory. |
operation |
Must be "inventory-package-present". |
outcome |
Result; e.g. "success". |
host_name |
Must match the host that was scanned (same as in the scan-completed event). |
inv_scan_id |
Must match the software-scan-completed event for this run. |
app_name |
Package or application name (e.g. "apt", "curl"). |
inv_pkg_version_normalised |
Primary version field: parsed/canonical form for comparison and grouping (e.g. "2.7.14", "8.5.0"). |
inv_pkg_version_raw |
(Optional) Exactly what the host reports (e.g. 2.7.14build2, v8.11.0-beta). |
inv_cpe |
(Optional) CPE identifier for vulnerability feeds. |
inv_purl |
(Optional) Package URL (purl) for vulnerability feeds. |
vendor |
(Optional) Package vendor or publisher (e.g. "Ubuntu"), when derivable from dpkg/rpm. |
inv_pkg_ecosystem |
Package ecosystem; e.g. "deb", "rpm". |
inv_pkg_source |
How the package was enumerated; e.g. "dpkg". |
{
"type": "endpoint",
"operation": "inventory-package-present",
"outcome": "success",
"host_name": "au-nsw-gbl1-gecko-svr1",
"inv_scan_id": "s60-e2e-scan-20260216-001",
"app_name": "apt",
"inv_pkg_version_normalised": "2.7.14",
"inv_pkg_version_raw": "2.7.14build2",
"vendor": "Ubuntu",
"inv_pkg_ecosystem": "deb",
"inv_pkg_source": "dpkg"
}
host_name and inv_scan_id).host_name and inv_scan_id.s60-e2e-scan-YYYYMMDD-001) or generate a UUID per run; the platform uses (host_name, inv_scan_id) to group packages with the correct scan for features like “latest packages per host.”For querying discovered hosts and package lists via the API, see the metrics API (e.g. data_type=events_detail, query=operation = 'software-scan-completed' or operation = 'inventory-package-present').