Inventory

Software inventory in Secure60 is built from events sent to the ingest HTTP endpoint. Each ingest request is a single JSON object (one event per POST). Two event types are used: software-scan-completed (one per scan run per host) and inventory-package-present (one per package detected on that run). Together they describe what software was present on each host at each scan.

Endpoint: POST https://ingest.secure60.io/ingest/1.0/http/project/{project_id}
Content-Type: application/json
Authorization: Bearer {JWT}

Use the same inv_scan_id for the scan-completed event and all package events that belong to that scan so the platform can associate packages with the correct run (e.g. for “latest packages per host” queries).

software-scan-completed

Sent once per scan run per host. It marks that a scan finished and can carry optional host metadata (IP, FQDN, OS version) used for host discovery and Create Host.

Request body (JSON)

Field	Description
`type`	Event type. Use `"endpoint"` for inventory.
`operation`	Must be `"software-scan-completed"`.
`outcome`	Result of the operation; e.g. `"success"`.
`host_name`	Identifier for the host (e.g. hostname or instance ID).
`inv_scan_id`	Unique ID for this scan run. Use the same value in all inventory-package-present events for this run.
`inv_pkg_source`	How packages were enumerated; e.g. `"dpkg"`, `"rpm"`.
`inv_package_count`	(Optional) Number of packages reported in this scan.
`host_os`	(Optional) High-level OS; e.g. `"Linux"`, `"Windows"`.
`environment`	(Optional) Environment label; e.g. `"Production"`.
`inv_host_ip`	(Optional) Host IP address. Used for host discovery and Create Host.
`inv_host_fqdn`	(Optional) Fully qualified domain name of the host.
`inv_host_os_version`	(Optional) Full OS version string; e.g. `"Linux Ubuntu 25.3"`, `"24.04"`.

Example

{
  "type": "endpoint",
  "operation": "software-scan-completed",
  "outcome": "success",
  "host_name": "au-nsw-gbl1-aica-svr1",
  "inv_pkg_source": "dpkg",
  "host_os": "Linux",
  "environment": "Production",
  "inv_scan_id": "s60-e2e-scan-20260216-001",
  "inv_package_count": "3",
  "inv_host_ip": "10.15.1.10",
  "inv_host_fqdn": "au-nsw-gbl1-gecko-svr1.secure60.local",
  "inv_host_os_version": "Linux Ubuntu 25.3"
}

inventory-package-present

Sent once per package detected in a scan. Each event must reference the same inv_scan_id and host_name as the software-scan-completed event for that run so packages are tied to the correct scan.

Request body (JSON)

Field	Description
`type`	Event type. Use `"endpoint"` for inventory.
`operation`	Must be `"inventory-package-present"`.
`outcome`	Result; e.g. `"success"`.
`host_name`	Must match the host that was scanned (same as in the scan-completed event).
`inv_scan_id`	Must match the software-scan-completed event for this run.
`app_name`	Application or scanner identifier. Use the package name (e.g. `"apt"`, `"curl"`) when each event represents a single package from a traditional inventory source (dpkg, rpm). For vulnerability or SBOM scanning, use a fixed value such as `"s60-vulnerability-scanning"` and put the package name in `inv_pkg_name` so the platform does not treat every package as a separate application.
`inv_pkg_name`	(Optional) Package name. Use this when `app_name` is a fixed scanner identifier (e.g. `"s60-vulnerability-scanning"`); the portal uses this for display in package lists.
`inv_pkg_version_normalised`	Primary version field: parsed/canonical form for comparison and grouping (e.g. `"2.7.14"`, `"8.5.0"`).
`inv_pkg_version_raw`	(Optional) Exactly what the host reports (e.g. `2.7.14build2`, `v8.11.0-beta`).
`inv_cpe`	(Optional) CPE identifier for vulnerability feeds.
`inv_purl`	(Optional) Package URL (purl) for vulnerability feeds.
`vendor`	(Optional) Package vendor or publisher (e.g. `"Ubuntu"`), when derivable from dpkg/rpm.
`inv_pkg_ecosystem`	Package ecosystem; e.g. `"deb"`, `"rpm"`.
`inv_pkg_source`	How the package was enumerated; e.g. `"dpkg"`, `"rpm"`, `"sbom"`.

Optional fields from SBOM / vulnerability scanning

When sending inventory from SBOM or vulnerability scanning (e.g. CycloneDX), you may include these so the platform can store and return them for SBOM reconstruction and vulnerability matching. The metrics API returns only fields requested in query_group_by_fields; include these when you need hashes, licenses, or component metadata in query results.

Field	Description
`inv_pkg_arch`	Package architecture (e.g. `"x86_64"`, `"noarch"`), often from purl.
`sbom_bom_ref`	CycloneDX component `bom-ref`.
`sbom_comp_type`, `sbom_component_type`	Component type (e.g. `"library"`, `"application"`).
`sbom_supplier_name`	Supplier name from SBOM.
`sbom_os_family`, `sbom_os_version`, `sbom_os_major`	OS context from the scan.
`sbom_pkgtype`	Package type (e.g. `"rocky"`, `"deb"`) for grouping.
`hash_alg`, `hash_content`	First hash (e.g. MD5).
`hash_alg2`..`hash_alg5`, `hash_content2`..`hash_content5`	Additional hashes when present.
`lic_expression`, `lic_id`, `lic_name`	First license.
`lic_expression2`..`lic_expression5`, `lic_id2`..`lic_id5`	Additional licenses when present.
`trivy_pkg_id`, `trivy_pkg_type`, `trivy_src_name`, `trivy_src_version`, `trivy_src_release`, `trivy_src_epoch`, `trivy_file_path`	Trivy/SBOM tool properties (optional; used when reconstructing CycloneDX).

Example (traditional inventory: package name in app_name)

{
  "type": "endpoint",
  "operation": "inventory-package-present",
  "outcome": "success",
  "host_name": "au-nsw-gbl1-gecko-svr1",
  "inv_scan_id": "s60-e2e-scan-20260216-001",
  "app_name": "apt",
  "inv_pkg_version_normalised": "2.7.14",
  "inv_pkg_version_raw": "2.7.14build2",
  "inv_cpe": "cpe:2.3:a:canonical:apt:2.7.14:*:*:*:*:*:*:*",
  "inv_purl": "pkg:deb/ubuntu/apt@2.7.14?arch=amd64",
  "vendor": "Ubuntu",
  "inv_pkg_ecosystem": "deb",
  "inv_pkg_source": "dpkg"
}

Example (vulnerability/SBOM scanning: fixed app_name + inv_pkg_name)

When sending inventory from vulnerability or SBOM scanning, use a fixed app_name and put the package name in inv_pkg_name so the platform groups these under one “application” and uses inv_pkg_name for display. Use a generic inv_pkg_source (e.g. "sbom"); do not expose tool names in data fields.

{
  "type": "endpoint",
  "operation": "inventory-package-present",
  "outcome": "success",
  "host_name": "rocky-server-01",
  "inv_scan_id": "s60-e2e-scan-20260216-001",
  "app_name": "s60-vulnerability-scanning",
  "inv_pkg_name": "NetworkManager-libnm",
  "inv_pkg_version_normalised": "1.42.2",
  "inv_pkg_version_raw": "1:1.42.2-1.el9",
  "inv_purl": "pkg:rpm/rocky/NetworkManager-libnm@1.42.2-1.el9?arch=x86_64&distro=rocky-9.2&epoch=1",
  "inv_pkg_ecosystem": "rpm",
  "inv_pkg_source": "sbom"
}

Order and correlation

Post one software-scan-completed per scan run (include host_name and inv_scan_id).
Post one inventory-package-present per package for that run, using the same host_name and inv_scan_id.
Reuse a stable scan ID format (e.g. s60-e2e-scan-YYYYMMDD-001) or generate a UUID per run; the platform uses (host_name, inv_scan_id) to group packages with the correct scan for features like “latest packages per host.”

For querying discovered hosts and package lists via the API, see the metrics API (e.g. data_type=events_detail, query=operation = 'software-scan-completed' or operation = 'inventory-package-present').