Make your first API call
Get a free API key at api.attestd.io/portal/login, then set export ATTESTD_KEY=<your-key> before running the examples below. The free tier includes 1,000 calls per month (no credit card required).
1. Query a product version
Pass a product slug and version string as query parameters. The response is always JSON.
curl "https://api.attestd.io/v1/check?product=log4j&version=2.14.1" \
  -H "Authorization: Bearer $ATTESTD_KEY"

2. Read the response
Log4j 2.14.1 is vulnerable to Log4Shell. You should see risk_state: "critical" with actively_exploited: true.
{
"product": "log4j",
"version": "2.14.1",
"supported": true,
"risk_state": "critical",
"risk_factors": [
"active_exploitation",
"remote_code_execution",
"no_authentication_required",
"internet_exposed_service",
"patch_available"
],
"actively_exploited": true,
"remote_exploitable": true,
"authentication_required": false,
"patch_available": true,
"fixed_version": "2.16.0",
"confidence": 0.94,
"cve_ids": ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"],
"last_updated": "2026-02-23T18:21:30Z"
}

3. Try a safe version
nginx 1.27.4 has no known relevant vulnerabilities. The response will have risk_state: "none".
curl "https://api.attestd.io/v1/check?product=nginx&version=1.27.4" \
  -H "Authorization: Bearer $ATTESTD_KEY"

4. Use the Python SDK
Install the SDK, then call client.check(). The SDK handles retries, parses the response into a typed dataclass, and raises named exceptions for auth errors and rate limits.
pip install attestd

import attestd

client = attestd.Client(api_key="<your-api-key>")
result = client.check("nginx", "1.27.4")
print(result.risk_state)          # "none"
print(result.actively_exploited)  # False
print(result.cve_ids)             # []

# Blocking check: fail the pipeline on critical or high risk
if result.risk_state in ("critical", "high"):
    raise SystemExit(f"Deployment blocked: {result.risk_state} risk in nginx {result.version}")

5. Check PyPI and npm packages for supply chain threats
Attestd monitors 52 PyPI and 70 npm packages for malicious publishes. When you query a monitored package, the response includes a supply_chain object alongside CVE data.
For example, checking LiteLLM:
curl "https://api.attestd.io/v1/check?product=litellm&version=1.82.7" \
  -H "Authorization: Bearer $ATTESTD_KEY"

Notice the supply_chain object:
{
"product": "litellm",
"version": "1.82.7",
"supported": true,
"risk_state": "none",
"risk_factors": [],
"actively_exploited": false,
"remote_exploitable": false,
"authentication_required": true,
"patch_available": false,
"fixed_version": null,
"confidence": 0.95,
"cve_ids": [],
"supply_chain": {
"compromised": true,
"sources": ["osv", "registry"],
"malware_type": "malicious_package",
"description": "Malicious version published by attacker impersonating the litellm maintainer",
"advisory_url": "https://osv.dev/MAL-2024-2961",
"compromised_at": "2024-11-05T10:00:00Z",
"removed_at": "2024-11-05T18:30:00Z"
},
"last_updated": "2026-02-23T18:21:30Z"
}

If supply_chain.compromised is true, block deployment immediately. See the Supply Chain Integrity guide for all monitored packages and detailed semantics.
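The following deployment gate is an added example, not part of this guide or the Attestd SDK. It evaluates a /v1/check response with the three rules the guide gives (supported: false is not a safety signal, supply_chain.compromised blocks regardless of risk_state, critical/high risk blocks) using the standard library only; the sample responses are constructed from the bodies shown above, and the fetch helper and the "example-tool" product are assumptions.

```python
import json
import os
import urllib.parse
import urllib.request

BASE_URL = "https://api.attestd.io/v1/check"
BLOCKING_STATES = {"critical", "high"}

# Sample responses, constructed here from the bodies shown in this guide (trimmed to the
# fields the gate needs); they let the decision logic run offline.
LOG4J = {"product": "log4j", "version": "2.14.1", "supported": True, "risk_state": "critical",
         "actively_exploited": True, "fixed_version": "2.16.0",
         "cve_ids": ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"]}
NGINX = {"product": "nginx", "version": "1.27.4", "supported": True, "risk_state": "none",
         "actively_exploited": False, "fixed_version": None, "cve_ids": []}
LITELLM = {"product": "litellm", "version": "1.82.7", "supported": True, "risk_state": "none",
           "cve_ids": [], "supply_chain": {"compromised": True, "malware_type": "malicious_package",
                                           "advisory_url": "https://osv.dev/MAL-2024-2961"}}
UNTRACKED = {"product": "example-tool", "version": "0.1", "supported": False}  # constructed, hypothetical product

def decide(resp):
    """Map one /v1/check response to ('block' | 'allow' | 'unknown', reason)."""
    if not resp.get("supported", False):
        # Not a safety signal: Attestd simply does not track this product yet.
        return "unknown", f"{resp['product']} is not tracked by Attestd"
    sc = resp.get("supply_chain") or {}
    if sc.get("compromised"):
        # Checked before risk_state: a compromised publish can carry risk_state "none".
        return "block", f"supply chain compromise ({sc.get('malware_type')}): {sc.get('advisory_url')}"
    if resp.get("risk_state") in BLOCKING_STATES:
        cves = ", ".join(resp.get("cve_ids") or []) or "no CVE ids"
        fix = resp.get("fixed_version")
        hint = f"; upgrade to {fix}" if fix else ""
        return "block", f"{resp['risk_state']} risk, exploited={resp.get('actively_exploited')} ({cves}){hint}"
    return "allow", f"risk_state={resp.get('risk_state')}"

def fetch(product, version, api_key=None):
    """Live lookup via the endpoint and bearer header shown in this guide (hypothetical helper)."""
    key = api_key or os.environ["ATTESTD_KEY"]
    query = urllib.parse.urlencode({"product": product, "version": version})
    req = urllib.request.Request(f"{BASE_URL}?{query}", headers={"Authorization": f"Bearer {key}"})
    with urllib.request.urlopen(req, timeout=10) as r:
        return json.load(r)

if __name__ == "__main__":
    for sample in (LOG4J, NGINX, LITELLM, UNTRACKED):
        verdict, reason = decide(sample)
        print(f"{sample['product']} {sample['version']}: {verdict} - {reason}")
```

Replace the sample dicts with fetch(product, version) to run the same gate against live responses in CI.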
6. CVE-covered products
Attestd currently covers 72 infrastructure products — databases, web servers, runtimes, container tools, and Kubernetes components. Use the exact API slug for each product (e.g. log4j, nginx, runc). Attestd returns supported: false for anything not in the set. An unsupported product is not a safety signal — it means Attestd is not tracking it yet.
- → Product Coverage (all 72 products, API slugs, notable CVEs, and version format notes)
- → Response Field Reference (semantics of every field, including supply_chain signals)
- → Supply Chain Integrity (52 PyPI + 70 npm packages, malware detection sources)
- → Account & Portal Guide (API key management, scoping, billing)
- → SDK Reference (AsyncClient, error types, and the testing module)
- → CI/CD Integration (GitHub Actions and GitLab CI examples)