Sonatype Lifecycle Public REST API — Policy Waivers
Sonatype Lifecycle Public REST API — Policy Waivers. 10 operations. Lead operation: Policy Waivers. Self-contained Naftiko capability covering one Sonatype business surface.
Addwaivertotransitivepolicyviolationsbyownerstagecomponent — Use this method to add a waiver for all transitive violations for a given component, detected in the latest scan at the stage specified.
Gettransitivepolicywaiversbyappscancomponent — Use this method to retrieve all waivers on policy violations due to transitive dependencies for a specific component detected in a specific scan. Any one of the input parameters, i.e. componentIdentifier, packageUrl or hash is required. If
Addwaivertotransitivepolicyviolationsbyappscancomponent — Use this method to create a policy waiver on a transitive component detected during the specified scan. NOTE: Any one of the input parameters, i.e. component identifier, packageUrl or hash is required. If more than one is provided, the syst
Requestpolicywaiver — Deprecated since IQ Server 1.192. Triggers a 'Waiver Request' webhook event. Deprecated because the webhook event is now integrated into the policy waiver request process. Please use `api/v2/policyWaiverRequests{ownerType}/policyViolation/{
Getpolicywaivers — Use this method to retrieve waiver details for all policy waivers for the scope specified. You can specify the scope by using the parameters ownerType and ownerId.
Addbulkpolicywaivers — Use this method to create policy waivers for multiple policy violations.
Addpolicywaiverbypolicyviolationid — Use this method to create a policy waiver.
use-this-method-add-waiver
Use this method to add a waiver for all transitive violations for a given component, detected in the latest scan at the stage specified.
use-this-method-retrieve-all
Use this method to retrieve all waivers on policy violations due to transitive dependencies for a specific component detected in a specific scan. Any one of the input parameters, i.e. componentIdentifier, packageUrl or hash is required. If
read-only, idempotent
use-this-method-create-policy
Use this method to create a policy waiver on a transitive component detected during the specified scan. NOTE: Any one of the input parameters, i.e. component identifier, packageUrl or hash is required. If more than one is provided, the syst
deprecated-since-iq-server-1-192
Deprecated since IQ Server 1.192. Triggers a 'Waiver Request' webhook event. Deprecated because the webhook event is now integrated into the policy waiver request process. Please use `api/v2/policyWaiverRequests{ownerType}/policyViolation/{
use-this-method-retrieve-waiver
Use this method to retrieve waiver details for all policy waivers for the scope specified. You can specify the scope by using the parameters ownerType and ownerId.
read-only, idempotent
use-this-method-create-policy-2
Use this method to create policy waivers for multiple policy violations.
use-this-method-create-policy-3
Use this method to create a policy waiver.
use-this-method-delete-waiver
Use this method to delete a waiver, specified by the policyWaiverId.
idempotent
use-this-method-retrieve-waiver-2
Use this method to retrieve waiver details for the waiverId specified.
read-only, idempotent
use-this-method-update-existing
Use this method to update an existing policy waiver.
naftiko: 1.0.0-alpha2
info:
  label: Sonatype Lifecycle Public REST API — Policy Waivers
  description: 'Sonatype Lifecycle Public REST API — Policy Waivers. 10 operations. Lead operation: Policy Waivers. Self-contained
    Naftiko capability covering one Sonatype business surface.'
  tags:
  - Sonatype
  - Policy Waivers
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    SONATYPE_API_KEY: SONATYPE_API_KEY
capability:
  consumes:
  - type: http
    namespace: lifecycle-policy-waivers
    baseUri: ''
    description: Sonatype Lifecycle Public REST API — Policy Waivers business capability. Self-contained, no shared references.
    resources:
    - name: api-v2-policyWaivers-transitive-ownerType-ownerId-stages-stageId
      path: /api/v2/policyWaivers/transitive/{ownerType}/{ownerId}/stages/{stageId}
      operations:
      - name: addwaivertotransitivepolicyviolationsbyownerstagecomponent
        method: POST
        description: Use this method to add a waiver for all transitive violations for a given component, detected in the
          latest scan at the stage specified.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: ownerType
          in: path
          type: string
          description: Indicates the scope of the waiver that will be created.
          required: true
        - name: ownerId
          in: path
          type: string
          description: Enter the corresponding id for the ownerType specified above. E.g. applicationId for ownerType 'application'
            or organizationId for ownerType 'organization'.
          required: true
        - name: stageId
          in: path
          type: string
          description: Enter the stageId corresponding to the evaluation stage at which you want to create a waiver. Possible
            values are 'develop', 'source', 'build', 'stage-release',
          required: true
        - name: componentIdentifier
          in: query
          type: string
          description: Enter the component identifier and coordinates of the component for which you want to waive the transitive
            violations.
        - name: packageUrl
          in: query
          type: string
          description: Enter the package URL of the component for which you want to waive the transitive violations.
        - name: hash
          in: query
          type: string
          description: Enter the hash for the component for which you want to waive the transitive violations
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-v2-policyWaivers-transitive-ownerType-ownerId-scanId
      path: /api/v2/policyWaivers/transitive/{ownerType}/{ownerId}/{scanId}
      operations:
      - name: gettransitivepolicywaiversbyappscancomponent
        method: GET
        description: 'Use this method to retrieve all waivers on policy violations due to transitive dependencies for a specific
          component detected in a specific scan. Any one of the input parameters, i.e. componentIdentifier, packageUrl or
          hash is required. If '
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: ownerType
          in: path
          type: string
          description: Enter the ownerType to specify the scope. The response will contain the policy violations that are
            within the scope specified.
          required: true
        - name: ownerId
          in: path
          type: string
          description: Enter the corresponding id for the ownerType specified above.
          required: true
        - name: scanId
          in: path
          type: string
          description: Enter the scanId (reportId) of the scan for which you want to retrieve the waivers on transitive policy
            violations occurring due the dependencies of a component
          required: true
        - name: componentIdentifier
          in: query
          type: string
          description: Enter the component identifier for the component for which you want to retrieve the waivers on transitive
            policy violations, for the specified scanId.
        - name: packageUrl
          in: query
          type: string
          description: Enter the package URL for the component for which you want to retrieve the waivers on transitive policy
            violations, for the specified scanId.
        - name: hash
          in: query
          type: string
          description: Enter the hash for the component for which you want to retrieve the waivers on transitive policy violations,
            for the specified scanId.
      - name: addwaivertotransitivepolicyviolationsbyappscancomponent
        method: POST
        description: 'Use this method to create a policy waiver on a transitive component detected during the specified scan.
          NOTE: Any one of the input parameters, i.e. component identifier, packageUrl or hash is required. If more than one
          is provided, the syst'
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: ownerType
          in: path
          type: string
          description: Indicates the scope of the waiver that will be created.
          required: true
        - name: ownerId
          in: path
          type: string
          description: Enter the corresponding id for the ownerType specified above.
          required: true
        - name: scanId
          in: path
          type: string
          description: Enter the scanId (reportId) of the evaluation report that shows the transitive component.
          required: true
        - name: componentIdentifier
          in: query
          type: string
          description: Enter the component identifier of the transitive component on which you want to create a policy waiver.
        - name: packageUrl
          in: query
          type: string
          description: Enter the package URL of the transitive component on which you want to create a policy waiver.
        - name: hash
          in: query
          type: string
          description: Enter the hash of the transitive component on which you want to create a policy waiver.
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: false
    - name: api-v2-policyWaivers-waiverRequests-policyViolationId
      path: /api/v2/policyWaivers/waiverRequests/{policyViolationId}
      operations:
      - name: requestpolicywaiver
        method: POST
        description: Deprecated since IQ Server 1.192. Triggers a 'Waiver Request' webhook event. Deprecated because the webhook
          event is now integrated into the policy waiver request process. Please use `api/v2/policyWaiverRequests{ownerType}/policyViolation/{
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: policyViolationId
          in: path
          type: string
          description: Enter the policyViolationId for which you want to trigger the waiver request event.
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: false
    - name: api-v2-policyWaivers-ownerType-ownerId
      path: /api/v2/policyWaivers/{ownerType}/{ownerId}
      operations:
      - name: getpolicywaivers
        method: GET
        description: Use this method to retrieve waiver details for all policy waivers for the scope specified. You can specify
          the scope by using the parameters ownerType and ownerId.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: ownerType
          in: path
          type: string
          description: Enter the ownerType to specify the scope. The response will contain waivers that are within the scope
            specified.
          required: true
        - name: ownerId
          in: path
          type: string
          description: Enter the corresponding id for the ownerType specified above.
          required: true
      - name: addbulkpolicywaivers
        method: POST
        description: Use this method to create policy waivers for multiple policy violations.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: ownerType
          in: path
          type: string
          description: Indicates the scope of the waiver. Possible values are application, organization, repository, repository_manager,
            repository_container.
          required: true
        - name: ownerId
          in: path
          type: string
          description: Enter the id for the ownerType provided above. E.g. applicationId if the ownerType is application.
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-v2-policyWaivers-ownerType-ownerId-policyViolationId
      path: /api/v2/policyWaivers/{ownerType}/{ownerId}/{policyViolationId}
      operations:
      - name: addpolicywaiverbypolicyviolationid
        method: POST
        description: Use this method to create a policy waiver.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: ownerType
          in: path
          type: string
          description: Indicates the scope of the waiver. Possible values are application, organization, repository, repository_manager,
            repository_container.
          required: true
        - name: ownerId
          in: path
          type: string
          description: Enter the id for the ownerType provided above. E.g. applicationId if the ownerType is application.
          required: true
        - name: policyViolationId
          in: path
          type: string
          description: Enter the policyViolationId for the policy on which you want to create a waiver. Use the Policy Violation
            REST API or Reports REST API to obtain the policyViola
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-v2-policyWaivers-ownerType-ownerId-policyWaiverId
      path: /api/v2/policyWaivers/{ownerType}/{ownerId}/{policyWaiverId}
      operations:
      - name: deletepolicywaiver
        method: DELETE
        description: Use this method to delete a waiver, specified by the policyWaiverId.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: ownerType
          in: path
          type: string
          description: Enter the ownerType to specify the scope. A waiver corresponding to the policyWaiverId provided and
            within the scope specified will be deleted.
          required: true
        - name: ownerId
          in: path
          type: string
          description: Enter the corresponding id for the ownerType specified above.
          required: true
        - name: policyWaiverId
          in: path
          type: string
          description: Enter the policyWaiverId to be deleted.
          required: true
      - name: getpolicywaiver
        method: GET
        description: Use this method to retrieve waiver details for the waiverId specified.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: ownerType
          in: path
          type: string
          description: Enter the ownerType to specify the scope. The response will contain the details for waivers within
            the scope.
          required: true
        - name: ownerId
          in: path
          type: string
          description: Enter the corresponding id for the ownerType specified above.
          required: true
        - name: policyWaiverId
          in: path
          type: string
          description: Enter the policyWaiverId for which you want to retrieve the waiver details.
          required: true
      - name: updatepolicywaiver
        method: PUT
        description: Use this method to update an existing policy waiver.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: ownerType
          in: path
          type: string
          description: Indicates the scope of the policy waiver. Possible values are application, organization, repository,
            repository_manager, and repository_container.
          required: true
        - name: ownerId
          in: path
          type: string
          description: Enter the id for the `ownerType` provided above. E.g. `applicationId` if the `ownerType` is application.
          required: true
        - name: policyWaiverId
          in: path
          type: string
          description: Enter the id for the policy waiver.
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    authentication:
      type: bearer
      token: '{{env.SONATYPE_API_KEY}}'
  exposes:
  - type: rest
    namespace: lifecycle-policy-waivers-rest
    port: 8080
    description: REST adapter for Sonatype Lifecycle Public REST API — Policy Waivers. One Spectral-compliant resource per
      consumed operation, prefixed with /v1.
    resources:
    - path: /v1/api/v2/policywaivers/transitive/{ownertype}/{ownerid}/stages/{stageid}
      name: api-v2-policywaivers-transitive-ownertype-ownerid-stages-stageid
      description: REST surface for api-v2-policyWaivers-transitive-ownerType-ownerId-stages-stageId.
      operations:
      - method: POST
        name: addwaivertotransitivepolicyviolationsbyownerstagecomponent
        description: Use this method to add a waiver for all transitive violations for a given component, detected in the
          latest scan at the stage specified.
        call: lifecycle-policy-waivers.addwaivertotransitivepolicyviolationsbyownerstagecomponent
        with:
          ownerType: rest.ownerType
          ownerId: rest.ownerId
          stageId: rest.stageId
          componentIdentifier: rest.componentIdentifier
          packageUrl: rest.packageUrl
          hash: rest.hash
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/v2/policywaivers/transitive/{ownertype}/{ownerid}/{scanid}
      name: api-v2-policywaivers-transitive-ownertype-ownerid-scanid
      description: REST surface for api-v2-policyWaivers-transitive-ownerType-ownerId-scanId.
      operations:
      - method: GET
        name: gettransitivepolicywaiversbyappscancomponent
        description: 'Use this method to retrieve all waivers on policy violations due to transitive dependencies for a specific
          component detected in a specific scan. Any one of the input parameters, i.e. componentIdentifier, packageUrl or
          hash is required. If '
        call: lifecycle-policy-waivers.gettransitivepolicywaiversbyappscancomponent
        with:
          ownerType: rest.ownerType
          ownerId: rest.ownerId
          scanId: rest.scanId
          componentIdentifier: rest.componentIdentifier
          packageUrl: rest.packageUrl
          hash: rest.hash
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: addwaivertotransitivepolicyviolationsbyappscancomponent
        description: 'Use this method to create a policy waiver on a transitive component detected during the specified scan.
          NOTE: Any one of the input parameters, i.e. component identifier, packageUrl or hash is required. If more than one
          is provided, the syst'
        call: lifecycle-policy-waivers.addwaivertotransitivepolicyviolationsbyappscancomponent
        with:
          ownerType: rest.ownerType
          ownerId: rest.ownerId
          scanId: rest.scanId
          componentIdentifier: rest.componentIdentifier
          packageUrl: rest.packageUrl
          hash: rest.hash
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/v2/policywaivers/waiverrequests/{policyviolationid}
      name: api-v2-policywaivers-waiverrequests-policyviolationid
      description: REST surface for api-v2-policyWaivers-waiverRequests-policyViolationId.
      operations:
      - method: POST
        name: requestpolicywaiver
        description: Deprecated since IQ Server 1.192. Triggers a 'Waiver Request' webhook event. Deprecated because the webhook
          event is now integrated into the policy waiver request process. Please use `api/v2/policyWaiverRequests{ownerType}/policyViolation/{
        call: lifecycle-policy-waivers.requestpolicywaiver
        with:
          policyViolationId: rest.policyViolationId
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/v2/policywaivers/{ownertype}/{ownerid}
      name: api-v2-policywaivers-ownertype-ownerid
      description: REST surface for api-v2-policyWaivers-ownerType-ownerId.
      operations:
      - method: GET
        name: getpolicywaivers
        description: Use this method to retrieve waiver details for all policy waivers for the scope specified. You can specify
          the scope by using the parameters ownerType and ownerId.
        call: lifecycle-policy-waivers.getpolicywaivers
        with:
          ownerType: rest.ownerType
          ownerId: rest.ownerId
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: addbulkpolicywaivers
        description: Use this method to create policy waivers for multiple policy violations.
        call: lifecycle-policy-waivers.addbulkpolicywaivers
        with:
          ownerType: rest.ownerType
          ownerId: rest.ownerId
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/v2/policywaivers/{ownertype}/{ownerid}/{policyviolationid}
      name: api-v2-policywaivers-ownertype-ownerid-policyviolationid
      description: REST surface for api-v2-policyWaivers-ownerType-ownerId-policyViolationId.
      operations:
      - method: POST
        name: addpolicywaiverbypolicyviolationid
        description: Use this method to create a policy waiver.
        call: lifecycle-policy-waivers.addpolicywaiverbypolicyviolationid
        with:
          ownerType: rest.ownerType
          ownerId: rest.ownerId
          policyViolationId: rest.policyViolationId
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/v2/policywaivers/{ownertype}/{ownerid}/{policywaiverid}
      name: api-v2-policywaivers-ownertype-ownerid-policywaiverid
      description: REST surface for api-v2-policyWaivers-ownerType-ownerId-policyWaiverId.
      operations:
      - method: DELETE
        name: deletepolicywaiver
        description: Use this method to delete a waiver, specified by the policyWaiverId.
        call: lifecycle-policy-waivers.deletepolicywaiver
        with:
          ownerType: rest.ownerType
          ownerId: rest.ownerId
          policyWaiverId: rest.policyWaiverId
        outputParameters:
        - type: object
          mapping: $.
      - method: GET
        name: getpolicywaiver
        description: Use this method to retrieve waiver details for the waiverId specified.
        call: lifecycle-policy-waivers.getpolicywaiver
        with:
          ownerType: rest.ownerType
          ownerId: rest.ownerId
          policyWaiverId: rest.policyWaiverId
        outputParameters:
        - type: object
          mapping: $.
      - method: PUT
        name: updatepolicywaiver
        description: Use this method to update an existing policy waiver.
        call: lifecycle-policy-waivers.updatepolicywaiver
        with:
          ownerType: rest.ownerType
          ownerId: rest.ownerId
          policyWaiverId: rest.policyWaiverId
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    namespace: lifecycle-policy-waivers-mcp
    port: 9090
    transport: http
    description: MCP adapter for Sonatype Lifecycle Public REST API — Policy Waivers. One tool per consumed operation, routed
      inline through this capability's consumes block.
    tools:
    - name: use-this-method-add-waiver
      description: Use this method to add a waiver for all transitive violations for a given component, detected in the latest
        scan at the stage specified.
      hints:
        readOnly: false  # POST that creates a waiver, so not read-only
        destructive: false
        idempotent: false
      call: lifecycle-policy-waivers.addwaivertotransitivepolicyviolationsbyownerstagecomponent
      with:
        ownerType: tools.ownerType
        ownerId: tools.ownerId
        stageId: tools.stageId
        componentIdentifier: tools.componentIdentifier
        packageUrl: tools.packageUrl
        hash: tools.hash
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: use-this-method-retrieve-all
      description: 'Use this method to retrieve all waivers on policy violations due to transitive dependencies for a specific
        component detected in a specific scan. Any one of the input parameters, i.e. componentIdentifier, packageUrl or hash
        is required. If '
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: lifecycle-policy-waivers.gettransitivepolicywaiversbyappscancomponent
      with:
        ownerType: tools.ownerType
        ownerId: tools.ownerId
        scanId: tools.scanId
        componentIdentifier: tools.componentIdentifier
        packageUrl: tools.packageUrl
        hash: tools.hash
      outputParameters:
      - type: object
        mapping: $.
    - name: use-this-method-create-policy
      description: 'Use this method to create a policy waiver on a transitive component detected during the specified scan.
        NOTE: Any one of the input parameters, i.e. component identifier, packageUrl or hash is required. If more than one
        is provided, the syst'
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: lifecycle-policy-waivers.addwaivertotransitivepolicyviolationsbyappscancomponent
      with:
        ownerType: tools.ownerType
        ownerId: tools.ownerId
        scanId: tools.scanId
        componentIdentifier: tools.componentIdentifier
        packageUrl: tools.packageUrl
        hash: tools.hash
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: deprecated-since-iq-server-1-192
      description: Deprecated since IQ Server 1.192. Triggers a 'Waiver Request' webhook event. Deprecated because the webhook
        event is now integrated into the policy waiver request process. Please use `api/v2/policyWaiverRequests{ownerType}/policyViolation/{
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: lifecycle-policy-waivers.requestpolicywaiver
      with:
        policyViolationId: tools.policyViolationId
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: use-this-method-retrieve-waiver
      description: Use this method to retrieve waiver details for all policy waivers for the scope specified. You can specify
        the scope by using the parameters ownerType and ownerId.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: lifecycle-policy-waivers.getpolicywaivers
      with:
        ownerType: tools.ownerType
        ownerId: tools.ownerId
      outputParameters:
      - type: object
        mapping: $.
    - name: use-this-method-create-policy-2
      description: Use this method to create policy waivers for multiple policy violations.
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: lifecycle-policy-waivers.addbulkpolicywaivers
      with:
        ownerType: tools.ownerType
        ownerId: tools.ownerId
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: use-this-method-create-policy-3
      description: Use this method to create a policy waiver.
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: lifecycle-policy-waivers.addpolicywaiverbypolicyviolationid
      with:
        ownerType: tools.ownerType
        ownerId: tools.ownerId
        policyViolationId: tools.policyViolationId
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: use-this-method-delete-waiver
      description: Use this method to delete a waiver, specified by the policyWaiverId.
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: lifecycle-policy-waivers.deletepolicywaiver
      with:
        ownerType: tools.ownerType
        ownerId: tools.ownerId
        policyWaiverId: tools.policyWaiverId
      outputParameters:
      - type: object
        mapping: $.
    - name: use-this-method-retrieve-waiver-2
      description: Use this method to retrieve waiver details for the waiverId specified.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: lifecycle-policy-waivers.getpolicywaiver
      with:
        ownerType: tools.ownerType
        ownerId: tools.ownerId
        policyWaiverId: tools.policyWaiverId
      outputParameters:
      - type: object
        mapping: $.
    - name: use-this-method-update-existing
      description: Use this method to update an existing policy waiver.
      hints:
        readOnly: false
        destructive: false
        idempotent: true
      call: lifecycle-policy-waivers.updatepolicywaiver
      with:
        ownerType: tools.ownerType
        ownerId: tools.ownerId
        policyWaiverId: tools.policyWaiverId
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.