Platform
Golden images, from your pipeline.
Primcoat is an API with a dashboard on top — not a dashboard with an API bolted on. Everything you can click, you can automate.
API-first, not API-also
The dashboard is a consumer of the same public API you use. If you can do it in the UI, you can do it from CI — there is no privileged internal endpoint doing the real work.
Async by default
Builds take minutes to hours. Triggering one returns a build ID immediately; you poll it or let a webhook tell you when it lands. Nothing blocks an HTTP connection for two hours.
Safe to retry
Write operations take an idempotency key, so a CI runner that retries on a network blip does not trigger a second build. Rate limits come back with a Retry-After header.
Typed from the spec
The OpenAPI 3.x specification is published and versioned. Client types are generated from it rather than maintained by hand, so the SDKs cannot drift from the API.
Trigger a build
A build request returns immediately with an ID and a queue position. You are never left guessing whether the call went through.
$ curl -X POST https://api.primcoat.app/v1/image-definitions/def_9f2/builds \
-H "Authorization: Bearer $PRIMCOAT_API_KEY" \
-H "Idempotency-Key: release-2026-07-13"
202 Accepted
{
"build_id": "bld_4c81",
"status": "queued",
"queue_position": 2,
"poll_url": "https://api.primcoat.app/v1/builds/bld_4c81"
}Get told when it lands
Subscribe to build events and Primcoat posts the result — including the compliance score, the critical CVE count, and the published artifact identifier in each cloud.
POST https://ci.example.com/hooks/primcoat
{
"event": "build.succeeded",
"build_id": "bld_4c81",
"compliance_score": 96.4,
"cve_count_critical": 0,
"artifacts": {
"aws": "ami-0a1b2c3d4e5f",
"azure": "corp-ubuntu-base-2026.07.13",
"sbom": "https://api.primcoat.app/v1/builds/bld_4c81/sbom"
}
}Core resources
Predictable REST paths, versioned under /v1/, with cursor-based pagination.
- /v1/image-definitions
- Define an OS, a policy, software, and publish targets.
- /v1/builds
- Trigger a build; read status, logs, and artifacts.
- /v1/builds/{id}/sbom
- Retrieve the bill of materials for a build.
- /v1/builds/{id}/scan-report
- Retrieve the CVE and compliance scan results.
- /v1/policies
- Manage hardening profiles and documented exceptions.
- /v1/software-packages
- Browse the certified integration catalog.
- /v1/publish-targets
- Manage the cloud destinations you publish to.
- /v1/channels
- Promote a build through dev, staging, and prod.
- /v1/artifacts
- Query the registry of every image you have built.
- /v1/webhooks
- Subscribe to build and promotion events.
Authentication
API keys are scoped per organization with fine-grained permissions — read, trigger builds, or administer. A CI runner that only needs to kick off a build does not need a key that can also delete a publish target.
Wire it into the pipeline you already have.
A versioned REST API, a published OpenAPI spec, generated SDKs, and webhooks.