Skip to content

Platform

Golden images, from your pipeline.

Primcoat is an API with a dashboard on top — not a dashboard with an API bolted on. Everything you can click, you can automate.

API-first, not API-also

The dashboard is a consumer of the same public API you use. If you can do it in the UI, you can do it from CI — there is no privileged internal endpoint doing the real work.

Async by default

Builds take minutes to hours. Triggering one returns a build ID immediately; you poll it or let a webhook tell you when it lands. Nothing blocks an HTTP connection for two hours.

Safe to retry

Write operations take an idempotency key, so a CI runner that retries on a network blip does not trigger a second build. Rate limits come back with a Retry-After header.

Typed from the spec

The OpenAPI 3.x specification is published and versioned. Client types are generated from it rather than maintained by hand, so the SDKs cannot drift from the API.

Trigger a build

A build request returns immediately with an ID and a queue position. You are never left guessing whether the call went through.

$ curl -X POST https://api.primcoat.app/v1/image-definitions/def_9f2/builds \
    -H "Authorization: Bearer $PRIMCOAT_API_KEY" \
    -H "Idempotency-Key: release-2026-07-13"

202 Accepted
{
  "build_id": "bld_4c81",
  "status": "queued",
  "queue_position": 2,
  "poll_url": "https://api.primcoat.app/v1/builds/bld_4c81"
}

Get told when it lands

Subscribe to build events and Primcoat posts the result — including the compliance score, the critical CVE count, and the published artifact identifier in each cloud.

POST https://ci.example.com/hooks/primcoat
{
  "event": "build.succeeded",
  "build_id": "bld_4c81",
  "compliance_score": 96.4,
  "cve_count_critical": 0,
  "artifacts": {
    "aws":   "ami-0a1b2c3d4e5f",
    "azure": "corp-ubuntu-base-2026.07.13",
    "sbom":  "https://api.primcoat.app/v1/builds/bld_4c81/sbom"
  }
}

Core resources

Predictable REST paths, versioned under /v1/, with cursor-based pagination.

/v1/image-definitions
Define an OS, a policy, software, and publish targets.
/v1/builds
Trigger a build; read status, logs, and artifacts.
/v1/builds/{id}/sbom
Retrieve the bill of materials for a build.
/v1/builds/{id}/scan-report
Retrieve the CVE and compliance scan results.
/v1/policies
Manage hardening profiles and documented exceptions.
/v1/software-packages
Browse the certified integration catalog.
/v1/publish-targets
Manage the cloud destinations you publish to.
/v1/channels
Promote a build through dev, staging, and prod.
/v1/artifacts
Query the registry of every image you have built.
/v1/webhooks
Subscribe to build and promotion events.

Authentication

API keys are scoped per organization with fine-grained permissions — read, trigger builds, or administer. A CI runner that only needs to kick off a build does not need a key that can also delete a publish target.

Wire it into the pipeline you already have.

A versioned REST API, a published OpenAPI spec, generated SDKs, and webhooks.