Vulnerability Advisor for IBM Cloud Container Registry

Introduction

Vulnerability Advisor checks the security status of container images that are provided by IBM®, third parties, or added to your organization's registry namespace.

For more information about Vulnerability Advisor, see Managing image security with Vulnerability Advisor.

For more information about IBM Cloud Container Registry, see About IBM Cloud Container Registry.

For more information about IBM Cloud Kubernetes Service, see Getting started with IBM Cloud Kubernetes Service.

Endpoint URL

The endpoint for the Vulnerability Advisor for IBM Cloud Container Registry API is in the format: https://<registry_dns_name>/va/api/v3 For example, the API endpoint for Dallas is: https://us.icr.io/va/api/v3 To find out about the available IBM Cloud Container Registry DNS names, see Regions.

Error handling

The Vulnerabiliy Advisor service uses standard HTTP response codes to indicate whether a method completed successfully. A 200 response always indicates success. A 400 type response indicates a failure, and a 500 type response usually indicates an internal system error.

Authentication

Access to IBM Cloud Container Registry and Vulnerability Advisor is controlled by using IBM Cloud Identity and Access Management (IAM), which provides a unified approach to managing user identities and access control across your IBM Cloud services and applications.

This API requires IBM Cloud Identity and Access Management (IAM) authentication. You must pass an IAM token in the Authorization header of the request. You can retrieve your IAM access token, which is prefixed with Bearer, by running the ibmcloud iam oauth-tokens command. You must also set the Account header to the unique ID for your IBM Cloud account. You can retrieve your Account ID by running the ibmcloud account show command.

To call each method, you must be assigned a role that includes the required IAM actions. Each method lists the associated action. For more information about IAM actions and how they map to roles, see Managing access for IBM Cloud Container Registry.

Event tracking

You can monitor API activity within your account by using the IBM Cloud Activity Tracker with LogDNA service. Whenever an API method is called, an event is generated that you can then track and audit from within Activity Tracker with LogDNA. The specific event type is listed for each individual method. For more information about how to track IBM Cloud Container Registry activity, see Auditing the events for Container Registry.

For more information about IAM actions and Activity Tracker actions by API method, see IAM and Activity Tracker actions by API .

Vulnerability report status codes

The following table shows the vulnerability report status codes.

Table 1. Vulnerability report status codes
Code Description
OK No security issues were found in the image.
FAIL The scan found one or more potential security issues or vulnerabilities in the image that are outside the scope of all exemptions.
WARN The scan found one or more potential security issues or vulnerabilities in the image. However all of the issues are within the scope of one or more exemptions.
UNSUPPORTED The scan found no supported operating system (OS) distribution and no active configuration issues in the image.
INCOMPLETE The image is being scanned and the final vulnerability status is not determined.
UNSCANNED A vulnerability assessment for the image could not be found.

Methods

Get the vulnerability assessment for all images

Get the vulnerability assessment for the list of registry images that belong to a specific account.

GET /va/api/v3/report/account

Request

Custom Headers

  • The unique ID for your IBM Cloud account. Run 'ibmcloud cr info' to get the ID of the target account.

  • The preferred language code for this request.

Query Parameters

  • The name of the repository for which you want to see the vulnerability assessments for the images in that repository. For example: us.icr.io/namespace/image

  • When set to true, the returned list will contain IBM public images as well as the account images. If not set, or set to false, the list will only contain the account images.

  • When set to false, the returned list will not contain the private account images. If not set, or set to true, the list will contain the private account images.

Response

Status Code

  • The returned list might contain unscanned results for images in your account that haven't yet been scanned. Try again later. If this issue persists, contact support for help; see https://cloud.ibm.com/docs/get-support?topic=get-support-using-avatar

  • A required header is missing. Add the header to the request and try again.

  • You are not authorized to view the requested resource, or your IBM Cloud bearer token is invalid. Run 'ibmcloud iam oauth-tokens' to retrieve your access token and try again. If this issue persists, contact your administrator to confirm that you have access to this resource.

  • You don't have authorization to access the specified namespace. Run 'ibmcloud cr namespaces' to list your namespaces. Check that your image is in one of your namespaces.

  • An internal server error occurred

  • This service is unavailable at the moment. Try again later.

  • Unable to authenticate with IBM Cloud. Try again later.

Example responses
  • {
      "assessments": {
        "us.icr.io/birds/grebe:crested": {
          "id": "12345678-130f-423f-a521-16f787651234",
          "scan_time": 1594050648,
          "status": "UNSUPPORTED",
          "vulnerabilities": [],
          "configuration_issues": []
        },
        "us.icr.io/birds/woodpecker:green": {
          "id": "12345678-130f-423f-a521-16f787654321",
          "scan_time": 1594148866,
          "status": "WARN",
          "vulnerabilities": [
            {
              "cve_id": "CVE-2019-99999",
              "summary": "This is a CVE.",
              "cve_exempt": true,
              "exempt_status": "exempt",
              "security_notice_count": 1,
              "exempt_security_notice_count": 0,
              "total_security_notice_count": 1,
              "security_notices": [
                {
                  "notice_id": "ALPINE-CVE-2019-99999",
                  "notice": "",
                  "notice_exempt": false,
                  "summary": "This is a summary.",
                  "vulnerable_packages": [
                    {
                      "description": "Description of vulnerability to package",
                      "corrective_action": "Upgrade the offending packahe",
                      "fix_version": "0.0.1",
                      "installed_version": "0.0.0",
                      "package_name": "package"
                    }
                  ]
                }
              ]
            }
          ],
          "configuration_issues": []
        }
      }
    }

Get vulnerability assessment status for all images

Get the vulnerability assessment status for the list of registry images that belong to a specific account.

GET /va/api/v3/report/account/status

Request

Custom Headers

  • The unique ID for your IBM Cloud account. Run 'ibmcloud cr info' to get the ID of the target account.

  • The preferred language code for this request.

Query Parameters

  • The name of the repository for which you want to see the vulnerability assessments for the images in that repository. For example: us.icr.io/namespace/image

  • When set to true, the returned list will contain IBM public images as well as the account images. If not set, or set to false, the list will only contain the account images.

  • When set to false, the returned list will not contain the private account images. If not set, or set to true, the list will contain the private account images.

Response

Status Code

  • The returned list might contain unscanned results for images in your account that haven't yet been scanned. Try again later. If this issue persists, contact support for help; see https://cloud.ibm.com/docs/get-support?topic=get-support-using-avatar

  • A required header is missing. Add the header to the request and try again.

  • You are not authorized to view the requested resource, or your IBM Cloud bearer token is invalid. Run 'ibmcloud iam oauth-tokens' to retrieve your access token and try again. If this issue persists, contact your administrator to confirm that you have access to this resource.

  • You don't have authorization to access the specified namespace. Run 'ibmcloud cr namespaces' to list your namespaces. Check that your image is in one of your namespaces.

  • An internal server error occurred

  • This service is unavailable at the moment. Try again later.

  • Unable to authenticate with IBM Cloud. Try again later.

Example responses
  • {
      "images": [
        {
          "name": "us.icr.io/birds/woodpecker:green",
          "created_time": 1515532258,
          "status": "FAIL",
          "scan_time": 1594031816,
          "issue_count": 2,
          "exempt_issue_count": 1,
          "vulnerability_count": 2,
          "exempt_vulnerability_count": 1,
          "configuration_issue_count": 0,
          "exempt_configuration_issue_count": 0
        },
        {
          "name": "us.icr.io/birds/grebe:crested",
          "created_time": 1546305670,
          "status": "UNSUPPORTED",
          "scan_time": 1594389126,
          "issue_count": 0,
          "exempt_issue_count": 0,
          "vulnerability_count": 0,
          "exempt_vulnerability_count": 0,
          "configuration_issue_count": 0,
          "exempt_configuration_issue_count": 0
        }
      ]
    }

Get vulnerability status

Get the overall vulnerability status for a registry image.

GET /va/api/v3/report/image/status/{name}

Request

Custom Headers

  • The unique ID for your IBM Cloud account. Run 'ibmcloud cr info' to get the ID of the target account.

  • The preferred language code for this request.

Path Parameters

  • Name of the image, for example: us.icr.io/namespace/repository:tag.

    Constraints: Value must match regular expression .*

Response

Status Code

  • OK

  • A required header is missing. Add the header to the request and try again.

  • You are not authorized to view the requested resource, or your IBM Cloud bearer token is invalid. Run 'ibmcloud iam oauth-tokens' to retrieve your access token and try again. If this issue persists, contact your administrator to confirm that you have access to this resource.

  • You don't have authorization to access the specified namespace. Run 'ibmcloud cr namespaces' to list your namespaces. Check that your image is in one of your namespaces.

  • Your image hasn't been scanned yet. Try again later. If this issue persists, contact support for help; see https://cloud.ibm.com/docs/get-support?topic=get-support-using-avatar

  • An internal server error occurred

  • This service is unavailable at the moment. Try again later.

  • Unable to authenticate with IBM Cloud. Try again later.

Example responses
  • {
      "name": "us.icr.io/birds/woodpecker:green",
      "created_time": 1515532258,
      "status": "FAIL",
      "scan_time": 1594031816,
      "issue_count": 2,
      "exempt_issue_count": 1,
      "vulnerability_count": 2,
      "exempt_vulnerability_count": 1,
      "configuration_issue_count": 0,
      "exempt_configuration_issue_count": 0
    }

Get vulnerability assessment status

Get the vulnerability assessment for a registry image.

GET /va/api/v3/report/image/{name}

Request

Custom Headers

  • The unique ID for your IBM Cloud account. Run 'ibmcloud cr info' to get the ID of the target account.

  • The preferred language code for this request.

Path Parameters

  • Name of the image, for example: us.icr.io/namespace/repository:tag.

    Constraints: Value must match regular expression .*

Response

Status Code

  • OK

  • A required header is missing. Add the header to the request and try again.

  • You are not authorized to view the requested resource, or your IBM Cloud bearer token is invalid. Run 'ibmcloud iam oauth-tokens' to retrieve your access token and try again. If this issue persists, contact your administrator to confirm that you have access to this resource.

  • You don't have authorization to access the specified namespace. Run 'ibmcloud cr namespaces' to list your namespaces. Check that your image is in one of your namespaces.

  • Your image hasn't been scanned yet. Try again later. If this issue persists, contact support for help; see https://cloud.ibm.com/docs/get-support?topic=get-support-using-avatar

  • An internal server error occurred

  • This service is unavailable at the moment. Try again later.

  • Unable to authenticate with IBM Cloud. Try again later.

Example responses
  • {
      "id": "12345678-130f-423f-a521-16f787654321",
      "scan_time": 1594148866,
      "status": "WARN",
      "vulnerabilities": [
        {
          "cve_id": "CVE-2019-99999",
          "summary": "This is a CVE.",
          "cve_exempt": true,
          "exempt_status": "exempt",
          "security_notice_count": 1,
          "exempt_security_notice_count": 0,
          "total_security_notice_count": 1,
          "security_notices": [
            {
              "notice_id": "ALPINE-CVE-2019-99999",
              "notice": "",
              "notice_exempt": false,
              "summary": "This is a summary.",
              "vulnerable_packages": [
                {
                  "description": "Description of vulnerability to package",
                  "corrective_action": "Upgrade the offending packahe",
                  "fix_version": "0.0.1",
                  "installed_version": "0.0.0",
                  "package_name": "package"
                }
              ]
            }
          ]
        }
      ],
      "configuration_issues": []
    }

List account level exemptions

List the exemptions that are specified with account level scope.

GET /va/api/v3/exempt/image

Request

Custom Headers

  • The unique ID for your IBM Cloud account. Run 'ibmcloud cr info' to get the ID of the target account.

  • The preferred language code for this request.

Response

Status Code

  • OK

  • A required header is missing. Add the header to the request and try again.

  • You are not authorized to view the requested resource, or your IBM Cloud bearer token is invalid. Run 'ibmcloud iam oauth-tokens' to retrieve your access token and try again. If this issue persists, contact your administrator to confirm that you have access to this resource.

  • You don't have authorization to access the specified namespace. Run 'ibmcloud cr namespaces' to list your namespaces. Check that your image is in one of your namespaces.

  • An internal server error occurred

  • This service is unavailable at the moment. Try again later.

  • Unable to authenticate with IBM Cloud. Try again later.

Example responses
  • [
      {
        "issue_type": "cve",
        "issue_id": "CVE-2019-99999",
        "account_id": "79c6d1c71fb1cbedc38ffc251ba2ffff",
        "scope": {
          "scope_type": "image",
          "namespace": "",
          "repository": "",
          "tag": ""
        }
      }
    ]

Get an account level exemption

Get details of an exemption that is specified with account level scope.

GET /va/api/v3/exempt/image/issue/{issueType}/{issueID}

Request

Custom Headers

  • The unique ID for your IBM Cloud account. Run 'ibmcloud cr info' to get the ID of the target account.

  • The preferred language code for this request.

Path Parameters

  • Exemption type, e.g. 'cve' or 'sn' or 'configuration'. See /va/api/v3/exempt/types for more details.

  • Exemption ID, e.g. 'CVE-2018-9999'. See /va/api/v3/exempt/types for more details.

    Constraints: Value must match regular expression .*

Response

Status Code

  • OK

  • A required header is missing. Add the header to the request and try again.

  • You are not authorized to view the requested resource, or your IBM Cloud bearer token is invalid. Run 'ibmcloud iam oauth-tokens' to retrieve your access token and try again. If this issue persists, contact your administrator to confirm that you have access to this resource.

  • You don't have authorization to access the specified namespace. Run 'ibmcloud cr namespaces' to list your namespaces. Check that your image is in one of your namespaces.

  • An internal server error occurred

  • This service is unavailable at the moment. Try again later.

  • Unable to authenticate with IBM Cloud. Try again later.

Example responses
  • {
      "issue_type": "cve",
      "issue_id": "CVE-2019-99999",
      "account_id": "79c6d1c71fb1cbedc38ffc251ba2ffff",
      "scope": {
        "scope_type": "image",
        "namespace": "",
        "repository": "",
        "tag": ""
      }
    }

Create or update an account level exemption

Create or update an exemption that is specified with account level scope.

POST /va/api/v3/exempt/image/issue/{issueType}/{issueID}

Request

Custom Headers

  • The unique ID for your IBM Cloud account. Run 'ibmcloud cr info' to get the ID of the target account.

  • The preferred language code for this request.

Path Parameters

  • Exemption type, e.g. 'cve' or 'sn' or 'configuration'. See /va/api/v3/exempt/types for more details.

  • Exemption ID, e.g. 'CVE-2018-9999'. See /va/api/v3/exempt/types for more details.

    Constraints: Value must match regular expression .*

Response

Status Code

  • Created

  • A required header is missing. Add the header to the request and try again.

  • You are not authorized to view the requested resource, or your IBM Cloud bearer token is invalid. Run 'ibmcloud iam oauth-tokens' to retrieve your access token and try again. If this issue persists, contact your administrator to confirm that you have access to this resource.

  • You don't have authorization to access the specified namespace. Run 'ibmcloud cr namespaces' to list your namespaces. Check that your image is in one of your namespaces.

  • An internal server error occurred

  • This service is unavailable at the moment. Try again later.

  • Unable to authenticate with IBM Cloud. Try again later.

Example responses
  • {
      "issue_type": "cve",
      "issue_id": "CVE-2019-99999",
      "account_id": "79c6d1c71fb1cbedc38ffc251ba2ffff",
      "scope": {
        "scope_type": "image",
        "namespace": "",
        "repository": "",
        "tag": ""
      }
    }

Delete an account level exemption

Delete an exemption that is specified with account level scope.

DELETE /va/api/v3/exempt/image/issue/{issueType}/{issueID}

Request

Custom Headers

  • The unique ID for your IBM Cloud account. Run 'ibmcloud cr info' to get the ID of the target account.

  • The preferred language code for this request.

Path Parameters

  • Exemption type, e.g. 'cve' or 'sn' or 'configuration'. See /va/api/v3/exempt/types for more details.

  • Exemption ID, e.g. 'CVE-2018-9999'. See /va/api/v3/exempt/types for more details.

    Constraints: Value must match regular expression .*

Response

Status Code

  • OK

  • A required header is missing. Add the header to the request and try again.

  • You are not authorized to view the requested resource, or your IBM Cloud bearer token is invalid. Run 'ibmcloud iam oauth-tokens' to retrieve your access token and try again. If this issue persists, contact your administrator to confirm that you have access to this resource.

  • You don't have authorization to access the specified namespace. Run 'ibmcloud cr namespaces' to list your namespaces. Check that your image is in one of your namespaces.

  • Exemption not found.

  • An internal server error occurred

  • This service is unavailable at the moment. Try again later.

  • Unable to authenticate with IBM Cloud. Try again later.

No Sample Response

This method does not specify any sample responses.

List resource exemptions

List the exemptions that are specified for a resource (account, registry namespace, repository, or image).

GET /va/api/v3/exempt/image/{resource}

Request

Custom Headers

  • The unique ID for your IBM Cloud account. Run 'ibmcloud cr info' to get the ID of the target account.

  • The preferred language code for this request.

Path Parameters

  • IBM Cloud Registry resource (namespace, namespace/repository, namespace/repository:tag, or namespace/repository@sha256:hash)

    Constraints: Value must match regular expression .*

Response

Status Code

  • OK

  • A required header is missing. Add the header to the request and try again.

  • You are not authorized to view the requested resource, or your IBM Cloud bearer token is invalid. Run 'ibmcloud iam oauth-tokens' to retrieve your access token and try again. If this issue persists, contact your administrator to confirm that you have access to this resource.

  • You don't have authorization to access the specified namespace. Run 'ibmcloud cr namespaces' to list your namespaces. Check that your image is in one of your namespaces.

  • An internal server error occurred

  • This service is unavailable at the moment. Try again later.

  • Unable to authenticate with IBM Cloud. Try again later.

Example responses
  • [
      {
        "issue_type": "cve",
        "issue_id": "CVE-2019-99999",
        "account_id": "79c6d1c71fb1cbedc38ffc251ba2ffff",
        "scope": {
          "scope_type": "image",
          "namespace": "birds",
          "repository": "",
          "tag": ""
        }
      }
    ]

Get details of a resource exemption

Get an exemption that is specified for a resource (account, registry namespace, repository, or image).

GET /va/api/v3/exempt/image/{resource}/issue/{issueType}/{issueID}

Request

Custom Headers

  • The unique ID for your IBM Cloud account. Run 'ibmcloud cr info' to get the ID of the target account.

  • The preferred language code for this request.

Path Parameters

  • IBM Cloud Registry resource (namespace, namespace/repository, namespace/repository:tag, or namespace/repository@sha256:hash)

    Constraints: Value must match regular expression .*

  • Exemption type, e.g. 'cve' or 'sn' or 'configuration'. See /va/api/v3/exempt/types for more details.

  • Exemption ID, e.g. 'CVE-2018-9999'. See /va/api/v3/exempt/types for more details.

    Constraints: Value must match regular expression .*

Response

Status Code

  • OK

  • A required header is missing. Add the header to the request and try again.

  • You are not authorized to view the requested resource, or your IBM Cloud bearer token is invalid. Run 'ibmcloud iam oauth-tokens' to retrieve your access token and try again. If this issue persists, contact your administrator to confirm that you have access to this resource.

  • You don't have authorization to access the specified namespace. Run 'ibmcloud cr namespaces' to list your namespaces. Check that your image is in one of your namespaces.

  • An internal server error occurred

  • This service is unavailable at the moment. Try again later.

  • Unable to authenticate with IBM Cloud. Try again later.

Example responses
  • {
      "issue_type": "cve",
      "issue_id": "CVE-2019-99999",
      "account_id": "79c6d1c71fb1cbedc38ffc251ba2ffff",
      "scope": {
        "scope_type": "image",
        "namespace": "birds",
        "repository": "",
        "tag": ""
      }
    }

Create or update a resource exemption

Create or update an exemption that is specified for a resource (account, registry namespace, repository, or image).

POST /va/api/v3/exempt/image/{resource}/issue/{issueType}/{issueID}

Request

Custom Headers

  • The unique ID for your IBM Cloud account. Run 'ibmcloud cr info' to get the ID of the target account.

  • The preferred language code for this request.

Path Parameters

  • IBM Cloud Registry resource (namespace, namespace/repository, namespace/repository:tag, or namespace/repository@sha256:hash)

    Constraints: Value must match regular expression .*

  • Exemption type, e.g. 'cve' or 'sn' or 'configuration'. See /va/api/v3/exempt/types for more details.

  • Exemption ID, e.g. 'CVE-2018-9999'. See /va/api/v3/exempt/types for more details.

    Constraints: Value must match regular expression .*

Response

Status Code

  • Created

  • A required header is missing. Add the header to the request and try again.

  • You are not authorized to view the requested resource, or your IBM Cloud bearer token is invalid. Run 'ibmcloud iam oauth-tokens' to retrieve your access token and try again. If this issue persists, contact your administrator to confirm that you have access to this resource.

  • You don't have authorization to access the specified namespace. Run 'ibmcloud cr namespaces' to list your namespaces. Check that your image is in one of your namespaces.

  • An internal server error occurred

  • This service is unavailable at the moment. Try again later.

  • Unable to authenticate with IBM Cloud. Try again later.

Example responses
  • {
      "issue_type": "cve",
      "issue_id": "CVE-2019-99999",
      "account_id": "79c6d1c71fb1cbedc38ffc251ba2ffff",
      "scope": {
        "scope_type": "image",
        "namespace": "birds",
        "repository": "",
        "tag": ""
      }
    }

Delete a resource exemption

Delete an exemption that is specified for a resource (account, registry namespace, repository, or image).

DELETE /va/api/v3/exempt/image/{resource}/issue/{issueType}/{issueID}

Request

Custom Headers

  • The unique ID for your IBM Cloud account. Run 'ibmcloud cr info' to get the ID of the target account.

  • The preferred language code for this request.

Path Parameters

  • IBM Cloud Registry resource (namespace, namespace/repository, namespace/repository:tag, or namespace/repository@sha256:hash)

    Constraints: Value must match regular expression .*

  • Exemption type, e.g. 'cve' or 'sn' or 'configuration'. See /va/api/v3/exempt/types for more details.

  • Exemption ID, e.g. 'CVE-2018-9999'. See /va/api/v3/exempt/types for more details.

    Constraints: Value must match regular expression .*

Response

Status Code

  • OK

  • A required header is missing. Add the header to the request and try again.

  • You are not authorized to view the requested resource, or your IBM Cloud bearer token is invalid. Run 'ibmcloud iam oauth-tokens' to retrieve your access token and try again. If this issue persists, contact your administrator to confirm that you have access to this resource.

  • You don't have authorization to access the specified namespace. Run 'ibmcloud cr namespaces' to list your namespaces. Check that your image is in one of your namespaces.

  • Exemption not found.

  • An internal server error occurred

  • This service is unavailable at the moment. Try again later.

  • Unable to authenticate with IBM Cloud. Try again later.

No Sample Response

This method does not specify any sample responses.

List the types of exemption

List the types of exemption.

GET /va/api/v3/exempt/types

Request

Custom Headers

  • The unique ID for your IBM Cloud account. Run 'ibmcloud cr info' to get the ID of the target account.

  • The preferred language code for this request.

Response

Status Code

  • OK

  • A required header is missing. Add the header to the request and try again.

  • You are not authorized to view the requested resource, or your IBM Cloud bearer token is invalid. Run 'ibmcloud iam oauth-tokens' to retrieve your access token and try again. If this issue persists, contact your administrator to confirm that you have access to this resource.

  • You don't have authorization to access the specified namespace. Run 'ibmcloud cr namespaces' to list your namespaces. Check that your image is in one of your namespaces.

  • An internal server error occurred

  • This service is unavailable at the moment. Try again later.

  • Unable to authenticate with IBM Cloud. Try again later.

Example responses
  • [
      {
        "identifier": "cve",
        "display_name": "CVE",
        "validation_regex": "^(?:CVE-(?:\\d){4}-(?:\\d){4,})$"
      },
      {
        "identifier": "sn",
        "display_name": "Security Notice",
        "validation_regex": "^(?:(?:RHSA-(?:\\d){4}:(?:\\d){4})|(?:DSA-(?:\\d){3,}-(?:\\d){1,})|(?:usn-(?:\\d){1,}-(?:\\d){1,})|(?:ALPINE-(?:CVE-(?:\\d){4}-(?:\\d){4,})))$"
      },
      {
        "identifier": "configuration",
        "display_name": "Configuration Issue",
        "validation_regex": "^(?:(?:system_configuration:Linux\\.(?:\\d){1,2}-\\d-[a-z])|(?:application_configuration:(?:(?:[a-zA-Z/](?:(?:(?:[a-zA-Z0-9-_/])+)?[a-zA-Z0-9])?)(?:\\.(?:[a-zA-Z/](?:(?:(?:[a-zA-Z0-9-_/])+)?[a-zA-Z0-9])?))+)))$"
      }
    ]

List all exemptions

List all of the exemptions in the given account.

GET /va/api/v3/exemptions/account

Request

Custom Headers

  • The unique ID for your IBM Cloud account. Run 'ibmcloud cr info' to get the ID of the target account.

  • The preferred language code for this request.

Response

Status Code

  • OK

  • A required header is missing. Add the header to the request and try again.

  • You are not authorized to view the requested resource, or your IBM Cloud bearer token is invalid. Run 'ibmcloud iam oauth-tokens' to retrieve your access token and try again. If this issue persists, contact your administrator to confirm that you have access to this resource.

  • You don't have authorization to access the specified namespace. Run 'ibmcloud cr namespaces' to list your namespaces. Check that your image is in one of your namespaces.

  • An internal server error occurred

  • This service is unavailable at the moment. Try again later.

  • Unable to authenticate with IBM Cloud. Try again later.

Example responses
  • [
      {
        "issue_type": "cve",
        "issue_id": "CVE-2019-99999",
        "account_id": "79c6d1c71fb1cbedc38ffc251ba2ffff",
        "scope": {
          "scope_type": "image",
          "namespace": "",
          "repository": "",
          "tag": ""
        }
      },
      {
        "issue_type": "cve",
        "issue_id": "CVE-2019-11111",
        "account_id": "79c6d1c71fb1cbedc38ffc251ba2ffff",
        "scope": {
          "scope_type": "image",
          "namespace": "birds",
          "repository": "",
          "tag": ""
        }
      }
    ]

Delete all exemptions

Delete all of the exemptions in the given account.

POST /va/api/v3/exemptions/deleteAll

Request

Custom Headers

  • The unique ID for your IBM Cloud account. Run 'ibmcloud cr info' to get the ID of the target account.

  • The preferred language code for this request.

Response

Status Code

  • OK

  • A required header is missing. Add the header to the request and try again.

  • You are not authorized to view the requested resource, or your IBM Cloud bearer token is invalid. Run 'ibmcloud iam oauth-tokens' to retrieve your access token and try again. If this issue persists, contact your administrator to confirm that you have access to this resource.

  • You don't have authorization to access the specified namespace. Run 'ibmcloud cr namespaces' to list your namespaces. Check that your image is in one of your namespaces.

  • An internal server error occurred

  • This service is unavailable at the moment. Try again later.

  • Unable to authenticate with IBM Cloud. Try again later.

Example responses
  • {
      "number_of_exemptions_deleted": 2
    }

List image exemptions

List all of the exemptions for an image.

GET /va/api/v3/exemptions/image/{resource}

Request

Custom Headers

  • The unique ID for your IBM Cloud account. Run 'ibmcloud cr info' to get the ID of the target account.

  • The preferred language code for this request.

Path Parameters

  • IBM Cloud Registry resource (namespace, namespace/repository, namespace/repository:tag, or namespace/repository@sha256:hash)

    Constraints: Value must match regular expression .*

Query Parameters

  • Include scope on returned exemptions

    Default: false

Response

Status Code

  • OK. If the includeScope query parameter is set to true this endpoint will return a list of exemptions that have an additional field 'scope' that describes the level at which the exemption is set (namespace, repository, tag)

  • A required header is missing. Add the header to the request and try again.

  • You are not authorized to view the requested resource, or your IBM Cloud bearer token is invalid. Run 'ibmcloud iam oauth-tokens' to retrieve your access token and try again. If this issue persists, contact your administrator to confirm that you have access to this resource.

  • You don't have authorization to access the specified namespace. Run 'ibmcloud cr namespaces' to list your namespaces. Check that your image is in one of your namespaces.

  • An internal server error occurred

  • This service is unavailable at the moment. Try again later.

  • Unable to authenticate with IBM Cloud. Try again later.

Example responses
  • [
      {
        "issue_type": "cve",
        "issue_id": "CVE-2019-99999",
        "account_id": "79c6d1c71fb1cbedc38ffc251ba2ffff"
      }
    ]

List exemptions for images

List the exemptions for the given list of images.

POST /va/api/v3/exemptions/images

Request

Custom Headers

  • The unique ID for your IBM Cloud account. Run 'ibmcloud cr info' to get the ID of the target account.

  • The preferred language code for this request.

List of images

Example:

Response

Status Code

  • OK

  • A required header is missing. Add the header to the request and try again.

  • You are not authorized to view the requested resource, or your IBM Cloud bearer token is invalid. Run 'ibmcloud iam oauth-tokens' to retrieve your access token and try again. If this issue persists, contact your administrator to confirm that you have access to this resource.

  • You don't have authorization to access the specified namespace. Run 'ibmcloud cr namespaces' to list your namespaces. Check that your image is in one of your namespaces.

  • An internal server error occurred

  • This service is unavailable at the moment. Try again later.

  • Unable to authenticate with IBM Cloud. Try again later.

Example responses
  • {
      "us.icr.io/birds/woodpecker:green": [
        {
          "issue_type": "cve",
          "issue_id": "CVE-2019-99999",
          "account_id": "79c6d1c71fb1cbedc38ffc251ba2ffff"
        }
      ],
      "us.icr.io/birds/grebe:crested": [
        {
          "issue_type": "cve",
          "issue_id": "CVE-2019-11111",
          "account_id": "79c6d1c71fb1cbedc38ffc251ba2ffff"
        }
      ]
    }