Workload Protection API | IBM Cloud API Docs

Introduction

Last updated: 2023-04-19

In architectures that are focused on container and microservices, you can use IBM Cloud® Security and Compliance Center Workload Protection to protect, monitor, and enhance forensic analysis of your pipeline and runtime components.

IBM Cloud Security and Compliance Center Workload Protection is available natively on IBM Cloud with an API and SDK that is maintained and provided by Sysdig.

For details about using IBM Cloud Security and Compliance Center Workload Protection, see the IBM Cloud docs.

Use the following syntax from a terminal to run a cURL command:

curl -X <METHOD> <ENDPOINT>/<API_URL> <-H HEADERS,> [-d DATA]

Where

<METHOD> indicates the type of REST API call that you want to make.
<ENDPOINT> indicates the endpoint where the IBM Cloud Security and Compliance Center Workload Protection instance is available. For more information, see Endpoints.
<API_URL> The API URL.
HEADERS add additional information such as information to authenticate with the IBM Cloud Security and Compliance Center Workload Protection service.
DATA allows you to pass additional information that might be required.

The code examples on this tab use the client library that is provided for Python.

import os
import sys
sys.path.insert(0, os.path.join(os.path.dirname(os.path.realpath(sys.argv[0])), '..'))
from sdcclient import IbmAuthHelper, SdMonitorClient

# Parse arguments.
def usage():
   print('usage: %s <ENDPOINT_URL> <API_KEY> <INSTANCE_GUID>' % sys.argv[0])
   print('ENDPOINT_URL: IBM Cloud endpoint URL (for example https://us-south.security-compliance-secure.cloud.ibm.com')
   print('API_KEY: IBM Cloud IAM API key. This key is used to retrieve an IAM access token.')
   print('INSTANCE_GUID: GUID of an Security and Compliance Center Workload Protection instance.')
   sys.exit(1)

if len(sys.argv) != 4:
   usage()

URL = sys.argv[1]
APIKEY = sys.argv[2]
GUID = sys.argv[3]


# Instantiate the client
ibm_headers = IbmAuthHelper.get_headers(URL, APIKEY, GUID)
sdclient = SdMonitorClient(sdc_url=URL, custom_headers=ibm_headers)

Endpoint URL

You can use public and private endpoints. To find out about the available endpoints, see REST API Endpoints.

The endpoint for the IBM Cloud Security and Compliance Center Workload Protection API is in the format: https://cloud.ibm.com.security-compliance-secure.cloud.ibm.com/api For example, the API endpoint for Dallas is: https://us-south.security-compliance-secure.cloud.ibm.com/api

Example request to a Dallas endpoint:

curl -X GET https://us-south.security-compliance-secure.cloud.ibm.com/api/alerts/<ALERT_ID> -H "Authorization: $AUTH_TOKEN" -H "IBMInstanceID: $GUID" -H "TeamID: $TEAM_ID" -H "content-type: application/json"

Replace <ALERT_ID>, AUTH_TOKEN, GUID and TEAM_ID in this example with the values for your particular API call.

Example request to a Dallas endpoint

import os
import sys
sys.path.insert(0, os.path.join(os.path.dirname(os.path.realpath(sys.argv[0])), '..'))
from sdcclient import IbmAuthHelper, SdMonitorClient

# Parse arguments.
def usage():
   print('usage: %s <ENDPOINT_URL> <API_KEY> <INSTANCE_GUID>' % sys.argv[0])
   print('ENDPOINT_URL: IBM Cloud endpoint URL (e.g. https://us-south.security-compliance-secure.cloud.ibm.com')
   print('API_KEY: IBM Cloud IAM API key. This key is used to retrieve an IAM access token.')
   print('INSTANCE_GUID: GUID of an IBM Cloud Monitoring instance.')
   sys.exit(1)

if len(sys.argv) != 4:
   usage()

URL = sys.argv[1]
APIKEY = sys.argv[2]
GUID = sys.argv[3]


# Instantiate the client
ibm_headers = IbmAuthHelper.get_headers(URL, APIKEY, GUID)
sdclient = SdMonitorClient(sdc_url=URL, custom_headers=ibm_headers)

Authentication

Access to IBM Cloud Security and Compliance Center Workload Protection is controlled by using IBM Cloud Identity and Access Management (IAM), which provides a unified approach to managing user identities and access control across your IBM Cloud services and applications.

This API requires IBM Cloud Identity and Access Management (IAM) authentication. You must pass an IAM token in the Authorization header of the request. You can retrieve your IAM access token, which is prefixed with Bearer, by running the ibmcloud iam oauth-tokens command. You must also set the Account header to the unique ID for your IBM Cloud account. You can retrieve your Account ID by running the ibmcloud account show command.

To call each method, you must be assigned a role that includes the required IAM actions. Each method lists the associated action. For more information about IAM actions and how they map to roles, see Controlling access through IAM.

In a cURL command, add the following headers to authenticate with the IBM Cloud Security and Compliance Center Workload Protection service by using an IAM token:

-H "Authorization: $AUTH_TOKEN"
-H "IBMInstanceID: $GUID"
-H "TeamID: $TEAM_ID"

Where

IBMInstanceID indicates the GUID of the IBM Cloud Security and Compliance Center Workload Protection instance that you want to target with the cURL command.

To get the GUID of the monitoring instance, run the following command: ibmcloud resource service-instance <NAME> --output json | jq -r '.[].guid'
Authorization indicates the IAM token that is used to authenticate with the IBM Cloud Monitoring service instance.

To get the IAM AUTH_TOKEN token, run the following command: ibmcloud iam oauth-tokens | awk '{print $4}'

For more information, see Getting the IAM API token.
TeamID indicates the GUID of a team.

To get the GUID, see Getting the ID of a team.

To use IBM Cloud IAM authentication with the Python client, you must specify an endpoint, an API key, and the GUID from your IBM Cloud Monitoring instance.

Complete the following steps from a terminal:

Get the GUID of your IBM Cloud Security and Compliance Center Workload Protection instance. Run the following command:
```
ibmcloud resource service-instance <NAME> --output json | jq -r '.[].guid'
```
Get the API key. Run the following command to generate a user API key:
```
ibmcloud iam api-key-create KEY_NAME
```
Get the endpoint for the region where the instance is available.
Add the following entries to your Python script:
```
from sdcclient import IbmAuthHelper, SdMonitorClient

URL = <ENDPOINT>
# For example: URL = 'https://us-south.security-compliance-secure.cloud.ibm.com'

APIKEY = <IAM_APIKEY>

GUID = <GUID>

ibm_headers = IbmAuthHelper.get_headers(URL, APIKEY, GUID)
sdclient = SdMonitorClient(sdc_url=URL, custom_headers=ibm_headers)
```
Where

<ENDPOINT> must be replaced with the endpoint where the IBM Cloud Security and Compliance Center Workload Protection instance is available.

<IAM_APIKEY> must be replaced with a valid IAM API key. Learn more.

<GUID> must be replaced with the GUID of the IBM Cloud Security and Compliance Center Workload Protection instance that you obtain in the previous step.

You can now use the sdclient to perform actions that will be authenticated by using IAM.

If you get the error 400 Client Error: Bad Request for url: https://iam.cloud.ibm.com/identity/token, check the API key. The value that you are passing is not valid.

Auditing

You can monitor API activity within your account by using the IBM Cloud Activity Tracker service. Whenever an API method is called, an event is generated that you can then track and audit from within Activity Tracker. The specific event type is listed for each individual method. For more information about how to track IBM Cloud Security and Compliance Center Workload Protection activity, see Auditing the events for IBM Cloud Security and Compliance Center Workload Protection.

Error handling

The IBM Cloud Security and Compliance Center Workload Protection service uses standard HTTP response codes to indicate whether a method completed successfully.

A 200 response always indicates success.
A 400 type response indicates a failure.
A 500 type response usually indicates an internal system error.

Table 1. HTTP error codes
HTTP Error Code	Description
`200`	Success
`201`	Success
`400`	Bad Request
`401`	Unauthorized
`403`	Forbidden
`404`	Not Found
`422`	Validation error, reason stated in the response body
`500`	Internal Server Error

Get the high-level compliance views for all zones.

GET /api/cspm/v1/compliance/views

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
Successfully returned CSPM v1 Compliance Views.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Get the compliance results for a given filter.

GET /api/cspm/v1/compliance/requirements

Request

Query Parameters

filter
string
Query language expression for filtering results. Operators:
- and, or and not logical operators
- =, !=
- in
- contains and startsWith to check partial values of attributes
List of supported fields:
- name
  - Type: string
  - Example: name in ("1.5 - Exposing HostPort")
  - Description: The compliance requirements that will be included in the results.
- policy.name
  - Type: string
  - Example: policy.name in ("CIS Distribution Independent Linux Benchmark", "CIS Docker Benchmark")
  - Description: The compliance policies that will be included in the results.
- zone.name
  - Type: string
  - Example: zone.name="Entire Infrastructure"
  - Description: The zones that will be included in the results.
- pass
  - Type: boolean
  - Example: pass=false
  - Description: Show passing or failing requirements. If no value - will show both passing and failing requirements.
- severity
  - Type: Integer
  - Example: severity in (3, 2)
  - Description: Requirement severity. (1=low, 2=medium, 3=high)
Note: Whenever filtering for values with special characters, the values need to be encoded. When “ or \ are the special characters, they need to be escaped with \ and then encoded.
Example: pass=false and policy.name in ("CIS Amazon Web Services Foundations Benchmark") and severity=3
pageNumber
integer
Page number. Defaults to 1.

Example: 1
pageSize
integer
Page size. Defaults to 10.

Example: 50

Response

Response Body

Status Code

200
Successfully returned CSPM v1 Compliance Results.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Gets the list of Kubernetes resources and their compliance data for a specific control

GET /api/cspm/v1/kube/resources

Request

Query Parameters

controlId
Required*
string
Control ID

Example: 21
resourceKind
Required*
string
Resource kind ('workload', 'subject', 'role' or 'group')

Example: workload
filter
string
Query language expression for filtering results. Operators:
- and, or and not logical operators
- =, !=
- in
- contains and startsWith to check partial values of attributes
List of supported fields:
- zones.id
  - Type: integer
  - Example: zones.id=1
  - Description: Evaluated zone ID.
- zoneName
  - Type: string
  - Description: Zone name
- policyId
  - Type: integer
  - Example: policyId=1
  - Description: Evaluated policy ID.
- policyName
  - Type: string
  - Description: Policy name
- pass
  - Type: boolean
  - Example: pass=true
  - Description: Passing status of resource.
- accepted
  - Type: boolean
  - Example: accepted=true
  - Description: Return accepted resources.
- clusterName
  - Type: string
  - Description: Cluster name.
- name
  - Type: string
  - Description: Resource name.
- namespace
  - Type: string
  - Description: Resource namespace.
- type
  - Type: string
  - Example: type="DaemonSet"
  - Description: Resource k8s type.
- labelValues
  - Type: string
  - Description: Resource labels.
- distributionName
  - Type: string
  - Description: Kubernetes Distribution Name.
  - Example: distributionName in ("Vanilla")
- distributionVersion
  - Type: string
  - Description: Kubernetes Distribution Version.
  - Example: distributionVersion in (1.23, 1.25)
Note: Whenever filtering for values with special characters, the values need to be encoded. When “ or \ are the special characters, they need to be escaped with \ and then encoded.
Example: pass=false or accepted=true
pageNumber
integer
Page number. Defaults to 1.

Example: 1
pageSize
integer
Page size. Defaults to 50.

Example: 50

Response

Response Body

Status Code

200
Successfully returned CSPM v1 Kubernetes resources.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Gets the list of cluster analysis resources and their compliance data for a specific control

GET /api/cspm/v1/clusteranalysis/resources

Request

Query Parameters

controlId
Required*
string
Control ID

Example: 21
benchmarkType
Required*
integer
Type of benchmark to retrieve resources for (0-Linux, 1-Docker, 2-Kubernetes). Defaults to 0.

Example: 1
resourceKind
Required*
string
Resource kind ('host' or 'cluster')

Example: host
filter
string
Query language expression for filtering results. Operators:
- and, or and not logical operators
- =, !=
- in
- contains and startsWith to check partial values of attributes
List of supported fields:
- zones.id
  - Type: integer
  - Example: zones.id=1
  - Description: Evaluated zone ID.
- zoneName
  - Type: string
  - Description: Zone name
- policyId
  - Type: integer
  - Example: policyId=1
  - Description: Evaluated policy ID.
- policyName
  - Type: string
  - Description: Policy name
- pass
  - Type: boolean
  - Example: pass=true
  - Description: Passing status of resource.
- accepted
  - Type: boolean
  - Example: accepted=true
  - Description: Return accepted resources.
- clusterName
  - Type: string
  - Description: Cluster name.
- name
  - Type: string
  - Description: Host name.
- nodeInfo.osName
  - Type: string
  - Description: Host operating system.
- nodeInfo.osImage
  - Type: string
  - Description: Host operating system image.
- distributionName
  - Type: string
  - Description: Kubernetes Distribution Name.
  - Example: distributionName in ("Vanilla")
- distributionVersion
  - Type: string
  - Description: Kubernetes Distribution Version.
  - Example: distributionVersion in (1.23, 1.25)
Note: Whenever filtering for values with special characters, the values need to be encoded. When “ or \ are the special characters, they need to be escaped with \ and then encoded.
Example: pass=false or accepted=true
pageNumber
integer
Page number. Defaults to 1.

Example: 1
pageSize
integer
Page size. Defaults to 50.

Example: 50

Response

Response Body

Status Code

200
Successfully returned CSPM v1 Cluster Analysis resources.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Gets the list of cloud resources and their compliance data for a specific control

GET /api/cspm/v1/cloud/resources

Request

Query Parameters

controlId
Required*
string
Control ID

Example: 21
providerType
Required*
string
Provider type to retrieve resources for (AWS, GCP or Azure)

Example: AWS
resourceKind
Required*
string
Resource kind

Example: AWS_S3_BUCKET
filter
string
Query language expression for filtering results. Operators:
- and, or and not logical operators
- =, !=
- in
- contains and startsWith to check partial values of attributes
List of supported fields:
- zones.id
  - Type: integer
  - Example: zones.id=1
  - Description: Evaluated zone ID.
- zoneName
  - Type: string
  - Description: Zone name
- policyId
  - Type: integer
  - Example: policyId=1
  - Description: Evaluated policy ID.
- policyName
  - Type: string
  - Description: Policy name
- pass
  - Type: boolean
  - Example: pass=true
  - Description: Passing status of resource.
- accepted
  - Type: boolean
  - Example: accepted=true
  - Description: Return accepted resources.
- name
  - Type: string
  - Description: Resource name.
- account
  - Type: string
  - Description: Cloud Account that this resource belongs to.
- location
  - Type: string
  - Description: Region where this resource is located.
- organization
  - Type: string
  - Description: Organization that this resource belongs to.
Note: Whenever filtering for values with special characters, the values need to be encoded. When “ or \ are the special characters, they need to be escaped with \ and then encoded.
Example: pass=false or accepted=true
pageNumber
integer
Page number. Defaults to 1.

Example: 1
pageSize
integer
Page size. Defaults to 50.

Example: 50

Response

Response Body

Status Code

200
Successfully returned CSPM v1 Cloud resources.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Gets the CSPM controls for a given filter.

GET /api/cspm/v1/policy/controls/search

Request

Query Parameters

filter
string
Query language expression for filtering results. Operators:
- and, or and not logical operators
- =, !=
- in
- contains and startsWith to check partial values of attributes
List of supported fields:
- name
  - Type: string
  - Description: Control name.
- description
  - Type: string
  - Description: Control description.
- severity
  - Type: Integer
  - Description: Requirement severity. (1=low, 2=medium, 3=high)
  - Example: severity in (3, 2)
- type
  - Type: string
  - Description: Host control type.
  - Example: type="Host"
- target
  - Type: string
  - Description: Control supported target. ("AKS", "AWS", "Azure", "Docker" ,"EKS", "Linux", "GCP", "GKE", "IKS", "MKE", "OCP4", "Vanilla")
  - Example: target in ("IKS")
Note: Whenever filtering for values with special characters, the values need to be encoded. When “ or \ are the special characters, they need to be escaped with \ and then encoded.
Example: type="host" and severity in (3, 2)
pageNumber
integer
Page number. Defaults to 1.

Example: 1
pageSize
integer
Page size. Defaults to 50.

Example: 50

Response

Response Body

Status Code

200
Successfully returned CSPM v1 controls.
401
Invalid or missing auth token.
403
Forbidden access to CSPM v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Search for Inventory Resources based on a given filter.

GET /api/cspm/v1/inventory/resources

Request

Query Parameters

filter
string
Query language expression for filtering results. Operators:
- and, or and not logical operators
- =, !=
- in
- contains and startsWith to check partial values of attributes
- exists to check if a field exists and not empty
List of supported fields:
- account
  - Type: string
  - Example: account in ("285211435247")
  - Description: The account that will be included in the results.
- cluster
  - Type: string
  - Example: cluster in ("cluster1")
  - Description: The kubernetes cluster that will be included in the results.
- externalDNS
  - Type: string
  - Example: externalDNS in ("ec2-102-34-15-23.compute-1.amazonaws.com")
  - Description: The external DNS that will be included in the results.
- distribution
  - Type: string
  - Example: distribution in ("gke", "vanilla")
  - Description: The kubernetes distribution that will be included in the results.
- labels
  - Type: string
  - Example: not labels exists
  - Description: The resource labels that will be included in the results.
- name
  - Type: string
  - Example: name starts with "acl"
  - Description: The names that will be included in the results.
- namespace
  - Type: string
  - Example: namespace contains "production"
  - Description: The namespace that will be included in the results.
- nodeType
  - Type: string
  - Example: nodeType="Worker"
  - Description: The nodeType that will be included in the results.
- osName
  - Type: string
  - Example: osName != "linux"
  - Description: The operating system that will be included in the results.
- organization
  - Type: string
  - Example: organization = "s-xqe92dwe61"
  - Description: The organization that will be included in the results.
- platform
  - Type: string
  - Example: platform = "AWS"
  - Description: The platform that will be included in the results.
- control.accepted
  - Type: string
  - Example: control.accepted exists
  - Description: Include (or Exclude) only resources with accepted results. Supported operators: exists and not exists.
- policy
  - Type: string
  - Example: policy in (“CIS Docker Benchmark”)
  - Description: Include resources that applied the selected policies. Supported operators: in, not in, exists, not exists.
- control.severity
  - Type: string
  - Example: control.severity in ("High")
  - Description: Include resources that have violated risks in the selected severities. Supported operators: in, not in.
- control.failed
  - Type: string
  - Example: control.failed in ("/etc/default/docker owned by root:root")
  - Description: Include resources that have violated the selected risks. Supported operators: in, not in, exists, not exists.
- policy.failed
  - Type: string
  - Example: policy.failed in ("PCI DSS (Payment Card Industry Data Security Standard) v3.2.1")
  - Description: Include resources that failed the selected policies. Supported operators: in, not in, exists, not exists.
- requirement.failed
  - Type: string
  - Example: requirement.failed in ("01.a Access Control Policy")
  - Description: Include resources that failed the selected requirements. Supported operators: in, not in, exists, not exists.
- policy.passed in ("CIS Kubernetes V1.20 Benchmark")
  - Type: string
  - Example: policy.passed in ("CIS Kubernetes V1.20 Benchmark")
  - Description: Include resources that passed the selected policies. Supported operators: in, not in, exists, not exists.
- project
  - Type: string
  - Example: project = "project1"
  - Description: The project that will be included in the results.
- region
  - Type: string
  - Example: region in ("europe-west1")
  - Description: The regions that will be included in the results.
- type
  - Type: string
  - Example: type = "Account"
  - Description: The resource types that will be included in the results.
- subscription
  - Type: string
  - Example: subscription = "Azure subscription 1"
  - Description: The Azure subscriptions that will be included in the results.
- version
  - Type: string
  - Example: version = "1.1"
  - Description: The versions that will be included in the results.
- zone
  - Type: string
  - Example: zone in ("zone1")
  - Description: The zones that will be included in the results.
Note: Whenever filtering for values with special characters, the values need to be encoded. When “ or \ are the special characters, they need to be escaped with \ and then encoded.
Example: platform = "AWS" and policy.failed in ("CIS Amazon Web Services Foundations Benchmark")
pageNumber
integer
Page number. Defaults to 1.

Example: 1
pageSize
integer
Page size. Defaults to 20.

Example: 20
fields
string
The desired fields to be returned from the query. Defaults to id,name,platform,type,configuration,keyvalueconfigs,labels,lastseen,metadata,zones,posturepolicysummary. Fields that are not specified will return empty (even if they have values).

Example: name,platform,posturecontrolsummary

Response

Response Body

Status Code

200
Successfully returned Inventory v1 resources.
401
Invalid or missing auth token.
403
Forbidden access to Inventory v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

Retrieve an Inventory Resource by its id

GET /api/cspm/v1/inventory/resources/{id}

Request

Path Parameters

id
Required*
string
The resource’s unique identifier

Example: 62e348b71acd7be14a4bdfcc

Query Parameters

fields
string
The desired fields to be returned from the query. Defaults to id,name,platform,type,configuration,keyvalueconfigs,labels,lastseen,metadata,zones,posturepolicysummary. Fields that are not specified will return empty (even if they have values).

Example: name,platform,posturecontrolsummary

Response

Response Body

Status Code

200
Successfully returned an Inventory v1 resource.
401
Invalid or missing auth token.
403
Forbidden access to Inventory v1.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.
503
Service is unavailable.

No Sample Response

This method does not specify any sample responses.

GET /api/reporting/v1/{domain}/{reportType}/config

Request

Path Parameters

domain
Required*
string
The data domain of the report. The only supported value is scanning

Allowable values: [scanning]
Example: scanning
reportType
Required*
string
The kind of report to generate

Allowable values: [vulnerabilities,policies]
Example: vulnerabilities

Response

Response Body

object

Status Code

200
Options available to define a report configuration

No Sample Response

This method does not specify any sample responses.

POST /api/reporting/v1/{domain}/{reportType}/preview

Request

Path Parameters

domain
Required*
string
The data domain of the report. The only supported value is scanning

Allowable values: [scanning]
Example: scanning
reportType
Required*
string
The kind of report to generate

Allowable values: [vulnerabilities,policies]
Example: vulnerabilities

Request Body

Required*

object

Configuration of a report generation

Response

Response Body

object[]

Status Code

200
The result preview for the requested report configuration
400
Bad Request

Example responses

Invalid report configuration

GET /api/reporting/v1/{domain}/schedules

Request

Path Parameters

domain
Required*
string
The data domain of the report. The only supported value is scanning

Allowable values: [scanning]
Example: scanning

Response

Response Body

object[]

Schedule and configuration definition for a report generation

Status Code

200
The list of all saved schedules for report generation

No Sample Response

This method does not specify any sample responses.

POST /api/reporting/v1/{domain}/schedules

Request

Path Parameters

domain
Required*
string
The data domain of the report. The only supported value is scanning

Allowable values: [scanning]
Example: scanning

Request Body

Required*

object

Schedule and configuration definition for a report generation

Response

Response Body

object

Schedule and configuration definition for a report generation

Status Code

200
The created schedule for report generation
400
Bad Request

Example responses

Invalid report configuration

POST /api/reporting/v1/{domain}/schedules/{scheduleId}/run

Request

Path Parameters

domain
Required*
string
The data domain of the report. The only supported value is scanning

Allowable values: [scanning]
Example: scanning
scheduleId
Required*
string
The ID of the schedule for report generation

Example: schedule-1hDkklCWc5UtuFhwCaZkbFNY5ZV

Response

Status Code

202
Generation of requested report accepted
400
Bad Request
403
Generation of requested report is either forbidden or disabled
404
Requested report generation schedule not found
429
Report generation is either already running or will be running shortly

Example responses

Invalid request payload
Report generation forbidden or disabled
Report generation schedule not found
Report generation already running

GET /api/reporting/v1/{domain}/schedules/{scheduleId}

Request

Path Parameters

domain
Required*
string
The data domain of the report. The only supported value is scanning

Allowable values: [scanning]
Example: scanning
scheduleId
Required*
string
The ID of the schedule for report generation

Example: schedule-1hDkklCWc5UtuFhwCaZkbFNY5ZV

Response

Response Body

object

Schedule and configuration definition for a report generation

Status Code

200
Configuration for the requested schedule for report generation
404
Requested report generation schedule not found

Example responses

Report generation schedule not found

PUT /api/reporting/v1/{domain}/schedules/{scheduleId}

Request

Path Parameters

domain
Required*
string
The data domain of the report. The only supported value is scanning

Allowable values: [scanning]
Example: scanning
scheduleId
Required*
string
The ID of the schedule for report generation

Example: schedule-1hDkklCWc5UtuFhwCaZkbFNY5ZV

Request Body

Required*

object

Schedule and configuration definition for a report generation

Response

Response Body

object

Schedule and configuration definition for a report generation

Status Code

200
Updated configuration for the requested schedule for report generation
400
Bad Request
404
Requested report generation schedule not found

Example responses

Invalid report configuration
Report generation schedule not found

DELETE /api/reporting/v1/{domain}/schedules/{scheduleId}

Request

Path Parameters

domain
Required*
string
The data domain of the report. The only supported value is scanning

Allowable values: [scanning]
Example: scanning
scheduleId
Required*
string
The ID of the schedule for report generation

Example: schedule-1hDkklCWc5UtuFhwCaZkbFNY5ZV

Response

Status Code

204
Schedule for report generation removed

No Sample Response

This method does not specify any sample responses.

GET /api/reporting/v1/{domain}/reports/{fileId}

Request

Custom Headers

Accept
string
Allowable values: [text/csv,application/json,application/pdf]

Path Parameters

domain
Required*
string
The data domain of the report. The only supported value is scanning

Allowable values: [scanning]
Example: scanning
fileId
Required*
string
The ID of the generated report ready for download

Example: 1ueqXHvmzvtwJV2lFr8z8wdydu

Response

Response Body

string

Status Code

200
Report content
307
Requested report available for download at another location
404
Requested report not found

Example responses

Report not found

Returns all cluster names for the customer

GET /api/v1/networkTopology/clusters

Request

Query Parameters

from
Required*
integer
A unix timestamp in seconds of specifying the initial time of a range
to
Required*
integer
A unix timestamp in seconds of specifying the end time of a range

Response

Response Body

string[]

Cluster names

Status Code

200
Indicates the requested cluster names were successfully returned
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403

No Sample Response

This method does not specify any sample responses.

Returns all namespace names for the cluster

GET /api/v1/networkTopology/namespaces

Request

Query Parameters

cluster
Required*
string
The name of a kubernetes cluster
from
Required*
integer
A unix timestamp in seconds of specifying the initial time of a range
to
Required*
integer
A unix timestamp in seconds of specifying the end time of a range

Response

Response Body

object[]

Status Code

200
Indicates the requested namespaces were successfully returned
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403

No Sample Response

This method does not specify any sample responses.

Returns a map of owner type to a list of owner selectors

GET /api/v1/networkTopology/owners

Request

Query Parameters

cluster
Required*
string
The name of a kubernetes cluster
namespace
Required*
string
The name of a kubernetes namespace
from
Required*
integer
A unix timestamp in seconds of specifying the initial time of a range
to
Required*
integer
A unix timestamp in seconds of specifying the end time of a range

Response

Response Body

object[]

Status Code

200
Indicates the requested map of owner type to a list of owner selectors were successfully returned
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403

No Sample Response

This method does not specify any sample responses.

Returns an overview of ingress networking traffic

GET /api/v1/networkTopology/ingressSummaries

Request

Query Parameters

cluster
Required*
string
The name of a kubernetes cluster
namespace
Required*
string
The name of a kubernetes namespace
name
Required*
string
The name of a pod owner
kind
Required*
string
Specifies how to group pods

Allowable values: [Service,Deployment,StatefulSet,DaemonSet,Pod,Namespace]
from
Required*
integer
A unix timestamp in seconds of specifying the initial time of a range
to
Required*
integer
A unix timestamp in seconds of specifying the end time of a range

Response

Response Body

object

Status Code

200
Indicates the requested overview of ingress networking traffic was successfully returned
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403

No Sample Response

This method does not specify any sample responses.

Returns an overview of egress networking traffic

GET /api/v1/networkTopology/egressSummaries

Request

Query Parameters

cluster
Required*
string
The name of a kubernetes cluster
namespace
Required*
string
The name of a kubernetes namespace
name
Required*
string
The name of a pod owner
kind
Required*
string
Specifies how to group pods

Allowable values: [Service,Deployment,StatefulSet,DaemonSet,Pod,Namespace]
from
Required*
integer
A unix timestamp in seconds of specifying the initial time of a range
to
Required*
integer
A unix timestamp in seconds of specifying the end time of a range

Response

Response Body

object

Status Code

200
Indicates the requested overview of egress networking traffic was successfully returned
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403

No Sample Response

This method does not specify any sample responses.

Returns the unresolved ips for a time range and pod owner

GET /api/v1/networkTopology/ingressUnresolvedIps

Request

Query Parameters

cluster
Required*
string
The name of a kubernetes cluster
namespace
Required*
string
The name of a kubernetes namespace
name
Required*
string
The name of a pod owner
kind
Required*
string
Specifies how to group pods

Allowable values: [Service,Deployment,StatefulSet,DaemonSet,Pod,Namespace]
from
Required*
integer
A unix timestamp in seconds of specifying the initial time of a range
to
Required*
integer
A unix timestamp in seconds of specifying the end time of a range

Response

Response Body

object

Status Code

200
Indicates the requested ingress unresolved ips were successfully returned
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403

No Sample Response

This method does not specify any sample responses.

Returns the unresolved ips for a time range and pod owner

GET /api/v1/networkTopology/egressUnresolvedIps

Request

Query Parameters

cluster
Required*
string
The name of a kubernetes cluster
namespace
Required*
string
The name of a kubernetes namespace
name
Required*
string
The name of a pod owner
kind
Required*
string
Specifies how to group pods

Allowable values: [Service,Deployment,StatefulSet,DaemonSet,Pod,Namespace]
from
Required*
integer
A unix timestamp in seconds of specifying the initial time of a range
to
Required*
integer
A unix timestamp in seconds of specifying the end time of a range

Response

Response Body

object

Status Code

200
Indicates the requested egress unresolved ips were successfully returned
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403

No Sample Response

This method does not specify any sample responses.

Creates a communication topology graph around the specified owner

GET /api/v1/networkTopology/ownerTopology

Request

Query Parameters

namespace
Required*
string
The name of a kubernetes namespace
cluster
Required*
string
The name of a kubernetes cluster
name
Required*
string
The name of a pod owner
kind
Required*
string
Specifies how to group pods

Allowable values: [Service,Deployment,StatefulSet,DaemonSet,Pod,Namespace]
from
Required*
integer
A unix timestamp in seconds of specifying the initial time of a range
to
Required*
integer
A unix timestamp in seconds of specifying the end time of a range

Response

Response Body

object

Owner communication topology graph

Status Code

200
Indicates the requested topology graph is sucessfully created
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403

No Sample Response

This method does not specify any sample responses.

Retrieves a 200 to double check if the topology feature on the backend is available.

GET /api/v1/networkTopology/status

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
Indicates the topology feature is available

No Sample Response

This method does not specify any sample responses.

Returns sorted list of unique workload label key values

GET /api/v1/networkTopology/workloadLabelKeys

Request

Query Parameters

cluster
Required*
string
The name of a kubernetes cluster

Response

Response Body

string[]

Array of kubernetes labels

Status Code

200
Indicates the requested list was returned
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403

No Sample Response

This method does not specify any sample responses.

Returns sorted list of unique namespace label key values

GET /api/v1/networkTopology/namespaceLabelKeys

Request

Query Parameters

cluster
Required*
string
The name of a kubernetes cluster

Response

Response Body

string[]

Array of kubernetes labels

Status Code

200
Indicates the requested list was returned
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403

No Sample Response

This method does not specify any sample responses.

Creates a Kubernetes Network Policy

POST /api/v1/networkSecurity/namespaces/{namespaceName}/simulatedPolicies

Request

Path Parameters

namespaceName
Required*
string
The name of a kubernetes namespace

Request Body

Required*

object

Response

Response Body

string

The text of a proposed Kubernetes Network Policy

Status Code

200
Indicates the requested KNP was successfully created
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403

No Sample Response

This method does not specify any sample responses.

Creates a communication topology graph around the specified owner; if KNP spec is provided, marks communication edges as 'blocked' if they are blocked by the KNP

POST /api/v1/networkSecurity/networkPolicyOverlayOwnerTopology

Request

Query Parameters

namespace
Required*
string
The name of a kubernetes namespace
cluster
Required*
string
The name of a kubernetes cluster
name
Required*
string
The name of a pod owner
kind
Required*
string
Specifies how to group pods

Allowable values: [Service,Deployment,StatefulSet,DaemonSet,Pod,Namespace]
from
Required*
integer
A unix timestamp in seconds of specifying the initial time of a range
to
Required*
integer
A unix timestamp in seconds of specifying the end time of a range

Request Body

object

Response

Response Body

object

Owner communication topology graph

Status Code

200
Indicates the requested topology graph is sucessfully created
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
The user successfully authenticated but has insufficient permissions. More information about 403 can be found at https://httpstatuses.com/403

No Sample Response

This method does not specify any sample responses.

Retrieves a 200 to double check if the network security feature on the backend is available.

GET /api/v1/networkSecurity/status

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
Indicates the network security feature is available

No Sample Response

This method does not specify any sample responses.

Retrieve the list of captures

GET /api/v1/captures

Request

Query Parameters

ids
integer
Represents the id of a particular capture. Can be used multiple times in the same request to fetch multiple captures
offset
integer
Indicates the distance between the true starting point and the index of the first returned capture
limit
integer
sort
string
An enum of allowable fields to sort a list of captures

Allowable values: [date_requested,duration,name,size,status]
dir
string
An enum of ways to order a sorted collection of values

Allowable values: [asc,desc]
filter
string
from
integer
Unix time of when to start looking for captures in microseconds
to
integer
Unix time of when to stop looking for captures in microseconds
source
string
An enum of Sysdig products

Allowable values: [sdc,sds]
scopeFilter
string
Limit the results to only captures matching a scope expression

Example: kubernetes.cluster.name != null
metrics
string
Examples:
View
aggregations
string
Examples:
View
forceSync
boolean
annotations
string
token
string
Uniquely identifies a capture and correlates the capture to a request. Must match the following regex ([a-z0-9]){8}-([a-z0-9]){4}-([a-z0-9]){4}-([a-z0-9]){4}-([a-z0-9]){12}

Example: 960d9da0-cc79-4079-932a-544e193ab385

Response

Response Body

object

A list of captures and associated metadata

Status Code

200
The array representing the captures
400
Indicates a query param was invalid

No Sample Response

This method does not specify any sample responses.

Create a capture

POST /api/v1/captures

Request

Request Body

Required*

object

Metadata to create a capture

Response

Response Body

object

Status Code

200
Successfully created a capture
400
Indicates the request body was invalid

No Sample Response

This method does not specify any sample responses.

Delete captures

DELETE /api/v1/captures

Request

Query Parameters

ids
integer
Represents the id of a particular capture. Can be used multiple times in the same request to delete multiple captures
source
string
Indicates that only captures belonging to either the monitor or secure product should be considered for deletion. Defaults to SDC if not specified

Allowable values: [sdc,sds]
statuses
string
Indicates that only captures with a particular status should be considered for deletion. Can be used multiple times in the same request

Allowable values: [requested,filtering,capturing,done,error,uploading,uploadingError,uploaded]

Response

Response Body

object

Status Code

200
The number of captures deleted

No Sample Response

This method does not specify any sample responses.

Get a capture

GET /api/v1/captures/{captureId}

Request

Path Parameters

captureId
Required*
integer

Response

Response Body

object

Status Code

200
Successfully retrieved a capture
404
The capture could not be found

No Sample Response

This method does not specify any sample responses.

Update a capture

PUT /api/v1/captures/{captureId}

Request

Path Parameters

captureId
Required*
integer

Request Body

Required*

object

Contains system calls and other operating system events

Response

Response Body

object

Contains system calls and other operating system events

Status Code

200
Successfully updated a capture
400
Indicates the request body was invalid

No Sample Response

This method does not specify any sample responses.

Download a capture

GET /api/v1/captures/{captureId}/download

Request

Path Parameters

captureId
Required*
integer

Response

Status Code

302
Redirects to a location for downloading
404
The capture could not be found

No Sample Response

This method does not specify any sample responses.

Stop a capture

POST /api/v1/captures/{captureId}/stop

Request

Path Parameters

captureId
Required*
integer

Response

Response Body

object

Status Code

200
Successfully stopped the capture
404
The capture could not be found

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/images/{imageDigest}/vulnSummary

Request

Path Parameters

imageDigest
Required*
string
The targeted image digest

Response

Response Body

object

Status Code

200
A map of vulnType -> (map of severity -> count)

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/images/{imageDigest}/vulnSummaryDirect

Request

Path Parameters

imageDigest
Required*
string
The targeted image digest

Possible values: length ≥ 1
Example: sha256:7492c1f615e3651629bd6c61777e9660caa3819cf3561a47d1d526dfeee02cf6

Response

Response Body

object

Status Code

200
A map of vulnType -> (map of severity -> count)

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/images/by_id/{imageId}/vulnSummaryDirect

Request

Path Parameters

imageId
Required*
string
The targeted imageID

Possible values: length ≥ 1
Example: d4d4f50f871a02502debe52927b7c5769a1b9ed2f4a06ea0e3c3623ba089511b

Response

Response Body

object

Status Code

200
A map of vulnType -> (map of severity -> count)

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/images/{imageDigest}/vuln/{vtype}

Request

Path Parameters

imageDigest
Required*
string
The targeted image digest

Possible values: length ≥ 1
Example: sha256:7492c1f615e3651629bd6c61777e9660caa3819cf3561a47d1d526dfeee02cf6
vtype
Required*
string
The type of vulnerabilities to retrieve

Allowable values: [os,non-os]

Query Parameters

filter
string
If specified, only vulnerabilities that contain this substring will be retrieved
sort
string
Sorting method. Defaults to descendent.

Allowable values: [desc,asc]
sortBy
string
Field used to alphabetically sort by. Defaults to severity.

Allowable values: [vuln,fix,severity,package,url,feed,feed_group,package_name,package_version,package_type,package_cpe,package_pat]
filters
string
A comma-separated list of severities. If specified, only vulnerabilities of these severities will be retrieved

Allowable values: [Unknown,Negligible,Low,Medium,High,Critical]
hasFix
boolean
If specified, only vulnerabilities with an available fix will be retrieved
cmpDigest
string
If specified, the vulnerabilities in the response will contain a comparison status relative to the image specified by this parameter. A total count of all comparison statuses will also be returned.
cmpFilter
string
If specified, only vulnerabilities matching this comparison status will be returned. If not specified, all vulnerabilities will be returned.

Allowable values: [New,Fixed,Shared]
offset
integer
If specified, a 0-based index on the vulnerabilities list. Only entries >= offset will be retrieved. Defaults to 0. If filter is also specified, this index will be applied on the filtered list. An empty list will be retrieved if this index overflows the list.
limit
integer
If specified, a limit on the number of entries retrieved. If filter is also specified, the limit will be applied on the filtered list. limit must be >= 1 and if it overflows the list all entries will be retrieved.
includeVulnExceptions
boolean
If specified, returns also the set of vulnerability exception lists where the vulnerability is contained and when it will expire.
imageTag
string
The image's tag. Required when "includeVulnExceptions" is set to true.
bundleId
string
Target bundle. If not specified, the currently active bundle will be used.

Response

Response Body

object

Status Code

200
The retrieved vulnerabilities

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/images/{imageDigest}/vulnDirect/{vtype}

Request

Path Parameters

imageDigest
Required*
string
The targeted image digest
vtype
Required*
string
The type of vulnerabilities to retrieve

Allowable values: [os,non-os,all]

Query Parameters

filter
string
If specified, only vulnerabilities that contain this substring will be retrieved
sort
string
Sorting method. Defaults to descendent.

Allowable values: [desc,asc]
sortBy
string
Field used to alphabetically sort by. Defaults to severity.

Allowable values: [vuln,fix,severity,package,url,feed,feed_group,package_name,package_version,package_type,package_cpe,package_pat]
filters
string
A comma-separated list of severities. If specified, only vulnerabilities of these severities will be retrieved

Allowable values: [Unknown,Negligible,Low,Medium,High,Critical]
hasFix
boolean
If specified, only vulnerabilities with an available fix will be retrieved
offset
integer
If specified, a 0-based index on the vulnerabilities list. Only entries >= offset will be retrieved. Defaults to 0. If filter is also specified, this index will be applied on the filtered list. An empty list will be retrieved if this index overflows the list.
limit
integer
If specified, a limit on the number of entries retrieved. If filter is also specified, the limit will be applied on the filtered list. limit must be >= 1 and if it overflows the list all entries will be retrieved.
includeVulnExceptions
boolean
If specified, returns also the set of vulnerability exception lists where the vulnerability is contained and when it will expire.
imageTag
string
The image's tag. Required when "includeVulnExceptions" is set to true.
bundleId
string
Target bundle. If not specified, the currently active bundle will be used.

Response

Response Body

object

Status Code

200
The retrieved vulnerabilities

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/images/by_id/{imageId}/vulnDirect/{vtype}

Request

Path Parameters

imageId
Required*
string
The targeted imageID

Possible values: length ≥ 1
Example: d4d4f50f871a02502debe52927b7c5769a1b9ed2f4a06ea0e3c3623ba089511b
vtype
Required*
string
The type of vulnerabilities to retrieve

Allowable values: [os,non-os,all]

Query Parameters

filter
string
If specified, only vulnerabilities that contain this substring will be retrieved
sort
string
Sorting method. Defaults to descendent.

Allowable values: [desc,asc]
sortBy
string
Field used to alphabetically sort by. Defaults to severity.

Allowable values: [vuln,fix,severity,package,url,feed,feed_group,package_name,package_version,package_type,package_cpe,package_pat]
filters
string
A comma-separated list of severities. If specified, only vulnerabilities of these severities will be retrieved

Allowable values: [Unknown,Negligible,Low,Medium,High,Critical]
hasFix
boolean
If specified, only vulnerabilities with an available fix will be retrieved
offset
integer
If specified, a 0-based index on the vulnerabilities list. Only entries >= offset will be retrieved. Defaults to 0. If filter is also specified, this index will be applied on the filtered list. An empty list will be retrieved if this index overflows the list.
limit
integer
If specified, a limit on the number of entries retrieved. If filter is also specified, the limit will be applied on the filtered list. limit must be >= 1 and if it overflows the list all entries will be retrieved.
includeVulnExceptions
boolean
If specified, returns also the set of vulnerability exception lists where the vulnerability is contained and when it will expire.
imageTag
string
The image's tag. Required when "includeVulnExceptions" is set to true.
bundleId
string
Target bundle. If not specified, the currently active bundle will be used.

Response

Response Body

object

Status Code

200
The retrieved vulnerabilities

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/images/{imageDigest}/vulnexceptions

Request

Path Parameters

imageDigest
Required*
string
The targeted image digest

Possible values: length ≥ 1
Example: sha256:7492c1f615e3651629bd6c61777e9660caa3819cf3561a47d1d526dfeee02cf6

Query Parameters

tag
Required*
string
The image's tag
withItems
boolean
Include or not "items" in the response. Useful when there are a lot of vulnerability exception lists.

Response

Response Body

object[]

Status Code

200
The associated vulnerability exception lists
404
Image digest not found

Example responses

Image not found

GET /api/scanning/v1/images/by_id/{imageId}/vulnexceptions

Request

Path Parameters

imageId
Required*
string
The targeted imageID

Possible values: length ≥ 1
Example: d4d4f50f871a02502debe52927b7c5769a1b9ed2f4a06ea0e3c3623ba089511b

Query Parameters

tag
Required*
string
The image's tag
withItems
boolean
Include or not "items" in the response. Useful when there are a lot of vulnerability exception lists.

Response

Response Body

object[]

Status Code

200
The associated vulnerability exception lists
404
Image digest not found

Example responses

Image not found

GET /api/scanning/v1/images/{imageDigest}/content/{ctype}

Request

Path Parameters

imageDigest
Required*
string
The targeted image digest

Possible values: length ≥ 1
Example: sha256:7492c1f615e3651629bd6c61777e9660caa3819cf3561a47d1d526dfeee02cf6
ctype
Required*
string
The type of content to retrieve

Allowable values: [os,files,npm,gem,python,java]

Query Parameters

filter
string
If specified, only content entries that contain this substring will be retrieved
sort
string
Sorting method

Allowable values: [asc,desc]
sortBy (for java type)
string
Field used to alphabetically sort by. Defaults to package

Allowable values: [package,implementation-version,specification-version,maven-version,location,type,origin]
sortBy (for files type)
string
Field used to alphabetically sort by. Defaults to filename

Allowable values: [filename,gid,linkdest,mode,sha256,size,type,uid]
sortBy (for os,npm,gem,python types)
string
Field used to alphabetically sort by. Defaults to package

Allowable values: [package,version,size,type,origin,license,location]
offset
integer
If specified, a 0-based index on the content list. Only entries >= offset will be retrieved. Defaults to 0. If filter is also specified, this index will be applied on the filtered list. An empty list will be retrieved if this index overflows the list.
limit
integer
If specified, a limit on the number of entries retrieved. If filter is also specified, the limit will be applied on the filtered list. limit must be >= 1 and if it overflows the list all entries will be retrieved.

Response

Response Body

object

Status Code

200
The retrieved content

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/images/by_id/{imageId}/content/{ctype}

Request

Path Parameters

imageId
Required*
string
The targeted imageID

Possible values: length ≥ 1
Example: d4d4f50f871a02502debe52927b7c5769a1b9ed2f4a06ea0e3c3623ba089511b
ctype
Required*
string
The type of content to retrieve

Allowable values: [os,files,npm,gem,python,java]

Query Parameters

filter
string
If specified, only content entries that contain this substring will be retrieved
sort
string
Sorting method

Allowable values: [asc,desc]
sortBy (for java type)
string
Field used to alphabetically sort by. Defaults to package

Allowable values: [package,implementation-version,specification-version,maven-version,location,type,origin]
sortBy (for files type)
string
Field used to alphabetically sort by. Defaults to filename

Allowable values: [filename,gid,linkdest,mode,sha256,size,type,uid]
sortBy (for os,npm,gem,python types)
string
Field used to alphabetically sort by. Defaults to package

Allowable values: [package,version,size,type,origin,license,location]
offset
integer
If specified, a 0-based index on the content list. Only entries >= offset will be retrieved. Defaults to 0. If filter is also specified, this index will be applied on the filtered list. An empty list will be retrieved if this index overflows the list.
limit
integer
If specified, a limit on the number of entries retrieved. If filter is also specified, the limit will be applied on the filtered list. limit must be >= 1 and if it overflows the list all entries will be retrieved.

Response

Response Body

object

Status Code

200
The retrieved content

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/images/{imageDigest}/checkSummary

Request

Path Parameters

imageDigest
Required*
string
The targeted image digest

Query Parameters

tag
Required*
string
The image full tag
at
date-time
The RFC-3339 timestamp of the evaluation. If not specified, the most recent evaluation will be returned

Response

Response Body

object

Status Code

200
The policy evaluation summary

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/images/by_id/{imageId}/checkSummary

Request

Path Parameters

imageId
Required*
string
The targeted imageID

Possible values: length ≥ 1
Example: d4d4f50f871a02502debe52927b7c5769a1b9ed2f4a06ea0e3c3623ba089511b

Query Parameters

tag
Required*
string
The image full tag
at
date-time
The RFC-3339 timestamp of the evaluation. If not specified, the most recent evaluation will be returned

Response

Response Body

object

Status Code

200
The policy evaluation summary

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/images/{imageDigest}/checkSummary/{policyId}

Request

Path Parameters

imageDigest
Required*
string
The targeted image digest

Possible values: length ≥ 1
Example: sha256:7492c1f615e3651629bd6c61777e9660caa3819cf3561a47d1d526dfeee02cf6
policyId
Required*
string
The targeted policy ID

Query Parameters

tag
Required*
string
The image full tag
at
date-time
The RFC-3339 timestamp of the evaluation. If not specified, the most recent evaluation will be returned

Response

Response Body

object

Status Code

200
The policy evaluation policy summary

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/images/by_id/{imageId}/checkSummary/{policyId}

Request

Path Parameters

imageId
Required*
string
The targeted image digest

Possible values: length ≥ 1
Example: d4d4f50f871a02502debe52927b7c5769a1b9ed2f4a06ea0e3c3623ba089511b
policyId
Required*
string
The targeted policy ID

Query Parameters

tag
Required*
string
The image full tag
at
date-time
The RFC-3339 timestamp of the evaluation. If not specified, the most recent evaluation will be returned

Response

Response Body

object

Status Code

200
The policy evaluation policy summary

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/images/{imageDigest}/policyEvaluation

Request

Path Parameters

imageDigest
Required*
string
The targeted image digest

Possible values: length ≥ 1
Example: sha256:7492c1f615e3651629bd6c61777e9660caa3819cf3561a47d1d526dfeee02cf6

Query Parameters

tag
Required*
string
The image full tag

Response

Response Body

object

Status Code

200
The policy evaluation summary

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/images/by_id/{imageId}/policyEvaluation

Request

Path Parameters

imageId
Required*
string
The targeted imageID

Possible values: length ≥ 1
Example: d4d4f50f871a02502debe52927b7c5769a1b9ed2f4a06ea0e3c3623ba089511b

Query Parameters

tag
Required*
string
The image full tag

Response

Response Body

object

Status Code

200
The policy evaluation summary

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/policies

Request

Query Parameters

bundleId
string
Target bundle. If not specified, the currently active bundle will be used.

Response

Response Body

object[]

Status Code

200
List of all the policies in the targeted policy bundle

No Sample Response

This method does not specify any sample responses.

POST /api/scanning/v1/policies

Request

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The newly created policy

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/auditPolicies

Request

Query Parameters

bundleId
string
Target bundle. If not specified, the currently active bundle will be used.

Response

Response Body

string[]

Status Code

200
List of all the default audit policies IDs in the targeted policy bundle

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/policies/{id}

Request

Path Parameters

id
Required*
string

Query Parameters

bundleId
string
Target bundle. If not specified, the currently active bundle will be used.

Response

Response Body

object

Status Code

200
The policy with the given id
404
Policy not found

No Sample Response

This method does not specify any sample responses.

PUT /api/scanning/v1/policies/{id}

Request

Path Parameters

id
Required*
string

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The updated policy
404
Policy not found

No Sample Response

This method does not specify any sample responses.

DELETE /api/scanning/v1/policies/{id}

Request

Path Parameters

id
Required*
string

Query Parameters

bundleId
string
Target bundle. If not specified, the currently active bundle will be used.

Response

Status Code

204
Policy deleted
404
Policy not found

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/registryDisplayNames

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object[]

Status Code

200
List of all registry display name mappings

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/whitelists

Request

Query Parameters

bundleId
string
Target bundle. If not specified, the currently active bundle will be used.
withItems
boolean
Include or not "items" in the response. Useful when there are a lot of vulnerability exception lists.

Response

Response Body

object[]

Status Code

200
All the vulnerability exception lists in the targeted policy bundle

No Sample Response

This method does not specify any sample responses.

POST /api/scanning/v1/whitelists

Request

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The newly created vulnerability exception list
400
Bad Request
409
Conflict

Example responses

Missing field name

Status 409

A vulnerability exception list with the given name already exists

GET /api/scanning/v1/whitelists/{id}

Request

Path Parameters

id
Required*
string

Query Parameters

bundleId
string
Target bundle. If not specified, the currently active bundle will be used.

Response

Response Body

object

Status Code

200
The vulnerability exception list with the given id
404
Vulnerability exception list not found

Example responses

Vulnerability exception list not found

PUT /api/scanning/v1/whitelists/{id}

Request

Path Parameters

id
Required*
string

Query Parameters

bundleId
string
Target bundle. If not specified, the currently active bundle will be used.

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The updated vulnerability exception list
400
Bad Request
404
Policy not found
409
Conflict

Example responses

Missing field name
Vulnerability exception list not found

Status 409

A vulnerability exception list with the given name already exists

DELETE /api/scanning/v1/whitelists/{id}

Request

Path Parameters

id
Required*
string

Query Parameters

bundleId
string
Target bundle. If not specified, the currently active bundle will be used.

Response

Status Code

204
Vulnerability exception list deleted

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/vulnexceptions

Request

Query Parameters

bundleId
string
Target bundle. If not specified, the currently active bundle will be used.
withItems
boolean
Include or not "items" in the response. Useful when there are a lot of vulnerability exception lists.

Response

Response Body

object[]

Status Code

200
All the vulnerability exception lists in the targeted policy bundle

No Sample Response

This method does not specify any sample responses.

POST /api/scanning/v1/vulnexceptions

Request

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The newly created vulnerability exception list
400
Bad Request
409
Conflict

Example responses

Missing field name

Status 409

A vulnerability exception list with the given name already exists

GET /api/scanning/v1/vulnexceptions/{id}

Request

Path Parameters

id
Required*
string

Query Parameters

bundleId
string
Target bundle. If not specified, the currently active bundle will be used.

Response

Response Body

object

Status Code

200
The vulnerability exception list with the given id
404
Vulnerability exception list not found

Example responses

Vulnerability exception list not found

PUT /api/scanning/v1/vulnexceptions/{id}

Request

Path Parameters

id
Required*
string

Query Parameters

bundleId
string
Target bundle. If not specified, the currently active bundle will be used.

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The updated vulnerability exception list
400
Bad Request
404
Policy not found
409
Conflict

Example responses

Missing field name
Vulnerability exception list not found

Status 409

A vulnerability exception list with the given name already exists

DELETE /api/scanning/v1/vulnexceptions/{id}

Request

Path Parameters

id
Required*
string

Query Parameters

bundleId
string
Target bundle. If not specified, the currently active bundle will be used.

Response

Status Code

204
Vulnerability exception list deleted

No Sample Response

This method does not specify any sample responses.

POST /api/scanning/v1/vulnexceptions/{id}/vulnerabilities

Request

Path Parameters

id
Required*
string
The vulnerability exception list identifier

Query Parameters

bundleId
Required*
string
Target bundle. If not specified, the currently active bundle will be used.

Request Body

Required*

object

Response

Response Body

object

Status Code

200
Vulnerability added to exception list
400
Bad request
404
Vulnerability exception list not found
409
Conflict

Example responses

Bad request
Vulnerability exception list not found

Status 409

Vulnerability already exists in the exception list

GET /api/scanning/v1/vulnexceptions/{id}/vulnerabilities/{vulnId}

Request

Path Parameters

id
Required*
string
The vulnerability exception list identifier
vulnId
Required*
string
The vulnerability identifier

Query Parameters

bundleId
string
Target bundle. If not specified, the currently active bundle will be used.

Response

Response Body

object

Status Code

200
Fetched vulnerability details
404
Vulnerability exception list or vulnerability item not found

Example responses

Vulnerability exception list not found

PUT /api/scanning/v1/vulnexceptions/{id}/vulnerabilities/{vulnId}

Request

Path Parameters

id
Required*
string
The vulnerability exception list identifier
vulnId
Required*
string
The vulnerability identifier

Query Parameters

bundleId
string
Target bundle. If not specified, the currently active bundle will be used.

Request Body

Required*

object

Response

Response Body

object

Status Code

200
Updated vulnerability details
400
Bad request
404
Vulnerability exception list or vulnerability item not found

Example responses

Bad request
Vulnerability exception list not found

DELETE /api/scanning/v1/vulnexceptions/{id}/vulnerabilities/{vulnId}

Request

Path Parameters

id
Required*
string
The vulnerability exception list identifier
vulnId
Required*
string
The vulnerability identifier

Query Parameters

bundleId
string
Target bundle. If not specified, the currently active bundle will be used.

Response

Status Code

204
Vulnerability removed

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/vulnerabilities/{id}

Request

Path Parameters

id
Required*
string
The vulnerability identifier

Response

Response Body

object

Status Code

200
Fetched vulnerability details
404
Vulnerability not found

Example responses

Vulnerability not found

GET /api/scanning/v1/mappings

Request

Query Parameters

bundleId
string
Target bundle. If not specified, the currently active bundle will be used.

Response

Response Body

object

Status Code

200
List of all the mappings in the targeted policy bundle
404
Bundle not found

No Sample Response

This method does not specify any sample responses.

PUT /api/scanning/v1/mappings

Request

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The updated mapping list
404
Bundle not found

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/whitelistedImages

Request

Query Parameters

bundleId
string
Target bundle. If not specified, the currently active bundle will be used.

Response

Response Body

object

Status Code

200
The list of whitelisted image names

No Sample Response

This method does not specify any sample responses.

PUT /api/scanning/v1/whitelistedImages

Request

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The updated list of whitelisted image names

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/blacklistedImages

Request

Query Parameters

bundleId
string
Target bundle. If not specified, the currently active bundle will be used.

Response

Response Body

object

Status Code

200
The list of blacklisted image names

No Sample Response

This method does not specify any sample responses.

PUT /api/scanning/v1/blacklistedImages

Request

Request Body

Required*

object

Response

Response Body

string[]

Status Code

200
The updated list of blacklisted image names

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/alerts

Request

Query Parameters

limit
integer
Maximum number of alerts in the response
cursor
string
An opaque string representing the current position in the list of alerts

Response

Response Body

object

Status Code

200
The list of requested alerts

No Sample Response

This method does not specify any sample responses.

POST /api/scanning/v1/alerts

Request

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The newly created alert

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/alerts/{id}

Request

Path Parameters

id
Required*
string

Response

Response Body

object

Status Code

200
The scanning alert with the given id
404
Alert not found

No Sample Response

This method does not specify any sample responses.

PUT /api/scanning/v1/alerts/{id}

Request

Path Parameters

id
Required*
string

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The updated alert
404
Alert not found

No Sample Response

This method does not specify any sample responses.

DELETE /api/scanning/v1/alerts/{id}

Request

Path Parameters

id
Required*
string

Response

Status Code

204
Alert deleted
404
Alert not found

No Sample Response

This method does not specify any sample responses.

POST /api/scanning/v1/query/containers

Request

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The list of requested runtime images

No Sample Response

This method does not specify any sample responses.

POST /api/scanning/v1/reports

Request

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The report was generated successfully for given conditions.
404
The API was not found

No Sample Response

This method does not specify any sample responses.

POST /api/scanning/v1/reports/csv

Request

Request Body

Required*

object

Response

Response Body

string

Status Code

200
The download request was received successfully.
404
The result was not found

No Sample Response

This method does not specify any sample responses.

Fetches all scanning results

GET /api/scanning/v1/results

Request

Query Parameters

filter
string
If specified, only scan results that contain this substring will be retrieved
sort
string
Sorting method. Defaults to descending.

Allowable values: [desc,asc]
sortBy
string
Field used to alphabetically sort by. Defaults to scanDate.

Allowable values: [repository,tag,digest,scanDate]
registry
string
A comma-separated list of registry display names. If specified, only scan results from these registries will be retrieved
offset
integer
If specified, a 0-based index on the scan results list. Only entries >= offset will be retrieved. Defaults to 0. If filter is also specified, this index will be applied on the filtered list. An empty list will be retrieved if this index overflows the list.
limit
integer
If specified, a limit on the number of entries retrieved. If filter is also specified, the limit will be applied on the filtered list. limit must be >= 1 and if it overflows the list all entries will be retrieved.

Response

Response Body

object

Status Code

200
an array of scan results matching the provided filters.
400
An invalid request was provided
500
Internal server error, not due to request parameters

No Sample Response

This method does not specify any sample responses.

GET /api/scanning/v1/retention/policy

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
The retention policy
500
Unable to retrieve retention policy for the customer

No Sample Response

This method does not specify any sample responses.

PUT /api/scanning/v1/retention/policy

Request

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The retention policy was successfully updated
400
The retention policy was not updated
500
Internal server error, not due to request parameters

No Sample Response

This method does not specify any sample responses.

Get the vulnerability feeds metadata information

GET /api/scanning/v1/system/feeds

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object[]

Metadata on a single feed based on what the engine finds from querying the endpoints

Status Code

200
success
500
Internal Error

No Sample Response

This method does not specify any sample responses.

Retrieves the list of events that match a filter given a specified time range or cursor. The pair from and to and the cursor parameter are mutually exclusive. If you supply a from and to you must not supply a cursor and vice-versa. If you supply a cursor then the prev field inside the response is set if and only if there are events before the first event returned, while the next field inside the response is set if and only if there are events after the last event returned. If, instead, you supply the from and to pair then the prev and next fields inside the response are always set, because in that case there is no efficient way for the backend to verify if next and prev events actually exist. For this reason, the best way to use this API is to supply the from and to pair at the first request and then use the prev and next cursors to fetch events before and after the events returned. Please, do note that if you supply from and to and receive the prev and next cursors, any subsequent request made by supplying that next or prev cursor will return results that are not filtered by the from and to you provided in the first request. Finally, the difference between from and to cannot be greater than 2 weeks.

GET /api/v1/secureEvents

Request

Query Parameters

from
int64
From, expressed in nanoseconds. The difference between from and to cannot be greater than 2 weeks.

Possible values: value ≥ 0
Example: 1546300800000000000
to
int64
To, expressed in nanoseconds. The difference between from and to cannot be greater than 2 weeks.

Possible values: value ≥ 0
Example: 1546300800000000000
cursor
string
Cursor is a string used to retrieve data given a specific context. The context can either be events feed before a certain event, after it or its surrounding. See the prev, next and cursor fields inside the response for further details.

Example: LTltNGUybXIwdWkzZThhMjE1bjRn
filter
string
Query language expression for filtering results. It is a subset of the full metrics query language used in monitoring. Operators:
- and, or and not logical operators (i.e. pid = 1 and ppid = 2)
- =, !=, >, >=, < and <= comparison operators (i.e. pid = 1)
- in to check inclusion in a list of values (i.e. pid in (1, 2) or clientipv4 in ("127.0.0.1", "192.168.0.1")) This query language does not support the full set of metrics supported in the monitor query language, but instead supports a set of fields proper to each audit events type. The list of supported fields can be retrieved through the eventsFeedFilters endpoint. In addition to those fields, also these fields are supported:
- severity as numeric value in the [0, 7] range
- category as string value
- originator as string value (either policy or scanning)
- name as string value
- freeText as string value
- source as string value
- agentId as numeric value
- containerId as string value
- machineId as string value
- ruleName as string value
- ruleType as numeric value
- ruleSubType as numeric value
- policyId as numeric value
- alertName as string value
- trigger as string value
- image.id as string value
- image.registry as string value
- image.repo as string value
- image.tag as string value
- image.digest as string value
Example: agent.id=1
limit
number
Limit the number of events to return.

Possible values: 1 ≤ value ≤ 999
Default: 100
Example: 50
specialCategory
string
How to handle special events categories, like the policy simulation (advisor).
- exclude_simulation excludes events with category simulation
- only_simulation returns only events with category simulation
Allowable values: [exclude_simulation,only_simulation]
Default: exclude_simulation
Example: exclude_simulation

Response

Response Body

object

Status Code

200
The secure events feed.
400
The request is invalid.
422
Attempting to retrieve a secure events feed by using a filter that contains unsupported metrics.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.

No Sample Response

This method does not specify any sample responses.

Retrieves a 200 to double check if the secureEvents feature on the backend is available.

GET /api/v1/secureEvents/status

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
The supported secure events filters.

No Sample Response

This method does not specify any sample responses.

Verify if there are new/legacy events in the store.

GET /api/v1/secureEvents/hasEvents

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
Whether or not there are new/legacy events.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.

No Sample Response

This method does not specify any sample responses.

Retrieves the whitelist of supported secure events scope filters that can be used inside the filter parameter while retrieving the secure events feed.

GET /api/v1/secureEvents/filters

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

List of supported scope filters

Status Code

200
The supported secure events scope filters.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.

No Sample Response

This method does not specify any sample responses.

Retrieves an event with a given id.

GET /api/v1/secureEvents/{eventId}

Request

Path Parameters

eventId
Required*
string
The event id.

Example: 15cbf54e34df95404caad1c988cf7c42

Response

Response Body

object

Status Code

200
Event with the given id.
404
The event could not be found.
500
The server encountered an unexpected condition that prevented it from fulfilling the request.

No Sample Response

This method does not specify any sample responses.

Retrieves the count of events that match a filter given a specified time range (from <= to). Parameters from and to are required.

GET /api/vi/secureEvents/count

Request

Query Parameters

from
int64
From, expressed in nanoseconds. The difference between from and to cannot be greater than 2 weeks.

Possible values: value ≥ 0
Example: 1546300800000000000
to
int64
To, expressed in nanoseconds. The difference between from and to cannot be greater than 2 weeks.

Possible values: value ≥ 0
Example: 1546300800000000000
filter
string
Query language expression for filtering results. It is a subset of the full metrics query language used in monitoring. Operators:
- and, or and not logical operators (i.e. pid = 1 and ppid = 2)
- =, !=, >, >=, < and <= comparison operators (i.e. pid = 1)
- in to check inclusion in a list of values (i.e. pid in (1, 2) or clientipv4 in ("127.0.0.1", "192.168.0.1")) This query language does not support the full set of metrics supported in the monitor query language, but instead supports a set of fields proper to each audit events type. The list of supported fields can be retrieved through the eventsFeedFilters endpoint. In addition to those fields, also these fields are supported:
- severity as numeric value in the [0, 7] range
- category as string value
- originator as string value (either policy or scanning)
- name as string value
- freeText as string value
- source as string value
- agentId as numeric value
- containerId as string value
- machineId as string value
- ruleName as string value
- ruleType as numeric value
- ruleSubType as numeric value
- policyId as numeric value
- alertName as string value
- trigger as string value
- image.id as string value
- image.registry as string value
- image.repo as string value
- image.tag as string value
- image.digest as string value
Example: agent.id=1

Response

Response Body

object

Status Code

200
The scanning and secure events count by severity.
400
The query parameters are missing or invalid
403
The provided access token is invalid

No Sample Response

This method does not specify any sample responses.

Retrieves the top column value and counts of policy events that match a filter, specified time range (from <= to), and number of rows to return for all columns. Parameters from and to are required.

GET /api/vi/secureEvents/topStats

Request

Query Parameters

from
int64
From, expressed in nanoseconds. The difference between from and to cannot be greater than 2 weeks.

Possible values: value ≥ 0
Example: 1546300800000000000
to
int64
To, expressed in nanoseconds. The difference between from and to cannot be greater than 2 weeks.

Possible values: value ≥ 0
Example: 1546300800000000000
filter
string
Query language expression for filtering results. It is a subset of the full metrics query language used in monitoring. Operators:
- and, or and not logical operators (i.e. pid = 1 and ppid = 2)
- =, !=, >, >=, < and <= comparison operators (i.e. pid = 1)
- in to check inclusion in a list of values (i.e. pid in (1, 2) or clientipv4 in ("127.0.0.1", "192.168.0.1")) This query language does not support the full set of metrics supported in the monitor query language, but instead supports a set of fields proper to each audit events type. The list of supported fields can be retrieved through the eventsFeedFilters endpoint. In addition to those fields, also these fields are supported:
- severity as numeric value in the [0, 7] range
- category as string value
- originator as string value (either policy or scanning)
- name as string value
- freeText as string value
- source as string value
- agentId as numeric value
- containerId as string value
- machineId as string value
- ruleName as string value
- ruleType as numeric value
- ruleSubType as numeric value
- policyId as numeric value
- alertName as string value
- trigger as string value
- image.id as string value
- image.registry as string value
- image.repo as string value
- image.tag as string value
- image.digest as string value
Example: agent.id=1
rows
number
Describes how many rows of counts should be returned for each column category. Will be either 5 or 10.

Possible values: value ≥ 5
Default: 5
Example: 10

Response

Response Body

object

Status Code

200
The count stats of policy events for all columns.
400
The query parameters are missing or invalid
403
The provided access token is invalid

No Sample Response

This method does not specify any sample responses.

Retrieves the top column value and counts of policy events that match a filter, specified time range (from <= to), and number of rows to return for all columns. Parameters from, to, and metric are required.

GET /api/vi/secureEvents/timeSeries

Request

Query Parameters

metric
Required*
string
The metric to query timeseries for. Valid values are either user or severity.

Example: severity
from
int64
From, expressed in nanoseconds. The difference between from and to cannot be greater than 2 weeks.

Possible values: value ≥ 0
Example: 1546300800000000000
to
int64
To, expressed in nanoseconds. The difference between from and to cannot be greater than 2 weeks.

Possible values: value ≥ 0
Example: 1546300800000000000
filter
string
Query language expression for filtering results. It is a subset of the full metrics query language used in monitoring. Operators:
- and, or and not logical operators (i.e. pid = 1 and ppid = 2)
- =, !=, >, >=, < and <= comparison operators (i.e. pid = 1)
- in to check inclusion in a list of values (i.e. pid in (1, 2) or clientipv4 in ("127.0.0.1", "192.168.0.1")) This query language does not support the full set of metrics supported in the monitor query language, but instead supports a set of fields proper to each audit events type. The list of supported fields can be retrieved through the eventsFeedFilters endpoint. In addition to those fields, also these fields are supported:
- severity as numeric value in the [0, 7] range
- category as string value
- originator as string value (either policy or scanning)
- name as string value
- freeText as string value
- source as string value
- agentId as numeric value
- containerId as string value
- machineId as string value
- ruleName as string value
- ruleType as numeric value
- ruleSubType as numeric value
- policyId as numeric value
- alertName as string value
- trigger as string value
- image.id as string value
- image.registry as string value
- image.repo as string value
- image.tag as string value
- image.digest as string value
Example: agent.id=1
rows
number
Describes how many rows of counts should be returned for each column category. Will be either 5 or 10.

Possible values: value ≥ 5
Default: 5
Example: 10

Response

Response Body

object

Status Code

200
The time series stats of runtime policy events for the specified columns.
400
The query parameters are missing or invalid
403
The provided access token is invalid

No Sample Response

This method does not specify any sample responses.

Retrieves a summary of the audit events in a time range grouped by a series of metrics.

GET /api/v2/activityAudit/summary

Request

Query Parameters

from
number
From, expressed in nanoseconds.

Example: 1546300800000000000
to
number
To, expressed in nanoseconds.

Example: 1546300800000000000
scopeFilter
string
Metrics query language expression for filtering results based on the scope. In order the events to be filtered by this attributes, this attributes should be present on the labels field of the event. If the attributes are not present, it will not be possible to filter the event.

This are the supported scope filters where applicable are:
- agent.tag.*
- container.image.id
- container.image.repo
- container.image.tag
- container.image.digest
- container.label.io.kubernetes.container.name
- container.label.io.kubernetes.pod.name
- container.label.io.kubernetes.pod.namespace
- container.label.maintainer
- container.name
- host.hostName
- host.mac
- kubernetes.workload.name
- kubernetes.workload.type
- kubernetes.cluster.name
- kubernetes.cronJob.name
- kubernetes.daemonSet.name
- kubernetes.deployment.name
- kubernetes.job.name
- kubernetes.namespace.label.field.cattle.io/projectId
- kubernetes.namespace.label.project
- kubernetes.namespace.name
- kubernetes.node.name
- kubernetes.pod.name
- kubernetes.replicaSet.name
- kubernetes.service.name
- kubernetes.statefulSet.name
- aws.region
- aws.fargate.task.arn
- aws.fargate.cluster.arn
- aws.availabilityZone
- aws.accountId
- aws.user
- gcp.user
- gcp.projectId
Example: host.hostName="ip-127-0-0-1"
filter
string
Query language expression for filtering results. It is a subset of the full metrics query language used in monitoring.

Operators:
- and, or and not logical operators (i.e. pid = 1 and ppid = 2)
- =, !=, >, >=, < and <= comparison operators (i.e. pid = 1)
- in to check inclusion in a list of values (i.e. pid in (1, 2) or clientipv4 in ("127.0.0.1", "192.168.0.1"))
This query language does not support the full set of metrics supported in the monitor query language, but instead supports a set of fields proper to each audit events type.

These are the supported fields:
- id
- agentid
- clientipv4
- clientport
- cmdline
- comm
- command
- container
- containerid
- container.id
- count
- cwd
- direction
- directory
- errorcode
- filename
- groups
- l4protocol
- loginshelldistance
- loginshellid
- name
- namespace
- permissions
- pid
- ppid
- processname
- resource
- rxtimestamp
- serveripv4
- serverport
- sourceaddresses
- stages
- subresource
- timestamp
- tty
- uid
- user
- useragent
- anomaly
Example: pid=1
types
string
The event types to filter. A comma separated list of one or more of the following supported values:
- kubernetes
- commands
- connections
- fileaccesses
Example: commands,connections
segment
boolean
Whether or not to segment the results with a distance between points depending on the distance between from and to.

Default: false

Response

Response Body

object

Status Code

200
The summary of audit events.
400
The request is invalid.

Example responses

Status 200

[
  {
    "values": {
      "command": [
        [
          1569065400000000000,
          36
        ],
        [
          1569065460000000000,
          36
        ],
        [
          1569065520000000000,
          36
        ],
        [
          1569065580000000000,
          36
        ]
      ],
      "connection": [
        [
          1569065400000000000,
          36
        ],
        [
          1569065460000000000,
          36
        ],
        [
          1569065520000000000,
          36
        ],
        [
          1569065580000000000,
          36
        ]
      ],
      "fileaccess": [
        [
          1569065400000000000,
          36
        ],
        [
          1569065460000000000,
          36
        ],
        [
          1569065520000000000,
          36
        ],
        [
          1569065580000000000,
          36
        ]
      ],
      "kubernetes": [
        [
          1569065400000000000,
          36
        ],
        [
          1569065460000000000,
          36
        ],
        [
          1569065520000000000,
          36
        ],
        [
          1569065580000000000,
          36
        ]
      ]
    },
    "step": 60000000000
  }
]

Retrieves a list of audit events in a time range filters. The pair from and to and the cursor parameter are mutually exclusive. If you supply a from and to you must not supply a cursor and vice-versa.

GET /api/v2/activityAudit/events

Request

Query Parameters

from
number
From, expressed in nanoseconds.

Example: 1546300800000000000
to
number
To, expressed in nanoseconds.

Example: 1546300800000000000
cursor
string
Cursor is a string used to retrieve data given a specific context. The context can either be audit events before a certain event, after it or its surrounding.

Example: LTltNGUybXIwdWkzZThhMjE1bjRn
limit
number
Limit the number of results to return.

Possible values: 1 ≤ value ≤ 9999
Default: 100
Example: 100
scopeFilter
string
Metrics query language expression for filtering results based on the scope. In order the events to be filtered by this attributes, this attributes should be present on the labels field of the event. If the attributes are not present, it will not be possible to filter the event.

This are the supported scope filters where applicable are:
- agent.tag.*
- container.image.id
- container.image.repo
- container.image.tag
- container.image.digest
- container.label.io.kubernetes.container.name
- container.label.io.kubernetes.pod.name
- container.label.io.kubernetes.pod.namespace
- container.label.maintainer
- container.name
- host.hostName
- host.mac
- kubernetes.workload.name
- kubernetes.workload.type
- kubernetes.cluster.name
- kubernetes.cronJob.name
- kubernetes.daemonSet.name
- kubernetes.deployment.name
- kubernetes.job.name
- kubernetes.namespace.label.field.cattle.io/projectId
- kubernetes.namespace.label.project
- kubernetes.namespace.name
- kubernetes.node.name
- kubernetes.pod.name
- kubernetes.replicaSet.name
- kubernetes.service.name
- kubernetes.statefulSet.name
- aws.region
- aws.fargate.task.arn
- aws.fargate.cluster.arn
- aws.availabilityZone
- aws.accountId
- aws.user
- gcp.user
- gcp.projectId
Example: host.hostName="ip-127-0-0-1"
filter
string
Query language expression for filtering results. It is a subset of the full metrics query language used in monitoring.

Operators:
- and, or and not logical operators (i.e. pid = 1 and ppid = 2)
- =, !=, >, >=, < and <= comparison operators (i.e. pid = 1)
- in to check inclusion in a list of values (i.e. pid in (1, 2) or clientipv4 in ("127.0.0.1", "192.168.0.1"))
This query language does not support the full set of metrics supported in the monitor query language, but instead supports a set of fields proper to each audit events type.

These are the supported fields:
- id
- agentid
- clientipv4
- clientport
- cmdline
- comm
- command
- container
- containerid
- container.id
- count
- cwd
- direction
- directory
- errorcode
- filename
- groups
- l4protocol
- loginshelldistance
- loginshellid
- name
- namespace
- permissions
- pid
- ppid
- processname
- resource
- rxtimestamp
- serveripv4
- serverport
- sourceaddresses
- stages
- subresource
- timestamp
- tty
- uid
- user
- useragent
- anomaly
Example: pid=1
types
string
The event types to filter. A comma separated list of one or more of the following supported values:
- kubernetes
- commands
- connections
- fileaccesses
Example: commands,connections

Response

Response Body

object

Status Code

200
The list of audit events.
400
The request is invalid.

No Sample Response

This method does not specify any sample responses.

Retrieves an audit event of a specified type with a given id.

GET /api/v2/activityAudit/events/{type}/{eventId}

Request

Path Parameters

type
Required*
string
The event type.

Allowable values: [commands,connections,fileaccesses,kubernetes]
Example: command
eventId
Required*
string
The audit event id.

Example: 15cbf54e34df95404caad1c988cf7c42

Query Parameters

metrics
string
JSON list of metrics used to enrich results. If no metrics is passed the audit events returned will not have a metrics field populated. The metrics attributes are directly fetched from the metadata service, so please refer to it for the full list of supported metrics.

Example: ["host.hostName","container.id"]

Response

Response Body

One of

Represents a command execution.

Status Code

200
Audit event with the given type and id.
404
The event could not be found.

No Sample Response

This method does not specify any sample responses.

Retrieves a trace of all the audit events related to the traceable event in case it is a long running task. The audit events returned are all the commands, connections etc collected during the duration of the traceable event. If the event has not completed yet, the time range considered is up until the current time.

GET /api/v2/activityAudit/events/{type}/{eventId}/trace

Request

Path Parameters

type
Required*
string
The event type.

Allowable values: [commands,connections,fileaccesses,kubernetes]
Example: command
eventId
Required*
string
The audit event id.

Example: 15cbf54e34df95404caad1c988cf7c42

Query Parameters

limit
number
Limit the number of results to return.

Possible values: 1 ≤ value ≤ 9999
Default: 100
Example: 100

Response

Response Body

object

Status Code

200
All the events associated with this traceable event.
400
The request is invalid.
404
The event could not be found.
422
The audit event requested does not support tracing.

No Sample Response

This method does not specify any sample responses.

Retrieves a list of all the supported forwarding targets.

GET /api/v1/eventsForwarding/supported

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

string[]

Status Code

200
List of supported forwarding targets.
400
The request is invalid.

Example responses

[ "syslog", "splunk" ]

Retrieves a list of all the supported forwarding channels.

GET /api/v1/eventsForwarding/channels

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

string[]

Status Code

200
List of supported forwarding channels.
400
The request is invalid.

Example responses

[ "POLICY_EVENTS" ]

Retrieves a list of forwarding integrations for the customer making the request.

GET /api/v1/eventsForwarding/integrations

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object[]

Represents a command execution.

Status Code

200
The list of integrations.
400
The request is invalid.

No Sample Response

This method does not specify any sample responses.

Creates a forwarding integration for the customer.

POST /api/v1/eventsForwarding/integrations

Request

Request Body

Required*

object

The content of the integration to create.

Examples:

View

Response

Status Code

201
The creation of the integration was successful.
400
The request is invalid.

No Sample Response

This method does not specify any sample responses.

Retrieves a forwarding rule given its id.

GET /api/v1/eventsForwarding/integrations/{integrationId}

Request

Path Parameters

integrationId
Required*
integer
The forwarding integration id.

Example: 1

Response

Response Body

object

Represents a command execution.

Status Code

200
The forwarding integration with a given id.
404
The integration could not be found.

Example responses

Status 200

{
  "id": 1,
  "name": "Forward to Syslog",
  "customerId": 1,
  "type": "syslog",
  "enabled": true,
  "channels": [
    "POLICY_EVENTS"
  ],
  "connectionInfo": {
    "ServiceURL": "syslog-address",
    "ServicePort": 514
  }
}

Updates an integration given its id. The PATCH payload can be any combination of the following fields having the value to change. None of the connectionInfo fields are required for patching.

PATCH /api/v1/eventsForwarding/integrations/{integrationId}

Request

Path Parameters

integrationId
Required*
integer
The forwarding integration id.

Example: 1

Request Body

Required*

object

The content of the integration to update.

Examples:

View

Response

Status Code

204
The integration was successfully updated.
404
The integration could not be found.

No Sample Response

This method does not specify any sample responses.

Delete an integration given its id.

DELETE /api/v1/eventsForwarding/integrations/{integrationId}

Request

Path Parameters

integrationId
Required*
integer
The forwarding integration id.

Example: 1

Response

Status Code

201
The integration was successfully deleted.
404
The integration could not be found.

No Sample Response

This method does not specify any sample responses.

This endpoint returns the profile groups for a customer

GET /api/v1/profiling/profileGroups

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object[]

Status Code

200
An array of profile groups for a customer
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401

No Sample Response

This method does not specify any sample responses.

This endpoint returns the profile group given a id for a customer

GET /api/v1/profiling/profileGroups/{profileGroupId}

Request

Path Parameters

profileGroupId
Required*
integer
The id of the profile group

Response

Response Body

object

Status Code

200
The profile group for the given profileGroupId
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401

No Sample Response

This method does not specify any sample responses.

This endpoint returns the profiles for a given profileGroupId

GET /api/v1/profiling/profileGroups/{profileGroupId}/profiles

Request

Path Parameters

profileGroupId
Required*
integer
The id of the profile group

Query Parameters

scoreMin
integer
If specified, only profiles with a confidence score at least this amount will be retrieved. Defaults to 0
status
string
A comma-separated list of statuses. If specified, only profiles with these statuses will be retrieved. Defaults to ['FINALIZED','LEARNING']

Allowable values: [FINALIZED,LEARNING]
filter
string
If specified, filter to only include profiles where the profile name or image name (registry/repository:tag@hash) contains this string. Defaults to empty string
sortBy
string
Field used to sort. Defaults to score. Profiles with status:'FINALIZED' will always appear above status:'LEARNING', for all values of sortBy except sortBy:'status', sortMethod:'asc'.

Allowable values: [score,profileName,status,createdOn]
limit
integer
If specified, a limit on the number of entries retrieved. If any filters are also specified, the limit will be applied on the filtered list. limit must be >= 1 and if it overflows the list all entries will be retrieved. Defaults to length of list
offset
integer
If specified, a 0-based index on the profiles list. Only entries >= offset will be retrieved. Defaults to 0. If any filters are also specified, this index will be applied on the filtered list. An empty list will be retrieved if this index overflows the list.
sortMethod
string
Sorting method. Defaults to desc.

Allowable values: [desc,asc]

Response

Response Body

object

Status Code

200
The profiles for a given profileGroupId
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401

No Sample Response

This method does not specify any sample responses.

This endpoint returns the profile matching a given profileId

GET /api/v1/profiling/profiles/{profileId}

Request

Path Parameters

profileId
Required*
string

Response

Response Body

object

Status Code

200
The profile for a given profileId
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
404
The requested resource was not found. More information about 404 can be found at https://httpstatuses.com/404
500
Generic error from API

No Sample Response

This method does not specify any sample responses.

This endpoint can be used to reset a profile given a profileId

POST /api/v1/profiling/profiles/{profileId}/actions/reset

Request

Path Parameters

profileId
Required*
string

Response

Response Body

object

Profile reset action response

Status Code

200
The ActionsProfileResponse containing time when profile was reset
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
500
Generic error from API

No Sample Response

This method does not specify any sample responses.

This endpoint can be used to remove a profile given a profileId

POST /api/v1/profiling/profiles/{profileId}/actions/remove

Request

Path Parameters

profileId
Required*
string

Response

Response Body

object

Profile reset action response

Status Code

200
The ActionsProfileResponse containing time when profile was removed
400
Indicates a parameter, header or another quality of the request was malformed. More information about 400 can be found at https://httpstatuses.com/400
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
500
Generic error from API

No Sample Response

This method does not specify any sample responses.

This endpoint can be used to get status of Profiling API

GET /api/v1/profiling/status

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

string

Status Code

200
The ActionsProfileResponse containing time when profile was removed
401
The user failed to authenticate. More information about 401 can be found at https://httpstatuses.com/401
403
API Access Forbidden

No Sample Response

This method does not specify any sample responses.

Updates a default falco list

PUT /api/settings/falco/lists/{listId}

Request

Path Parameters

listId
Required*
integer

Request Body

object

Examples:

View

Response

Response Body

object

Status Code

200
The saved falco list
400
The provided falco list is not valid

No Sample Response

This method does not specify any sample responses.

Updates multiple default falco lists

PUT /api/settings/falco/lists

Request

Request Body

object

Examples:

View

Response

Response Body

object[]

Status Code

200
The saved falco list
400
The provided falco list is not valid

No Sample Response

This method does not specify any sample responses.

Save a new falcolist

POST /api/secure/falco/lists

Request

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The saved falco list
400
The provided falco list is not valid

No Sample Response

This method does not specify any sample responses.

GET /api/secure/falco/lists/{listId}

Request

Path Parameters

listId
Required*
integer

Response

Response Body

object

Status Code

200
The falco list with the given id

No Sample Response

This method does not specify any sample responses.

PUT /api/secure/falco/lists/{listId}

Request

Path Parameters

listId
Required*
integer

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The falco list with the given id
400
The provided falcolist is not valid
404
Resource with the specified ID could not be found. More information about 404 can be found at https://httpstatuses.com/404
409
The user must first perform a GET request to get the current version of the resource. The user must then compare the remote version with the local expected version and merge any updates from remote if needed and then update the local version to match the remote version. More information about 409 can be found at https://httpstatuses.com/409

No Sample Response

This method does not specify any sample responses.

DELETE /api/secure/falco/lists/{listId}

Request

Path Parameters

listId
Required*
integer

Response

Response Body

object

Status Code

200
The falco list that was just deleted

No Sample Response

This method does not specify any sample responses.

Returns the list of falco lists in the system. These are grouped by name and do not necessarily represent individual falco list objects, as multiple falco lists can have the same name.

GET /api/secure/falco/lists/summaries

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object[]

Status Code

200
An array of falco lists grouped by name.

No Sample Response

This method does not specify any sample responses.

Retrieve a group of all falco lists having the given name. This is used to show how a base list is modified by later lists that override/append to the list.

GET /api/secure/falco/lists/groups

Request

Query Parameters

name
Required*
string

Response

Response Body

object[]

Status Code

200
An array of lists

No Sample Response

This method does not specify any sample responses.

Get the default falco rules files e.g. the set of falco rules managed by sysdig.

GET /api/settings/falco/defaultRulesFiles

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
The default falco rules files.

No Sample Response

This method does not specify any sample responses.

Get the newest default falco rules files e.g. the set of falco rules managed by sysdig.

GET /api/settings/falco/newestDefaultRulesFiles

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
The newest falco rules files.

No Sample Response

This method does not specify any sample responses.

Get the custom falco rules files e.g. the set of falco rules managed by a customer.

GET /api/settings/falco/customRulesFiles

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
The custom falco rules files.

No Sample Response

This method does not specify any sample responses.

Set the current custom falco rules files. This content is always validated by passing the current default rules files plus the submitted customer rules files and any Secure UI generated rules to the open source falco executable to verify that falco can read the combination of files. The backend should choose the variant that has the greatest required_engine_version for each file, and then run open source falco with the -d option to verify the files. As knowing the current value of the version field is required to successfully update the rules file, in order to update the rules content you must first do a GET and update the content property. The version property in the response will be incremented on success.

PUT /api/settings/falco/customRulesFiles

Request

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The custom falco rules files
400
The provided falco rules content was either not falco compliant, causes a rule to be deleted that is still used by a policy, or has non null default policies
409
The user must first perform a GET request to get the current version of the resource. The user must then compare the remote version with the local expected version and merge any updates from remote if needed and then update the local version to match the remote version. More information about 409 can be found at https://httpstatuses.com/409

No Sample Response

This method does not specify any sample responses.

Get the custom falco rules file matching the filename

GET /api/settings/falco/customRulesFiles/{filename}

Request

Path Parameters

filename
Required*
string

Response

Response Body

object

Status Code

200
The custom falco rules file
404
Resource with the specified ID could not be found. More information about 404 can be found at https://httpstatuses.com/404

No Sample Response

This method does not specify any sample responses.

Update the custom falco rules file matching the filename

PUT /api/settings/falco/customRulesFiles/{filename}

Request

Path Parameters

filename
Required*
string

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The custom falco rules file
400
The provided falco rules content was either not falco compliant, causes a rule to be deleted that is still used by a policy, or has non null default policies
409
The user must first perform a GET request to get the current version of the resource. The user must then compare the remote version with the local expected version and merge any updates from remote if needed and then update the local version to match the remote version. More information about 409 can be found at https://httpstatuses.com/409

No Sample Response

This method does not specify any sample responses.

Delete the specified falco rules file

DELETE /api/settings/falco/customRulesFiles/{filename}

Request

Path Parameters

filename
Required*
string

Response

Response Body

object

Status Code

200
The deleted policy
404
Resource with the specified ID could not be found. More information about 404 can be found at https://httpstatuses.com/404
409
The user must first perform a GET request to get the current version of the resource. The user must then compare the remote version with the local expected version and merge any updates from remote if needed and then update the local version to match the remote version. More information about 409 can be found at https://httpstatuses.com/409

No Sample Response

This method does not specify any sample responses.

Save a new security policy.

POST /api/v2/policies

Request

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The newly created policy
400
The submitted policy was invalid

No Sample Response

This method does not specify any sample responses.

Returns information about policies configured by the current customer. Policies can be filtered by priority and scope.

GET /api/v2/policies

Request

Query Parameters

offset
number
limit
number
Example: 10
filter
string
string to look for in policy names/descriptions

Example: Write below
severity
number
finds policies that correspond to a numeric value representing a severity. The query param can be repeated to look for multiple severities

Example: 3
policyType
string
finds policies of a certain type

Example: list_matching
managed
boolean
finds policies that are managed by sysdig

Possible values: allows empty value

Response

Response Body

object[]

Status Code

200
An array of policies

No Sample Response

This method does not specify any sample responses.

GET /api/v2/policies/{id}

Request

Path Parameters

id
Required*
string

Response

Response Body

object

Status Code

200
The requested policy

No Sample Response

This method does not specify any sample responses.

PUT /api/v2/policies/{id}

Request

Path Parameters

id
Required*
string

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The requested policy
400
The updated policy was invalid
404
Resource with the specified ID could not be found. More information about 404 can be found at https://httpstatuses.com/404
409
The user must first perform a GET request to get the current version of the resource. The user must then compare the remote version with the local expected version and merge any updates from remote if needed and then update the local version to match the remote version. More information about 409 can be found at https://httpstatuses.com/409

No Sample Response

This method does not specify any sample responses.

DELETE /api/v2/policies/{id}

Request

Path Parameters

id
Required*
string

Response

Response Body

object

Status Code

200
The deleted policy

No Sample Response

This method does not specify any sample responses.

Save a new security policy and rules in a transaction. If the policy or any of the rules fail validation, the operation is canceled (no policy or rule is created) and an error response is returned.

POST /api/v2/policies/batch

Request

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The newly created policy and rules
400
A submitted policy or rule was invalid

No Sample Response

This method does not specify any sample responses.

Save a new rule

POST /api/secure/rules

Request

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The saved rule
400
The provided rule is not valid

No Sample Response

This method does not specify any sample responses.

GET /api/secure/rules/{ruleId}

Request

Path Parameters

ruleId
Required*
integer

Response

Response Body

object

Status Code

200
The rule with the given id

No Sample Response

This method does not specify any sample responses.

PUT /api/secure/rules/{ruleId}

Request

Path Parameters

ruleId
Required*
integer

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The rule with the given id
400
The provided rule is not valid
404
Resource with the specified ID could not be found. More information about 404 can be found at https://httpstatuses.com/404
409
The user must first perform a GET request to get the current version of the resource. The user must then compare the remote version with the local expected version and merge any updates from remote if needed and then update the local version to match the remote version. More information about 409 can be found at https://httpstatuses.com/409

No Sample Response

This method does not specify any sample responses.

DELETE /api/secure/rules/{ruleId}

Request

Path Parameters

ruleId
Required*
integer

Response

Response Body

object

Status Code

200
The rule that was deleted

No Sample Response

This method does not specify any sample responses.

Returns the list of rules in the system. These are grouped by name and do not necessarily represent individual rule objects, as multiple rules can have the same name.

GET /api/secure/rules/summaries

Request

Query Parameters

policyType
string
A name for a non overlapping subset of policies that share common characteristics. The enums falco and list_matching correspond to the FalcoSource enum syscall, k8s_audit corresponds to k8s_audit, and the others will map to a future enum value once OSS Falco decides a name

Allowable values: [falco,list_matching,k8s_audit,aws_cloudtrail,gcp_auditlog,azure_platformlogs,drift,machine_learning,falco_cloud_awscloudtrail]

Response

Response Body

object[]

Status Code

200
An array of rules grouped by name.

No Sample Response

This method does not specify any sample responses.

Retrieve a group of all rules having the given name. This is used to show how a base rule is modified by later rules that override/append to the rule. If there are multiple rules with the same name of different types, rule type must be specified.

GET /api/secure/rules/groups

Request

Query Parameters

name
Required*
string
type
string

Response

Response Body

object[]

Status Code

200
An array of rules

No Sample Response

This method does not specify any sample responses.

Retrieve a group of all rules matching a list of given names. This is used to show how a base rule is modified by later rules that override/append to the rule. This API would be faster than making calls to "#/api/secure/rules/groups" with one rule name at a time

GET /api/policies/v3/rules/groups

Request

Query Parameters

names
Required*
string[]

Response

Response Body

object[][]

Status Code

200
A wrapper object containing array of rule groups, where outside array size will be the same size as the valid rule names passed in query params and these will be sorted by the name. Each rule group will contain base rule followed by appends and will be ordered by rule origin ["Secure UI", "Sysdig", "Profiling", "Tuner"]
400
Indicates the names field is either missing or is empty

No Sample Response

This method does not specify any sample responses.

Retrieve a map of rule names to their corresponding policies that use them. The accept header will include "lite" to indicate the lightweight response of the endpoint should be returned e.g. 'application/xhtml+xml; lite' and return the full representation if not requested

GET /api/secure/rules/policyMappings

Request

Query Parameters

origin
string
A string naming the entity that created this rule. This, combined with the version identifier, corresponds to the "Published by" field in the UI. The origin should be "Secure UI" for objects created by the Secure UI, "Sysdig" for objects provided by Sysdig, and "Customer" for objects provided programmatically by the customer.

Allowable values: [Secure UI,Sysdig,Customer,Profiling,K8s Policy Advisor,Compliance,Tuner]
Example: Secure UI

Response

Response Body

One of

Status Code

200
An array of policies

No Sample Response

This method does not specify any sample responses.

Retrieves every tag associated with a runtime rule irrespective of whether or not that rule is used by a policy

GET /api/secure/rules/tags

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
The array representing all the tags

No Sample Response

This method does not specify any sample responses.

Save a new macro

POST /api/secure/falco/macros

Request

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The saved FalcoMacro
400
The provided FalcoMacro was invalid

No Sample Response

This method does not specify any sample responses.

GET /api/secure/falco/macros/{macroId}

Request

Path Parameters

macroId
Required*
integer

Response

Response Body

object

Status Code

200
The macro with the given id

No Sample Response

This method does not specify any sample responses.

PUT /api/secure/falco/macros/{macroId}

Request

Path Parameters

macroId
Required*
integer

Request Body

Required*

object

Response

Response Body

object

Status Code

200
The macro with the given id
400
The updated macro is not valid
404
Resource with the specified ID could not be found. More information about 404 can be found at https://httpstatuses.com/404
409
The user must first perform a GET request to get the current version of the resource. The user must then compare the remote version with the local expected version and merge any updates from remote if needed and then update the local version to match the remote version. More information about 409 can be found at https://httpstatuses.com/409

No Sample Response

This method does not specify any sample responses.

DELETE /api/secure/falco/macros/{macroId}

Request

Path Parameters

macroId
Required*
integer

Response

Response Body

object

Status Code

200
The macro that was just deleted

No Sample Response

This method does not specify any sample responses.

Returns the list of macros in the system. These are grouped by name and do not necessarily represent individual macro objects, as multiple macros can have the same name.

GET /api/secure/falco/macros/summaries

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object[]

Status Code

200
An array of macros grouped by name.

No Sample Response

This method does not specify any sample responses.

Retrieve a group of all falco macros having the given name. This is used to show how a base macro is modified by later macros that override/append to the macro.

GET /api/secure/falco/macros/groups

Request

Query Parameters

name
Required*
string

Response

Response Body

object[]

Status Code

200
An array of macros

No Sample Response

This method does not specify any sample responses.

Returns what falco filters are available to customer to configure falco rules

GET /api/settings/falco/filters

Request

Query Parameters

eventSource
string
when provided only falco filters corresponding to the specified event source will be included in the response

Allowable values: [syscall,k8s_audit,aws_cloudtrail,gcp_auditlog,azure_platformlogs]

Response

Response Body

object[]

Status Code

200
The falco filters available to customer to configure falco rules

No Sample Response

This method does not specify any sample responses.

The policy tuner service records this customer as enabled such that a tune will be run for this customer during the next run cycle

POST /api/v1/secure/policyTuner/enable

Request

No Request Parameters

This method does not accept any request parameters.

Response

Status Code

200
Success
400
Sysdig has not enabled tuning for this customer

No Sample Response

This method does not specify any sample responses.

The policy tuner service records this customer as disabled such that a tune will not be run for this customer during the next run cycle

POST /api/v1/secure/policyTuner/disable

Request

No Request Parameters

This method does not accept any request parameters.

Response

Status Code

200
Success

No Sample Response

This method does not specify any sample responses.

The policy tuner immediately runs tuning for the customer

POST /api/v1/secure/policyTuner/tuneNow

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
The generated tuner FalcoRulesFile
400
Sysdig has not enabled tuning for this customer

No Sample Response

This method does not specify any sample responses.

Checks if tuning is enabled

GET /api/v1/secure/policyTuner/tuningEnabled

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
Indicates whether tuning is enabled or disabled

No Sample Response

This method does not specify any sample responses.

Retrieves a 200 to double check if the policy tuner feature on the backend is available.

GET /api/v1/secure/policyTuner/status

Request

No Request Parameters

This method does not accept any request parameters.

Response

Response Body

object

Status Code

200
Indicates the policy tuner feature is available

No Sample Response

This method does not specify any sample responses.

Returns a list of exceptions to exclude the events matching a set of parameters

POST /api/v1/secure/policyTuner/excludeEvents

Request

Query Parameters

start
Required*
integer
The timestamp in seconds in which the events to be excluded begin
end
Required*
integer
The timestamp in seconds in which the events to be excluded end
filter
string
limit
integer
The number of suggested exclusion proposals to return in the responses. The request will be rejected if it is greater than 10 or less than 1.

Response

Response Body

object

Status Code

200
Indicates the service was able to successfully find a list of exceptions to exclude the provided events
400
Returned if the start param occurs after the end or if the parameters are of the wrong data type or the limit is out of range

No Sample Response

This method does not specify any sample responses.

Adds a provided set of exceptions to the tuner file

POST /api/v1/secure/policyTuner/exceptions

Request

Request Body

Required*

object

Response

Status Code

200
Indicates the new exceptions were successfully added to the tuner file
400
Indicates one of the fields in the request body was missing, the wrong data type, or the exception values did not match the expected form of the exception

No Sample Response

This method does not specify any sample responses.

Creates a new Integration for a customer.

POST /api/ticketing/v1/integrations/{provider}

Request

Path Parameters

provider
Required*
string
The ticket management provider.

Example: jira

Request Body

Required*

object

Response

Response Body

object

Status Code

200
Integration is successfully created.
400
Invalid input, integration could not be created.
401
Invalid credentials or missing auth token.
403
Account is forbidden (inactive/expired customer).
404
Invalid provider specified.
409
Integration already exists.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Fetch all integrations for a customer.

GET /api/ticketing/v1/integrations/{provider}

Request

Path Parameters

provider
Required*
string
The ticket management provider.

Example: jira

Response

Response Body

object[]

Status Code

200
List of all integrations for a customer.
401
Invalid credentials or missing auth token.
404
Invalid provider specified.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Fetch a single integration Information by id.

GET /api/ticketing/v1/integrations/{provider}/{integration_id}

Request

Path Parameters

provider
Required*
string
The ticket management provider.

Example: jira
integration_id
Required*
integer

Response

Response Body

object

Status Code

200
Description of a specific integration.
401
Invalid credentials or missing auth token.
404
Integration could not be found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Update an Integration for a customer.

PUT /api/ticketing/v1/integrations/{provider}/{integration_id}

Request

Path Parameters

provider
Required*
string
The ticket management provider.

Example: jira
integration_id
Required*
integer

Request Body

Required*

object

Response

Response Body

object

Status Code

200
Integration is successfully updated.
400
Integration could not be modified.
401
Invalid credentials or missing auth token.
404
Integration could not be found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Delete an Integration for a customer.

DELETE /api/ticketing/v1/integrations/{provider}/{integration_id}

Request

Path Parameters

provider
Required*
string
The ticket management provider.

Example: jira
integration_id
Required*
integer

Response

Response Body

object

Status Code

200
Integration is successfully deleted.
401
Invalid credentials or missing auth token.
404
Integration could not be found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Fetches the projects information needed for creating a ticket. The projectIDs, issueIDs, and list of assignable users are fetched for a valid integration.

GET /api/ticketing/v1/integrations/{provider}/{integration_id}/projects

Request

Path Parameters

provider
Required*
string
The ticket management provider.

Example: jira
integration_id
Required*
integer
index of the integration

Response

Response Body

object[]

Jira project object

Status Code

200
List all jira projects for an integration.
400
Project could not be fetched.
403
Account is forbidden (inactive/expired customer).
404
Integration could not be found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Fetches the projects information needed for creating a ticket. The list of assignable and issue types users are fetched to help create a ticket.

GET /api/ticketing/v1/integrations/{provider}/{integration_id}/project/{project_id}/projectMeta

Request

Path Parameters

provider
Required*
string
The ticket management provider.

Example: jira
integration_id
Required*
integer
index of the integration
project_id
Required*
integer
index of jira project id

Query Parameters

assignee
string
A query string that is matched against user attributes, such as displayName, and emailAddress, to find relevant assignable users.

Response

Response Body

object

Status Code

200
Project metadata
400
Project could not be fetched.
403
Account is forbidden (inactive/expired customer).
404
Integration could not be found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

GET /api/cloudauth/v1/accounts

Request

Query Parameters

organizationId
string
provider
string
Allowable values: [PROVIDER_UNSPECIFIED,PROVIDER_AWS,PROVIDER_AZURE,PROVIDER_GCP]

Response

Response Body

object

Status Code

200
OK
401
Invalid or missing auth token.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

POST /api/cloudauth/v1/accounts

Request

Request Body

Required*

object

CloudAccount captures a snapshot of basic metadata fields associated with a cloud.

Response

Response Body

object

CloudAccount captures a snapshot of basic metadata fields associated with a cloud.

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

GET /api/cloudauth/v1/accounts/{accountId}

Request

Path Parameters

accountId
Required*
string

Response

Response Body

object

CloudAccount captures a snapshot of basic metadata fields associated with a cloud.

Status Code

200
OK
401
Invalid or missing auth token.
404
The requested entity was not found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

DELETE /api/cloudauth/v1/accounts/{accountId}

Request

Path Parameters

accountId
Required*
string

Response

Status Code

204
There is no information.
401
Invalid or missing auth token.
404
The requested entity was not found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

PUT /api/cloudauth/v1/accounts/{accountId}

Request

Path Parameters

accountId
Required*
string

Request Body

Required*

object

CloudAccount captures a snapshot of basic metadata fields associated with a cloud.

Response

Response Body

object

CloudAccount captures a snapshot of basic metadata fields associated with a cloud.

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
404
The requested entity was not found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

GET /api/cloudauth/v1/accounts/{accountId}/components

Request

Path Parameters

accountId
Required*
string

Response

Response Body

object

Status Code

200
OK
401
Invalid or missing auth token.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

POST /api/cloudauth/v1/accounts/{accountId}/components

Request

Path Parameters

accountId
Required*
string

Request Body

Required*

object

AccountComponent captures a cloud resource within an account

Response

Response Body

object

AccountComponent captures a cloud resource within an account

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

GET /api/cloudauth/v1/accounts/{accountId}/components/{componentType}/{componentInstance}

Request

Path Parameters

accountId
Required*
string
componentType
Required*
string
Allowable values: [COMPONENT_UNSPECIFIED,COMPONENT_CLOUD_CONNECTOR,COMPONENT_TRUSTED_ROLE,COMPONENT_EVENT_BRIDGE,COMPONENT_SERVICE_PRINCIPAL]
componentInstance
Required*
string

Response

Response Body

object

AccountComponent captures a cloud resource within an account

Status Code

200
OK
401
Invalid or missing auth token.
404
The requested entity was not found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

DELETE /api/cloudauth/v1/accounts/{accountId}/components/{componentType}/{componentInstance}

Request

Path Parameters

accountId
Required*
string
componentType
Required*
string
Allowable values: [COMPONENT_UNSPECIFIED,COMPONENT_CLOUD_CONNECTOR,COMPONENT_TRUSTED_ROLE,COMPONENT_EVENT_BRIDGE,COMPONENT_SERVICE_PRINCIPAL]
componentInstance
Required*
string

Response

Status Code

204
There is no information.
401
Invalid or missing auth token.
404
The requested entity was not found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

PUT /api/cloudauth/v1/accounts/{accountId}/components/{componentType}/{componentInstance}

Request

Path Parameters

accountId
Required*
string
componentType
Required*
string
Allowable values: [COMPONENT_UNSPECIFIED,COMPONENT_CLOUD_CONNECTOR,COMPONENT_TRUSTED_ROLE,COMPONENT_EVENT_BRIDGE,COMPONENT_SERVICE_PRINCIPAL]
componentInstance
Required*
string

Request Body

Required*

object

AccountComponent captures a cloud resource within an account

Response

Response Body

object

AccountComponent captures a cloud resource within an account

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
404
The requested entity was not found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

update/enable a feature

PUT /api/cloudauth/v1/accounts/{accountId}/features/{featureType}

Request

Path Parameters

accountId
Required*
string
featureType
Required*
string
Allowable values: [FEATURE_UNSPECIFIED,FEATURE_SECURE_THREAT_DETECTION,FEATURE_SECURE_CONFIG_POSTURE,FEATURE_SECURE_IDENTITY_ENTITLEMENT,FEATURE_MONITOR_CLOUD_METRICS]

Request Body

Required*

object

AccountFeature captures a sysdig feature enabled on a cloud account

Response

Response Body

object

AccountFeature captures a sysdig feature enabled on a cloud account

Status Code

200
OK
400
The given request is invalid.
401
Invalid or missing auth token.
404
The requested entity was not found.
500
The server encountered an unexpected condition.

No Sample Response

This method does not specify any sample responses.

Introduction

Endpoint URL

Authentication

Auditing

Error handling

Methods

Compliance Views

Request

No Request Parameters

Response

Response Body

data

zoneId

zoneName

policies

id

name

passingScore

requirementsHistory

date

failedRequirements

requirementPassingScore

failedControls

resourceViolationSummary

highSeverity

mediumSeverity

lowSeverity

acceptedCount

Status Code

200

401

403

500

503

No Sample Response

Compliance Results

Request

Query Parameters

filter

pageNumber

pageSize

Response

Response Body

data

requirementId

name

description

severity

pass

failedControls

highSeverityCount

mediumSeverityCount

lowSeverityCount

acceptedCount

policyId

policyName

controls

id

name

description

pass

severity

isManual

objectsCount

lastUpdate

acceptedCount

resourceKind

resourceApiEndpoint

supportedDistributions

name

min_version

max_version

zone

id

name

totalCount

Status Code

200

401

403