Skip to main content

Get Container Scan Results

GET 
/api/v30.00/containers
x-prisma-cloud-target-env: {"permission":"monitorImages","saas":true,"self-hosted":true}
x-public: true

Retrieves container scan reports.

You can view the container scan reports in Console under Monitor > Compliance > Containers.

Note: The API rate limit for this endpoint is 30 requests per 30 seconds. You get an HTTP error response 429 if the limit exceeds.

Refer to the following available options for the fields query parameters:

  • labels
  • externalLabels
  • cluster
  • hostname
  • image

cURL Request

Refer to the following example cURL command that retrieves a scan report for all containers:

$ curl -k \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X GET \
  "https://<CONSOLE>/api/v<VERSION>/containers"

Refer to the following example cURL command that retrieves a scan report for a container with the collection <COLLECTION ID>:

$ curl -k \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X GET \
  "https://<CONSOLE>/api/v<VERSION>/containers?collections=<COLLECTION ID>"

The name query is synonymous with the filter containers text field in the Console UI.

A successful response returns the container scan reports.

Request

Query Parameters

    offset integer

    Offsets the result to a specific report count. Offset starts from 0.

    limit integer

    Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.

    search string

    Retrieves the result for a search term.

    sort string

    Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.

    reverse boolean

    Sorts the result in reverse order.

    collections string[]

    Filters the result based on collection names that you have defined in Prisma Cloud Compute.

    provider string[]

    Scopes the query by cloud provider.

    accountIDs string[]

    Filters the result based on cloud account IDs.

    resourceIDs string[]

    Scopes the query by resource ID.

    region string[]

    Scopes the query by cloud region.

    fields string[]

    Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.

    hostname string[]

    Hosts is used to filter containers by host.

    image string[]

    Images is used to filter containers by image name.

    imageId string[]

    ImageIDs is used to filter containers by image ids.

    id string[]

    IDs is used to filter container by container ID.

    profileId string[]

    ProfileIDs is used to filter container by runtime profile ID.

    namespaces string[]

    Namespaces are the namespaces to filter.

    firewallSupported boolean

    FirewallSupported is used to fetch containers with app firewall supported.

    clusters string[]

    Clusters is used to filter containers by cluster name.

    complianceIDs int[]

    ComplianceIDs is used to filter containers by compliance IDs.

    agentless boolean

    Agentless indicates that we should return only containers that were scanned by an agentless scanner.

Responses

Schema
  • Array [
    • _id string

    ID is the container ID.

    agentless boolean

    Agentless indicates if the result was received by an agentless scanner.

    agentlessScanID integer

    AgentlessScanID is the ID of the agentless scan in which the result was received.

    collections string[]

    Collections are collections to which this container applies.

    firewallProtection object

    ProtectionStatus describes the status of the WAAS protection

    enabled boolean

    Enabled indicates if WAAS proxy protection is enabled (true) or not (false).

    outOfBandMode waas.OutOfBandMode

    Possible values: [,Observation,Protection]

    OutOfBandMode holds the app firewall out-of-band mode

    ports int[]

    Ports indicates http open ports associated with the container.

    supported boolean

    Supported indicates if WAAS protection is supported (true) or not (false).

    tlsPorts int[]

    TLSPorts indicates https open ports associated with the container.

    unprotectedProcesses object[]

    UnprotectedProcesses holds the processes that support HTTP/HTTPS without WAAS protection.

  • Array [
    • port integer

    Port is the process port.

    process string

    Process is the process name.

    tls boolean

    TLS is the port TLS indication.

  • ]
    • hostname string

    Hostname is the hostname on which the container is deployed.

    info object

    ContainerInfo contains all information gathered on a specific container

    allCompliance object

    AllCompliance contains data regarding passed compliance checks

    compliance object[]

    Compliance are all the passed compliance checks.

  • Array [
    • applicableRules string[]

    Rules applied on the package.

    binaryPkgs string[]

    Names of the distro binary package names (packages which are built from the source of the package).

    block boolean

    Indicates if the vulnerability has a block effect (true) or not (false).

    cause string

    Additional information regarding the root cause for the vulnerability.

    cri boolean

    Indicates if this is a CRI-specific vulnerability (true) or not (false).

    custom boolean

    Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

    cve string

    CVE ID of the vulnerability (if applied).

    cvss float

    CVSS score of the vulnerability.

    description string

    Description of the vulnerability.

    discovered date-time

    Specifies the time of discovery for the vulnerability.

    exploit vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

    exploits object[]

    Exploits represents the exploits data found for a CVE

  • Array [
    • kind vuln.ExploitKind

    Possible values: [poc,in-the-wild]

    ExploitKind represents the kind of the exploit

    link string

    Link is a link to information about the exploit.

    source vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

  • ]
    • fixDate int64

    Date/time when the vulnerability was fixed (in Unix time).

    fixLink string

    Link to the vendor's fixed-version information.

    functionLayer string

    Specifies the serverless layer ID in which the vulnerability was discovered.

    gracePeriodDays integer

    Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.

    id integer

    ID of the violation.

    layerTime int64

    Date/time of the image layer to which the CVE belongs.

    link string

    Vendor link to the CVE.

    packageName string

    Name of the package that caused the vulnerability.

    packageVersion string

    Version of the package that caused the vulnerability (or null).

    published int64

    Date/time when the vulnerability was published (in Unix time).

    riskFactors object

    RiskFactors maps the existence of vulnerability risk factors

    property name* string
    severity string

    Textual representation of the vulnerability's severity.

    status string

    Vendor status for the vulnerability.

    templates vuln.ComplianceTemplate[]

    Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

    List of templates with which the vulnerability is associated.

    text string

    Description of the violation.

    title string

    Compliance title.

    twistlock boolean

    Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

    type vuln.Type

    Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux]

    Type represents the vulnerability type

    vecStr string

    Textual representation of the metric values used to score the vulnerability.

    vulnTagInfos object[]

    Tag information for the vulnerability.

  • Array [
    • color common.Color

    Color is a hexadecimal representation of color code value

    comment string

    Tag comment in a specific vulnerability context.

    name string

    Name of the tag.

  • ]
  • ]
    • enabled boolean

    Enabled indicates whether passed compliance checks is enabled by policy.

    app string

    App is the app that is hosted in the container.

    cloudMetadata object

    CloudMetadata is the metadata for an instance running in a cloud provider (AWS/GCP/Azure)

    accountID string

    Cloud account ID.

    awsExecutionEnv string

    AWS execution environment (e.g. EC2/Fargate).

    image string

    Image name.

    labels object[]

    Cloud provider metadata labels.

  • Array [
    • key string

    Label key.

    sourceName string

    Source name (e.g., for a namespace, the source name can be 'twistlock').

    sourceType common.ExternalLabelSourceType

    Possible values: [namespace,deployment,aws,azure,gcp,oci]

    ExternalLabelSourceType indicates the source of the labels

    timestamp date-time

    Time when the label was fetched.

    value string

    Value of the label.

  • ]
    • name string

    Instance name.

    provider common.CloudProvider

    Possible values: [aws,azure,gcp,alibaba,oci,others]

    CloudProvider represents the cloud provider

    region string

    Instance region.

    resourceID string

    Unique ID of the resource.

    resourceURL string

    Server-defined URL for the resource.

    type string

    Instance type.

    vmID string

    Azure unique vm ID.

    vmImageID string

    VMImageID holds the VM image ID.

    cluster string

    Cluster is the provided cluster name.

    clusterType common.ClusterType

    Possible values: [AKS,ECS,EKS,GKE,Kubernetes]

    ClusterType is the cluster type

    complianceDistribution object

    Distribution counts the number of vulnerabilities per type

    critical integer

    .

    high integer

    .

    low integer

    .

    medium integer

    .

    total integer

    .

    complianceIssues object[]

    ComplianceIssues are all the container compliance issues.

  • Array [
    • applicableRules string[]

    Rules applied on the package.

    binaryPkgs string[]

    Names of the distro binary package names (packages which are built from the source of the package).

    block boolean

    Indicates if the vulnerability has a block effect (true) or not (false).

    cause string

    Additional information regarding the root cause for the vulnerability.

    cri boolean

    Indicates if this is a CRI-specific vulnerability (true) or not (false).

    custom boolean

    Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

    cve string

    CVE ID of the vulnerability (if applied).

    cvss float

    CVSS score of the vulnerability.

    description string

    Description of the vulnerability.

    discovered date-time

    Specifies the time of discovery for the vulnerability.

    exploit vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

    exploits object[]

    Exploits represents the exploits data found for a CVE

  • Array [
    • kind vuln.ExploitKind

    Possible values: [poc,in-the-wild]

    ExploitKind represents the kind of the exploit

    link string

    Link is a link to information about the exploit.

    source vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

  • ]
    • fixDate int64

    Date/time when the vulnerability was fixed (in Unix time).

    fixLink string

    Link to the vendor's fixed-version information.

    functionLayer string

    Specifies the serverless layer ID in which the vulnerability was discovered.

    gracePeriodDays integer

    Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.

    id integer

    ID of the violation.

    layerTime int64

    Date/time of the image layer to which the CVE belongs.

    link string

    Vendor link to the CVE.

    packageName string

    Name of the package that caused the vulnerability.

    packageVersion string

    Version of the package that caused the vulnerability (or null).

    published int64

    Date/time when the vulnerability was published (in Unix time).

    riskFactors object

    RiskFactors maps the existence of vulnerability risk factors

    property name* string
    severity string

    Textual representation of the vulnerability's severity.

    status string

    Vendor status for the vulnerability.

    templates vuln.ComplianceTemplate[]

    Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

    List of templates with which the vulnerability is associated.

    text string

    Description of the violation.

    title string

    Compliance title.

    twistlock boolean

    Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

    type vuln.Type

    Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux]

    Type represents the vulnerability type

    vecStr string

    Textual representation of the metric values used to score the vulnerability.

    vulnTagInfos object[]

    Tag information for the vulnerability.

  • Array [
    • color common.Color

    Color is a hexadecimal representation of color code value

    comment string

    Tag comment in a specific vulnerability context.

    name string

    Name of the tag.

  • ]
  • ]
    • complianceIssuesCount integer

    .

    complianceRiskScore float

    ComplianceRiskScore is the container's compliance risk score.

    externalLabels object[]

    ExternalLabels is the external labels e.g., kubernetes namespace labels.

  • Array [
    • key string

    Label key.

    sourceName string

    Source name (e.g., for a namespace, the source name can be 'twistlock').

    sourceType common.ExternalLabelSourceType

    Possible values: [namespace,deployment,aws,azure,gcp,oci]

    ExternalLabelSourceType indicates the source of the labels

    timestamp date-time

    Time when the label was fetched.

    value string

    Value of the label.

  • ]
    • id string

    ID is the container id.

    image string

    Image is the canonical image name.

    imageID string

    ImageID is the image id.

    imageName string

    Deprecated: The image name as stated in the docker run command.

    infra boolean

    Infra represents any container that belongs to the infrastructure.

    installedProducts object

    InstalledProducts contains data regarding products running in environment TODO #34713: Swarm support was deprecated in Joule, remove swarm node/manager boolean (and related compliance) in Lagrange

    agentless boolean

    Agentless indicates whether the scan was performed with agentless approach.

    apache string

    Apache indicates the apache server version, empty in case apache not running.

    awsCloud boolean

    AWSCloud indicates whether AWS cloud is used.

    crio boolean

    CRI indicates whether the container runtime is CRI (and not docker).

    docker string

    Docker represents the docker daemon version.

    dockerEnterprise boolean

    DockerEnterprise indicates whether the enterprise version of Docker is installed.

    hasPackageManager boolean

    HasPackageManager indicates whether package manager is installed on the OS.

    k8sApiServer boolean

    K8sAPIServer indicates whether a kubernetes API server is running.

    k8sControllerManager boolean

    K8sControllerManager indicates whether a kubernetes controller manager is running.

    k8sEtcd boolean

    K8sEtcd indicates whether etcd is running.

    k8sFederationApiServer boolean

    K8sFederationAPIServer indicates whether a federation API server is running.

    k8sFederationControllerManager boolean

    K8sFederationControllerManager indicates whether a federation controller manager is running.

    k8sKubelet boolean

    K8sKubelet indicates whether kubelet is running.

    k8sProxy boolean

    K8sProxy indicates whether a kubernetes proxy is running.

    k8sScheduler boolean

    K8sScheduler indicates whether the kubernetes scheduler is running.

    kubernetes string

    Kubernetes represents the kubernetes version.

    openshift boolean

    Openshift indicates whether openshift is deployed.

    openshiftVersion string

    OpenshiftVersion represents the running openshift version.

    osDistro string

    OSDistro specifies the os distribution.

    serverless boolean

    Serverless indicates whether evaluated on a serverless environment.

    swarmManager boolean

    SwarmManager indicates whether a swarm manager is running.

    swarmNode boolean

    SwarmNode indicates whether the node is part of an active swarm.

    labels string[]

    Labels are the container labels (https://docs.docker.com/engine/userguide/labels-custom-metadata/).

    name string

    Name is the container name.

    namespace string

    Namespace is the k8s deployment namespace.

    network object

    ContainerNetwork contains details about the container network (ports, IPs, type etc...)

    ports object[]

    Ports are the ports details associated with the container.

  • Array [
    • container integer

    Container is the mapped port inside the container.

    host integer

    Host is the host port number.

    hostIP string

    HostIP is the host IP.

    listening boolean

    Listening indicates whether the port is in listening mode.

    nat boolean

    NAT indicates the port is exposed using NAT.

  • ]
    • networkSettings object

    DockerNetworkInfo contains network-related information about a container

    ipAddress string

    IPAddress is the container IP.

    macAddress string

    MacAddress is the container MAC.

    networks object[]

    Networks are the networks the container is connected to.

  • Array [
    • ipAddress string

    IPAddress is the container IP.

    macAddress string

    MacAddress is the container MAC.

    name string

    Name is the network name.

  • ]
    • ports object[]

    Ports are the container network binding that are externally mapped.

  • Array [
    • containerPort string

    ContainerPort is the mapped port inside the container.

    hostIP string

    HostIP is the host IP.

    hostPort integer

    HostPort is the host port.

  • ]
    • processes object[]

    Processes are the processes that are running inside the container.

  • Array [
    • name string

    Name is a process name.

  • ]
    • profileID string

    ProfileID is the container profile id.

    sizeBytes int64

    .

    startTime date-time

    StartTime is the starting time of the container.

    runtimeEnabled boolean

    RuntimeEnabled indicates if any runtime rule applies to the container.

    scanTime date-time

    ScanTime is the container scan time.

  • ]
Loading...