Skip to main content

Add Sandbox Scan Result

POST 

/api/v30.00/sandbox

x-prisma-cloud-target-env: {"permission":"sandbox","saas":true,"self-hosted":true}
x-public: true

AddSandboxScanResult adds a sandbox scan result, the scan is augmented with geolocation data and returned to the client

Request

Body

    _id string

    ID is a unique scan identifier.

    collections string[]

    Collections to which this result applies.

    connection object[]

    Connection is a list of connection events detected during this scan.

  • Array [
  • countryCode string

    CountryCode is the country code for the network IP.

    ip string

    IP is the network IP.

    port integer

    Port is the network port.

    process object

    ProcessEvent represents a process event during sandbox scan

    command string

    Command is the command line.

    md5 string

    MD5 is the md5 hash for the process binary.

    parent object

    ProcessInfo holds process information

    command string

    Command is the command line.

    md5 string

    MD5 is the md5 hash for the process binary.

    path string

    Path is the binary path.

    time date-time

    Time is the process start time.

    user string

    User is the username/id.

    path string

    Path is the binary path.

    time date-time

    Time is the process start time.

    user string

    User is the username/id.

    protocol string

    Protocol is the transport layer protocol (UDP / TCP).

    time date-time

    Time is the event time.

  • ]
  • dns object[]

    DNS is a list of DNS queries detected during this scan.

  • Array [
  • countryCode string

    CountryCode is the country code for the network IP.

    domainName string

    DomainName is the domain name for a DNS query.

    domainType string

    DomainType is the domain type for a DNS query.

    ip string

    IP is the network IP.

    process object

    ProcessEvent represents a process event during sandbox scan

    command string

    Command is the command line.

    md5 string

    MD5 is the md5 hash for the process binary.

    parent object

    ProcessInfo holds process information

    command string

    Command is the command line.

    md5 string

    MD5 is the md5 hash for the process binary.

    path string

    Path is the binary path.

    time date-time

    Time is the process start time.

    user string

    User is the username/id.

    path string

    Path is the binary path.

    time date-time

    Time is the process start time.

    user string

    User is the username/id.

    time date-time

    Time is the event time.

  • ]
  • entrypoint string

    Entrypoint is the command executed in the sandbox scan.

    filesystem object[]

    Filesystem is a list of filesystem events detected during this scan.

  • Array [
  • accessType sandbox.FilesystemAccessType

    Possible values: [open,modify,create]

    FilesystemAccessType represents a type of accessing a file

    path string

    Path is the file path.

    process object

    ProcessEvent represents a process event during sandbox scan

    command string

    Command is the command line.

    md5 string

    MD5 is the md5 hash for the process binary.

    parent object

    ProcessInfo holds process information

    command string

    Command is the command line.

    md5 string

    MD5 is the md5 hash for the process binary.

    path string

    Path is the binary path.

    time date-time

    Time is the process start time.

    user string

    User is the username/id.

    path string

    Path is the binary path.

    time date-time

    Time is the process start time.

    user string

    User is the username/id.

    time date-time

    Time is the event time.

  • ]
  • findings object[]

    Findings are the detected findings during scan.

  • Array [
  • description string

    Description is the finding description.

    events object[]

    Events are the events that lead to the finding detection.

  • Array [
  • description string

    Description describes what happened in the event.

    time date-time

    Time is the time of event detection.

  • ]
  • severity sandbox.FindingSeverity

    Possible values: [critical,high,medium,low]

    FindingSeverity represents a finding severity level

    time date-time

    Time is the detection time (time of triggering event).

    type sandbox.FindingType

    Possible values: [dropper,modifiedBinary,executableCreation,filelessExecutableCreation,wildFireMalware,verticalPortScan,cryptoMiner,suspiciousELFHeader,kernelModule,modifiedBinaryExecution,filelessExecution]

    FindingType represents a unique sandbox-detected finding type

  • ]
  • image object

    ImageInfo contains image information collected during image scan

    Secrets string[]

    Secrets are paths to embedded secrets inside the image Note: capital letter JSON annotation is kept to avoid converting all images for backward-compatibility support.

    allCompliance object

    AllCompliance contains data regarding passed compliance checks

    compliance object[]

    Compliance are all the passed compliance checks.

  • Array [
  • applicableRules string[]

    Rules applied on the package.

    binaryPkgs string[]

    Names of the distro binary package names (packages which are built from the source of the package).

    block boolean

    Indicates if the vulnerability has a block effect (true) or not (false).

    cause string

    Additional information regarding the root cause for the vulnerability.

    cri boolean

    Indicates if this is a CRI-specific vulnerability (true) or not (false).

    custom boolean

    Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

    cve string

    CVE ID of the vulnerability (if applied).

    cvss float

    CVSS score of the vulnerability.

    description string

    Description of the vulnerability.

    discovered date-time

    Specifies the time of discovery for the vulnerability.

    exploit vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

    exploits object[]

    Exploits represents the exploits data found for a CVE

  • Array [
  • kind vuln.ExploitKind

    Possible values: [poc,in-the-wild]

    ExploitKind represents the kind of the exploit

    link string

    Link is a link to information about the exploit.

    source vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

  • ]
  • fixDate int64

    Date/time when the vulnerability was fixed (in Unix time).

    fixLink string

    Link to the vendor's fixed-version information.

    functionLayer string

    Specifies the serverless layer ID in which the vulnerability was discovered.

    gracePeriodDays integer

    Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.

    id integer

    ID of the violation.

    layerTime int64

    Date/time of the image layer to which the CVE belongs.

    link string

    Vendor link to the CVE.

    packageName string

    Name of the package that caused the vulnerability.

    packageVersion string

    Version of the package that caused the vulnerability (or null).

    published int64

    Date/time when the vulnerability was published (in Unix time).

    riskFactors object

    RiskFactors maps the existence of vulnerability risk factors

    property name* string
    severity string

    Textual representation of the vulnerability's severity.

    status string

    Vendor status for the vulnerability.

    templates vuln.ComplianceTemplate[]

    Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

    List of templates with which the vulnerability is associated.

    text string

    Description of the violation.

    title string

    Compliance title.

    twistlock boolean

    Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

    type vuln.Type

    Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux]

    Type represents the vulnerability type

    vecStr string

    Textual representation of the metric values used to score the vulnerability.

    vulnTagInfos object[]

    Tag information for the vulnerability.

  • Array [
  • color common.Color

    Color is a hexadecimal representation of color code value

    comment string

    Tag comment in a specific vulnerability context.

    name string

    Name of the tag.

  • ]
  • ]
  • enabled boolean

    Enabled indicates whether passed compliance checks is enabled by policy.

    applications object[]

    Products in the image.

  • Array [
  • installedFromPackage boolean

    Indicates that the app was installed as an OS package.

    knownVulnerabilities integer

    Total number of vulnerabilities for this application.

    layerTime int64

    Image layer to which the application belongs - layer creation time.

    name string

    Name of the application.

    path string

    Path of the detected application.

    service boolean

    Service indicates whether the application is installed as a service.

    version string

    Version of the application.

  • ]
  • baseImage string

    Image’s base image name. Used when filtering the vulnerabilities by base images.

    binaries object[]

    Binaries in the image.

  • Array [
  • altered boolean

    Indicates if the binary was installed from a package manager and modified/replaced (true) or not (false).

    cveCount integer

    Total number of CVEs for this specific binary.

    deps string[]

    Third-party package files which are used by the binary.

    functionLayer string

    ID of the serverless layer in which the package was discovered.

    md5 string

    Md5 hashset of the binary.

    missingPkg boolean

    Indicates if this binary is not related to any package (true) or not (false).

    name string

    Name of the binary.

    path string

    Relative path of the binary inside the container.

    pkgRootDir string

    Path for searching packages used by the binary.

    services string[]

    Names of services which use the binary.

    version string

    Version of the binary.

  • ]
  • cloudMetadata object

    CloudMetadata is the metadata for an instance running in a cloud provider (AWS/GCP/Azure)

    accountID string

    Cloud account ID.

    awsExecutionEnv string

    AWS execution environment (e.g. EC2/Fargate).

    image string

    Image name.

    labels object[]

    Cloud provider metadata labels.

  • Array [
  • key string

    Label key.

    sourceName string

    Source name (e.g., for a namespace, the source name can be 'twistlock').

    sourceType common.ExternalLabelSourceType

    Possible values: [namespace,deployment,aws,azure,gcp,oci]

    ExternalLabelSourceType indicates the source of the labels

    timestamp date-time

    Time when the label was fetched.

    value string

    Value of the label.

  • ]
  • name string

    Instance name.

    provider common.CloudProvider

    Possible values: [aws,azure,gcp,alibaba,oci,others]

    CloudProvider represents the cloud provider

    region string

    Instance region.

    resourceID string

    Unique ID of the resource.

    resourceURL string

    Server-defined URL for the resource.

    type string

    Instance type.

    vmID string

    Azure unique vm ID.

    vmImageID string

    VMImageID holds the VM image ID.

    clusterType common.ClusterType

    Possible values: [AKS,ECS,EKS,GKE,Kubernetes]

    ClusterType is the cluster type

    clusters string[]

    Cluster names.

    complianceDistribution object

    Distribution counts the number of vulnerabilities per type

    critical integer

    .

    high integer

    .

    low integer

    .

    medium integer

    .

    total integer

    .

    complianceIssues object[]

    All the compliance issues.

  • Array [
  • applicableRules string[]

    Rules applied on the package.

    binaryPkgs string[]

    Names of the distro binary package names (packages which are built from the source of the package).

    block boolean

    Indicates if the vulnerability has a block effect (true) or not (false).

    cause string

    Additional information regarding the root cause for the vulnerability.

    cri boolean

    Indicates if this is a CRI-specific vulnerability (true) or not (false).

    custom boolean

    Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

    cve string

    CVE ID of the vulnerability (if applied).

    cvss float

    CVSS score of the vulnerability.

    description string

    Description of the vulnerability.

    discovered date-time

    Specifies the time of discovery for the vulnerability.

    exploit vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

    exploits object[]

    Exploits represents the exploits data found for a CVE

  • Array [
  • kind vuln.ExploitKind

    Possible values: [poc,in-the-wild]

    ExploitKind represents the kind of the exploit

    link string

    Link is a link to information about the exploit.

    source vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

  • ]
  • fixDate int64

    Date/time when the vulnerability was fixed (in Unix time).

    fixLink string

    Link to the vendor's fixed-version information.

    functionLayer string

    Specifies the serverless layer ID in which the vulnerability was discovered.

    gracePeriodDays integer

    Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.

    id integer

    ID of the violation.

    layerTime int64

    Date/time of the image layer to which the CVE belongs.

    link string

    Vendor link to the CVE.

    packageName string

    Name of the package that caused the vulnerability.

    packageVersion string

    Version of the package that caused the vulnerability (or null).

    published int64

    Date/time when the vulnerability was published (in Unix time).

    riskFactors object

    RiskFactors maps the existence of vulnerability risk factors

    property name* string
    severity string

    Textual representation of the vulnerability's severity.

    status string

    Vendor status for the vulnerability.

    templates vuln.ComplianceTemplate[]

    Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

    List of templates with which the vulnerability is associated.

    text string

    Description of the violation.

    title string

    Compliance title.

    twistlock boolean

    Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

    type vuln.Type

    Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux]

    Type represents the vulnerability type

    vecStr string

    Textual representation of the metric values used to score the vulnerability.

    vulnTagInfos object[]

    Tag information for the vulnerability.

  • Array [
  • color common.Color

    Color is a hexadecimal representation of color code value

    comment string

    Tag comment in a specific vulnerability context.

    name string

    Name of the tag.

  • ]
  • ]
  • complianceIssuesCount integer

    Number of compliance issues.

    complianceRiskScore float

    Compliance risk score for the image.

    creationTime date-time

    Specifies the time of creation for the latest version of the image.

    distro string

    Full name of the distribution.

    ecsClusterName string

    ECS cluster name.

    externalLabels object[]

    Kubernetes external labels of all containers running this image.

  • Array [
  • key string

    Label key.

    sourceName string

    Source name (e.g., for a namespace, the source name can be 'twistlock').

    sourceType common.ExternalLabelSourceType

    Possible values: [namespace,deployment,aws,azure,gcp,oci]

    ExternalLabelSourceType indicates the source of the labels

    timestamp date-time

    Time when the label was fetched.

    value string

    Value of the label.

  • ]
  • files object[]

    Files in the container.

  • Array [
  • md5 string

    Hash sum of the file using md5.

    path string

    Path of the file.

    sha1 string

    Hash sum of the file using SHA-1.

    sha256 string

    Hash sum of the file using SHA256.

  • ]
  • firstScanTime date-time

    Specifies the time of the scan for the first version of the image. This time is preserved even after the version update.

    history object[]

    Docker image history.

  • Array [
  • baseLayer boolean

    Indicates if this layer originated from the base image (true) or not (false).

    created int64

    Date/time when the image layer was created.

    emptyLayer boolean

    Indicates if this instruction didn't create a separate layer (true) or not (false).

    id string

    ID of the layer.

    instruction string

    Docker file instruction and arguments used to create this layer.

    sizeBytes int64

    Size of the layer (in bytes).

    tags string[]

    Holds the image tags.

    vulnerabilities object[]

    Vulnerabilities which originated from this layer.

  • Array [
  • applicableRules string[]

    Rules applied on the package.

    binaryPkgs string[]

    Names of the distro binary package names (packages which are built from the source of the package).

    block boolean

    Indicates if the vulnerability has a block effect (true) or not (false).

    cause string

    Additional information regarding the root cause for the vulnerability.

    cri boolean

    Indicates if this is a CRI-specific vulnerability (true) or not (false).

    custom boolean

    Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

    cve string

    CVE ID of the vulnerability (if applied).

    cvss float

    CVSS score of the vulnerability.

    description string

    Description of the vulnerability.

    discovered date-time

    Specifies the time of discovery for the vulnerability.

    exploit vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

    exploits object[]

    Exploits represents the exploits data found for a CVE

  • Array [
  • kind vuln.ExploitKind

    Possible values: [poc,in-the-wild]

    ExploitKind represents the kind of the exploit

    link string

    Link is a link to information about the exploit.

    source vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

  • ]
  • fixDate int64

    Date/time when the vulnerability was fixed (in Unix time).

    fixLink string

    Link to the vendor's fixed-version information.

    functionLayer string

    Specifies the serverless layer ID in which the vulnerability was discovered.

    gracePeriodDays integer

    Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.

    id integer

    ID of the violation.

    layerTime int64

    Date/time of the image layer to which the CVE belongs.

    link string

    Vendor link to the CVE.

    packageName string

    Name of the package that caused the vulnerability.

    packageVersion string

    Version of the package that caused the vulnerability (or null).

    published int64

    Date/time when the vulnerability was published (in Unix time).

    riskFactors object

    RiskFactors maps the existence of vulnerability risk factors

    property name* string
    severity string

    Textual representation of the vulnerability's severity.

    status string

    Vendor status for the vulnerability.

    templates vuln.ComplianceTemplate[]

    Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

    List of templates with which the vulnerability is associated.

    text string

    Description of the violation.

    title string

    Compliance title.

    twistlock boolean

    Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

    type vuln.Type

    Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux]

    Type represents the vulnerability type

    vecStr string

    Textual representation of the metric values used to score the vulnerability.

    vulnTagInfos object[]

    Tag information for the vulnerability.

  • Array [
  • color common.Color

    Color is a hexadecimal representation of color code value

    comment string

    Tag comment in a specific vulnerability context.

    name string

    Name of the tag.

  • ]
  • ]
  • ]
  • hostDevices object[]

    Map from host network device name to IP address.

  • Array [
  • ip string

    Network device IPv4 address.

    name string

    Network device name.

  • ]
  • id string

    Image ID.

    image object

    Image represents a container image

    created date-time

    Date/time when the image was created.

    entrypoint string[]

    Combined entrypoint of the image (entrypoint + CMD).

    env string[]

    Image environment variables.

    healthcheck boolean

    Indicates if health checks are enabled (true) or not (false).

    history object[]

    Holds the image history.

  • Array [
  • baseLayer boolean

    Indicates if this layer originated from the base image (true) or not (false).

    created int64

    Date/time when the image layer was created.

    emptyLayer boolean

    Indicates if this instruction didn't create a separate layer (true) or not (false).

    id string

    ID of the layer.

    instruction string

    Docker file instruction and arguments used to create this layer.

    sizeBytes int64

    Size of the layer (in bytes).

    tags string[]

    Holds the image tags.

    vulnerabilities object[]

    Vulnerabilities which originated from this layer.

  • Array [
  • applicableRules string[]

    Rules applied on the package.

    binaryPkgs string[]

    Names of the distro binary package names (packages which are built from the source of the package).

    block boolean

    Indicates if the vulnerability has a block effect (true) or not (false).

    cause string

    Additional information regarding the root cause for the vulnerability.

    cri boolean

    Indicates if this is a CRI-specific vulnerability (true) or not (false).

    custom boolean

    Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

    cve string

    CVE ID of the vulnerability (if applied).

    cvss float

    CVSS score of the vulnerability.

    description string

    Description of the vulnerability.

    discovered date-time

    Specifies the time of discovery for the vulnerability.

    exploit vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

    exploits object[]

    Exploits represents the exploits data found for a CVE

  • Array [
  • kind vuln.ExploitKind

    Possible values: [poc,in-the-wild]

    ExploitKind represents the kind of the exploit

    link string

    Link is a link to information about the exploit.

    source vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

  • ]
  • fixDate int64

    Date/time when the vulnerability was fixed (in Unix time).

    fixLink string

    Link to the vendor's fixed-version information.

    functionLayer string

    Specifies the serverless layer ID in which the vulnerability was discovered.

    gracePeriodDays integer

    Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.

    id integer

    ID of the violation.

    layerTime int64

    Date/time of the image layer to which the CVE belongs.

    link string

    Vendor link to the CVE.

    packageName string

    Name of the package that caused the vulnerability.

    packageVersion string

    Version of the package that caused the vulnerability (or null).

    published int64

    Date/time when the vulnerability was published (in Unix time).

    riskFactors object

    RiskFactors maps the existence of vulnerability risk factors

    property name* string
    severity string

    Textual representation of the vulnerability's severity.

    status string

    Vendor status for the vulnerability.

    templates vuln.ComplianceTemplate[]

    Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

    List of templates with which the vulnerability is associated.

    text string

    Description of the violation.

    title string

    Compliance title.

    twistlock boolean

    Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

    type vuln.Type

    Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux]

    Type represents the vulnerability type

    vecStr string

    Textual representation of the metric values used to score the vulnerability.

    vulnTagInfos object[]

    Tag information for the vulnerability.

  • Array [
  • color common.Color

    Color is a hexadecimal representation of color code value

    comment string

    Tag comment in a specific vulnerability context.

    name string

    Name of the tag.

  • ]
  • ]
  • ]
  • id string

    ID of the image.

    labels object

    Image labels.

    property name* string
    layers string[]

    Image filesystem layers.

    os string

    Image os type.

    repoDigest string[]

    Image repo digests.

    repoTags string[]

    Image repo tags.

    user string

    Image user.

    workingDir string

    Base working directory of the image.

    installedProducts object

    InstalledProducts contains data regarding products running in environment TODO #34713: Swarm support was deprecated in Joule, remove swarm node/manager boolean (and related compliance) in Lagrange

    agentless boolean

    Agentless indicates whether the scan was performed with agentless approach.

    apache string

    Apache indicates the apache server version, empty in case apache not running.

    awsCloud boolean

    AWSCloud indicates whether AWS cloud is used.

    crio boolean

    CRI indicates whether the container runtime is CRI (and not docker).

    docker string

    Docker represents the docker daemon version.

    dockerEnterprise boolean

    DockerEnterprise indicates whether the enterprise version of Docker is installed.

    hasPackageManager boolean

    HasPackageManager indicates whether package manager is installed on the OS.

    k8sApiServer boolean

    K8sAPIServer indicates whether a kubernetes API server is running.

    k8sControllerManager boolean

    K8sControllerManager indicates whether a kubernetes controller manager is running.

    k8sEtcd boolean

    K8sEtcd indicates whether etcd is running.

    k8sFederationApiServer boolean

    K8sFederationAPIServer indicates whether a federation API server is running.

    k8sFederationControllerManager boolean

    K8sFederationControllerManager indicates whether a federation controller manager is running.

    k8sKubelet boolean

    K8sKubelet indicates whether kubelet is running.

    k8sProxy boolean

    K8sProxy indicates whether a kubernetes proxy is running.

    k8sScheduler boolean

    K8sScheduler indicates whether the kubernetes scheduler is running.

    kubernetes string

    Kubernetes represents the kubernetes version.

    openshift boolean

    Openshift indicates whether openshift is deployed.

    openshiftVersion string

    OpenshiftVersion represents the running openshift version.

    osDistro string

    OSDistro specifies the os distribution.

    serverless boolean

    Serverless indicates whether evaluated on a serverless environment.

    swarmManager boolean

    SwarmManager indicates whether a swarm manager is running.

    swarmNode boolean

    SwarmNode indicates whether the node is part of an active swarm.

    isARM64 boolean

    IsARM64 indicates if the architecture of the image is aarch64.

    k8sClusterAddr string

    Endpoint of the Kubernetes API server.

    labels string[]

    Image labels.

    layers string[]

    Image's filesystem layers. Each layer is a SHA256 digest of the filesystem diff See: https://windsock.io/explaining-docker-image-ids/.

    missingDistroVulnCoverage boolean

    Indicates if the image OS is covered in the IS (true) or not (false).

    namespaces string[]

    k8s namespaces of all the containers running this image.

    osDistro string

    Name of the OS distribution.

    osDistroRelease string

    OS distribution release.

    osDistroVersion string

    OS distribution version.

    packageCorrelationDone boolean

    PackageCorrelationDone indicates that the correlation to OS packages has been done.

    packageManager boolean

    Indicates if the package manager is installed for the OS.

    packages object[]

    Packages which exist in the image.

  • Array [
  • pkgs object[]

    List of packages.

  • Array [
  • binaryIdx int16[]

    Indexes of the top binaries which use the package.

    binaryPkgs string[]

    Names of the distro binary packages (packages which are built on the source of the package).

    cveCount integer

    Total number of CVEs for this specific package.

    files object[]

    List of package-related files and their hashes. Only included when the appropriate scan option is set.

  • Array [
  • md5 string

    Hash sum of the file using md5.

    path string

    Path of the file.

    sha1 string

    Hash sum of the file using SHA-1.

    sha256 string

    Hash sum of the file using SHA256.

  • ]
  • functionLayer string

    ID of the serverless layer in which the package was discovered.

    goPkg boolean

    GoPkg indicates this is a Go package (and not module).

    jarIdentifier string

    JarIdentifier holds an additional identification detail of a JAR package.

    layerTime int64

    Image layer to which the package belongs (layer creation time).

    license string

    License information for the package.

    name string

    Name of the package.

    osPackage boolean

    OSPackage indicates that a python/java package was installed as an OS package.

    path string

    Full package path (e.g., JAR or Node.js package path).

    version string

    Package version.

  • ]
  • pkgsType vuln.PackageType

    Possible values: [nodejs,gem,python,jar,package,windows,binary,nuget,go]

    PackageType describes the package type

  • ]
  • pushTime date-time

    PushTime is the image push time to the registry.

    registryNamespace string

    IBM cloud namespace to which the image belongs.

    registryType string

    RegistryType indicates the registry type where the image is stored.

    repoDigests string[]

    Digests of the image. Used for content trust (notary). Has one digest per tag.

    repoTag object

    ImageTag represents an image repository and its associated tag or registry digest

    digest string

    Image digest (requires V2 or later registry).

    id string

    ID of the image.

    registry string

    Registry name to which the image belongs.

    repo string

    Repository name to which the image belongs.

    tag string

    Image tag.

    rhelRepos string[]

    RhelRepositories are the (RPM) repositories IDs from which the packages in this image were installed Used for matching vulnerabilities by Red Hat CPEs.

    riskFactors object

    RiskFactors maps the existence of vulnerability risk factors

    property name* string
    scanBuildDate string

    Scanner build date that published the image.

    scanVersion string

    Scanner version that published the image.

    startupBinaries object[]

    Binaries which are expected to run when the container is created from this image.

  • Array [
  • altered boolean

    Indicates if the binary was installed from a package manager and modified/replaced (true) or not (false).

    cveCount integer

    Total number of CVEs for this specific binary.

    deps string[]

    Third-party package files which are used by the binary.

    functionLayer string

    ID of the serverless layer in which the package was discovered.

    md5 string

    Md5 hashset of the binary.

    missingPkg boolean

    Indicates if this binary is not related to any package (true) or not (false).

    name string

    Name of the binary.

    path string

    Relative path of the binary inside the container.

    pkgRootDir string

    Path for searching packages used by the binary.

    services string[]

    Names of services which use the binary.

    version string

    Version of the binary.

  • ]
  • tags object[]

    Tags associated with the given image.

  • Array [
  • digest string

    Image digest (requires V2 or later registry).

    id string

    ID of the image.

    registry string

    Registry name to which the image belongs.

    repo string

    Repository name to which the image belongs.

    tag string

    Image tag.

  • ]
  • topLayer string

    SHA256 of the image's last layer that is the last element of the Layers field.

    twistlockImage boolean

    Indicates if the image is a Twistlock image (true) or not (false).

    vulnerabilities object[]

    CVE vulnerabilities of the image.

  • Array [
  • applicableRules string[]

    Rules applied on the package.

    binaryPkgs string[]

    Names of the distro binary package names (packages which are built from the source of the package).

    block boolean

    Indicates if the vulnerability has a block effect (true) or not (false).

    cause string

    Additional information regarding the root cause for the vulnerability.

    cri boolean

    Indicates if this is a CRI-specific vulnerability (true) or not (false).

    custom boolean

    Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

    cve string

    CVE ID of the vulnerability (if applied).

    cvss float

    CVSS score of the vulnerability.

    description string

    Description of the vulnerability.

    discovered date-time

    Specifies the time of discovery for the vulnerability.

    exploit vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

    exploits object[]

    Exploits represents the exploits data found for a CVE

  • Array [
  • kind vuln.ExploitKind

    Possible values: [poc,in-the-wild]

    ExploitKind represents the kind of the exploit

    link string

    Link is a link to information about the exploit.

    source vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

  • ]
  • fixDate int64

    Date/time when the vulnerability was fixed (in Unix time).

    fixLink string

    Link to the vendor's fixed-version information.

    functionLayer string

    Specifies the serverless layer ID in which the vulnerability was discovered.

    gracePeriodDays integer

    Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.

    id integer

    ID of the violation.

    layerTime int64

    Date/time of the image layer to which the CVE belongs.

    link string

    Vendor link to the CVE.

    packageName string

    Name of the package that caused the vulnerability.

    packageVersion string

    Version of the package that caused the vulnerability (or null).

    published int64

    Date/time when the vulnerability was published (in Unix time).

    riskFactors object

    RiskFactors maps the existence of vulnerability risk factors

    property name* string
    severity string

    Textual representation of the vulnerability's severity.

    status string

    Vendor status for the vulnerability.

    templates vuln.ComplianceTemplate[]

    Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

    List of templates with which the vulnerability is associated.

    text string

    Description of the violation.

    title string

    Compliance title.

    twistlock boolean

    Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

    type vuln.Type

    Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux]

    Type represents the vulnerability type

    vecStr string

    Textual representation of the metric values used to score the vulnerability.

    vulnTagInfos object[]

    Tag information for the vulnerability.

  • Array [
  • color common.Color

    Color is a hexadecimal representation of color code value

    comment string

    Tag comment in a specific vulnerability context.

    name string

    Name of the tag.

  • ]
  • ]
  • vulnerabilitiesCount integer

    Total number of vulnerabilities.

    vulnerabilityDistribution object

    Distribution counts the number of vulnerabilities per type

    critical integer

    .

    high integer

    .

    low integer

    .

    medium integer

    .

    total integer

    .

    vulnerabilityRiskScore float

    Image's CVE risk score.

    imageName string

    ImageName is the image name (e.g. registry/repo:tag).

    listening object[]

    Listening is a list of listening events detected during this scan.

  • Array [
  • port integer

    Port is the network port.

    process object

    ProcessEvent represents a process event during sandbox scan

    command string

    Command is the command line.

    md5 string

    MD5 is the md5 hash for the process binary.

    parent object

    ProcessInfo holds process information

    command string

    Command is the command line.

    md5 string

    MD5 is the md5 hash for the process binary.

    path string

    Path is the binary path.

    time date-time

    Time is the process start time.

    user string

    User is the username/id.

    path string

    Path is the binary path.

    time date-time

    Time is the process start time.

    user string

    User is the username/id.

    time date-time

    Time is the event time.

  • ]
  • pass boolean

    Pass indicates if the scan passed or failed.

    procs object[]

    Procs are the different detected process during this scan.

  • Array [
  • command string

    Command is the command line.

    md5 string

    MD5 is the md5 hash for the process binary.

    parent object

    ProcessInfo holds process information

    command string

    Command is the command line.

    md5 string

    MD5 is the md5 hash for the process binary.

    path string

    Path is the binary path.

    time date-time

    Time is the process start time.

    user string

    User is the username/id.

    path string

    Path is the binary path.

    time date-time

    Time is the process start time.

    user string

    User is the username/id.

  • ]
  • riskScore double

    RiskScore is the weighted total risk score.

    scanDuration int64

    ScanDuration is the provided scan duration in nanoseconds.

    scanTime date-time

    Start is the scan start time.

    suspiciousFiles object[]

    SuspiciousFiles are suspicious files detected during scan.

  • Array [
  • containerPath string

    ContainerPath is the path of the file in the running container.

    created boolean

    Created indicates if the file was created during runtime.

    md5 string

    MD5 is the file MD5 hash.

    path string

    Path is the path to the copy of the file.

  • ]

Responses

ScanResult represents sandbox scan results

Schema
    _id string

    ID is a unique scan identifier.

    collections string[]

    Collections to which this result applies.

    connection object[]

    Connection is a list of connection events detected during this scan.

  • Array [
  • countryCode string

    CountryCode is the country code for the network IP.

    ip string

    IP is the network IP.

    port integer

    Port is the network port.

    process object

    ProcessEvent represents a process event during sandbox scan

    command string

    Command is the command line.

    md5 string

    MD5 is the md5 hash for the process binary.

    parent object

    ProcessInfo holds process information

    command string

    Command is the command line.

    md5 string

    MD5 is the md5 hash for the process binary.

    path string

    Path is the binary path.

    time date-time

    Time is the process start time.

    user string

    User is the username/id.

    path string

    Path is the binary path.

    time date-time

    Time is the process start time.

    user string

    User is the username/id.

    protocol string

    Protocol is the transport layer protocol (UDP / TCP).

    time date-time

    Time is the event time.

  • ]
  • dns object[]

    DNS is a list of DNS queries detected during this scan.

  • Array [
  • countryCode string

    CountryCode is the country code for the network IP.

    domainName string

    DomainName is the domain name for a DNS query.

    domainType string

    DomainType is the domain type for a DNS query.

    ip string

    IP is the network IP.

    process object

    ProcessEvent represents a process event during sandbox scan

    command string

    Command is the command line.

    md5 string

    MD5 is the md5 hash for the process binary.

    parent object

    ProcessInfo holds process information

    command string

    Command is the command line.

    md5 string

    MD5 is the md5 hash for the process binary.

    path string

    Path is the binary path.

    time date-time

    Time is the process start time.

    user string

    User is the username/id.

    path string

    Path is the binary path.

    time date-time

    Time is the process start time.

    user string

    User is the username/id.

    time date-time

    Time is the event time.

  • ]
  • entrypoint string

    Entrypoint is the command executed in the sandbox scan.

    filesystem object[]

    Filesystem is a list of filesystem events detected during this scan.

  • Array [
  • accessType sandbox.FilesystemAccessType

    Possible values: [open,modify,create]

    FilesystemAccessType represents a type of accessing a file

    path string

    Path is the file path.

    process object

    ProcessEvent represents a process event during sandbox scan

    command string

    Command is the command line.

    md5 string

    MD5 is the md5 hash for the process binary.

    parent object

    ProcessInfo holds process information

    command string

    Command is the command line.

    md5 string

    MD5 is the md5 hash for the process binary.

    path string

    Path is the binary path.

    time date-time

    Time is the process start time.

    user string

    User is the username/id.

    path string

    Path is the binary path.

    time date-time

    Time is the process start time.

    user string

    User is the username/id.

    time date-time

    Time is the event time.

  • ]
  • findings object[]

    Findings are the detected findings during scan.

  • Array [
  • description string

    Description is the finding description.

    events object[]

    Events are the events that lead to the finding detection.

  • Array [
  • description string

    Description describes what happened in the event.

    time date-time

    Time is the time of event detection.

  • ]
  • severity sandbox.FindingSeverity

    Possible values: [critical,high,medium,low]

    FindingSeverity represents a finding severity level

    time date-time

    Time is the detection time (time of triggering event).

    type sandbox.FindingType

    Possible values: [dropper,modifiedBinary,executableCreation,filelessExecutableCreation,wildFireMalware,verticalPortScan,cryptoMiner,suspiciousELFHeader,kernelModule,modifiedBinaryExecution,filelessExecution]

    FindingType represents a unique sandbox-detected finding type

  • ]
  • image object

    ImageInfo contains image information collected during image scan

    Secrets string[]

    Secrets are paths to embedded secrets inside the image Note: capital letter JSON annotation is kept to avoid converting all images for backward-compatibility support.

    allCompliance object

    AllCompliance contains data regarding passed compliance checks

    compliance object[]

    Compliance are all the passed compliance checks.

  • Array [
  • applicableRules string[]

    Rules applied on the package.

    binaryPkgs string[]

    Names of the distro binary package names (packages which are built from the source of the package).

    block boolean

    Indicates if the vulnerability has a block effect (true) or not (false).

    cause string

    Additional information regarding the root cause for the vulnerability.

    cri boolean

    Indicates if this is a CRI-specific vulnerability (true) or not (false).

    custom boolean

    Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

    cve string

    CVE ID of the vulnerability (if applied).

    cvss float

    CVSS score of the vulnerability.

    description string

    Description of the vulnerability.

    discovered date-time

    Specifies the time of discovery for the vulnerability.

    exploit vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

    exploits object[]

    Exploits represents the exploits data found for a CVE

  • Array [
  • kind vuln.ExploitKind

    Possible values: [poc,in-the-wild]

    ExploitKind represents the kind of the exploit

    link string

    Link is a link to information about the exploit.

    source vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

  • ]
  • fixDate int64

    Date/time when the vulnerability was fixed (in Unix time).

    fixLink string

    Link to the vendor's fixed-version information.

    functionLayer string

    Specifies the serverless layer ID in which the vulnerability was discovered.

    gracePeriodDays integer

    Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.

    id integer

    ID of the violation.

    layerTime int64

    Date/time of the image layer to which the CVE belongs.

    link string

    Vendor link to the CVE.

    packageName string

    Name of the package that caused the vulnerability.

    packageVersion string

    Version of the package that caused the vulnerability (or null).

    published int64

    Date/time when the vulnerability was published (in Unix time).

    riskFactors object

    RiskFactors maps the existence of vulnerability risk factors

    property name* string
    severity string

    Textual representation of the vulnerability's severity.

    status string

    Vendor status for the vulnerability.

    templates vuln.ComplianceTemplate[]

    Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

    List of templates with which the vulnerability is associated.

    text string

    Description of the violation.

    title string

    Compliance title.

    twistlock boolean

    Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

    type vuln.Type

    Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux]

    Type represents the vulnerability type

    vecStr string

    Textual representation of the metric values used to score the vulnerability.

    vulnTagInfos object[]

    Tag information for the vulnerability.

  • Array [
  • color common.Color

    Color is a hexadecimal representation of color code value

    comment string

    Tag comment in a specific vulnerability context.

    name string

    Name of the tag.

  • ]
  • ]
  • enabled boolean

    Enabled indicates whether passed compliance checks is enabled by policy.

    applications object[]

    Products in the image.

  • Array [
  • installedFromPackage boolean

    Indicates that the app was installed as an OS package.

    knownVulnerabilities integer

    Total number of vulnerabilities for this application.

    layerTime int64

    Image layer to which the application belongs - layer creation time.

    name string

    Name of the application.

    path string

    Path of the detected application.

    service boolean

    Service indicates whether the application is installed as a service.

    version string

    Version of the application.

  • ]
  • baseImage string

    Image’s base image name. Used when filtering the vulnerabilities by base images.

    binaries object[]

    Binaries in the image.

  • Array [
  • altered boolean

    Indicates if the binary was installed from a package manager and modified/replaced (true) or not (false).

    cveCount integer

    Total number of CVEs for this specific binary.

    deps string[]

    Third-party package files which are used by the binary.

    functionLayer string

    ID of the serverless layer in which the package was discovered.

    md5 string

    Md5 hashset of the binary.

    missingPkg boolean

    Indicates if this binary is not related to any package (true) or not (false).

    name string

    Name of the binary.

    path string

    Relative path of the binary inside the container.

    pkgRootDir string

    Path for searching packages used by the binary.

    services string[]

    Names of services which use the binary.

    version string

    Version of the binary.

  • ]
  • cloudMetadata object

    CloudMetadata is the metadata for an instance running in a cloud provider (AWS/GCP/Azure)

    accountID string

    Cloud account ID.

    awsExecutionEnv string

    AWS execution environment (e.g. EC2/Fargate).

    image string

    Image name.

    labels object[]

    Cloud provider metadata labels.

  • Array [
  • key string

    Label key.

    sourceName string

    Source name (e.g., for a namespace, the source name can be 'twistlock').

    sourceType common.ExternalLabelSourceType

    Possible values: [namespace,deployment,aws,azure,gcp,oci]

    ExternalLabelSourceType indicates the source of the labels

    timestamp date-time

    Time when the label was fetched.

    value string

    Value of the label.

  • ]
  • name string

    Instance name.

    provider common.CloudProvider

    Possible values: [aws,azure,gcp,alibaba,oci,others]

    CloudProvider represents the cloud provider

    region string

    Instance region.

    resourceID string

    Unique ID of the resource.

    resourceURL string

    Server-defined URL for the resource.

    type string

    Instance type.

    vmID string

    Azure unique vm ID.

    vmImageID string

    VMImageID holds the VM image ID.

    clusterType common.ClusterType

    Possible values: [AKS,ECS,EKS,GKE,Kubernetes]

    ClusterType is the cluster type

    clusters string[]

    Cluster names.

    complianceDistribution object

    Distribution counts the number of vulnerabilities per type

    critical integer

    .

    high integer

    .

    low integer

    .

    medium integer

    .

    total integer

    .

    complianceIssues object[]

    All the compliance issues.

  • Array [
  • applicableRules string[]

    Rules applied on the package.

    binaryPkgs string[]

    Names of the distro binary package names (packages which are built from the source of the package).

    block boolean

    Indicates if the vulnerability has a block effect (true) or not (false).

    cause string

    Additional information regarding the root cause for the vulnerability.

    cri boolean

    Indicates if this is a CRI-specific vulnerability (true) or not (false).

    custom boolean

    Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

    cve string

    CVE ID of the vulnerability (if applied).

    cvss float

    CVSS score of the vulnerability.

    description string

    Description of the vulnerability.

    discovered date-time

    Specifies the time of discovery for the vulnerability.

    exploit vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

    exploits object[]

    Exploits represents the exploits data found for a CVE

  • Array [
  • kind vuln.ExploitKind

    Possible values: [poc,in-the-wild]

    ExploitKind represents the kind of the exploit

    link string

    Link is a link to information about the exploit.

    source vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

  • ]
  • fixDate int64

    Date/time when the vulnerability was fixed (in Unix time).

    fixLink string

    Link to the vendor's fixed-version information.

    functionLayer string

    Specifies the serverless layer ID in which the vulnerability was discovered.

    gracePeriodDays integer

    Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.

    id integer

    ID of the violation.

    layerTime int64

    Date/time of the image layer to which the CVE belongs.

    link string

    Vendor link to the CVE.

    packageName string

    Name of the package that caused the vulnerability.

    packageVersion string

    Version of the package that caused the vulnerability (or null).

    published int64

    Date/time when the vulnerability was published (in Unix time).

    riskFactors object

    RiskFactors maps the existence of vulnerability risk factors

    property name* string
    severity string

    Textual representation of the vulnerability's severity.

    status string

    Vendor status for the vulnerability.

    templates vuln.ComplianceTemplate[]

    Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

    List of templates with which the vulnerability is associated.

    text string

    Description of the violation.

    title string

    Compliance title.

    twistlock boolean

    Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

    type vuln.Type

    Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux]

    Type represents the vulnerability type

    vecStr string

    Textual representation of the metric values used to score the vulnerability.

    vulnTagInfos object[]

    Tag information for the vulnerability.

  • Array [
  • color common.Color

    Color is a hexadecimal representation of color code value

    comment string

    Tag comment in a specific vulnerability context.

    name string

    Name of the tag.

  • ]
  • ]
  • complianceIssuesCount integer

    Number of compliance issues.

    complianceRiskScore float

    Compliance risk score for the image.

    creationTime date-time

    Specifies the time of creation for the latest version of the image.

    distro string

    Full name of the distribution.

    ecsClusterName string

    ECS cluster name.

    externalLabels object[]

    Kubernetes external labels of all containers running this image.

  • Array [
  • key string

    Label key.

    sourceName string

    Source name (e.g., for a namespace, the source name can be 'twistlock').

    sourceType common.ExternalLabelSourceType

    Possible values: [namespace,deployment,aws,azure,gcp,oci]

    ExternalLabelSourceType indicates the source of the labels

    timestamp date-time

    Time when the label was fetched.

    value string

    Value of the label.

  • ]
  • files object[]

    Files in the container.

  • Array [
  • md5 string

    Hash sum of the file using md5.

    path string

    Path of the file.

    sha1 string

    Hash sum of the file using SHA-1.

    sha256 string

    Hash sum of the file using SHA256.

  • ]
  • firstScanTime date-time

    Specifies the time of the scan for the first version of the image. This time is preserved even after the version update.

    history object[]

    Docker image history.

  • Array [
  • baseLayer boolean

    Indicates if this layer originated from the base image (true) or not (false).

    created int64

    Date/time when the image layer was created.

    emptyLayer boolean

    Indicates if this instruction didn't create a separate layer (true) or not (false).

    id string

    ID of the layer.

    instruction string

    Docker file instruction and arguments used to create this layer.

    sizeBytes int64

    Size of the layer (in bytes).

    tags string[]

    Holds the image tags.

    vulnerabilities object[]

    Vulnerabilities which originated from this layer.

  • Array [
  • applicableRules string[]

    Rules applied on the package.

    binaryPkgs string[]

    Names of the distro binary package names (packages which are built from the source of the package).

    block boolean

    Indicates if the vulnerability has a block effect (true) or not (false).

    cause string

    Additional information regarding the root cause for the vulnerability.

    cri boolean

    Indicates if this is a CRI-specific vulnerability (true) or not (false).

    custom boolean

    Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

    cve string

    CVE ID of the vulnerability (if applied).

    cvss float

    CVSS score of the vulnerability.

    description string

    Description of the vulnerability.

    discovered date-time

    Specifies the time of discovery for the vulnerability.

    exploit vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

    exploits object[]

    Exploits represents the exploits data found for a CVE

  • Array [
  • kind vuln.ExploitKind

    Possible values: [poc,in-the-wild]

    ExploitKind represents the kind of the exploit

    link string

    Link is a link to information about the exploit.

    source vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

  • ]
  • fixDate int64

    Date/time when the vulnerability was fixed (in Unix time).

    fixLink string

    Link to the vendor's fixed-version information.

    functionLayer string

    Specifies the serverless layer ID in which the vulnerability was discovered.

    gracePeriodDays integer

    Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.

    id integer

    ID of the violation.

    layerTime int64

    Date/time of the image layer to which the CVE belongs.

    link string

    Vendor link to the CVE.

    packageName string

    Name of the package that caused the vulnerability.

    packageVersion string

    Version of the package that caused the vulnerability (or null).

    published int64

    Date/time when the vulnerability was published (in Unix time).

    riskFactors object

    RiskFactors maps the existence of vulnerability risk factors

    property name* string
    severity string

    Textual representation of the vulnerability's severity.

    status string

    Vendor status for the vulnerability.

    templates vuln.ComplianceTemplate[]

    Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

    List of templates with which the vulnerability is associated.

    text string

    Description of the violation.

    title string

    Compliance title.

    twistlock boolean

    Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

    type vuln.Type

    Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux]

    Type represents the vulnerability type

    vecStr string

    Textual representation of the metric values used to score the vulnerability.

    vulnTagInfos object[]

    Tag information for the vulnerability.

  • Array [
  • color common.Color

    Color is a hexadecimal representation of color code value

    comment string

    Tag comment in a specific vulnerability context.

    name string

    Name of the tag.

  • ]
  • ]
  • ]
  • hostDevices object[]

    Map from host network device name to IP address.

  • Array [
  • ip string

    Network device IPv4 address.

    name string

    Network device name.

  • ]
  • id string

    Image ID.

    image object

    Image represents a container image

    created date-time

    Date/time when the image was created.

    entrypoint string[]

    Combined entrypoint of the image (entrypoint + CMD).

    env string[]

    Image environment variables.

    healthcheck boolean

    Indicates if health checks are enabled (true) or not (false).

    history object[]

    Holds the image history.

  • Array [
  • baseLayer boolean

    Indicates if this layer originated from the base image (true) or not (false).

    created int64

    Date/time when the image layer was created.

    emptyLayer boolean

    Indicates if this instruction didn't create a separate layer (true) or not (false).

    id string

    ID of the layer.

    instruction string

    Docker file instruction and arguments used to create this layer.

    sizeBytes int64

    Size of the layer (in bytes).

    tags string[]

    Holds the image tags.

    vulnerabilities object[]

    Vulnerabilities which originated from this layer.

  • Array [
  • applicableRules string[]

    Rules applied on the package.

    binaryPkgs string[]

    Names of the distro binary package names (packages which are built from the source of the package).

    block boolean

    Indicates if the vulnerability has a block effect (true) or not (false).

    cause string

    Additional information regarding the root cause for the vulnerability.

    cri boolean

    Indicates if this is a CRI-specific vulnerability (true) or not (false).

    custom boolean

    Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

    cve string

    CVE ID of the vulnerability (if applied).

    cvss float

    CVSS score of the vulnerability.

    description string

    Description of the vulnerability.

    discovered date-time

    Specifies the time of discovery for the vulnerability.

    exploit vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

    exploits object[]

    Exploits represents the exploits data found for a CVE

  • Array [
  • kind vuln.ExploitKind

    Possible values: [poc,in-the-wild]

    ExploitKind represents the kind of the exploit

    link string

    Link is a link to information about the exploit.

    source vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

  • ]
  • fixDate int64

    Date/time when the vulnerability was fixed (in Unix time).

    fixLink string

    Link to the vendor's fixed-version information.

    functionLayer string

    Specifies the serverless layer ID in which the vulnerability was discovered.

    gracePeriodDays integer

    Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.

    id integer

    ID of the violation.

    layerTime int64

    Date/time of the image layer to which the CVE belongs.

    link string

    Vendor link to the CVE.

    packageName string

    Name of the package that caused the vulnerability.

    packageVersion string

    Version of the package that caused the vulnerability (or null).

    published int64

    Date/time when the vulnerability was published (in Unix time).

    riskFactors object

    RiskFactors maps the existence of vulnerability risk factors

    property name* string
    severity string

    Textual representation of the vulnerability's severity.

    status string

    Vendor status for the vulnerability.

    templates vuln.ComplianceTemplate[]

    Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

    List of templates with which the vulnerability is associated.

    text string

    Description of the violation.

    title string

    Compliance title.

    twistlock boolean

    Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

    type vuln.Type

    Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux]

    Type represents the vulnerability type

    vecStr string

    Textual representation of the metric values used to score the vulnerability.

    vulnTagInfos object[]

    Tag information for the vulnerability.

  • Array [
  • color common.Color

    Color is a hexadecimal representation of color code value

    comment string

    Tag comment in a specific vulnerability context.

    name string

    Name of the tag.

  • ]
  • ]
  • ]
  • id string

    ID of the image.

    labels object

    Image labels.

    property name* string
    layers string[]

    Image filesystem layers.

    os string

    Image os type.

    repoDigest string[]

    Image repo digests.

    repoTags string[]

    Image repo tags.

    user string

    Image user.

    workingDir string

    Base working directory of the image.

    installedProducts object

    InstalledProducts contains data regarding products running in environment TODO #34713: Swarm support was deprecated in Joule, remove swarm node/manager boolean (and related compliance) in Lagrange

    agentless boolean

    Agentless indicates whether the scan was performed with agentless approach.

    apache string

    Apache indicates the apache server version, empty in case apache not running.

    awsCloud boolean

    AWSCloud indicates whether AWS cloud is used.

    crio boolean

    CRI indicates whether the container runtime is CRI (and not docker).

    docker string

    Docker represents the docker daemon version.

    dockerEnterprise boolean

    DockerEnterprise indicates whether the enterprise version of Docker is installed.

    hasPackageManager boolean

    HasPackageManager indicates whether package manager is installed on the OS.

    k8sApiServer boolean

    K8sAPIServer indicates whether a kubernetes API server is running.

    k8sControllerManager boolean

    K8sControllerManager indicates whether a kubernetes controller manager is running.

    k8sEtcd boolean

    K8sEtcd indicates whether etcd is running.

    k8sFederationApiServer boolean

    K8sFederationAPIServer indicates whether a federation API server is running.

    k8sFederationControllerManager boolean

    K8sFederationControllerManager indicates whether a federation controller manager is running.

    k8sKubelet boolean

    K8sKubelet indicates whether kubelet is running.

    k8sProxy boolean

    K8sProxy indicates whether a kubernetes proxy is running.

    k8sScheduler boolean

    K8sScheduler indicates whether the kubernetes scheduler is running.

    kubernetes string

    Kubernetes represents the kubernetes version.

    openshift boolean

    Openshift indicates whether openshift is deployed.

    openshiftVersion string

    OpenshiftVersion represents the running openshift version.

    osDistro string

    OSDistro specifies the os distribution.

    serverless boolean

    Serverless indicates whether evaluated on a serverless environment.

    swarmManager boolean

    SwarmManager indicates whether a swarm manager is running.

    swarmNode boolean

    SwarmNode indicates whether the node is part of an active swarm.

    isARM64 boolean

    IsARM64 indicates if the architecture of the image is aarch64.

    k8sClusterAddr string

    Endpoint of the Kubernetes API server.

    labels string[]

    Image labels.

    layers string[]

    Image's filesystem layers. Each layer is a SHA256 digest of the filesystem diff See: https://windsock.io/explaining-docker-image-ids/.

    missingDistroVulnCoverage boolean

    Indicates if the image OS is covered in the IS (true) or not (false).

    namespaces string[]

    k8s namespaces of all the containers running this image.

    osDistro string

    Name of the OS distribution.

    osDistroRelease string

    OS distribution release.

    osDistroVersion string

    OS distribution version.

    packageCorrelationDone boolean

    PackageCorrelationDone indicates that the correlation to OS packages has been done.

    packageManager boolean

    Indicates if the package manager is installed for the OS.

    packages object[]

    Packages which exist in the image.

  • Array [
  • pkgs object[]

    List of packages.

  • Array [
  • binaryIdx int16[]

    Indexes of the top binaries which use the package.

    binaryPkgs string[]

    Names of the distro binary packages (packages which are built on the source of the package).

    cveCount integer

    Total number of CVEs for this specific package.

    files object[]

    List of package-related files and their hashes. Only included when the appropriate scan option is set.

  • Array [
  • md5 string

    Hash sum of the file using md5.

    path string

    Path of the file.

    sha1 string

    Hash sum of the file using SHA-1.

    sha256 string

    Hash sum of the file using SHA256.

  • ]
  • functionLayer string

    ID of the serverless layer in which the package was discovered.

    goPkg boolean

    GoPkg indicates this is a Go package (and not module).

    jarIdentifier string

    JarIdentifier holds an additional identification detail of a JAR package.

    layerTime int64

    Image layer to which the package belongs (layer creation time).

    license string

    License information for the package.

    name string

    Name of the package.

    osPackage boolean

    OSPackage indicates that a python/java package was installed as an OS package.

    path string

    Full package path (e.g., JAR or Node.js package path).

    version string

    Package version.

  • ]
  • pkgsType vuln.PackageType

    Possible values: [nodejs,gem,python,jar,package,windows,binary,nuget,go]

    PackageType describes the package type

  • ]
  • pushTime date-time

    PushTime is the image push time to the registry.

    registryNamespace string

    IBM cloud namespace to which the image belongs.

    registryType string

    RegistryType indicates the registry type where the image is stored.

    repoDigests string[]

    Digests of the image. Used for content trust (notary). Has one digest per tag.

    repoTag object

    ImageTag represents an image repository and its associated tag or registry digest

    digest string

    Image digest (requires V2 or later registry).

    id string

    ID of the image.

    registry string

    Registry name to which the image belongs.

    repo string

    Repository name to which the image belongs.

    tag string

    Image tag.

    rhelRepos string[]

    RhelRepositories are the (RPM) repositories IDs from which the packages in this image were installed Used for matching vulnerabilities by Red Hat CPEs.

    riskFactors object

    RiskFactors maps the existence of vulnerability risk factors

    property name* string
    scanBuildDate string

    Scanner build date that published the image.

    scanVersion string

    Scanner version that published the image.

    startupBinaries object[]

    Binaries which are expected to run when the container is created from this image.

  • Array [
  • altered boolean

    Indicates if the binary was installed from a package manager and modified/replaced (true) or not (false).

    cveCount integer

    Total number of CVEs for this specific binary.

    deps string[]

    Third-party package files which are used by the binary.

    functionLayer string

    ID of the serverless layer in which the package was discovered.

    md5 string

    Md5 hashset of the binary.

    missingPkg boolean

    Indicates if this binary is not related to any package (true) or not (false).

    name string

    Name of the binary.

    path string

    Relative path of the binary inside the container.

    pkgRootDir string

    Path for searching packages used by the binary.

    services string[]

    Names of services which use the binary.

    version string

    Version of the binary.

  • ]
  • tags object[]

    Tags associated with the given image.

  • Array [
  • digest string

    Image digest (requires V2 or later registry).

    id string

    ID of the image.

    registry string

    Registry name to which the image belongs.

    repo string

    Repository name to which the image belongs.

    tag string

    Image tag.

  • ]
  • topLayer string

    SHA256 of the image's last layer that is the last element of the Layers field.

    twistlockImage boolean

    Indicates if the image is a Twistlock image (true) or not (false).

    vulnerabilities object[]

    CVE vulnerabilities of the image.

  • Array [
  • applicableRules string[]

    Rules applied on the package.

    binaryPkgs string[]

    Names of the distro binary package names (packages which are built from the source of the package).

    block boolean

    Indicates if the vulnerability has a block effect (true) or not (false).

    cause string

    Additional information regarding the root cause for the vulnerability.

    cri boolean

    Indicates if this is a CRI-specific vulnerability (true) or not (false).

    custom boolean

    Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

    cve string

    CVE ID of the vulnerability (if applied).

    cvss float

    CVSS score of the vulnerability.

    description string

    Description of the vulnerability.

    discovered date-time

    Specifies the time of discovery for the vulnerability.

    exploit vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

    exploits object[]

    Exploits represents the exploits data found for a CVE

  • Array [
  • kind vuln.ExploitKind

    Possible values: [poc,in-the-wild]

    ExploitKind represents the kind of the exploit

    link string

    Link is a link to information about the exploit.

    source vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

  • ]
  • fixDate int64

    Date/time when the vulnerability was fixed (in Unix time).

    fixLink string

    Link to the vendor's fixed-version information.

    functionLayer string

    Specifies the serverless layer ID in which the vulnerability was discovered.

    gracePeriodDays integer

    Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.

    id integer

    ID of the violation.

    layerTime int64

    Date/time of the image layer to which the CVE belongs.

    link string

    Vendor link to the CVE.

    packageName string

    Name of the package that caused the vulnerability.

    packageVersion string

    Version of the package that caused the vulnerability (or null).

    published int64

    Date/time when the vulnerability was published (in Unix time).

    riskFactors object

    RiskFactors maps the existence of vulnerability risk factors

    property name* string
    severity string

    Textual representation of the vulnerability's severity.

    status string

    Vendor status for the vulnerability.

    templates vuln.ComplianceTemplate[]

    Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

    List of templates with which the vulnerability is associated.

    text string

    Description of the violation.

    title string

    Compliance title.

    twistlock boolean

    Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

    type vuln.Type

    Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux]

    Type represents the vulnerability type

    vecStr string

    Textual representation of the metric values used to score the vulnerability.

    vulnTagInfos object[]

    Tag information for the vulnerability.

  • Array [
  • color common.Color

    Color is a hexadecimal representation of color code value

    comment string

    Tag comment in a specific vulnerability context.

    name string

    Name of the tag.

  • ]
  • ]
  • vulnerabilitiesCount integer

    Total number of vulnerabilities.

    vulnerabilityDistribution object

    Distribution counts the number of vulnerabilities per type

    critical integer

    .

    high integer

    .

    low integer

    .

    medium integer

    .

    total integer

    .

    vulnerabilityRiskScore float

    Image's CVE risk score.

    imageName string

    ImageName is the image name (e.g. registry/repo:tag).

    listening object[]

    Listening is a list of listening events detected during this scan.

  • Array [
  • port integer

    Port is the network port.

    process object

    ProcessEvent represents a process event during sandbox scan

    command string

    Command is the command line.

    md5 string

    MD5 is the md5 hash for the process binary.

    parent object

    ProcessInfo holds process information

    command string

    Command is the command line.

    md5 string

    MD5 is the md5 hash for the process binary.

    path string

    Path is the binary path.

    time date-time

    Time is the process start time.

    user string

    User is the username/id.

    path string

    Path is the binary path.

    time date-time

    Time is the process start time.

    user string

    User is the username/id.

    time date-time

    Time is the event time.

  • ]
  • pass boolean

    Pass indicates if the scan passed or failed.

    procs object[]

    Procs are the different detected process during this scan.

  • Array [
  • command string

    Command is the command line.

    md5 string

    MD5 is the md5 hash for the process binary.

    parent object

    ProcessInfo holds process information

    command string

    Command is the command line.

    md5 string

    MD5 is the md5 hash for the process binary.

    path string

    Path is the binary path.

    time date-time

    Time is the process start time.

    user string

    User is the username/id.

    path string

    Path is the binary path.

    time date-time

    Time is the process start time.

    user string

    User is the username/id.

  • ]
  • riskScore double

    RiskScore is the weighted total risk score.

    scanDuration int64

    ScanDuration is the provided scan duration in nanoseconds.

    scanTime date-time

    Start is the scan start time.

    suspiciousFiles object[]

    SuspiciousFiles are suspicious files detected during scan.

  • Array [
  • containerPath string

    ContainerPath is the path of the file in the running container.

    created boolean

    Created indicates if the file was created during runtime.

    md5 string

    MD5 is the file MD5 hash.

    path string

    Path is the path to the copy of the file.

  • ]
Loading...