Resolve Hosts
POST/api/v32.07/hosts/evaluate
x-prisma-cloud-target-env: {"permission":"monitorCI"}
Adds vulnerability data for the given host.
Request
- application/json
Body
- Array [
- Array [
- Array [
- ]
- Array [
- ]
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
- Array [
- Array [
- ]
- Array [
- ]
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
- Array [
- Array [
- Array [
- ]
- Array [
- ]
- ]
- ]
- Array [
- ]
- Array [
- Array [
- Array [
- ]
- Array [
- ]
- ]
- ]
- Array [
- ]
- Array [
- Array [
- Array [
- ]
- ]
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
- Array [
- Array [
- ]
- Array [
- ]
- ]
- ]
images object[]
Images is the list of image to resolve.
Secrets are paths to embedded secrets inside the image Note: capital letter JSON annotation is kept to avoid converting all images for backward-compatibility support.
Image identifier (image ID or repo:tag).
Agentless indicates that the host was scanned with the agentless scanner.
AISUUID is the unique instance ID in the agentless instance scanning system.
allCompliance object
AllCompliance contains data regarding passed compliance checks
compliance object[]
Compliance are all the passed compliance checks.
Rules applied on the package.
Names of the distro binary package names (packages which are built from the source of the package).
Indicates if the vulnerability has a block effect (true) or not (false).
Additional information regarding the root cause for the vulnerability.
Indicates if this is a CRI-specific vulnerability (true) or not (false).
Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).
CVE ID of the vulnerability (if applied).
CVSS score of the vulnerability.
Description of the vulnerability.
Specifies the time of discovery for the vulnerability.
Possible values: [,exploit-db,exploit-windows,cisa-kev
]
ExploitType represents the source of an exploit
exploits object[]
Exploits represents the exploits data found for a CVE
Possible values: [poc,in-the-wild
]
ExploitKind represents the kind of the exploit
Link is a link to information about the exploit.
Possible values: [,exploit-db,exploit-windows,cisa-kev
]
ExploitType represents the source of an exploit
Date/time when the vulnerability was fixed (in Unix time).
Link to the vendor's fixed-version information.
Specifies the serverless layer ID in which the vulnerability was discovered.
Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.
ID of the violation.
Date/time of the image layer to which the CVE belongs.
Vendor link to the CVE.
Name of the package that caused the vulnerability.
Possible values: [nodejs,gem,python,jar,package,windows,binary,nuget,go,app,unknown
]
Type describes the package type
Version of the package that caused the vulnerability (or null).
Date/time when the vulnerability was published (in Unix time).
riskFactors object
RiskFactors maps the existence of vulnerability risk factors
secret object
Secret represents a secret found on the scanned workload
LocationInFile is the line and offset in the file where the secret was found.
ModifiedTime is the modification time of the file containing the secret.
Path is the path of the file in which the secret was found.
SecretID is the SHA1 of the secret content.
Snippet is the partial plain secret.
Possible values: [AWS Access Key ID,AWS Secret Key,AWS MWS Auth Token,Azure Storage Account Access Key,Azure Service Principal,GCP Service Account Auth Key,Private Encryption Key,Public Encryption Key,PEM X509 Certificate Header,SSH Authorized Keys,Artifactory API Token,Artifactory Password,Basic Auth Credentials,Mailchimp Access Key,NPM Token,Slack Token,Slack Webhook,Square OAuth Secret,Notion Integration Token,Airtable API Key,Atlassian Oauth2 Keys,CircleCI Personal Token,Databricks Authentication Token,GitHub Token,GitLab Token,Google API key,Grafana Token,Python Package Index Key (PYPI),Typeform API Token,Scalr Token,Braintree Access Token,Braintree Payments Key,Paypal Token Key,Braintree Payments ID,Datadog Client Token,ClickUp Personal API Token,OpenAI API Key,Java DB Connectivity (JDBC),MongoDB,.Net SQL Server
]
SecretType represents a secret type
Textual representation of the vulnerability's severity.
Vendor status for the vulnerability.
Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG
]
List of templates with which the vulnerability is associated.
Description of the violation.
Compliance title.
Indicates if this is a Twistlock-specific vulnerability (true) or not (false).
Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux,gke_worker,image_malware,host_malware,aks_worker,eks_worker,image_secret,host_secret
]
Type represents the vulnerability type
Textual representation of the metric values used to score the vulnerability.
vulnTagInfos object[]
Tag information for the vulnerability.
Color is a hexadecimal representation of color code value
Tag comment in a specific vulnerability context.
Name of the tag.
wildfireMalware object
WildFireMalware holds the data for WildFire malicious MD5
MD5 is the hash of the malicious binary.
Path is the path to malicious binary.
Verdict is the malicious source like grayware, malware and phishing.
Enabled indicates whether passed compliance checks is enabled by policy.
Indicates that this image was scanned by an App-Embedded Defender.
applications object[]
Products in the image.
Indicates that the app was installed as an OS package.
Total number of vulnerabilities for this application.
Image layer to which the application belongs - layer creation time.
Name of the application.
OriginPackageName is the name of the app origin package.
Path of the detected application.
Service indicates whether the application is installed as a service.
Version of the application.
Image’s base image name. Used when filtering the vulnerabilities by base images.
binaries object[]
Binaries in the image.
Indicates if the binary was installed from a package manager and modified/replaced (true) or not (false).
Total number of CVEs for this specific binary.
Third-party package files which are used by the binary.
Represents the file's mode and permission bits.
ID of the serverless layer in which the package was discovered.
Md5 hashset of the binary.
Indicates if this binary is not related to any package (true) or not (false).
Name of the binary.
Path is the path of the binary.
Path for searching packages used by the binary.
Names of services which use the binary.
Version of the binary.
cloudMetadata object
CloudMetadata is the metadata for a cloud provider managed asset (e.g., as part of AWS/GCP/Azure/OCI)
Cloud account ID.
AWS execution environment (e.g. EC2/Fargate).
The name of the image the cloud managed host or container is based on.
labels object[]
Cloud provider metadata labels.
Label key.
Source name (e.g., for a namespace, the source name can be 'twistlock').
Possible values: [namespace,deployment,aws,azure,gcp,oci
]
ExternalLabelSourceType indicates the source of the labels
Time when the label was fetched.
Value of the label.
Resource name.
Possible values: [aws,azure,gcp,alibaba,oci,others
]
CloudProvider specifies the cloud provider name
Resource's region.
Unique ID of the resource.
Server-defined URL for the resource.
Instance type.
Azure unique vm ID.
VMImageID holds the VM instance's image ID.
Possible values: [AKS,ECS,EKS,GKE,Kubernetes
]
ClusterType is the cluster type
Cluster names.
Collections to which this result applies.
complianceDistribution object
Distribution counts the number of vulnerabilities per type
.
.
.
.
.
complianceIssues object[]
All the compliance issues.
Rules applied on the package.
Names of the distro binary package names (packages which are built from the source of the package).
Indicates if the vulnerability has a block effect (true) or not (false).
Additional information regarding the root cause for the vulnerability.
Indicates if this is a CRI-specific vulnerability (true) or not (false).
Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).
CVE ID of the vulnerability (if applied).
CVSS score of the vulnerability.
Description of the vulnerability.
Specifies the time of discovery for the vulnerability.
Possible values: [,exploit-db,exploit-windows,cisa-kev
]
ExploitType represents the source of an exploit
exploits object[]
Exploits represents the exploits data found for a CVE
Possible values: [poc,in-the-wild
]
ExploitKind represents the kind of the exploit
Link is a link to information about the exploit.
Possible values: [,exploit-db,exploit-windows,cisa-kev
]
ExploitType represents the source of an exploit
Date/time when the vulnerability was fixed (in Unix time).
Link to the vendor's fixed-version information.
Specifies the serverless layer ID in which the vulnerability was discovered.
Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.
ID of the violation.
Date/time of the image layer to which the CVE belongs.
Vendor link to the CVE.
Name of the package that caused the vulnerability.
Possible values: [nodejs,gem,python,jar,package,windows,binary,nuget,go,app,unknown
]
Type describes the package type
Version of the package that caused the vulnerability (or null).
Date/time when the vulnerability was published (in Unix time).
riskFactors object
RiskFactors maps the existence of vulnerability risk factors
secret object
Secret represents a secret found on the scanned workload
LocationInFile is the line and offset in the file where the secret was found.
ModifiedTime is the modification time of the file containing the secret.
Path is the path of the file in which the secret was found.
SecretID is the SHA1 of the secret content.
Snippet is the partial plain secret.
Possible values: [AWS Access Key ID,AWS Secret Key,AWS MWS Auth Token,Azure Storage Account Access Key,Azure Service Principal,GCP Service Account Auth Key,Private Encryption Key,Public Encryption Key,PEM X509 Certificate Header,SSH Authorized Keys,Artifactory API Token,Artifactory Password,Basic Auth Credentials,Mailchimp Access Key,NPM Token,Slack Token,Slack Webhook,Square OAuth Secret,Notion Integration Token,Airtable API Key,Atlassian Oauth2 Keys,CircleCI Personal Token,Databricks Authentication Token,GitHub Token,GitLab Token,Google API key,Grafana Token,Python Package Index Key (PYPI),Typeform API Token,Scalr Token,Braintree Access Token,Braintree Payments Key,Paypal Token Key,Braintree Payments ID,Datadog Client Token,ClickUp Personal API Token,OpenAI API Key,Java DB Connectivity (JDBC),MongoDB,.Net SQL Server
]
SecretType represents a secret type
Textual representation of the vulnerability's severity.
Vendor status for the vulnerability.
Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG
]
List of templates with which the vulnerability is associated.
Description of the violation.
Compliance title.
Indicates if this is a Twistlock-specific vulnerability (true) or not (false).
Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux,gke_worker,image_malware,host_malware,aks_worker,eks_worker,image_secret,host_secret
]
Type represents the vulnerability type
Textual representation of the metric values used to score the vulnerability.
vulnTagInfos object[]
Tag information for the vulnerability.
Color is a hexadecimal representation of color code value
Tag comment in a specific vulnerability context.
Name of the tag.
wildfireMalware object
WildFireMalware holds the data for WildFire malicious MD5
MD5 is the hash of the malicious binary.
Path is the path to malicious binary.
Verdict is the malicious source like grayware, malware and phishing.
Number of compliance issues.
Compliance risk score for the image.
Compressed indicates if this image seems to be compressed - currently only relevant for buildah images.
compressedLayerTimes object
CompressedLayerTimes represent the compressed layer times of the image apps and pkgs
.
pkgsTimes object[]
.
.
Possible values: [nodejs,gem,python,jar,package,windows,binary,nuget,go,app,unknown
]
Type describes the package type
Specifies the time of creation for the latest version of the image.
CSA indicates the scan was performed by the CSA.
Full name of the distribution.
ECS cluster name.
Description of an error that occurred during image scan.
ImageScanResultErrCode represents the asset status error
externalLabels object[]
Kubernetes external labels of all containers running this image.
Label key.
Source name (e.g., for a namespace, the source name can be 'twistlock').
Possible values: [namespace,deployment,aws,azure,gcp,oci
]
ExternalLabelSourceType indicates the source of the labels
Time when the label was fetched.
Value of the label.
files object[]
Files in the container.
Hash sum of the file using md5.
Path of the file.
Hash sum of the file using SHA-1.
Hash sum of the file using SHA256.
firewallProtection object
ProtectionStatus describes the status of the WAAS protection
Enabled indicates if WAAS proxy protection is enabled (true) or not (false).
Possible values: [,Observation,Protection
]
OutOfBandMode holds the app firewall out-of-band mode
Ports indicates http open ports associated with the container.
Supported indicates if WAAS protection is supported (true) or not (false).
TLSPorts indicates https open ports associated with the container.
unprotectedProcesses object[]
UnprotectedProcesses holds the processes that support HTTP/HTTPS without WAAS protection.
Port is the process port.
Process is the process name.
TLS is the port TLS indication.
Specifies the time of the scan for the first version of the image. This time is preserved even after the version update.
foundSecrets object[]
FoundSecrets are secrets with metadata that were found in the secrets' scan. Requires json tag for reporting secrets from image scan.
LocationInFile is the line and offset in the file where the secret was found.
ModifiedTime is the modification time of the file containing the secret.
Path is the path of the file in which the secret was found.
SecretID is the SHA1 of the secret content.
Snippet is the partial plain secret.
Possible values: [AWS Access Key ID,AWS Secret Key,AWS MWS Auth Token,Azure Storage Account Access Key,Azure Service Principal,GCP Service Account Auth Key,Private Encryption Key,Public Encryption Key,PEM X509 Certificate Header,SSH Authorized Keys,Artifactory API Token,Artifactory Password,Basic Auth Credentials,Mailchimp Access Key,NPM Token,Slack Token,Slack Webhook,Square OAuth Secret,Notion Integration Token,Airtable API Key,Atlassian Oauth2 Keys,CircleCI Personal Token,Databricks Authentication Token,GitHub Token,GitLab Token,Google API key,Grafana Token,Python Package Index Key (PYPI),Typeform API Token,Scalr Token,Braintree Access Token,Braintree Payments Key,Paypal Token Key,Braintree Payments ID,Datadog Client Token,ClickUp Personal API Token,OpenAI API Key,Java DB Connectivity (JDBC),MongoDB,.Net SQL Server
]
SecretType represents a secret type
history object[]
Docker image history.
Indicates if this layer originated from the base image (true) or not (false).
Date/time when the image layer was created.
Indicates if this instruction didn't create a separate layer (true) or not (false).
ID of the layer.
Docker file instruction and arguments used to create this layer.
Size of the layer (in bytes).
Holds the image tags.
vulnerabilities object[]
Vulnerabilities which originated from this layer.
Rules applied on the package.
Names of the distro binary package names (packages which are built from the source of the package).
Indicates if the vulnerability has a block effect (true) or not (false).
Additional information regarding the root cause for the vulnerability.
Indicates if this is a CRI-specific vulnerability (true) or not (false).
Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).
CVE ID of the vulnerability (if applied).
CVSS score of the vulnerability.
Description of the vulnerability.
Specifies the time of discovery for the vulnerability.
Possible values: [,exploit-db,exploit-windows,cisa-kev
]
ExploitType represents the source of an exploit
exploits object[]
Exploits represents the exploits data found for a CVE
Possible values: [poc,in-the-wild
]
ExploitKind represents the kind of the exploit
Link is a link to information about the exploit.
Possible values: [,exploit-db,exploit-windows,cisa-kev
]
ExploitType represents the source of an exploit
Date/time when the vulnerability was fixed (in Unix time).
Link to the vendor's fixed-version information.
Specifies the serverless layer ID in which the vulnerability was discovered.
Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.
ID of the violation.
Date/time of the image layer to which the CVE belongs.
Vendor link to the CVE.
Name of the package that caused the vulnerability.
Possible values: [nodejs,gem,python,jar,package,windows,binary,nuget,go,app,unknown
]
Type describes the package type
Version of the package that caused the vulnerability (or null).
Date/time when the vulnerability was published (in Unix time).
riskFactors object
RiskFactors maps the existence of vulnerability risk factors
secret object
Secret represents a secret found on the scanned workload
LocationInFile is the line and offset in the file where the secret was found.
ModifiedTime is the modification time of the file containing the secret.
Path is the path of the file in which the secret was found.
SecretID is the SHA1 of the secret content.
Snippet is the partial plain secret.
Possible values: [AWS Access Key ID,AWS Secret Key,AWS MWS Auth Token,Azure Storage Account Access Key,Azure Service Principal,GCP Service Account Auth Key,Private Encryption Key,Public Encryption Key,PEM X509 Certificate Header,SSH Authorized Keys,Artifactory API Token,Artifactory Password,Basic Auth Credentials,Mailchimp Access Key,NPM Token,Slack Token,Slack Webhook,Square OAuth Secret,Notion Integration Token,Airtable API Key,Atlassian Oauth2 Keys,CircleCI Personal Token,Databricks Authentication Token,GitHub Token,GitLab Token,Google API key,Grafana Token,Python Package Index Key (PYPI),Typeform API Token,Scalr Token,Braintree Access Token,Braintree Payments Key,Paypal Token Key,Braintree Payments ID,Datadog Client Token,ClickUp Personal API Token,OpenAI API Key,Java DB Connectivity (JDBC),MongoDB,.Net SQL Server
]
SecretType represents a secret type
Textual representation of the vulnerability's severity.
Vendor status for the vulnerability.
Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG
]
List of templates with which the vulnerability is associated.
Description of the violation.
Compliance title.
Indicates if this is a Twistlock-specific vulnerability (true) or not (false).
Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux,gke_worker,image_malware,host_malware,aks_worker,eks_worker,image_secret,host_secret
]
Type represents the vulnerability type
Textual representation of the metric values used to score the vulnerability.
vulnTagInfos object[]
Tag information for the vulnerability.
Color is a hexadecimal representation of color code value
Tag comment in a specific vulnerability context.
Name of the tag.
wildfireMalware object
WildFireMalware holds the data for WildFire malicious MD5
MD5 is the hash of the malicious binary.
Path is the path to malicious binary.
Verdict is the malicious source like grayware, malware and phishing.
hostDevices object[]
Map from host network device name to IP address.
Network device IPv4 address.
Network device name.
HostRuntimeEnabled indicates if any runtime rule applies to the host.
Name of the host that was scanned.
hosts object
ImageHosts is a fast index for image scan results metadata per host
property name* shared.ImageHost
ImageHost holds information about image scan result per host
AccountID is the cloud account ID the image is associated with.
Agentless indicates if the image was scanned as part of an agentless scan.
AgentlessScanID is the ID of the agentless scan in which the result was received.
AIS indicates the scan was performed by AIS.
AppEmbedded indicates if the host is an app embedded host.
Cluster is the cluster on which the image is deployed.
CSA indicates if the image was scanned by CSA.
Modified is the last scan time.
Namespaces are the namespaces on which the image is deployed.
Image ID.
image object
Image represents a container image
Date/time when the image was created.
Combined entrypoint of the image (entrypoint + CMD).
Image environment variables.
Indicates if health checks are enabled (true) or not (false).
history object[]
Holds the image history.
Indicates if this layer originated from the base image (true) or not (false).
Date/time when the image layer was created.
Indicates if this instruction didn't create a separate layer (true) or not (false).
ID of the layer.
Docker file instruction and arguments used to create this layer.
Size of the layer (in bytes).
Holds the image tags.
vulnerabilities object[]
Vulnerabilities which originated from this layer.
Rules applied on the package.
Names of the distro binary package names (packages which are built from the source of the package).
Indicates if the vulnerability has a block effect (true) or not (false).
Additional information regarding the root cause for the vulnerability.
Indicates if this is a CRI-specific vulnerability (true) or not (false).
Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).
CVE ID of the vulnerability (if applied).
CVSS score of the vulnerability.
Description of the vulnerability.
Specifies the time of discovery for the vulnerability.
Possible values: [,exploit-db,exploit-windows,cisa-kev
]
ExploitType represents the source of an exploit
exploits object[]
Exploits represents the exploits data found for a CVE
Possible values: [poc,in-the-wild
]
ExploitKind represents the kind of the exploit
Link is a link to information about the exploit.
Possible values: [,exploit-db,exploit-windows,cisa-kev
]
ExploitType represents the source of an exploit
Date/time when the vulnerability was fixed (in Unix time).
Link to the vendor's fixed-version information.
Specifies the serverless layer ID in which the vulnerability was discovered.
Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.
ID of the violation.
Date/time of the image layer to which the CVE belongs.
Vendor link to the CVE.
Name of the package that caused the vulnerability.
Possible values: [nodejs,gem,python,jar,package,windows,binary,nuget,go,app,unknown
]
Type describes the package type
Version of the package that caused the vulnerability (or null).
Date/time when the vulnerability was published (in Unix time).
riskFactors object
RiskFactors maps the existence of vulnerability risk factors
secret object
Secret represents a secret found on the scanned workload
LocationInFile is the line and offset in the file where the secret was found.
ModifiedTime is the modification time of the file containing the secret.
Path is the path of the file in which the secret was found.
SecretID is the SHA1 of the secret content.
Snippet is the partial plain secret.
Possible values: [AWS Access Key ID,AWS Secret Key,AWS MWS Auth Token,Azure Storage Account Access Key,Azure Service Principal,GCP Service Account Auth Key,Private Encryption Key,Public Encryption Key,PEM X509 Certificate Header,SSH Authorized Keys,Artifactory API Token,Artifactory Password,Basic Auth Credentials,Mailchimp Access Key,NPM Token,Slack Token,Slack Webhook,Square OAuth Secret,Notion Integration Token,Airtable API Key,Atlassian Oauth2 Keys,CircleCI Personal Token,Databricks Authentication Token,GitHub Token,GitLab Token,Google API key,Grafana Token,Python Package Index Key (PYPI),Typeform API Token,Scalr Token,Braintree Access Token,Braintree Payments Key,Paypal Token Key,Braintree Payments ID,Datadog Client Token,ClickUp Personal API Token,OpenAI API Key,Java DB Connectivity (JDBC),MongoDB,.Net SQL Server
]
SecretType represents a secret type
Textual representation of the vulnerability's severity.
Vendor status for the vulnerability.
Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG
]
List of templates with which the vulnerability is associated.
Description of the violation.
Compliance title.
Indicates if this is a Twistlock-specific vulnerability (true) or not (false).
Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux,gke_worker,image_malware,host_malware,aks_worker,eks_worker,image_secret,host_secret
]
Type represents the vulnerability type
Textual representation of the metric values used to score the vulnerability.
vulnTagInfos object[]
Tag information for the vulnerability.
Color is a hexadecimal representation of color code value
Tag comment in a specific vulnerability context.
Name of the tag.
wildfireMalware object
WildFireMalware holds the data for WildFire malicious MD5
MD5 is the hash of the malicious binary.
Path is the path to malicious binary.
Verdict is the malicious source like grayware, malware and phishing.
ID of the image.
labels object
Image labels.
Image filesystem layers.
Image os type.
Image repo digests.
Image repo tags.
Image user.
Base working directory of the image.
installedProducts object
InstalledProducts contains data regarding products running in environment TODO #34713: Swarm support was deprecated in Joule, remove swarm node/manager boolean (and related compliance) in Lagrange
Agentless indicates whether the scan was performed with agentless approach.
Apache indicates the apache server version, empty in case apache not running.
AWSCloud indicates whether AWS cloud is used.
Possible values: [AKS,ECS,EKS,GKE,Kubernetes
]
ClusterType is the cluster type
CRI indicates whether the container runtime is CRI (and not docker).
Docker represents the docker daemon version.
DockerEnterprise indicates whether the enterprise version of Docker is installed.
HasPackageManager indicates whether package manager is installed on the OS.
K8sAPIServer indicates whether a kubernetes API server is running.
K8sControllerManager indicates whether a kubernetes controller manager is running.
K8sEtcd indicates whether etcd is running.
K8sFederationAPIServer indicates whether a federation API server is running.
K8sFederationControllerManager indicates whether a federation controller manager is running.
K8sKubelet indicates whether kubelet is running.
K8sProxy indicates whether a kubernetes proxy is running.
K8sScheduler indicates whether the kubernetes scheduler is running.
Kubernetes represents the kubernetes version.
ManagedClusterVersion is the version of the managed Kubernetes service, e.g. AKS/EKS/GKE/etc.
Openshift indicates whether openshift is deployed.
OpenshiftVersion represents the running openshift version.
OSDistro specifies the os distribution.
Serverless indicates whether evaluated on a serverless environment.
SwarmManager indicates whether a swarm manager is running.
SwarmNode indicates whether the node is part of an active swarm.
instances object[]
Details about each occurrence of the image (tag + host).
.
.
.
.
.
.
IsARM64 indicates if the architecture of the image is aarch64.
Endpoint of the Kubernetes API server.
Image labels.
Image's filesystem layers. Each layer is a SHA256 digest of the filesystem diff See: https://windsock.io/explaining-docker-image-ids/.
MalwareAnalyzedTime is the WildFire evaluator analyzing time shown as progress in UI and cannot to be overwritten by a new scan result.
Indicates if the image OS is covered in the IS (true) or not (false).
k8s namespaces of all the containers running this image.
Name of the OS distribution.
OS distribution release.
OS distribution version.
Indicates if the package manager is installed for the OS.
packages object[]
Packages which exist in the image.
pkgs object[]
List of packages.
Author is the package's author.
Indexes of the top binaries which use the package.
Names of the distro binary packages (packages which are built on the source of the package).
Total number of CVEs for this specific package.
DefaultGem indicates this is a gem default package (and not a bundled package).
files object[]
List of package-related files and their hashes. Only included when the appropriate scan option is set.
Hash sum of the file using md5.
Path of the file.
Hash sum of the file using SHA-1.
Hash sum of the file using SHA256.
ID of the serverless layer in which the package was discovered.
GoPkg indicates this is a Go package (and not module).
JarIdentifier holds an additional identification detail of a JAR package.
Image layer to which the package belongs (layer creation time).
License information for the package.
Name of the package.
OriginPackageName is the name of the third-party origin package.
OSPackage indicates that a python/java package was installed as an OS package.
Full package path (e.g., JAR or Node.js package path).
PURL is a package URL identifier for this package.
SecurityRepoPkg determines if this package is available in a security repository.
Symbols contains names of vulnerable functions that are linked in the executable binary, empty if the entire package is vulnerable.
Package version.
Possible values: [nodejs,gem,python,jar,package,windows,binary,nuget,go,app,unknown
]
Type describes the package type
PullDuration is the time it took to pull the image.
PushTime is the image push time to the registry.
RedHatNonRPMImage indicates whether the image is a Red Hat image with non-RPM content.
IBM cloud namespace to which the image belongs.
RegistryTags are the tags of the registry this image is stored.
RegistryType indicates the registry type where the image is stored.
Digests of the image. Used for content trust (notary). Has one digest per tag.
repoTag object
ImageTag represents an image repository and its associated tag or registry digest
Image digest (requires V2 or later registry).
ID of the image.
Registry name to which the image belongs.
Repository name to which the image belongs.
Image tag.
RhelRepositories are the (RPM) repositories IDs from which the packages in this image were installed Used for matching vulnerabilities by Red Hat CPEs.
riskFactors object
RiskFactors maps the existence of vulnerability risk factors
Scanner build date that published the image.
ScanDuration is the total time it took to scan the image.
ScanID is the ID of the scan.
Specifies the time of the last scan of the image.
Scanner version that published the image.
secretScanMetrics object
SecretScanMetrics represents metrics collected during secret scan
FailedScans represents number of failed scans caused by scanner errors.
FoundSecrets represents number of detected secrets.
ScanTime represents cumulative secret scan time in microseconds.
ScanTimeouts represents number of failed scans caused by timeout.
ScannedFileSize represents accumulated size of scanned files.
ScannedFiles represents number of text files scanned for secrets.
TotalBytes represents accumulated file size.
TotalFiles represents number of files read for secrets.
TotalTime represents the total time in microseconds.
typesCount object
TypesCount represents distribution of secrets by its type.
startupBinaries object[]
Binaries which are expected to run when the container is created from this image.
Indicates if the binary was installed from a package manager and modified/replaced (true) or not (false).
Total number of CVEs for this specific binary.
Third-party package files which are used by the binary.
Represents the file's mode and permission bits.
ID of the serverless layer in which the package was discovered.
Md5 hashset of the binary.
Indicates if this binary is not related to any package (true) or not (false).
Name of the binary.
Path is the path of the binary.
Path for searching packages used by the binary.
Names of services which use the binary.
Version of the binary.
Stopped indicates whether the host was running during the agentless scan.
tags object[]
Tags associated with the given image.
Image digest (requires V2 or later registry).
ID of the image.
Registry name to which the image belongs.
Repository name to which the image belongs.
Image tag.
SHA256 of the image's last layer that is the last element of the Layers field.
trustResult object
ImageResult represents an aggregated image trust result
groups object[]
Trust groups which apply to the image.
Name of the group.
Indicates whether the rule is currently disabled. Values: true (disabled) or false (enabled).
Image names or IDs (e.g., docker.io/library/ubuntu:16.04 / SHA264@...).
Filesystem layers. The image is trusted if its layers have a prefix of the trusted groups layer in the same order.
Specifies the date and time when the rule was last modified.
Name of the rule.
Describes any noteworthy points for a rule. You can include any text.
User who created or last modified the rule.
Previous name of the rule. Required for rule renaming.
hostsStatuses object[]
Image trust status on each host. Can be set to "trusted" or "untrusted".
Host name.
Possible values: [trusted,untrusted
]
Status is the trust status for an image
Possible values: [trusted,untrusted
]
Status is the trust status for an image
Indicates if the image is a Twistlock image (true) or not (false).
Possible values: [image,ciImage,container,host,agentlessHost,registry,serverlessScan,ciServerless,vm,tas,ciTas,cloudDiscovery,serverlessRadar,serverlessAutoDeploy,hostAutoDeploy,codeRepo,ciCodeRepo
]
ScanType displays the components for an ongoing scan
vulnerabilities object[]
CVE vulnerabilities of the image.
Rules applied on the package.
Names of the distro binary package names (packages which are built from the source of the package).
Indicates if the vulnerability has a block effect (true) or not (false).
Additional information regarding the root cause for the vulnerability.
Indicates if this is a CRI-specific vulnerability (true) or not (false).
Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).
CVE ID of the vulnerability (if applied).
CVSS score of the vulnerability.
Description of the vulnerability.
Specifies the time of discovery for the vulnerability.
Possible values: [,exploit-db,exploit-windows,cisa-kev
]
ExploitType represents the source of an exploit
exploits object[]
Exploits represents the exploits data found for a CVE
Possible values: [poc,in-the-wild
]
ExploitKind represents the kind of the exploit
Link is a link to information about the exploit.
Possible values: [,exploit-db,exploit-windows,cisa-kev
]
ExploitType represents the source of an exploit
Date/time when the vulnerability was fixed (in Unix time).
Link to the vendor's fixed-version information.
Specifies the serverless layer ID in which the vulnerability was discovered.
Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.
ID of the violation.
Date/time of the image layer to which the CVE belongs.
Vendor link to the CVE.
Name of the package that caused the vulnerability.
Possible values: [nodejs,gem,python,jar,package,windows,binary,nuget,go,app,unknown
]
Type describes the package type
Version of the package that caused the vulnerability (or null).
Date/time when the vulnerability was published (in Unix time).
riskFactors object
RiskFactors maps the existence of vulnerability risk factors
secret object
Secret represents a secret found on the scanned workload
LocationInFile is the line and offset in the file where the secret was found.
ModifiedTime is the modification time of the file containing the secret.
Path is the path of the file in which the secret was found.
SecretID is the SHA1 of the secret content.
Snippet is the partial plain secret.
Possible values: [AWS Access Key ID,AWS Secret Key,AWS MWS Auth Token,Azure Storage Account Access Key,Azure Service Principal,GCP Service Account Auth Key,Private Encryption Key,Public Encryption Key,PEM X509 Certificate Header,SSH Authorized Keys,Artifactory API Token,Artifactory Password,Basic Auth Credentials,Mailchimp Access Key,NPM Token,Slack Token,Slack Webhook,Square OAuth Secret,Notion Integration Token,Airtable API Key,Atlassian Oauth2 Keys,CircleCI Personal Token,Databricks Authentication Token,GitHub Token,GitLab Token,Google API key,Grafana Token,Python Package Index Key (PYPI),Typeform API Token,Scalr Token,Braintree Access Token,Braintree Payments Key,Paypal Token Key,Braintree Payments ID,Datadog Client Token,ClickUp Personal API Token,OpenAI API Key,Java DB Connectivity (JDBC),MongoDB,.Net SQL Server
]
SecretType represents a secret type
Textual representation of the vulnerability's severity.
Vendor status for the vulnerability.
Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG
]
List of templates with which the vulnerability is associated.
Description of the violation.
Compliance title.
Indicates if this is a Twistlock-specific vulnerability (true) or not (false).
Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux,gke_worker,image_malware,host_malware,aks_worker,eks_worker,image_secret,host_secret
]
Type represents the vulnerability type
Textual representation of the metric values used to score the vulnerability.
vulnTagInfos object[]
Tag information for the vulnerability.
Color is a hexadecimal representation of color code value
Tag comment in a specific vulnerability context.
Name of the tag.
wildfireMalware object
WildFireMalware holds the data for WildFire malicious MD5
MD5 is the hash of the malicious binary.
Path is the path to malicious binary.
Verdict is the malicious source like grayware, malware and phishing.
Total number of vulnerabilities.
vulnerabilityDistribution object
Distribution counts the number of vulnerabilities per type
.
.
.
.
.
Image's CVE risk score.
wildFireUsage object
Usage holds wildfire usage stats, period for the usage varies with context
Bytes is the total number of bytes uploaded to the WildFire API.
Queries is the number of queries to the WildFire API.
Uploads is the number of uploads to the WildFire API.
Responses
- 200
- default
ResolveImagesResp represents the images resolution API output
- application/json
- Schema
- Example (from schema)
Schema
- Array [
- Array [
- Array [
- ]
- Array [
- ]
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
- Array [
- Array [
- ]
- Array [
- ]
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
- Array [
- Array [
- Array [
- ]
- Array [
- ]
- ]
- ]
- Array [
- ]
- Array [
- Array [
- Array [
- ]
- Array [
- ]
- ]
- ]
- Array [
- ]
- Array [
- Array [
- Array [
- ]
- ]
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
- Array [
- Array [
- ]
- Array [
- ]
- ]
- ]
images object[]
Images is the list of images that were resolved.
Secrets are paths to embedded secrets inside the image Note: capital letter JSON annotation is kept to avoid converting all images for backward-compatibility support.
Image identifier (image ID or repo:tag).
Agentless indicates that the host was scanned with the agentless scanner.
AISUUID is the unique instance ID in the agentless instance scanning system.
allCompliance object
AllCompliance contains data regarding passed compliance checks
compliance object[]
Compliance are all the passed compliance checks.
Rules applied on the package.
Names of the distro binary package names (packages which are built from the source of the package).
Indicates if the vulnerability has a block effect (true) or not (false).
Additional information regarding the root cause for the vulnerability.
Indicates if this is a CRI-specific vulnerability (true) or not (false).
Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).
CVE ID of the vulnerability (if applied).
CVSS score of the vulnerability.
Description of the vulnerability.
Specifies the time of discovery for the vulnerability.
Possible values: [,exploit-db,exploit-windows,cisa-kev
]
ExploitType represents the source of an exploit
exploits object[]
Exploits represents the exploits data found for a CVE
Possible values: [poc,in-the-wild
]
ExploitKind represents the kind of the exploit
Link is a link to information about the exploit.
Possible values: [,exploit-db,exploit-windows,cisa-kev
]
ExploitType represents the source of an exploit
Date/time when the vulnerability was fixed (in Unix time).
Link to the vendor's fixed-version information.
Specifies the serverless layer ID in which the vulnerability was discovered.
Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.
ID of the violation.
Date/time of the image layer to which the CVE belongs.
Vendor link to the CVE.
Name of the package that caused the vulnerability.
Possible values: [nodejs,gem,python,jar,package,windows,binary,nuget,go,app,unknown
]
Type describes the package type
Version of the package that caused the vulnerability (or null).
Date/time when the vulnerability was published (in Unix time).
riskFactors object
RiskFactors maps the existence of vulnerability risk factors
secret object
Secret represents a secret found on the scanned workload
LocationInFile is the line and offset in the file where the secret was found.
ModifiedTime is the modification time of the file containing the secret.
Path is the path of the file in which the secret was found.
SecretID is the SHA1 of the secret content.
Snippet is the partial plain secret.
Possible values: [AWS Access Key ID,AWS Secret Key,AWS MWS Auth Token,Azure Storage Account Access Key,Azure Service Principal,GCP Service Account Auth Key,Private Encryption Key,Public Encryption Key,PEM X509 Certificate Header,SSH Authorized Keys,Artifactory API Token,Artifactory Password,Basic Auth Credentials,Mailchimp Access Key,NPM Token,Slack Token,Slack Webhook,Square OAuth Secret,Notion Integration Token,Airtable API Key,Atlassian Oauth2 Keys,CircleCI Personal Token,Databricks Authentication Token,GitHub Token,GitLab Token,Google API key,Grafana Token,Python Package Index Key (PYPI),Typeform API Token,Scalr Token,Braintree Access Token,Braintree Payments Key,Paypal Token Key,Braintree Payments ID,Datadog Client Token,ClickUp Personal API Token,OpenAI API Key,Java DB Connectivity (JDBC),MongoDB,.Net SQL Server
]
SecretType represents a secret type
Textual representation of the vulnerability's severity.
Vendor status for the vulnerability.
Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG
]
List of templates with which the vulnerability is associated.
Description of the violation.
Compliance title.
Indicates if this is a Twistlock-specific vulnerability (true) or not (false).
Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux,gke_worker,image_malware,host_malware,aks_worker,eks_worker,image_secret,host_secret
]
Type represents the vulnerability type
Textual representation of the metric values used to score the vulnerability.
vulnTagInfos object[]
Tag information for the vulnerability.
Color is a hexadecimal representation of color code value
Tag comment in a specific vulnerability context.
Name of the tag.
wildfireMalware object
WildFireMalware holds the data for WildFire malicious MD5
MD5 is the hash of the malicious binary.
Path is the path to malicious binary.
Verdict is the malicious source like grayware, malware and phishing.
Enabled indicates whether passed compliance checks is enabled by policy.
Indicates that this image was scanned by an App-Embedded Defender.
applications object[]
Products in the image.
Indicates that the app was installed as an OS package.
Total number of vulnerabilities for this application.
Image layer to which the application belongs - layer creation time.
Name of the application.
OriginPackageName is the name of the app origin package.
Path of the detected application.
Service indicates whether the application is installed as a service.
Version of the application.
Image’s base image name. Used when filtering the vulnerabilities by base images.
binaries object[]
Binaries in the image.
Indicates if the binary was installed from a package manager and modified/replaced (true) or not (false).
Total number of CVEs for this specific binary.
Third-party package files which are used by the binary.
Represents the file's mode and permission bits.
ID of the serverless layer in which the package was discovered.
Md5 hashset of the binary.
Indicates if this binary is not related to any package (true) or not (false).
Name of the binary.
Path is the path of the binary.
Path for searching packages used by the binary.
Names of services which use the binary.
Version of the binary.
cloudMetadata object
CloudMetadata is the metadata for a cloud provider managed asset (e.g., as part of AWS/GCP/Azure/OCI)
Cloud account ID.
AWS execution environment (e.g. EC2/Fargate).
The name of the image the cloud managed host or container is based on.
labels object[]
Cloud provider metadata labels.
Label key.
Source name (e.g., for a namespace, the source name can be 'twistlock').
Possible values: [namespace,deployment,aws,azure,gcp,oci
]
ExternalLabelSourceType indicates the source of the labels
Time when the label was fetched.
Value of the label.
Resource name.
Possible values: [aws,azure,gcp,alibaba,oci,others
]
CloudProvider specifies the cloud provider name
Resource's region.
Unique ID of the resource.
Server-defined URL for the resource.
Instance type.
Azure unique vm ID.
VMImageID holds the VM instance's image ID.
Possible values: [AKS,ECS,EKS,GKE,Kubernetes
]
ClusterType is the cluster type
Cluster names.
Collections to which this result applies.
complianceDistribution object
Distribution counts the number of vulnerabilities per type
.
.
.
.
.
complianceIssues object[]
All the compliance issues.
Rules applied on the package.
Names of the distro binary package names (packages which are built from the source of the package).
Indicates if the vulnerability has a block effect (true) or not (false).
Additional information regarding the root cause for the vulnerability.
Indicates if this is a CRI-specific vulnerability (true) or not (false).
Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).
CVE ID of the vulnerability (if applied).
CVSS score of the vulnerability.
Description of the vulnerability.
Specifies the time of discovery for the vulnerability.
Possible values: [,exploit-db,exploit-windows,cisa-kev
]
ExploitType represents the source of an exploit
exploits object[]
Exploits represents the exploits data found for a CVE
Possible values: [poc,in-the-wild
]
ExploitKind represents the kind of the exploit
Link is a link to information about the exploit.
Possible values: [,exploit-db,exploit-windows,cisa-kev
]
ExploitType represents the source of an exploit
Date/time when the vulnerability was fixed (in Unix time).
Link to the vendor's fixed-version information.
Specifies the serverless layer ID in which the vulnerability was discovered.
Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.
ID of the violation.
Date/time of the image layer to which the CVE belongs.
Vendor link to the CVE.
Name of the package that caused the vulnerability.
Possible values: [nodejs,gem,python,jar,package,windows,binary,nuget,go,app,unknown
]
Type describes the package type
Version of the package that caused the vulnerability (or null).
Date/time when the vulnerability was published (in Unix time).
riskFactors object
RiskFactors maps the existence of vulnerability risk factors
secret object
Secret represents a secret found on the scanned workload
LocationInFile is the line and offset in the file where the secret was found.
ModifiedTime is the modification time of the file containing the secret.
Path is the path of the file in which the secret was found.
SecretID is the SHA1 of the secret content.
Snippet is the partial plain secret.
Possible values: [AWS Access Key ID,AWS Secret Key,AWS MWS Auth Token,Azure Storage Account Access Key,Azure Service Principal,GCP Service Account Auth Key,Private Encryption Key,Public Encryption Key,PEM X509 Certificate Header,SSH Authorized Keys,Artifactory API Token,Artifactory Password,Basic Auth Credentials,Mailchimp Access Key,NPM Token,Slack Token,Slack Webhook,Square OAuth Secret,Notion Integration Token,Airtable API Key,Atlassian Oauth2 Keys,CircleCI Personal Token,Databricks Authentication Token,GitHub Token,GitLab Token,Google API key,Grafana Token,Python Package Index Key (PYPI),Typeform API Token,Scalr Token,Braintree Access Token,Braintree Payments Key,Paypal Token Key,Braintree Payments ID,Datadog Client Token,ClickUp Personal API Token,OpenAI API Key,Java DB Connectivity (JDBC),MongoDB,.Net SQL Server
]
SecretType represents a secret type
Textual representation of the vulnerability's severity.
Vendor status for the vulnerability.
Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG
]
List of templates with which the vulnerability is associated.
Description of the violation.
Compliance title.
Indicates if this is a Twistlock-specific vulnerability (true) or not (false).
Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux,gke_worker,image_malware,host_malware,aks_worker,eks_worker,image_secret,host_secret
]
Type represents the vulnerability type
Textual representation of the metric values used to score the vulnerability.
vulnTagInfos object[]
Tag information for the vulnerability.
Color is a hexadecimal representation of color code value
Tag comment in a specific vulnerability context.
Name of the tag.
wildfireMalware object
WildFireMalware holds the data for WildFire malicious MD5
MD5 is the hash of the malicious binary.
Path is the path to malicious binary.
Verdict is the malicious source like grayware, malware and phishing.
Number of compliance issues.
Compliance risk score for the image.
Compressed indicates if this image seems to be compressed - currently only relevant for buildah images.
compressedLayerTimes object
CompressedLayerTimes represent the compressed layer times of the image apps and pkgs
.
pkgsTimes object[]
.
.
Possible values: [nodejs,gem,python,jar,package,windows,binary,nuget,go,app,unknown
]
Type describes the package type
Specifies the time of creation for the latest version of the image.
CSA indicates the scan was performed by the CSA.
Full name of the distribution.
ECS cluster name.
Description of an error that occurred during image scan.
ImageScanResultErrCode represents the asset status error
externalLabels object[]
Kubernetes external labels of all containers running this image.
Label key.
Source name (e.g., for a namespace, the source name can be 'twistlock').
Possible values: [namespace,deployment,aws,azure,gcp,oci
]
ExternalLabelSourceType indicates the source of the labels
Time when the label was fetched.
Value of the label.
files object[]
Files in the container.
Hash sum of the file using md5.
Path of the file.
Hash sum of the file using SHA-1.
Hash sum of the file using SHA256.
firewallProtection object
ProtectionStatus describes the status of the WAAS protection
Enabled indicates if WAAS proxy protection is enabled (true) or not (false).
Possible values: [,Observation,Protection
]
OutOfBandMode holds the app firewall out-of-band mode
Ports indicates http open ports associated with the container.
Supported indicates if WAAS protection is supported (true) or not (false).
TLSPorts indicates https open ports associated with the container.
unprotectedProcesses object[]
UnprotectedProcesses holds the processes that support HTTP/HTTPS without WAAS protection.
Port is the process port.
Process is the process name.
TLS is the port TLS indication.
Specifies the time of the scan for the first version of the image. This time is preserved even after the version update.
foundSecrets object[]
FoundSecrets are secrets with metadata that were found in the secrets' scan. Requires json tag for reporting secrets from image scan.
LocationInFile is the line and offset in the file where the secret was found.
ModifiedTime is the modification time of the file containing the secret.
Path is the path of the file in which the secret was found.
SecretID is the SHA1 of the secret content.
Snippet is the partial plain secret.
Possible values: [AWS Access Key ID,AWS Secret Key,AWS MWS Auth Token,Azure Storage Account Access Key,Azure Service Principal,GCP Service Account Auth Key,Private Encryption Key,Public Encryption Key,PEM X509 Certificate Header,SSH Authorized Keys,Artifactory API Token,Artifactory Password,Basic Auth Credentials,Mailchimp Access Key,NPM Token,Slack Token,Slack Webhook,Square OAuth Secret,Notion Integration Token,Airtable API Key,Atlassian Oauth2 Keys,CircleCI Personal Token,Databricks Authentication Token,GitHub Token,GitLab Token,Google API key,Grafana Token,Python Package Index Key (PYPI),Typeform API Token,Scalr Token,Braintree Access Token,Braintree Payments Key,Paypal Token Key,Braintree Payments ID,Datadog Client Token,ClickUp Personal API Token,OpenAI API Key,Java DB Connectivity (JDBC),MongoDB,.Net SQL Server
]
SecretType represents a secret type
history object[]
Docker image history.
Indicates if this layer originated from the base image (true) or not (false).
Date/time when the image layer was created.
Indicates if this instruction didn't create a separate layer (true) or not (false).
ID of the layer.
Docker file instruction and arguments used to create this layer.
Size of the layer (in bytes).
Holds the image tags.
vulnerabilities object[]
Vulnerabilities which originated from this layer.
Rules applied on the package.
Names of the distro binary package names (packages which are built from the source of the package).
Indicates if the vulnerability has a block effect (true) or not (false).
Additional information regarding the root cause for the vulnerability.
Indicates if this is a CRI-specific vulnerability (true) or not (false).
Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).
CVE ID of the vulnerability (if applied).
CVSS score of the vulnerability.
Description of the vulnerability.
Specifies the time of discovery for the vulnerability.
Possible values: [,exploit-db,exploit-windows,cisa-kev
]
ExploitType represents the source of an exploit
exploits object[]
Exploits represents the exploits data found for a CVE
Possible values: [poc,in-the-wild
]
ExploitKind represents the kind of the exploit
Link is a link to information about the exploit.
Possible values: [,exploit-db,exploit-windows,cisa-kev
]
ExploitType represents the source of an exploit
Date/time when the vulnerability was fixed (in Unix time).
Link to the vendor's fixed-version information.
Specifies the serverless layer ID in which the vulnerability was discovered.
Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.
ID of the violation.
Date/time of the image layer to which the CVE belongs.
Vendor link to the CVE.
Name of the package that caused the vulnerability.
Possible values: [nodejs,gem,python,jar,package,windows,binary,nuget,go,app,unknown
]
Type describes the package type
Version of the package that caused the vulnerability (or null).
Date/time when the vulnerability was published (in Unix time).
riskFactors object
RiskFactors maps the existence of vulnerability risk factors
secret object
Secret represents a secret found on the scanned workload
LocationInFile is the line and offset in the file where the secret was found.
ModifiedTime is the modification time of the file containing the secret.
Path is the path of the file in which the secret was found.
SecretID is the SHA1 of the secret content.
Snippet is the partial plain secret.
Possible values: [AWS Access Key ID,AWS Secret Key,AWS MWS Auth Token,Azure Storage Account Access Key,Azure Service Principal,GCP Service Account Auth Key,Private Encryption Key,Public Encryption Key,PEM X509 Certificate Header,SSH Authorized Keys,Artifactory API Token,Artifactory Password,Basic Auth Credentials,Mailchimp Access Key,NPM Token,Slack Token,Slack Webhook,Square OAuth Secret,Notion Integration Token,Airtable API Key,Atlassian Oauth2 Keys,CircleCI Personal Token,Databricks Authentication Token,GitHub Token,GitLab Token,Google API key,Grafana Token,Python Package Index Key (PYPI),Typeform API Token,Scalr Token,Braintree Access Token,Braintree Payments Key,Paypal Token Key,Braintree Payments ID,Datadog Client Token,ClickUp Personal API Token,OpenAI API Key,Java DB Connectivity (JDBC),MongoDB,.Net SQL Server
]
SecretType represents a secret type
Textual representation of the vulnerability's severity.
Vendor status for the vulnerability.
Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG
]
List of templates with which the vulnerability is associated.
Description of the violation.
Compliance title.
Indicates if this is a Twistlock-specific vulnerability (true) or not (false).
Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux,gke_worker,image_malware,host_malware,aks_worker,eks_worker,image_secret,host_secret
]
Type represents the vulnerability type
Textual representation of the metric values used to score the vulnerability.
vulnTagInfos object[]
Tag information for the vulnerability.
Color is a hexadecimal representation of color code value
Tag comment in a specific vulnerability context.
Name of the tag.
wildfireMalware object
WildFireMalware holds the data for WildFire malicious MD5
MD5 is the hash of the malicious binary.
Path is the path to malicious binary.
Verdict is the malicious source like grayware, malware and phishing.
hostDevices object[]
Map from host network device name to IP address.
Network device IPv4 address.
Network device name.
HostRuntimeEnabled indicates if any runtime rule applies to the host.
Name of the host that was scanned.
hosts object
ImageHosts is a fast index for image scan results metadata per host
property name* shared.ImageHost
ImageHost holds information about image scan result per host
AccountID is the cloud account ID the image is associated with.
Agentless indicates if the image was scanned as part of an agentless scan.
AgentlessScanID is the ID of the agentless scan in which the result was received.
AIS indicates the scan was performed by AIS.
AppEmbedded indicates if the host is an app embedded host.
Cluster is the cluster on which the image is deployed.
CSA indicates if the image was scanned by CSA.
Modified is the last scan time.
Namespaces are the namespaces on which the image is deployed.
Image ID.
image object
Image represents a container image
Date/time when the image was created.
Combined entrypoint of the image (entrypoint + CMD).
Image environment variables.
Indicates if health checks are enabled (true) or not (false).
history object[]
Holds the image history.
Indicates if this layer originated from the base image (true) or not (false).
Date/time when the image layer was created.
Indicates if this instruction didn't create a separate layer (true) or not (false).
ID of the layer.
Docker file instruction and arguments used to create this layer.
Size of the layer (in bytes).
Holds the image tags.
vulnerabilities object[]
Vulnerabilities which originated from this layer.
Rules applied on the package.
Names of the distro binary package names (packages which are built from the source of the package).
Indicates if the vulnerability has a block effect (true) or not (false).
Additional information regarding the root cause for the vulnerability.
Indicates if this is a CRI-specific vulnerability (true) or not (false).
Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).
CVE ID of the vulnerability (if applied).
CVSS score of the vulnerability.
Description of the vulnerability.
Specifies the time of discovery for the vulnerability.
Possible values: [,exploit-db,exploit-windows,cisa-kev
]
ExploitType represents the source of an exploit
exploits object[]
Exploits represents the exploits data found for a CVE
Possible values: [poc,in-the-wild
]
ExploitKind represents the kind of the exploit
Link is a link to information about the exploit.
Possible values: [,exploit-db,exploit-windows,cisa-kev
]
ExploitType represents the source of an exploit
Date/time when the vulnerability was fixed (in Unix time).
Link to the vendor's fixed-version information.
Specifies the serverless layer ID in which the vulnerability was discovered.
Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.
ID of the violation.
Date/time of the image layer to which the CVE belongs.
Vendor link to the CVE.
Name of the package that caused the vulnerability.
Possible values: [nodejs,gem,python,jar,package,windows,binary,nuget,go,app,unknown
]
Type describes the package type
Version of the package that caused the vulnerability (or null).
Date/time when the vulnerability was published (in Unix time).
riskFactors object
RiskFactors maps the existence of vulnerability risk factors
secret object
Secret represents a secret found on the scanned workload
LocationInFile is the line and offset in the file where the secret was found.
ModifiedTime is the modification time of the file containing the secret.
Path is the path of the file in which the secret was found.
SecretID is the SHA1 of the secret content.
Snippet is the partial plain secret.
Possible values: [AWS Access Key ID,AWS Secret Key,AWS MWS Auth Token,Azure Storage Account Access Key,Azure Service Principal,GCP Service Account Auth Key,Private Encryption Key,Public Encryption Key,PEM X509 Certificate Header,SSH Authorized Keys,Artifactory API Token,Artifactory Password,Basic Auth Credentials,Mailchimp Access Key,NPM Token,Slack Token,Slack Webhook,Square OAuth Secret,Notion Integration Token,Airtable API Key,Atlassian Oauth2 Keys,CircleCI Personal Token,Databricks Authentication Token,GitHub Token,GitLab Token,Google API key,Grafana Token,Python Package Index Key (PYPI),Typeform API Token,Scalr Token,Braintree Access Token,Braintree Payments Key,Paypal Token Key,Braintree Payments ID,Datadog Client Token,ClickUp Personal API Token,OpenAI API Key,Java DB Connectivity (JDBC),MongoDB,.Net SQL Server
]
SecretType represents a secret type
Textual representation of the vulnerability's severity.
Vendor status for the vulnerability.
Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG
]
List of templates with which the vulnerability is associated.
Description of the violation.
Compliance title.
Indicates if this is a Twistlock-specific vulnerability (true) or not (false).
Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux,gke_worker,image_malware,host_malware,aks_worker,eks_worker,image_secret,host_secret
]
Type represents the vulnerability type
Textual representation of the metric values used to score the vulnerability.
vulnTagInfos object[]
Tag information for the vulnerability.
Color is a hexadecimal representation of color code value
Tag comment in a specific vulnerability context.
Name of the tag.
wildfireMalware object
WildFireMalware holds the data for WildFire malicious MD5
MD5 is the hash of the malicious binary.
Path is the path to malicious binary.
Verdict is the malicious source like grayware, malware and phishing.
ID of the image.
labels object
Image labels.
Image filesystem layers.
Image os type.
Image repo digests.
Image repo tags.
Image user.
Base working directory of the image.
installedProducts object
InstalledProducts contains data regarding products running in environment TODO #34713: Swarm support was deprecated in Joule, remove swarm node/manager boolean (and related compliance) in Lagrange
Agentless indicates whether the scan was performed with agentless approach.
Apache indicates the apache server version, empty in case apache not running.
AWSCloud indicates whether AWS cloud is used.
Possible values: [AKS,ECS,EKS,GKE,Kubernetes
]
ClusterType is the cluster type
CRI indicates whether the container runtime is CRI (and not docker).
Docker represents the docker daemon version.
DockerEnterprise indicates whether the enterprise version of Docker is installed.
HasPackageManager indicates whether package manager is installed on the OS.
K8sAPIServer indicates whether a kubernetes API server is running.
K8sControllerManager indicates whether a kubernetes controller manager is running.
K8sEtcd indicates whether etcd is running.
K8sFederationAPIServer indicates whether a federation API server is running.
K8sFederationControllerManager indicates whether a federation controller manager is running.
K8sKubelet indicates whether kubelet is running.
K8sProxy indicates whether a kubernetes proxy is running.
K8sScheduler indicates whether the kubernetes scheduler is running.
Kubernetes represents the kubernetes version.
ManagedClusterVersion is the version of the managed Kubernetes service, e.g. AKS/EKS/GKE/etc.
Openshift indicates whether openshift is deployed.
OpenshiftVersion represents the running openshift version.
OSDistro specifies the os distribution.
Serverless indicates whether evaluated on a serverless environment.
SwarmManager indicates whether a swarm manager is running.
SwarmNode indicates whether the node is part of an active swarm.
instances object[]
Details about each occurrence of the image (tag + host).
.
.
.
.
.
.
IsARM64 indicates if the architecture of the image is aarch64.
Endpoint of the Kubernetes API server.
Image labels.
Image's filesystem layers. Each layer is a SHA256 digest of the filesystem diff See: https://windsock.io/explaining-docker-image-ids/.
MalwareAnalyzedTime is the WildFire evaluator analyzing time shown as progress in UI and cannot to be overwritten by a new scan result.
Indicates if the image OS is covered in the IS (true) or not (false).
k8s namespaces of all the containers running this image.
Name of the OS distribution.
OS distribution release.
OS distribution version.
Indicates if the package manager is installed for the OS.
packages object[]
Packages which exist in the image.
pkgs object[]
List of packages.
Author is the package's author.
Indexes of the top binaries which use the package.
Names of the distro binary packages (packages which are built on the source of the package).
Total number of CVEs for this specific package.
DefaultGem indicates this is a gem default package (and not a bundled package).
files object[]
List of package-related files and their hashes. Only included when the appropriate scan option is set.
Hash sum of the file using md5.
Path of the file.
Hash sum of the file using SHA-1.
Hash sum of the file using SHA256.
ID of the serverless layer in which the package was discovered.
GoPkg indicates this is a Go package (and not module).
JarIdentifier holds an additional identification detail of a JAR package.
Image layer to which the package belongs (layer creation time).
License information for the package.
Name of the package.
OriginPackageName is the name of the third-party origin package.
OSPackage indicates that a python/java package was installed as an OS package.
Full package path (e.g., JAR or Node.js package path).
PURL is a package URL identifier for this package.
SecurityRepoPkg determines if this package is available in a security repository.
Symbols contains names of vulnerable functions that are linked in the executable binary, empty if the entire package is vulnerable.
Package version.
Possible values: [nodejs,gem,python,jar,package,windows,binary,nuget,go,app,unknown
]
Type describes the package type
PullDuration is the time it took to pull the image.
PushTime is the image push time to the registry.
RedHatNonRPMImage indicates whether the image is a Red Hat image with non-RPM content.
IBM cloud namespace to which the image belongs.
RegistryTags are the tags of the registry this image is stored.
RegistryType indicates the registry type where the image is stored.
Digests of the image. Used for content trust (notary). Has one digest per tag.
repoTag object
ImageTag represents an image repository and its associated tag or registry digest
Image digest (requires V2 or later registry).
ID of the image.
Registry name to which the image belongs.
Repository name to which the image belongs.
Image tag.
RhelRepositories are the (RPM) repositories IDs from which the packages in this image were installed Used for matching vulnerabilities by Red Hat CPEs.
riskFactors object
RiskFactors maps the existence of vulnerability risk factors
Scanner build date that published the image.
ScanDuration is the total time it took to scan the image.
ScanID is the ID of the scan.
Specifies the time of the last scan of the image.
Scanner version that published the image.
secretScanMetrics object
SecretScanMetrics represents metrics collected during secret scan
FailedScans represents number of failed scans caused by scanner errors.
FoundSecrets represents number of detected secrets.
ScanTime represents cumulative secret scan time in microseconds.
ScanTimeouts represents number of failed scans caused by timeout.
ScannedFileSize represents accumulated size of scanned files.
ScannedFiles represents number of text files scanned for secrets.
TotalBytes represents accumulated file size.
TotalFiles represents number of files read for secrets.
TotalTime represents the total time in microseconds.
typesCount object
TypesCount represents distribution of secrets by its type.
startupBinaries object[]
Binaries which are expected to run when the container is created from this image.
Indicates if the binary was installed from a package manager and modified/replaced (true) or not (false).
Total number of CVEs for this specific binary.
Third-party package files which are used by the binary.
Represents the file's mode and permission bits.
ID of the serverless layer in which the package was discovered.
Md5 hashset of the binary.
Indicates if this binary is not related to any package (true) or not (false).
Name of the binary.
Path is the path of the binary.
Path for searching packages used by the binary.
Names of services which use the binary.
Version of the binary.
Stopped indicates whether the host was running during the agentless scan.
tags object[]
Tags associated with the given image.
Image digest (requires V2 or later registry).
ID of the image.
Registry name to which the image belongs.
Repository name to which the image belongs.
Image tag.
SHA256 of the image's last layer that is the last element of the Layers field.
trustResult object
ImageResult represents an aggregated image trust result
groups object[]
Trust groups which apply to the image.
Name of the group.
Indicates whether the rule is currently disabled. Values: true (disabled) or false (enabled).
Image names or IDs (e.g., docker.io/library/ubuntu:16.04 / SHA264@...).
Filesystem layers. The image is trusted if its layers have a prefix of the trusted groups layer in the same order.
Specifies the date and time when the rule was last modified.
Name of the rule.
Describes any noteworthy points for a rule. You can include any text.
User who created or last modified the rule.
Previous name of the rule. Required for rule renaming.
hostsStatuses object[]
Image trust status on each host. Can be set to "trusted" or "untrusted".
Host name.
Possible values: [trusted,untrusted
]
Status is the trust status for an image
Possible values: [trusted,untrusted
]
Status is the trust status for an image
Indicates if the image is a Twistlock image (true) or not (false).
Possible values: [image,ciImage,container,host,agentlessHost,registry,serverlessScan,ciServerless,vm,tas,ciTas,cloudDiscovery,serverlessRadar,serverlessAutoDeploy,hostAutoDeploy,codeRepo,ciCodeRepo
]
ScanType displays the components for an ongoing scan
vulnerabilities object[]
CVE vulnerabilities of the image.
Rules applied on the package.
Names of the distro binary package names (packages which are built from the source of the package).
Indicates if the vulnerability has a block effect (true) or not (false).
Additional information regarding the root cause for the vulnerability.
Indicates if this is a CRI-specific vulnerability (true) or not (false).
Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).
CVE ID of the vulnerability (if applied).
CVSS score of the vulnerability.
Description of the vulnerability.
Specifies the time of discovery for the vulnerability.
Possible values: [,exploit-db,exploit-windows,cisa-kev
]
ExploitType represents the source of an exploit
exploits object[]
Exploits represents the exploits data found for a CVE
Possible values: [poc,in-the-wild
]
ExploitKind represents the kind of the exploit
Link is a link to information about the exploit.
Possible values: [,exploit-db,exploit-windows,cisa-kev
]
ExploitType represents the source of an exploit
Date/time when the vulnerability was fixed (in Unix time).
Link to the vendor's fixed-version information.
Specifies the serverless layer ID in which the vulnerability was discovered.
Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.
ID of the violation.
Date/time of the image layer to which the CVE belongs.
Vendor link to the CVE.
Name of the package that caused the vulnerability.
Possible values: [nodejs,gem,python,jar,package,windows,binary,nuget,go,app,unknown
]
Type describes the package type
Version of the package that caused the vulnerability (or null).
Date/time when the vulnerability was published (in Unix time).
riskFactors object
RiskFactors maps the existence of vulnerability risk factors
secret object
Secret represents a secret found on the scanned workload
LocationInFile is the line and offset in the file where the secret was found.
ModifiedTime is the modification time of the file containing the secret.
Path is the path of the file in which the secret was found.
SecretID is the SHA1 of the secret content.
Snippet is the partial plain secret.
Possible values: [AWS Access Key ID,AWS Secret Key,AWS MWS Auth Token,Azure Storage Account Access Key,Azure Service Principal,GCP Service Account Auth Key,Private Encryption Key,Public Encryption Key,PEM X509 Certificate Header,SSH Authorized Keys,Artifactory API Token,Artifactory Password,Basic Auth Credentials,Mailchimp Access Key,NPM Token,Slack Token,Slack Webhook,Square OAuth Secret,Notion Integration Token,Airtable API Key,Atlassian Oauth2 Keys,CircleCI Personal Token,Databricks Authentication Token,GitHub Token,GitLab Token,Google API key,Grafana Token,Python Package Index Key (PYPI),Typeform API Token,Scalr Token,Braintree Access Token,Braintree Payments Key,Paypal Token Key,Braintree Payments ID,Datadog Client Token,ClickUp Personal API Token,OpenAI API Key,Java DB Connectivity (JDBC),MongoDB,.Net SQL Server
]
SecretType represents a secret type
Textual representation of the vulnerability's severity.
Vendor status for the vulnerability.
Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG
]
List of templates with which the vulnerability is associated.
Description of the violation.
Compliance title.
Indicates if this is a Twistlock-specific vulnerability (true) or not (false).
Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux,gke_worker,image_malware,host_malware,aks_worker,eks_worker,image_secret,host_secret
]
Type represents the vulnerability type
Textual representation of the metric values used to score the vulnerability.
vulnTagInfos object[]
Tag information for the vulnerability.
Color is a hexadecimal representation of color code value
Tag comment in a specific vulnerability context.
Name of the tag.
wildfireMalware object
WildFireMalware holds the data for WildFire malicious MD5
MD5 is the hash of the malicious binary.
Path is the path to malicious binary.
Verdict is the malicious source like grayware, malware and phishing.
Total number of vulnerabilities.
vulnerabilityDistribution object
Distribution counts the number of vulnerabilities per type
.
.
.
.
.
Image's CVE risk score.
wildFireUsage object
Usage holds wildfire usage stats, period for the usage varies with context
Bytes is the total number of bytes uploaded to the WildFire API.
Queries is the number of queries to the WildFire API.
Uploads is the number of uploads to the WildFire API.
{
"images": [
{
"Secrets": [
"string"
],
"_id": "string",
"agentless": true,
"aisUUID": "string",
"allCompliance": {
"compliance": [
{
"applicableRules": [
"string"
],
"binaryPkgs": [
"string"
],
"block": true,
"cause": "string",
"cri": true,
"custom": true,
"cve": "string",
"cvss": 0,
"description": "string",
"discovered": "2024-07-29T15:51:28.071Z",
"exploit": [
"",
"exploit-db",
"exploit-windows",
"cisa-kev"
],
"exploits": [
{
"kind": [
"poc",
"in-the-wild"
],
"link": "string",
"source": [
"",
"exploit-db",
"exploit-windows",
"cisa-kev"
]
}
],
"fixDate": 0,
"fixLink": "string",
"functionLayer": "string",
"gracePeriodDays": 0,
"id": 0,
"layerTime": 0,
"link": "string",
"packageName": "string",
"packageType": [
"nodejs",
"gem",
"python",
"jar",
"package",
"windows",
"binary",
"nuget",
"go",
"app",
"unknown"
],
"packageVersion": "string",
"published": 0,
"riskFactors": {},
"secret": {
"locationInFile": "string",
"modifiedTime": 0,
"path": "string",
"secretID": "string",
"snippet": "string",
"type": [
"AWS Access Key ID",
"AWS Secret Key",
"AWS MWS Auth Token",
"Azure Storage Account Access Key",
"Azure Service Principal",
"GCP Service Account Auth Key",
"Private Encryption Key",
"Public Encryption Key",
"PEM X509 Certificate Header",
"SSH Authorized Keys",
"Artifactory API Token",
"Artifactory Password",
"Basic Auth Credentials",
"Mailchimp Access Key",
"NPM Token",
"Slack Token",
"Slack Webhook",
"Square OAuth Secret",
"Notion Integration Token",
"Airtable API Key",
"Atlassian Oauth2 Keys",
"CircleCI Personal Token",
"Databricks Authentication Token",
"GitHub Token",
"GitLab Token",
"Google API key",
"Grafana Token",
"Python Package Index Key (PYPI)",
"Typeform API Token",
"Scalr Token",
"Braintree Access Token",
"Braintree Payments Key",
"Paypal Token Key",
"Braintree Payments ID",
"Datadog Client Token",
"ClickUp Personal API Token",
"OpenAI API Key",
"Java DB Connectivity (JDBC)",
"MongoDB",
".Net SQL Server"
]
},
"severity": "string",
"status": "string",
"templates": [
[
"PCI",
"HIPAA",
"NIST SP 800-190",
"GDPR",
"DISA STIG"
]
],
"text": "string",
"title": "string",
"twistlock": true,
"type": [
"container",
"image",
"host_config",
"daemon_config",
"daemon_config_files",
"security_operations",
"k8s_master",
"k8s_worker",
"k8s_federation",
"linux",
"windows",
"istio",
"serverless",
"custom",
"docker_stig",
"openshift_master",
"openshift_worker",
"application_control_linux",
"gke_worker",
"image_malware",
"host_malware",
"aks_worker",
"eks_worker",
"image_secret",
"host_secret"
],
"vecStr": "string",
"vulnTagInfos": [
{
"color": "string",
"comment": "string",
"name": "string"
}
],
"wildfireMalware": {
"md5": "string",
"path": "string",
"verdict": "string"
}
}
],
"enabled": true
},
"appEmbedded": true,
"applications": [
{
"installedFromPackage": true,
"knownVulnerabilities": 0,
"layerTime": 0,
"name": "string",
"originPackageName": "string",
"path": "string",
"service": true,
"version": "string"
}
],
"baseImage": "string",
"binaries": [
{
"altered": true,
"cveCount": 0,
"deps": [
"string"
],
"fileMode": 0,
"functionLayer": "string",
"md5": "string",
"missingPkg": true,
"name": "string",
"path": "string",
"pkgRootDir": "string",
"services": [
"string"
],
"version": "string"
}
],
"cloudMetadata": {
"accountID": "string",
"awsExecutionEnv": "string",
"image": "string",
"labels": [
{
"key": "string",
"sourceName": "string",
"sourceType": [
"namespace",
"deployment",
"aws",
"azure",
"gcp",
"oci"
],
"timestamp": "2024-07-29T15:51:28.071Z",
"value": "string"
}
],
"name": "string",
"provider": [
"aws",
"azure",
"gcp",
"alibaba",
"oci",
"others"
],
"region": "string",
"resourceID": "string",
"resourceURL": "string",
"type": "string",
"vmID": "string",
"vmImageID": "string"
},
"clusterType": [
"AKS",
"ECS",
"EKS",
"GKE",
"Kubernetes"
],
"clusters": [
"string"
],
"collections": [
"string"
],
"complianceDistribution": {
"critical": 0,
"high": 0,
"low": 0,
"medium": 0,
"total": 0
},
"complianceIssues": [
{
"applicableRules": [
"string"
],
"binaryPkgs": [
"string"
],
"block": true,
"cause": "string",
"cri": true,
"custom": true,
"cve": "string",
"cvss": 0,
"description": "string",
"discovered": "2024-07-29T15:51:28.071Z",
"exploit": [
"",
"exploit-db",
"exploit-windows",
"cisa-kev"
],
"exploits": [
{
"kind": [
"poc",
"in-the-wild"
],
"link": "string",
"source": [
"",
"exploit-db",
"exploit-windows",
"cisa-kev"
]
}
],
"fixDate": 0,
"fixLink": "string",
"functionLayer": "string",
"gracePeriodDays": 0,
"id": 0,
"layerTime": 0,
"link": "string",
"packageName": "string",
"packageType": [
"nodejs",
"gem",
"python",
"jar",
"package",
"windows",
"binary",
"nuget",
"go",
"app",
"unknown"
],
"packageVersion": "string",
"published": 0,
"riskFactors": {},
"secret": {
"locationInFile": "string",
"modifiedTime": 0,
"path": "string",
"secretID": "string",
"snippet": "string",
"type": [
"AWS Access Key ID",
"AWS Secret Key",
"AWS MWS Auth Token",
"Azure Storage Account Access Key",
"Azure Service Principal",
"GCP Service Account Auth Key",
"Private Encryption Key",
"Public Encryption Key",
"PEM X509 Certificate Header",
"SSH Authorized Keys",
"Artifactory API Token",
"Artifactory Password",
"Basic Auth Credentials",
"Mailchimp Access Key",
"NPM Token",
"Slack Token",
"Slack Webhook",
"Square OAuth Secret",
"Notion Integration Token",
"Airtable API Key",
"Atlassian Oauth2 Keys",
"CircleCI Personal Token",
"Databricks Authentication Token",
"GitHub Token",
"GitLab Token",
"Google API key",
"Grafana Token",
"Python Package Index Key (PYPI)",
"Typeform API Token",
"Scalr Token",
"Braintree Access Token",
"Braintree Payments Key",
"Paypal Token Key",
"Braintree Payments ID",
"Datadog Client Token",
"ClickUp Personal API Token",
"OpenAI API Key",
"Java DB Connectivity (JDBC)",
"MongoDB",
".Net SQL Server"
]
},
"severity": "string",
"status": "string",
"templates": [
[
"PCI",
"HIPAA",
"NIST SP 800-190",
"GDPR",
"DISA STIG"
]
],
"text": "string",
"title": "string",
"twistlock": true,
"type": [
"container",
"image",
"host_config",
"daemon_config",
"daemon_config_files",
"security_operations",
"k8s_master",
"k8s_worker",
"k8s_federation",
"linux",
"windows",
"istio",
"serverless",
"custom",
"docker_stig",
"openshift_master",
"openshift_worker",
"application_control_linux",
"gke_worker",
"image_malware",
"host_malware",
"aks_worker",
"eks_worker",
"image_secret",
"host_secret"
],
"vecStr": "string",
"vulnTagInfos": [
{
"color": "string",
"comment": "string",
"name": "string"
}
],
"wildfireMalware": {
"md5": "string",
"path": "string",
"verdict": "string"
}
}
],
"complianceIssuesCount": 0,
"complianceRiskScore": 0,
"compressed": true,
"compressedLayerTimes": {
"appTimes": [
0
],
"pkgsTimes": [
{
"pkgTimes": [
0
],
"pkgsType": [
"nodejs",
"gem",
"python",
"jar",
"package",
"windows",
"binary",
"nuget",
"go",
"app",
"unknown"
]
}
]
},
"creationTime": "2024-07-29T15:51:28.071Z",
"csa": true,
"distro": "string",
"ecsClusterName": "string",
"err": "string",
"errCode": 0,
"externalLabels": [
{
"key": "string",
"sourceName": "string",
"sourceType": [
"namespace",
"deployment",
"aws",
"azure",
"gcp",
"oci"
],
"timestamp": "2024-07-29T15:51:28.071Z",
"value": "string"
}
],
"files": [
{
"md5": "string",
"path": "string",
"sha1": "string",
"sha256": "string"
}
],
"firewallProtection": {
"enabled": true,
"outOfBandMode": [
"",
"Observation",
"Protection"
],
"ports": [
0
],
"supported": true,
"tlsPorts": [
0
],
"unprotectedProcesses": [
{
"port": 0,
"process": "string",
"tls": true
}
]
},
"firstScanTime": "2024-07-29T15:51:28.071Z",
"foundSecrets": [
{
"locationInFile": "string",
"modifiedTime": 0,
"path": "string",
"secretID": "string",
"snippet": "string",
"type": [
"AWS Access Key ID",
"AWS Secret Key",
"AWS MWS Auth Token",
"Azure Storage Account Access Key",
"Azure Service Principal",
"GCP Service Account Auth Key",
"Private Encryption Key",
"Public Encryption Key",
"PEM X509 Certificate Header",
"SSH Authorized Keys",
"Artifactory API Token",
"Artifactory Password",
"Basic Auth Credentials",
"Mailchimp Access Key",
"NPM Token",
"Slack Token",
"Slack Webhook",
"Square OAuth Secret",
"Notion Integration Token",
"Airtable API Key",
"Atlassian Oauth2 Keys",
"CircleCI Personal Token",
"Databricks Authentication Token",
"GitHub Token",
"GitLab Token",
"Google API key",
"Grafana Token",
"Python Package Index Key (PYPI)",
"Typeform API Token",
"Scalr Token",
"Braintree Access Token",
"Braintree Payments Key",
"Paypal Token Key",
"Braintree Payments ID",
"Datadog Client Token",
"ClickUp Personal API Token",
"OpenAI API Key",
"Java DB Connectivity (JDBC)",
"MongoDB",
".Net SQL Server"
]
}
],
"history": [
{
"baseLayer": true,
"created": 0,
"emptyLayer": true,
"id": "string",
"instruction": "string",
"sizeBytes": 0,
"tags": [
"string"
],
"vulnerabilities": [
{
"applicableRules": [
"string"
],
"binaryPkgs": [
"string"
],
"block": true,
"cause": "string",
"cri": true,
"custom": true,
"cve": "string",
"cvss": 0,
"description": "string",
"discovered": "2024-07-29T15:51:28.071Z",
"exploit": [
"",
"exploit-db",
"exploit-windows",
"cisa-kev"
],
"exploits": [
{
"kind": [
"poc",
"in-the-wild"
],
"link": "string",
"source": [
"",
"exploit-db",
"exploit-windows",
"cisa-kev"
]
}
],
"fixDate": 0,
"fixLink": "string",
"functionLayer": "string",
"gracePeriodDays": 0,
"id": 0,
"layerTime": 0,
"link": "string",
"packageName": "string",
"packageType": [
"nodejs",
"gem",
"python",
"jar",
"package",
"windows",
"binary",
"nuget",
"go",
"app",
"unknown"
],
"packageVersion": "string",
"published": 0,
"riskFactors": {},
"secret": {
"locationInFile": "string",
"modifiedTime": 0,
"path": "string",
"secretID": "string",
"snippet": "string",
"type": [
"AWS Access Key ID",
"AWS Secret Key",
"AWS MWS Auth Token",
"Azure Storage Account Access Key",
"Azure Service Principal",
"GCP Service Account Auth Key",
"Private Encryption Key",
"Public Encryption Key",
"PEM X509 Certificate Header",
"SSH Authorized Keys",
"Artifactory API Token",
"Artifactory Password",
"Basic Auth Credentials",
"Mailchimp Access Key",
"NPM Token",
"Slack Token",
"Slack Webhook",
"Square OAuth Secret",
"Notion Integration Token",
"Airtable API Key",
"Atlassian Oauth2 Keys",
"CircleCI Personal Token",
"Databricks Authentication Token",
"GitHub Token",
"GitLab Token",
"Google API key",
"Grafana Token",
"Python Package Index Key (PYPI)",
"Typeform API Token",
"Scalr Token",
"Braintree Access Token",
"Braintree Payments Key",
"Paypal Token Key",
"Braintree Payments ID",
"Datadog Client Token",
"ClickUp Personal API Token",
"OpenAI API Key",
"Java DB Connectivity (JDBC)",
"MongoDB",
".Net SQL Server"
]
},
"severity": "string",
"status": "string",
"templates": [
[
"PCI",
"HIPAA",
"NIST SP 800-190",
"GDPR",
"DISA STIG"
]
],
"text": "string",
"title": "string",
"twistlock": true,
"type": [
"container",
"image",
"host_config",
"daemon_config",
"daemon_config_files",
"security_operations",
"k8s_master",
"k8s_worker",
"k8s_federation",
"linux",
"windows",
"istio",
"serverless",
"custom",
"docker_stig",
"openshift_master",
"openshift_worker",
"application_control_linux",
"gke_worker",
"image_malware",
"host_malware",
"aks_worker",
"eks_worker",
"image_secret",
"host_secret"
],
"vecStr": "string",
"vulnTagInfos": [
{
"color": "string",
"comment": "string",
"name": "string"
}
],
"wildfireMalware": {
"md5": "string",
"path": "string",
"verdict": "string"
}
}
]
}
],
"hostDevices": [
{
"ip": "string",
"name": "string"
}
],
"hostRuntimeEnabled": true,
"hostname": "string",
"hosts": {},
"id": "string",
"image": {
"created": "2024-07-29T15:51:28.071Z",
"entrypoint": [
"string"
],
"env": [
"string"
],
"healthcheck": true,
"history": [
{
"baseLayer": true,
"created": 0,
"emptyLayer": true,
"id": "string",
"instruction": "string",
"sizeBytes": 0,
"tags": [
"string"
],
"vulnerabilities": [
{
"applicableRules": [
"string"
],
"binaryPkgs": [
"string"
],
"block": true,
"cause": "string",
"cri": true,
"custom": true,
"cve": "string",
"cvss": 0,
"description": "string",
"discovered": "2024-07-29T15:51:28.071Z",
"exploit": [
"",
"exploit-db",
"exploit-windows",
"cisa-kev"
],
"exploits": [
{
"kind": [
"poc",
"in-the-wild"
],
"link": "string",
"source": [
"",
"exploit-db",
"exploit-windows",
"cisa-kev"
]
}
],
"fixDate": 0,
"fixLink": "string",
"functionLayer": "string",
"gracePeriodDays": 0,
"id": 0,
"layerTime": 0,
"link": "string",
"packageName": "string",
"packageType": [
"nodejs",
"gem",
"python",
"jar",
"package",
"windows",
"binary",
"nuget",
"go",
"app",
"unknown"
],
"packageVersion": "string",
"published": 0,
"riskFactors": {},
"secret": {
"locationInFile": "string",
"modifiedTime": 0,
"path": "string",
"secretID": "string",
"snippet": "string",
"type": [
"AWS Access Key ID",
"AWS Secret Key",
"AWS MWS Auth Token",
"Azure Storage Account Access Key",
"Azure Service Principal",
"GCP Service Account Auth Key",
"Private Encryption Key",
"Public Encryption Key",
"PEM X509 Certificate Header",
"SSH Authorized Keys",
"Artifactory API Token",
"Artifactory Password",
"Basic Auth Credentials",
"Mailchimp Access Key",
"NPM Token",
"Slack Token",
"Slack Webhook",
"Square OAuth Secret",
"Notion Integration Token",
"Airtable API Key",
"Atlassian Oauth2 Keys",
"CircleCI Personal Token",
"Databricks Authentication Token",
"GitHub Token",
"GitLab Token",
"Google API key",
"Grafana Token",
"Python Package Index Key (PYPI)",
"Typeform API Token",
"Scalr Token",
"Braintree Access Token",
"Braintree Payments Key",
"Paypal Token Key",
"Braintree Payments ID",
"Datadog Client Token",
"ClickUp Personal API Token",
"OpenAI API Key",
"Java DB Connectivity (JDBC)",
"MongoDB",
".Net SQL Server"
]
},
"severity": "string",
"status": "string",
"templates": [
[
"PCI",
"HIPAA",
"NIST SP 800-190",
"GDPR",
"DISA STIG"
]
],
"text": "string",
"title": "string",
"twistlock": true,
"type": [
"container",
"image",
"host_config",
"daemon_config",
"daemon_config_files",
"security_operations",
"k8s_master",
"k8s_worker",
"k8s_federation",
"linux",
"windows",
"istio",
"serverless",
"custom",
"docker_stig",
"openshift_master",
"openshift_worker",
"application_control_linux",
"gke_worker",
"image_malware",
"host_malware",
"aks_worker",
"eks_worker",
"image_secret",
"host_secret"
],
"vecStr": "string",
"vulnTagInfos": [
{
"color": "string",
"comment": "string",
"name": "string"
}
],
"wildfireMalware": {
"md5": "string",
"path": "string",
"verdict": "string"
}
}
]
}
],
"id": "string",
"labels": {},
"layers": [
"string"
],
"os": "string",
"repoDigest": [
"string"
],
"repoTags": [
"string"
],
"user": "string",
"workingDir": "string"
},
"installedProducts": {
"agentless": true,
"apache": "string",
"awsCloud": true,
"clusterType": [
"AKS",
"ECS",
"EKS",
"GKE",
"Kubernetes"
],
"crio": true,
"docker": "string",
"dockerEnterprise": true,
"hasPackageManager": true,
"k8sApiServer": true,
"k8sControllerManager": true,
"k8sEtcd": true,
"k8sFederationApiServer": true,
"k8sFederationControllerManager": true,
"k8sKubelet": true,
"k8sProxy": true,
"k8sScheduler": true,
"kubernetes": "string",
"managedClusterVersion": "string",
"openshift": true,
"openshiftVersion": "string",
"osDistro": "string",
"serverless": true,
"swarmManager": true,
"swarmNode": true
},
"instances": [
{
"host": "string",
"image": "string",
"modified": "2024-07-29T15:51:28.071Z",
"registry": "string",
"repo": "string",
"tag": "string"
}
],
"isARM64": true,
"k8sClusterAddr": "string",
"labels": [
"string"
],
"layers": [
"string"
],
"malwareAnalyzedTime": "2024-07-29T15:51:28.071Z",
"missingDistroVulnCoverage": true,
"namespaces": [
"string"
],
"osDistro": "string",
"osDistroRelease": "string",
"osDistroVersion": "string",
"packageManager": true,
"packages": [
{
"pkgs": [
{
"author": "string",
"binaryIdx": [
0
],
"binaryPkgs": [
"string"
],
"cveCount": 0,
"defaultGem": true,
"files": [
{
"md5": "string",
"path": "string",
"sha1": "string",
"sha256": "string"
}
],
"functionLayer": "string",
"goPkg": true,
"jarIdentifier": "string",
"layerTime": 0,
"license": "string",
"name": "string",
"originPackageName": "string",
"osPackage": true,
"path": "string",
"purl": "string",
"securityRepoPkg": true,
"symbols": [
"string"
],
"version": "string"
}
],
"pkgsType": [
"nodejs",
"gem",
"python",
"jar",
"package",
"windows",
"binary",
"nuget",
"go",
"app",
"unknown"
]
}
],
"pullDuration": 0,
"pushTime": "2024-07-29T15:51:28.071Z",
"redHatNonRPMImage": true,
"registryNamespace": "string",
"registryTags": [
"string"
],
"registryType": "string",
"repoDigests": [
"string"
],
"repoTag": {
"digest": "string",
"id": "string",
"registry": "string",
"repo": "string",
"tag": "string"
},
"rhelRepos": [
"string"
],
"riskFactors": {},
"scanBuildDate": "string",
"scanDuration": 0,
"scanID": 0,
"scanTime": "2024-07-29T15:51:28.071Z",
"scanVersion": "string",
"secretScanMetrics": {
"failedScans": 0,
"foundSecrets": 0,
"scanTime": 0,
"scanTimeouts": 0,
"scannedFileSize": 0,
"scannedFiles": 0,
"totalBytes": 0,
"totalFiles": 0,
"totalTime": 0,
"typesCount": {}
},
"startupBinaries": [
{
"altered": true,
"cveCount": 0,
"deps": [
"string"
],
"fileMode": 0,
"functionLayer": "string",
"md5": "string",
"missingPkg": true,
"name": "string",
"path": "string",
"pkgRootDir": "string",
"services": [
"string"
],
"version": "string"
}
],
"stopped": true,
"tags": [
{
"digest": "string",
"id": "string",
"registry": "string",
"repo": "string",
"tag": "string"
}
],
"topLayer": "string",
"trustResult": {
"groups": [
{
"_id": "string",
"disabled": true,
"images": [
"string"
],
"layers": [
"string"
],
"modified": "2024-07-29T15:51:28.071Z",
"name": "string",
"notes": "string",
"owner": "string",
"previousName": "string"
}
],
"hostsStatuses": [
{
"host": "string",
"status": [
"trusted",
"untrusted"
]
}
]
},
"trustStatus": [
"trusted",
"untrusted"
],
"twistlockImage": true,
"type": [
"image",
"ciImage",
"container",
"host",
"agentlessHost",
"registry",
"serverlessScan",
"ciServerless",
"vm",
"tas",
"ciTas",
"cloudDiscovery",
"serverlessRadar",
"serverlessAutoDeploy",
"hostAutoDeploy",
"codeRepo",
"ciCodeRepo"
],
"vulnerabilities": [
{
"applicableRules": [
"string"
],
"binaryPkgs": [
"string"
],
"block": true,
"cause": "string",
"cri": true,
"custom": true,
"cve": "string",
"cvss": 0,
"description": "string",
"discovered": "2024-07-29T15:51:28.071Z",
"exploit": [
"",
"exploit-db",
"exploit-windows",
"cisa-kev"
],
"exploits": [
{
"kind": [
"poc",
"in-the-wild"
],
"link": "string",
"source": [
"",
"exploit-db",
"exploit-windows",
"cisa-kev"
]
}
],
"fixDate": 0,
"fixLink": "string",
"functionLayer": "string",
"gracePeriodDays": 0,
"id": 0,
"layerTime": 0,
"link": "string",
"packageName": "string",
"packageType": [
"nodejs",
"gem",
"python",
"jar",
"package",
"windows",
"binary",
"nuget",
"go",
"app",
"unknown"
],
"packageVersion": "string",
"published": 0,
"riskFactors": {},
"secret": {
"locationInFile": "string",
"modifiedTime": 0,
"path": "string",
"secretID": "string",
"snippet": "string",
"type": [
"AWS Access Key ID",
"AWS Secret Key",
"AWS MWS Auth Token",
"Azure Storage Account Access Key",
"Azure Service Principal",
"GCP Service Account Auth Key",
"Private Encryption Key",
"Public Encryption Key",
"PEM X509 Certificate Header",
"SSH Authorized Keys",
"Artifactory API Token",
"Artifactory Password",
"Basic Auth Credentials",
"Mailchimp Access Key",
"NPM Token",
"Slack Token",
"Slack Webhook",
"Square OAuth Secret",
"Notion Integration Token",
"Airtable API Key",
"Atlassian Oauth2 Keys",
"CircleCI Personal Token",
"Databricks Authentication Token",
"GitHub Token",
"GitLab Token",
"Google API key",
"Grafana Token",
"Python Package Index Key (PYPI)",
"Typeform API Token",
"Scalr Token",
"Braintree Access Token",
"Braintree Payments Key",
"Paypal Token Key",
"Braintree Payments ID",
"Datadog Client Token",
"ClickUp Personal API Token",
"OpenAI API Key",
"Java DB Connectivity (JDBC)",
"MongoDB",
".Net SQL Server"
]
},
"severity": "string",
"status": "string",
"templates": [
[
"PCI",
"HIPAA",
"NIST SP 800-190",
"GDPR",
"DISA STIG"
]
],
"text": "string",
"title": "string",
"twistlock": true,
"type": [
"container",
"image",
"host_config",
"daemon_config",
"daemon_config_files",
"security_operations",
"k8s_master",
"k8s_worker",
"k8s_federation",
"linux",
"windows",
"istio",
"serverless",
"custom",
"docker_stig",
"openshift_master",
"openshift_worker",
"application_control_linux",
"gke_worker",
"image_malware",
"host_malware",
"aks_worker",
"eks_worker",
"image_secret",
"host_secret"
],
"vecStr": "string",
"vulnTagInfos": [
{
"color": "string",
"comment": "string",
"name": "string"
}
],
"wildfireMalware": {
"md5": "string",
"path": "string",
"verdict": "string"
}
}
],
"vulnerabilitiesCount": 0,
"vulnerabilityDistribution": {
"critical": 0,
"high": 0,
"low": 0,
"medium": 0,
"total": 0
},
"vulnerabilityRiskScore": 0,
"wildFireUsage": {
"bytes": 0,
"queries": 0,
"uploads": 0
}
}
]
}