
Get Container Scan Results

Required permission: monitorImages
Availability: SaaS and self-hosted Consoles
Public endpoint: yes

Retrieves container scan reports.

Note: The API rate limit for this endpoint is 30 requests per minute. If you exceed it, the Console answers with HTTP 429 and the request is not served; wait and retry.

This endpoint maps to Monitor > Compliance > Images > Deployed in the Console UI.

The fields query parameter accepts the following values:

  • labels
  • externalLabels
  • cluster
  • hostname
  • image

cURL Request

Refer to the following example cURL command that retrieves scan reports for all containers:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/containers"

Refer to the following example cURL command that retrieves scan reports for all containers that belong to the collection <COLLECTION ID>:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/containers?collections=<COLLECTION ID>"

Note: -k tells curl to skip TLS certificate verification, so the credentials sent with -u can be captured by anyone able to intercept the connection. Use it only against a lab Console whose certificate you cannot otherwise trust; in production, drop -k and pass the Console's CA certificate with --cacert.

The name query parameter corresponds to the Filter containers text field in the Console UI.

A successful response returns an array of container scan reports, one object per container, in the schema described under Responses.

Query Parameters
  • offset integer

Skips the first N reports before returning results; the first report has offset 0. Combine with limit to page through large result sets.

  • limit integer

Number of reports to retrieve in a page. For Prisma Cloud Compute Edition (PCCE, self-hosted), the maximum is 250. For Prisma Cloud Enterprise Edition (PCEE, SaaS), the maximum is 50. The default value is 50.

  • search string

    Retrieves the result for a search term.

  • sort string

    Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.

  • reverse boolean

    Sorts the result in reverse order.

  • collections string[]

    Filters the result based on collection names that you have defined in Prisma Cloud Compute.

  • provider string[]

    Scopes the query by cloud provider.

  • accountIDs string[]

    Filters the result based on cloud account IDs.

  • resourceIDs string[]

    Scopes the query by resource ID.

  • region string[]

    Scopes the query by cloud region.

  • fields string[]

Restricts each report to the listed fields (see the supported values listed above). By default, every field of the report is returned.

  • hostname string[]

    Filters containers by the hostname of the node they run on.

  • image string[]

    Filters containers by image name.

  • imageId string[]

    Filters containers by image ID.

  • id string[]

    Filters containers by container ID.

  • profileId string[]

    Filters containers by runtime profile ID.

  • namespaces string[]

    Filters containers by Kubernetes namespace.

  • firewallSupported boolean

    When true, returns only containers for which WAAS (app firewall) protection is supported.

  • clusters string[]

    Filters containers by cluster name.

  • complianceIDs int[]

    Filters containers by compliance check ID.

  • agentless boolean

    When true, returns only containers that were scanned by an agentless scanner.
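
The cURL examples above fetch a single page. As an added example (not code from the Prisma Cloud Compute documentation or product), the following Python client pages through the endpoint with offset and limit, refuses a limit above the largest documented maximum, and backs off on HTTP 429 from the 30 requests/minute limit. The HTTP transport is injected as a callable so the logic runs offline against a constructed stand-in Console; the comma-separated encoding of string[] parameters and the retry delay are assumptions, not stated on this page.

```python
"""Added example: paging through GET /api/v<VERSION>/containers.

This is not code from the Prisma Cloud Compute docs or product. The HTTP
transport is injected as a callable so the logic can be exercised offline.
Assumptions not stated on the documentation page: string[] query parameters
are sent as one comma-separated value, and a 429 is retried after a delay.
"""
import time
from typing import Any, Callable, Iterator, List, Tuple
from urllib.parse import urlencode

PAGE_LIMIT_SELF_HOSTED = 250  # PCCE maximum per page (documented)
PAGE_LIMIT_SAAS = 50          # PCEE maximum and default per page (documented)
RATE_LIMIT_PER_MINUTE = 30    # documented; exceeding it returns HTTP 429

Transport = Callable[[str], Tuple[int, Any]]  # path+query -> (status, JSON body)


def build_query(offset: int, limit: int, **filters: Any) -> str:
    """Build the /containers path with offset, limit and optional filters."""
    params = {"offset": str(offset), "limit": str(limit)}
    for key, value in filters.items():
        if value is None:
            continue
        # ASSUMPTION: list values (collections, fields, hostname, ...) are joined
        # with commas; the page shows only single-valued examples.
        params[key] = ",".join(value) if isinstance(value, (list, tuple)) else str(value)
    return "/containers?" + urlencode(params, safe=",")


def iter_containers(transport: Transport, page_limit: int = PAGE_LIMIT_SAAS,
                    max_retries: int = 3, sleep=time.sleep, **filters: Any) -> Iterator[dict]:
    """Yield every container report, paging with offset/limit and retrying on 429."""
    if page_limit > PAGE_LIMIT_SELF_HOSTED:
        raise ValueError("limit above the largest documented maximum (250)")
    offset = 0
    while True:
        path = build_query(offset, page_limit, **filters)
        status, body = 429, None
        for attempt in range(max_retries + 1):
            status, body = transport(path)
            if status != 429:
                break
            # Back off in multiples of the 2 s/request budget implied by 30 req/min.
            sleep(60 / RATE_LIMIT_PER_MINUTE * (attempt + 1))
        if status == 429:
            raise RuntimeError(f"still rate limited after {max_retries} retries: {path}")
        if status != 200:
            raise RuntimeError(f"HTTP {status} for {path}")
        page: List[dict] = body or []
        yield from page
        if len(page) < page_limit:  # a short page means this was the last one
            return
        offset += page_limit


class FakeConsole:
    """Constructed stand-in for a Console: serves `reports` in pages and answers
    429 once at `limit_once_at_offset`. Records every request path it receives."""

    def __init__(self, reports: List[dict], limit_once_at_offset: int = None):
        self.reports = reports
        self.limit_once_at_offset = limit_once_at_offset
        self.calls: List[str] = []

    def __call__(self, path: str) -> Tuple[int, Any]:
        self.calls.append(path)
        query = dict(part.split("=", 1) for part in path.split("?", 1)[1].split("&"))
        offset, limit = int(query["offset"]), int(query["limit"])
        if offset == self.limit_once_at_offset:
            self.limit_once_at_offset = None  # throttle only the first attempt
            return 429, {"err": "rate limited"}
        return 200, self.reports[offset:offset + limit]


if __name__ == "__main__":
    demo = FakeConsole([{"_id": f"c{i}"} for i in range(120)], limit_once_at_offset=50)
    found = list(iter_containers(demo, page_limit=50, sleep=lambda s: None,
                                 collections=["prod", "staging"], fields=["hostname", "image"]))
    print(len(found), "reports over", len(demo.calls), "requests")
```

Against a real Console the transport is a thin wrapper around an HTTPS GET with basic authentication that returns the status code and decoded JSON body; keep certificate verification enabled and point it at the Console's CA certificate rather than mirroring the -k of the cURL examples.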

Responses


Schema
  • Array [
  • _id string

    ID is the container ID.

  • agentless boolean

    Agentless indicates if the result was received by an agentless scanner.

  • agentlessScanID integer

    AgentlessScanID is the ID of the agentless scan in which the result was received.

  • collections string[]

    Collections are collections to which this container applies.

  • firewallProtection object

    ProtectionStatus describes the status of the WAAS protection

  • enabled boolean

    Enabled indicates if WAAS proxy protection is enabled (true) or not (false).

  • outOfBandMode waas.OutOfBandMode

    Possible values: [,Observation,Protection]

    OutOfBandMode holds the app firewall out-of-band mode

  • ports int[]

    Ports indicates http open ports associated with the container.

  • supported boolean

    Supported indicates if WAAS protection is supported (true) or not (false).

  • tlsPorts int[]

    TLSPorts indicates https open ports associated with the container.

  • unprotectedProcesses object[]

    UnprotectedProcesses holds the processes that support HTTP/HTTPS without WAAS protection.

  • Array [
  • port integer

    Port is the process port.

  • process string

    Process is the process name.

  • tls boolean

    TLS is the port TLS indication.

  • ]
  • hostname string

    Hostname is the hostname on which the container is deployed.

  • info object

    ContainerInfo contains all information gathered on a specific container

  • allCompliance object

    AllCompliance contains data regarding passed compliance checks

  • compliance object[]

    Compliance are all the passed compliance checks.

  • Array [
  • applicableRules string[]

    Rules applied on the package.

  • binaryPkgs string[]

    Names of the distro binary packages (packages built from the source of the package).

  • block boolean

    Indicates if the vulnerability has a block effect (true) or not (false).

  • cause string

    Additional information regarding the root cause for the vulnerability.

  • cri boolean

    Indicates if this is a CRI-specific vulnerability (true) or not (false).

  • custom boolean

    Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

  • cve string

    CVE ID of the vulnerability (if applied).

  • cvss float

    CVSS score of the vulnerability.

  • description string

    Description of the vulnerability.

  • discovered date-time

    Specifies the time of discovery for the vulnerability.

  • exploit vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

  • exploits object[]

    Exploits represents the exploits data found for a CVE

  • Array [
  • kind vuln.ExploitKind

    Possible values: [poc,in-the-wild]

    ExploitKind represents the kind of the exploit

  • link string

    Link is a link to information about the exploit.

  • source vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

  • ]
  • fixDate int64

    Date/time when the vulnerability was fixed (in Unix time).

  • fixLink string

    Link to the vendor's fixed-version information.

  • functionLayer string

    Specifies the serverless layer ID in which the vulnerability was discovered.

  • gracePeriodDays integer

    Number of grace days left for a vulnerability, based on the configured grace period. Null if no blocking vulnerability rule applies.

  • id integer

    ID of the violation.

  • layerTime int64

    Date/time of the image layer to which the CVE belongs.

  • link string

    Vendor link to the CVE.

  • packageName string

    Name of the package that caused the vulnerability.

  • packageVersion string

    Version of the package that caused the vulnerability (or null).

  • published int64

    Date/time when the vulnerability was published (in Unix time).

  • riskFactors object

    RiskFactors maps the existence of vulnerability risk factors

  • <risk factor name> string

    Free-form keys: one entry per risk factor that applies to the finding, keyed by the risk factor's name.
  • severity string

    Textual representation of the vulnerability's severity.

  • status string

    Vendor status for the vulnerability.

  • templates vuln.ComplianceTemplate[]

    Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

    List of templates with which the vulnerability is associated.

  • text string

    Description of the violation.

  • title string

    Compliance title.

  • twistlock boolean

    Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

  • type vuln.Type

    Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux]

    Type represents the vulnerability type

  • vecStr string

    Textual representation of the metric values used to score the vulnerability.

  • vulnTagInfos object[]

    Tag information for the vulnerability.

  • Array [
  • color common.Color

    Color is a hexadecimal representation of color code value

  • comment string

    Tag comment in a specific vulnerability context.

  • name string

    Name of the tag.

  • ]
  • ]
  • enabled boolean

    Enabled indicates whether passed compliance checks is enabled by policy.

  • app string

    App is the app that is hosted in the container.

  • cloudMetadata object

    CloudMetadata is the metadata for an instance running in a cloud provider (AWS/GCP/Azure)

  • accountID string

    Cloud account ID.

  • awsExecutionEnv string

    AWS execution environment (e.g. EC2/Fargate).

  • image string

    Image name.

  • labels object[]

    Cloud provider metadata labels.

  • Array [
  • key string

    Label key.

  • sourceName string

    Source name (e.g., for a namespace, the source name can be 'twistlock').

  • sourceType common.ExternalLabelSourceType

    Possible values: [namespace,deployment,aws,azure,gcp,oci]

    ExternalLabelSourceType indicates the source of the labels

  • timestamp date-time

    Time when the label was fetched.

  • value string

    Value of the label.

  • ]
  • name string

    Instance name.

  • provider common.CloudProvider

    Possible values: [aws,azure,gcp,alibaba,oci,others]

    CloudProvider specifies the cloud provider name

  • region string

    Instance region.

  • resourceID string

    Unique ID of the resource.

  • resourceURL string

    Server-defined URL for the resource.

  • type string

    Instance type.

  • vmID string

    Azure unique vm ID.

  • vmImageID string

    VMImageID holds the VM image ID.

  • cluster string

    Cluster is the provided cluster name.

  • clusterType common.ClusterType

    Possible values: [AKS,ECS,EKS,GKE,Kubernetes]

    ClusterType is the cluster type

  • complianceDistribution object

    Distribution counts the container's compliance issues per severity.

  • critical integer

    Number of critical-severity issues.

  • high integer

    Number of high-severity issues.

  • low integer

    Number of low-severity issues.

  • medium integer

    Number of medium-severity issues.

  • total integer

    Total number of issues across all severities.

  • complianceIssues object[]

    ComplianceIssues are all the container compliance issues.

  • Array [
  • applicableRules string[]

    Rules applied on the package.

  • binaryPkgs string[]

    Names of the distro binary packages (packages built from the source of the package).

  • block boolean

    Indicates if the vulnerability has a block effect (true) or not (false).

  • cause string

    Additional information regarding the root cause for the vulnerability.

  • cri boolean

    Indicates if this is a CRI-specific vulnerability (true) or not (false).

  • custom boolean

    Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

  • cve string

    CVE ID of the vulnerability (if applied).

  • cvss float

    CVSS score of the vulnerability.

  • description string

    Description of the vulnerability.

  • discovered date-time

    Specifies the time of discovery for the vulnerability.

  • exploit vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

  • exploits object[]

    Exploits represents the exploits data found for a CVE

  • Array [
  • kind vuln.ExploitKind

    Possible values: [poc,in-the-wild]

    ExploitKind represents the kind of the exploit

  • link string

    Link is a link to information about the exploit.

  • source vuln.ExploitType

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

  • ]
  • fixDate int64

    Date/time when the vulnerability was fixed (in Unix time).

  • fixLink string

    Link to the vendor's fixed-version information.

  • functionLayer string

    Specifies the serverless layer ID in which the vulnerability was discovered.

  • gracePeriodDays integer

    Number of grace days left for a vulnerability, based on the configured grace period. Null if no blocking vulnerability rule applies.

  • id integer

    ID of the violation.

  • layerTime int64

    Date/time of the image layer to which the CVE belongs.

  • link string

    Vendor link to the CVE.

  • packageName string

    Name of the package that caused the vulnerability.

  • packageVersion string

    Version of the package that caused the vulnerability (or null).

  • published int64

    Date/time when the vulnerability was published (in Unix time).

  • riskFactors object

    RiskFactors maps the existence of vulnerability risk factors

  • <risk factor name> string

    Free-form keys: one entry per risk factor that applies to the finding, keyed by the risk factor's name.
  • severity string

    Textual representation of the vulnerability's severity.

  • status string

    Vendor status for the vulnerability.

  • templates vuln.ComplianceTemplate[]

    Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

    List of templates with which the vulnerability is associated.

  • text string

    Description of the violation.

  • title string

    Compliance title.

  • twistlock boolean

    Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

  • type vuln.Type

    Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux]

    Type represents the vulnerability type

  • vecStr string

    Textual representation of the metric values used to score the vulnerability.

  • vulnTagInfos object[]

    Tag information for the vulnerability.

  • Array [
  • color common.Color

    Color is a hexadecimal representation of color code value

  • comment string

    Tag comment in a specific vulnerability context.

  • name string

    Name of the tag.

  • ]
  • ]
  • complianceIssuesCount integer

    Number of entries in complianceIssues.

  • complianceRiskScore float

    ComplianceRiskScore is the container's compliance risk score.

  • externalLabels object[]

    ExternalLabels is the external labels e.g., kubernetes namespace labels.

  • Array [
  • key string

    Label key.

  • sourceName string

    Source name (e.g., for a namespace, the source name can be 'twistlock').

  • sourceType common.ExternalLabelSourceType

    Possible values: [namespace,deployment,aws,azure,gcp,oci]

    ExternalLabelSourceType indicates the source of the labels

  • timestamp date-time

    Time when the label was fetched.

  • value string

    Value of the label.

  • ]
  • id string

    ID is the container id.

  • image string

    Image is the canonical image name.

  • imageID string

    ImageID is the image id.

  • imageName string

    Deprecated: The image name as stated in the docker run command.

  • infra boolean

    Infra represents any container that belongs to the infrastructure.

  • installedProducts object

    InstalledProducts contains data regarding products running in the environment. Docker Swarm support was deprecated in the Joule release; the swarmManager and swarmNode fields, and their related compliance checks, are scheduled for removal and should not be relied on.

  • agentless boolean

    Agentless indicates whether the scan was performed with agentless approach.

  • apache string

    Apache indicates the apache server version, empty in case apache not running.

  • awsCloud boolean

    AWSCloud indicates whether AWS cloud is used.

  • crio boolean

    CRI indicates whether the container runtime is CRI (and not docker).

  • docker string

    Docker represents the docker daemon version.

  • dockerEnterprise boolean

    DockerEnterprise indicates whether the enterprise version of Docker is installed.

  • hasPackageManager boolean

    HasPackageManager indicates whether package manager is installed on the OS.

  • k8sApiServer boolean

    K8sAPIServer indicates whether a kubernetes API server is running.

  • k8sControllerManager boolean

    K8sControllerManager indicates whether a kubernetes controller manager is running.

  • k8sEtcd boolean

    K8sEtcd indicates whether etcd is running.

  • k8sFederationApiServer boolean

    K8sFederationAPIServer indicates whether a federation API server is running.

  • k8sFederationControllerManager boolean

    K8sFederationControllerManager indicates whether a federation controller manager is running.

  • k8sKubelet boolean

    K8sKubelet indicates whether kubelet is running.

  • k8sProxy boolean

    K8sProxy indicates whether a kubernetes proxy is running.

  • k8sScheduler boolean

    K8sScheduler indicates whether the kubernetes scheduler is running.

  • kubernetes string

    Kubernetes represents the kubernetes version.

  • openshift boolean

    Openshift indicates whether openshift is deployed.

  • openshiftVersion string

    OpenshiftVersion represents the running openshift version.

  • osDistro string

    OSDistro specifies the os distribution.

  • serverless boolean

    Serverless indicates whether evaluated on a serverless environment.

  • swarmManager boolean

    SwarmManager indicates whether a swarm manager is running.

  • swarmNode boolean

    SwarmNode indicates whether the node is part of an active swarm.

  • labels string[]

    Labels are the container labels (https://docs.docker.com/engine/userguide/labels-custom-metadata/).

  • name string

    Name is the container name.

  • namespace string

    Namespace is the k8s deployment namespace.

  • network object

    ContainerNetwork contains details about the container network (ports, IPs, type etc...)

  • ports object[]

    Ports are the ports details associated with the container.

  • Array [
  • container integer

    Container is the mapped port inside the container.

  • host integer

    Host is the host port number.

  • hostIP string

    HostIP is the host IP.

  • listening boolean

    Listening indicates whether the port is in listening mode.

  • nat boolean

    NAT indicates the port is exposed using NAT.

  • ]
  • networkSettings object

    DockerNetworkInfo contains network-related information about a container

  • ipAddress string

    IPAddress is the container IP.

  • macAddress string

    MacAddress is the container MAC.

  • networks object[]

    Networks are the networks the container is connected to.

  • Array [
  • ipAddress string

    IPAddress is the container IP.

  • macAddress string

    MacAddress is the container MAC.

  • name string

    Name is the network name.

  • ]
  • ports object[]

    Ports are the container network binding that are externally mapped.

  • Array [
  • containerPort string

    ContainerPort is the mapped port inside the container.

  • hostIP string

    HostIP is the host IP.

  • hostPort integer

    HostPort is the host port.

  • ]
  • processes object[]

    Processes are the processes that are running inside the container.

  • Array [
  • name string

    Name is a process name.

  • ]
  • profileID string

    ProfileID is the container profile id.

  • sizeBytes int64

    Size of the container, in bytes.

  • startTime date-time

    StartTime is the starting time of the container.

  • runtimeEnabled boolean

    RuntimeEnabled indicates if any runtime rule applies to the container.

  • scanTime date-time

    ScanTime is the container scan time.

  • ]
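
As an added example (not part of the documentation or the product), the following Python triages a list of container scan reports in the schema above. It flags containers whose HTTP listeners WAAS could protect but does not (firewallProtection.supported without enabled, with the listeners taken from unprotectedProcesses), containers failing a compliance check whose rule has a block effect, and container ports NAT-mapped onto a host address under info.network.ports. The two reports in SAMPLE_REPORTS are constructed for the example; nested objects are read defensively because the schema does not mark any field as required.

```python
"""Added example: triaging GET /containers results. Not from the Prisma Cloud
Compute docs or product; field names follow the response schema on this page."""
from typing import Any, Dict, List

Report = Dict[str, Any]

SAMPLE_REPORTS: List[Report] = [  # constructed sample, shaped like the documented schema
    {
        "_id": "c0ffee01", "hostname": "node-1", "collections": ["prod"],
        "firewallProtection": {
            "supported": True, "enabled": False, "ports": [8080], "tlsPorts": [],
            "unprotectedProcesses": [{"port": 8080, "process": "node", "tls": False}],
        },
        "info": {
            "name": "api", "namespace": "payments", "image": "registry.example/api:1.2",
            "complianceDistribution": {"critical": 1, "high": 0, "medium": 1, "low": 0, "total": 2},
            "complianceIssues": [
                {"id": 1, "severity": "critical", "block": True, "title": "sample check A"},
                {"id": 2, "severity": "medium", "block": False, "title": "sample check B"},
            ],
            "network": {"ports": [
                {"container": 8080, "host": 80, "hostIP": "0.0.0.0", "listening": True, "nat": True},
            ]},
        },
    },
    {
        "_id": "c0ffee02", "hostname": "node-2", "collections": ["prod"],
        "firewallProtection": {"supported": True, "enabled": True, "ports": [443],
                               "tlsPorts": [443], "unprotectedProcesses": []},
        "info": {
            "name": "worker", "namespace": "batch", "image": "registry.example/worker:3",
            "complianceDistribution": {"critical": 0, "high": 0, "medium": 0, "low": 1, "total": 1},
            "complianceIssues": [{"id": 3, "severity": "low", "block": False, "title": "sample check C"}],
            "network": {"ports": [
                {"container": 9090, "host": 0, "hostIP": "", "listening": True, "nat": False},
            ]},
        },
    },
]


def unprotected_web_processes(reports: List[Report]):
    """(container id, process, port, tls) where WAAS is supported but not enabled."""
    out = []
    for r in reports:
        fw = r.get("firewallProtection") or {}
        if fw.get("supported") and not fw.get("enabled"):
            for p in fw.get("unprotectedProcesses") or []:
                out.append((r["_id"], p["process"], p["port"], p["tls"]))
    return out


def blocking_compliance_issues(reports: List[Report]):
    """Map container id -> ids of compliance issues whose rule has a block effect."""
    out = {}
    for r in reports:
        issues = (r.get("info") or {}).get("complianceIssues") or []
        blocked = [i["id"] for i in issues if i.get("block")]
        if blocked:
            out[r["_id"]] = blocked
    return out


def host_exposed_ports(reports: List[Report]):
    """(container id, host IP, host port, container port) for NAT-mapped ports."""
    out = []
    for r in reports:
        ports = ((r.get("info") or {}).get("network") or {}).get("ports") or []
        for p in ports:
            if p.get("nat") and p.get("host"):
                out.append((r["_id"], p.get("hostIP") or "", p["host"], p["container"]))
    return out


def triage(reports: List[Report]):
    """One row per container, ordered by blocking issues, critical count, then exposure."""
    blocked = blocking_compliance_issues(reports)
    exposed = {cid for cid, *_ in host_exposed_ports(reports)}
    unprotected = {cid for cid, *_ in unprotected_web_processes(reports)}
    rows = []
    for r in reports:
        info = r.get("info") or {}
        dist = info.get("complianceDistribution") or {}
        rows.append({
            "id": r["_id"], "name": info.get("name"),
            "blocking_issues": blocked.get(r["_id"], []),
            "critical": dist.get("critical", 0),
            "host_exposed": r["_id"] in exposed,
            "waas_unprotected": r["_id"] in unprotected,
        })
    rows.sort(key=lambda x: (-len(x["blocking_issues"]), -x["critical"],
                             -int(x["host_exposed"]), -int(x["waas_unprotected"])))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_REPORTS):
        print(row)
```

Feed triage() the list returned by the endpoint (every page concatenated) to get a ranked worklist; the three helper functions are independent so each can drive its own alert or ticket.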