Container App Firewall Policy Impacted
GET/api/v33.02/policies/firewall/app/container/impacted
x-prisma-cloud-target-env: {"permission":"policyWAAS"}
Returns a list of containers for which the firewall policy rule applies to.
Request
Query Parameters
Offsets the result to a specific report count. Offset starts from 0.
Limit is the amount to fix.
Sorts the result using a key.
Sorts the result in reverse order.
RuleName is the rule name to apply.
Responses
- 200
- default
- application/json
- Schema
- Example (from schema)
Schema
- Array [
- Array [
- ]
- Array [
- Array [
- ]
- Array [
- ]
- ]
- Array [
- ]
- Array [
- Array [
- ]
- Array [
- ]
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
- ]
ID is the container ID.
Agentless indicates if the result was received by an agentless scanner.
AgentlessScanID is the ID of the agentless scan in which the result was received.
AIS indicates the scan was performed by AIS.
Collections are collections to which this container applies.
CSA indicates the scan was performed by the CSA.
firewallProtection object
ProtectionStatus describes the status of the WAAS protection
Enabled indicates if WAAS proxy protection is enabled (true) or not (false).
Possible values: [,Observation,Protection
]
OutOfBandMode holds the app firewall out-of-band mode
Ports indicates http open ports associated with the container.
Supported indicates if WAAS protection is supported (true) or not (false).
TLSPorts indicates https open ports associated with the container.
unprotectedProcesses object[]
UnprotectedProcesses holds the processes that support HTTP/HTTPS without WAAS protection.
Port is the process port.
Process is the process name.
TLS is the port TLS indication.
Hostname is the hostname on which the container is deployed.
info object
ContainerInfo contains all information gathered on a specific container
allCompliance object
AllCompliance contains data regarding passed compliance checks
compliance object[]
Compliance are all the passed compliance checks.
Rules applied on the package.
Names of the distro binary package names (packages which are built from the source of the package).
Indicates if the vulnerability has a block effect (true) or not (false).
Additional information regarding the root cause for the vulnerability.
Indicates if this is a CRI-specific vulnerability (true) or not (false).
Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).
CVE ID of the vulnerability (if applied).
CVSS score of the vulnerability.
Description of the vulnerability.
Specifies the time of discovery for the vulnerability.
Possible values: [,exploit-db,exploit-windows,cisa-kev
]
ExploitType represents the source of an exploit
exploits object[]
Exploits represents the exploits data found for a CVE
Possible values: [poc,in-the-wild
]
ExploitKind represents the kind of the exploit
Link is a link to information about the exploit.
Possible values: [,exploit-db,exploit-windows,cisa-kev
]
ExploitType represents the source of an exploit
Date/time when the vulnerability was fixed (in Unix time).
Link to the vendor's fixed-version information.
Specifies the serverless layer ID in which the vulnerability was discovered.
Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.
ID of the violation.
Date/time of the image layer to which the CVE belongs.
Vendor link to the CVE.
Name of the package that caused the vulnerability.
Possible values: [nodejs,gem,python,jar,package,windows,binary,nuget,go,app,unknown
]
Type describes the package type
Version of the package that caused the vulnerability (or null).
Date/time when the vulnerability was published (in Unix time).
riskFactors object
RiskFactors maps the existence of vulnerability risk factors
secret object
Secret represents a secret found on the scanned workload
Group is a group name or ID of owner the file metadata containing the secret.
LocationInFile is the line and offset in the file where the secret was found.
MetadataModifiedTime is the modification time of the file metadata containing the secret.
ModifiedTime is the modification time of the file containing the secret.
.
Path is the path of the file in which the secret was found.
Permissions are permission bits of the file metadata containing the secret.
SecretID is the SHA1 of the secret content.
Size is the size in bytes of the file in which the secret was found.
Snippet is the partial plain secret.
Possible values: [AWS Access Key ID,AWS Secret Key,AWS MWS Auth Token,Azure Storage Account Access Key,Azure Service Principal,GCP Service Account Auth Key,Private Encryption Key,Public Encryption Key,PEM X509 Certificate Header,SSH Authorized Keys,Artifactory API Token,Artifactory Password,Basic Auth Credentials,Mailchimp Access Key,NPM Token,Slack Token,Slack Webhook,Square OAuth Secret,Notion Integration Token,Airtable API Key,Atlassian Oauth2 Keys,CircleCI Personal Token,Databricks Authentication Token,GitHub Token,GitLab Token,Google API key,Grafana Token,Python Package Index Key (PYPI),Typeform API Token,Scalr Token,Braintree Access Token,Braintree Payments Key,Paypal Token Key,Braintree Payments ID,Datadog Client Token,ClickUp Personal API Token,OpenAI API Key,Java DB Connectivity (JDBC),MongoDB,.Net SQL Server
]
SecretType represents a secret type
User is a username or ID of owner the file metadata containing the secret.
Textual representation of the vulnerability's severity.
Vendor status for the vulnerability.
Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG
]
List of templates with which the vulnerability is associated.
Description of the violation.
Compliance title.
Indicates if this is a Twistlock-specific vulnerability (true) or not (false).
Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux,gke_worker,image_malware,host_malware,aks_worker,eks_worker,image_secret,host_secret
]
Type represents the vulnerability type
Textual representation of the metric values used to score the vulnerability.
vulnTagInfos object[]
Tag information for the vulnerability.
Color is a hexadecimal representation of color code value
Tag comment in a specific vulnerability context.
Name of the tag.
wildfireMalware object
WildFireMalware holds the data for WildFire malicious MD5
MD5 is the hash of the malicious binary.
Path is the path to malicious binary.
Verdict is the malicious source like grayware, malware and phishing.
Enabled indicates whether passed compliance checks is enabled by policy.
App is the app that is hosted in the container.
cloudMetadata object
CloudMetadata is the metadata for a cloud provider managed asset (e.g., as part of AWS/GCP/Azure/OCI)
Cloud account ID.
AWS execution environment (e.g. EC2/Fargate).
The name of the image the cloud managed host or container is based on.
labels object[]
Cloud provider metadata labels.
Label key.
Source name (e.g., for a namespace, the source name can be 'twistlock').
Possible values: [namespace,deployment,aws,azure,gcp,oci
]
ExternalLabelSourceType indicates the source of the labels
Time when the label was fetched.
Value of the label.
Resource name.
Possible values: [aws,azure,gcp,alibaba,oci,others
]
CloudProvider specifies the cloud provider name
Resource's region.
Unique ID of the resource.
Server-defined URL for the resource.
Instance type.
Azure unique vm ID.
VMImageID holds the VM instance's image ID.
Cluster is the provided cluster name.
Possible values: [AKS,ECS,EKS,GKE,Kubernetes
]
ClusterType is the cluster type
complianceDistribution object
Distribution counts the number of vulnerabilities per type
.
.
.
.
.
complianceIssues object[]
ComplianceIssues are all the container compliance issues.
Rules applied on the package.
Names of the distro binary package names (packages which are built from the source of the package).
Indicates if the vulnerability has a block effect (true) or not (false).
Additional information regarding the root cause for the vulnerability.
Indicates if this is a CRI-specific vulnerability (true) or not (false).
Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).
CVE ID of the vulnerability (if applied).
CVSS score of the vulnerability.
Description of the vulnerability.
Specifies the time of discovery for the vulnerability.
Possible values: [,exploit-db,exploit-windows,cisa-kev
]
ExploitType represents the source of an exploit
exploits object[]
Exploits represents the exploits data found for a CVE
Possible values: [poc,in-the-wild
]
ExploitKind represents the kind of the exploit
Link is a link to information about the exploit.
Possible values: [,exploit-db,exploit-windows,cisa-kev
]
ExploitType represents the source of an exploit
Date/time when the vulnerability was fixed (in Unix time).
Link to the vendor's fixed-version information.
Specifies the serverless layer ID in which the vulnerability was discovered.
Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.
ID of the violation.
Date/time of the image layer to which the CVE belongs.
Vendor link to the CVE.
Name of the package that caused the vulnerability.
Possible values: [nodejs,gem,python,jar,package,windows,binary,nuget,go,app,unknown
]
Type describes the package type
Version of the package that caused the vulnerability (or null).
Date/time when the vulnerability was published (in Unix time).
riskFactors object
RiskFactors maps the existence of vulnerability risk factors
secret object
Secret represents a secret found on the scanned workload
Group is a group name or ID of owner the file metadata containing the secret.
LocationInFile is the line and offset in the file where the secret was found.
MetadataModifiedTime is the modification time of the file metadata containing the secret.
ModifiedTime is the modification time of the file containing the secret.
.
Path is the path of the file in which the secret was found.
Permissions are permission bits of the file metadata containing the secret.
SecretID is the SHA1 of the secret content.
Size is the size in bytes of the file in which the secret was found.
Snippet is the partial plain secret.
Possible values: [AWS Access Key ID,AWS Secret Key,AWS MWS Auth Token,Azure Storage Account Access Key,Azure Service Principal,GCP Service Account Auth Key,Private Encryption Key,Public Encryption Key,PEM X509 Certificate Header,SSH Authorized Keys,Artifactory API Token,Artifactory Password,Basic Auth Credentials,Mailchimp Access Key,NPM Token,Slack Token,Slack Webhook,Square OAuth Secret,Notion Integration Token,Airtable API Key,Atlassian Oauth2 Keys,CircleCI Personal Token,Databricks Authentication Token,GitHub Token,GitLab Token,Google API key,Grafana Token,Python Package Index Key (PYPI),Typeform API Token,Scalr Token,Braintree Access Token,Braintree Payments Key,Paypal Token Key,Braintree Payments ID,Datadog Client Token,ClickUp Personal API Token,OpenAI API Key,Java DB Connectivity (JDBC),MongoDB,.Net SQL Server
]
SecretType represents a secret type
User is a username or ID of owner the file metadata containing the secret.
Textual representation of the vulnerability's severity.
Vendor status for the vulnerability.
Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG
]
List of templates with which the vulnerability is associated.
Description of the violation.
Compliance title.
Indicates if this is a Twistlock-specific vulnerability (true) or not (false).
Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux,gke_worker,image_malware,host_malware,aks_worker,eks_worker,image_secret,host_secret
]
Type represents the vulnerability type
Textual representation of the metric values used to score the vulnerability.
vulnTagInfos object[]
Tag information for the vulnerability.
Color is a hexadecimal representation of color code value
Tag comment in a specific vulnerability context.
Name of the tag.
wildfireMalware object
WildFireMalware holds the data for WildFire malicious MD5
MD5 is the hash of the malicious binary.
Path is the path to malicious binary.
Verdict is the malicious source like grayware, malware and phishing.
.
ComplianceRiskScore is the container's compliance risk score.
externalLabels object[]
ExternalLabels is the external labels e.g., kubernetes namespace labels.
Label key.
Source name (e.g., for a namespace, the source name can be 'twistlock').
Possible values: [namespace,deployment,aws,azure,gcp,oci
]
ExternalLabelSourceType indicates the source of the labels
Time when the label was fetched.
Value of the label.
ID is the container id.
Image is the canonical image name.
ImageID is the image id.
The image name as stated in the docker run command.
Infra represents any container that belongs to the infrastructure.
installedProducts object
InstalledProducts contains data regarding products running in environment TODO #34713: Swarm support was deprecated in Joule, remove swarm node/manager boolean (and related compliance) in Lagrange
Agentless indicates whether the scan was performed with agentless approach.
Apache indicates the apache server version, empty in case apache not running.
AWSCloud indicates whether AWS cloud is used.
Possible values: [AKS,ECS,EKS,GKE,Kubernetes
]
ClusterType is the cluster type
CRI indicates whether the container runtime is CRI (and not docker).
Docker represents the docker daemon version.
DockerEnterprise indicates whether the enterprise version of Docker is installed.
HasPackageManager indicates whether package manager is installed on the OS.
K8sAPIServer indicates whether a kubernetes API server is running.
K8sControllerManager indicates whether a kubernetes controller manager is running.
K8sEtcd indicates whether etcd is running.
K8sFederationAPIServer indicates whether a federation API server is running.
K8sFederationControllerManager indicates whether a federation controller manager is running.
K8sKubelet indicates whether kubelet is running.
K8sProxy indicates whether a kubernetes proxy is running.
K8sScheduler indicates whether the kubernetes scheduler is running.
Kubernetes represents the kubernetes version.
ManagedClusterVersion is the version of the managed Kubernetes service, e.g. AKS/EKS/GKE/etc.
Openshift indicates whether openshift is deployed.
OpenshiftVersion represents the running openshift version.
OSDistro specifies the os distribution.
Serverless indicates whether evaluated on a serverless environment.
SwarmManager indicates whether a swarm manager is running.
SwarmNode indicates whether the node is part of an active swarm.
Labels are the container labels (https://docs.docker.com/engine/userguide/labels-custom-metadata/).
Name is the container name.
Namespace is the k8s deployment namespace.
network object
ContainerNetwork contains details about the container network (ports, IPs, type etc...)
ports object[]
Ports are the ports details associated with the container.
Container is the mapped port inside the container.
Host is the host port number.
HostIP is the host IP.
Listening indicates whether the port is in listening mode.
NAT indicates the port is exposed using NAT.
networkSettings object
DockerNetworkInfo contains network-related information about a container
IPAddress is the container IP.
MacAddress is the container MAC.
networks object[]
Networks are the networks the container is connected to.
IPAddress is the container IP.
MacAddress is the container MAC.
Name is the network name.
ports object[]
Ports are the container network binding that are externally mapped.
ContainerPort is the mapped port inside the container.
HostIP is the host IP.
HostPort is the host port.
processes object[]
Processes are the processes that are running inside the container.
Name is a process name.
ProfileID is the container profile id.
.
StartTime is the starting time of the container.
MarkedForDeletion indicates whether a container is marked for deletion.
RuntimeEnabled indicates if any runtime rule applies to the container.
ScanTime is the container scan time.
[
{
"_id": "string",
"agentless": true,
"agentlessScanID": 0,
"ais": true,
"collections": [
"string"
],
"csa": true,
"firewallProtection": {
"enabled": true,
"outOfBandMode": [
"",
"Observation",
"Protection"
],
"ports": [
0
],
"supported": true,
"tlsPorts": [
0
],
"unprotectedProcesses": [
{
"port": 0,
"process": "string",
"tls": true
}
]
},
"hostname": "string",
"info": {
"allCompliance": {
"compliance": [
{
"applicableRules": [
"string"
],
"binaryPkgs": [
"string"
],
"block": true,
"cause": "string",
"cri": true,
"custom": true,
"cve": "string",
"cvss": 0,
"description": "string",
"discovered": "2024-07-29T15:51:28.071Z",
"exploit": [
"",
"exploit-db",
"exploit-windows",
"cisa-kev"
],
"exploits": [
{
"kind": [
"poc",
"in-the-wild"
],
"link": "string",
"source": [
"",
"exploit-db",
"exploit-windows",
"cisa-kev"
]
}
],
"fixDate": 0,
"fixLink": "string",
"functionLayer": "string",
"gracePeriodDays": 0,
"id": 0,
"layerTime": 0,
"link": "string",
"packageName": "string",
"packageType": [
"nodejs",
"gem",
"python",
"jar",
"package",
"windows",
"binary",
"nuget",
"go",
"app",
"unknown"
],
"packageVersion": "string",
"published": 0,
"riskFactors": {},
"secret": {
"group": "string",
"locationInFile": "string",
"metadataModifiedTime": 0,
"modifiedTime": 0,
"originalFileLocation": "string",
"path": "string",
"permissions": "string",
"secretID": "string",
"size": 0,
"snippet": "string",
"type": [
"AWS Access Key ID",
"AWS Secret Key",
"AWS MWS Auth Token",
"Azure Storage Account Access Key",
"Azure Service Principal",
"GCP Service Account Auth Key",
"Private Encryption Key",
"Public Encryption Key",
"PEM X509 Certificate Header",
"SSH Authorized Keys",
"Artifactory API Token",
"Artifactory Password",
"Basic Auth Credentials",
"Mailchimp Access Key",
"NPM Token",
"Slack Token",
"Slack Webhook",
"Square OAuth Secret",
"Notion Integration Token",
"Airtable API Key",
"Atlassian Oauth2 Keys",
"CircleCI Personal Token",
"Databricks Authentication Token",
"GitHub Token",
"GitLab Token",
"Google API key",
"Grafana Token",
"Python Package Index Key (PYPI)",
"Typeform API Token",
"Scalr Token",
"Braintree Access Token",
"Braintree Payments Key",
"Paypal Token Key",
"Braintree Payments ID",
"Datadog Client Token",
"ClickUp Personal API Token",
"OpenAI API Key",
"Java DB Connectivity (JDBC)",
"MongoDB",
".Net SQL Server"
],
"user": "string"
},
"severity": "string",
"status": "string",
"templates": [
[
"PCI",
"HIPAA",
"NIST SP 800-190",
"GDPR",
"DISA STIG"
]
],
"text": "string",
"title": "string",
"twistlock": true,
"type": [
"container",
"image",
"host_config",
"daemon_config",
"daemon_config_files",
"security_operations",
"k8s_master",
"k8s_worker",
"k8s_federation",
"linux",
"windows",
"istio",
"serverless",
"custom",
"docker_stig",
"openshift_master",
"openshift_worker",
"application_control_linux",
"gke_worker",
"image_malware",
"host_malware",
"aks_worker",
"eks_worker",
"image_secret",
"host_secret"
],
"vecStr": "string",
"vulnTagInfos": [
{
"color": "string",
"comment": "string",
"name": "string"
}
],
"wildfireMalware": {
"md5": "string",
"path": "string",
"verdict": "string"
}
}
],
"enabled": true
},
"app": "string",
"cloudMetadata": {
"accountID": "string",
"awsExecutionEnv": "string",
"image": "string",
"labels": [
{
"key": "string",
"sourceName": "string",
"sourceType": [
"namespace",
"deployment",
"aws",
"azure",
"gcp",
"oci"
],
"timestamp": "2024-07-29T15:51:28.071Z",
"value": "string"
}
],
"name": "string",
"provider": [
"aws",
"azure",
"gcp",
"alibaba",
"oci",
"others"
],
"region": "string",
"resourceID": "string",
"resourceURL": "string",
"type": "string",
"vmID": "string",
"vmImageID": "string"
},
"cluster": "string",
"clusterType": [
"AKS",
"ECS",
"EKS",
"GKE",
"Kubernetes"
],
"complianceDistribution": {
"critical": 0,
"high": 0,
"low": 0,
"medium": 0,
"total": 0
},
"complianceIssues": [
{
"applicableRules": [
"string"
],
"binaryPkgs": [
"string"
],
"block": true,
"cause": "string",
"cri": true,
"custom": true,
"cve": "string",
"cvss": 0,
"description": "string",
"discovered": "2024-07-29T15:51:28.071Z",
"exploit": [
"",
"exploit-db",
"exploit-windows",
"cisa-kev"
],
"exploits": [
{
"kind": [
"poc",
"in-the-wild"
],
"link": "string",
"source": [
"",
"exploit-db",
"exploit-windows",
"cisa-kev"
]
}
],
"fixDate": 0,
"fixLink": "string",
"functionLayer": "string",
"gracePeriodDays": 0,
"id": 0,
"layerTime": 0,
"link": "string",
"packageName": "string",
"packageType": [
"nodejs",
"gem",
"python",
"jar",
"package",
"windows",
"binary",
"nuget",
"go",
"app",
"unknown"
],
"packageVersion": "string",
"published": 0,
"riskFactors": {},
"secret": {
"group": "string",
"locationInFile": "string",
"metadataModifiedTime": 0,
"modifiedTime": 0,
"originalFileLocation": "string",
"path": "string",
"permissions": "string",
"secretID": "string",
"size": 0,
"snippet": "string",
"type": [
"AWS Access Key ID",
"AWS Secret Key",
"AWS MWS Auth Token",
"Azure Storage Account Access Key",
"Azure Service Principal",
"GCP Service Account Auth Key",
"Private Encryption Key",
"Public Encryption Key",
"PEM X509 Certificate Header",
"SSH Authorized Keys",
"Artifactory API Token",
"Artifactory Password",
"Basic Auth Credentials",
"Mailchimp Access Key",
"NPM Token",
"Slack Token",
"Slack Webhook",
"Square OAuth Secret",
"Notion Integration Token",
"Airtable API Key",
"Atlassian Oauth2 Keys",
"CircleCI Personal Token",
"Databricks Authentication Token",
"GitHub Token",
"GitLab Token",
"Google API key",
"Grafana Token",
"Python Package Index Key (PYPI)",
"Typeform API Token",
"Scalr Token",
"Braintree Access Token",
"Braintree Payments Key",
"Paypal Token Key",
"Braintree Payments ID",
"Datadog Client Token",
"ClickUp Personal API Token",
"OpenAI API Key",
"Java DB Connectivity (JDBC)",
"MongoDB",
".Net SQL Server"
],
"user": "string"
},
"severity": "string",
"status": "string",
"templates": [
[
"PCI",
"HIPAA",
"NIST SP 800-190",
"GDPR",
"DISA STIG"
]
],
"text": "string",
"title": "string",
"twistlock": true,
"type": [
"container",
"image",
"host_config",
"daemon_config",
"daemon_config_files",
"security_operations",
"k8s_master",
"k8s_worker",
"k8s_federation",
"linux",
"windows",
"istio",
"serverless",
"custom",
"docker_stig",
"openshift_master",
"openshift_worker",
"application_control_linux",
"gke_worker",
"image_malware",
"host_malware",
"aks_worker",
"eks_worker",
"image_secret",
"host_secret"
],
"vecStr": "string",
"vulnTagInfos": [
{
"color": "string",
"comment": "string",
"name": "string"
}
],
"wildfireMalware": {
"md5": "string",
"path": "string",
"verdict": "string"
}
}
],
"complianceIssuesCount": 0,
"complianceRiskScore": 0,
"externalLabels": [
{
"key": "string",
"sourceName": "string",
"sourceType": [
"namespace",
"deployment",
"aws",
"azure",
"gcp",
"oci"
],
"timestamp": "2024-07-29T15:51:28.071Z",
"value": "string"
}
],
"id": "string",
"image": "string",
"imageID": "string",
"imageName": "string",
"infra": true,
"installedProducts": {
"agentless": true,
"apache": "string",
"awsCloud": true,
"clusterType": [
"AKS",
"ECS",
"EKS",
"GKE",
"Kubernetes"
],
"crio": true,
"docker": "string",
"dockerEnterprise": true,
"hasPackageManager": true,
"k8sApiServer": true,
"k8sControllerManager": true,
"k8sEtcd": true,
"k8sFederationApiServer": true,
"k8sFederationControllerManager": true,
"k8sKubelet": true,
"k8sProxy": true,
"k8sScheduler": true,
"kubernetes": "string",
"managedClusterVersion": "string",
"openshift": true,
"openshiftVersion": "string",
"osDistro": "string",
"serverless": true,
"swarmManager": true,
"swarmNode": true
},
"labels": [
"string"
],
"name": "string",
"namespace": "string",
"network": {
"ports": [
{
"container": 0,
"host": 0,
"hostIP": "string",
"listening": true,
"nat": true
}
]
},
"networkSettings": {
"ipAddress": "string",
"macAddress": "string",
"networks": [
{
"ipAddress": "string",
"macAddress": "string",
"name": "string"
}
],
"ports": [
{
"containerPort": "string",
"hostIP": "string",
"hostPort": 0
}
]
},
"processes": [
{
"name": "string"
}
],
"profileID": "string",
"sizeBytes": 0,
"startTime": "2024-07-29T15:51:28.071Z"
},
"markedForDeletion": true,
"runtimeEnabled": true,
"scanTime": "2024-07-29T15:51:28.071Z"
}
]