
Update Runtime Impacted Container Policy

GET 

/api/v33.02/policies/runtime/container/impacted

x-prisma-cloud-target-env: {"permission":"policyRuntimeContainer"}

Returns the containers impacted by a given runtime container rule. In the Console UI, you can see the same result by going to the Defend > Runtime > Container policy page and clicking the Show link for a rule.

cURL Request

Refer to the following example cURL command. The -k flag disables TLS certificate verification; use it only against a lab Console, and replace it with --cacert pointing at the Console's CA certificate in production:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
'https://<CONSOLE>/api/v<VERSION>/policies/runtime/container/impacted?ruleName={ruleName}'

If the rule name contains spaces or other characters that must be URL-encoded (as the default rule name does), let curl encode it with -G and --data-urlencode instead of embedding it in the URL:

$ curl -k -G \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
--data-urlencode 'ruleName=Default - alert on suspicious runtime behavior' \
'https://<CONSOLE>/api/v<VERSION>/policies/runtime/container/impacted'

Request

Query Parameters

    offset integer

    Number of results to skip before the first returned item. Offset starts from 0.

    limit integer

    Maximum number of results to return.

    sort string

    Sorts the result using a key.

    reverse boolean

    Sorts the result in reverse order.

    ruleName string

    Name of the runtime container rule whose impacted containers are returned.
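
The following Python script is an added example, not Prisma Cloud's own client code. It builds the request URL with the rule name URL-encoded (what the -G --data-urlencode form of the cURL command does), pages through the results with offset and limit until a short page comes back, and verifies the Console's TLS certificate against a CA file instead of disabling verification as -k does. The Console hostname, the credentials and CA file path taken by http_transport, and the in-memory fixture served by fake_transport are assumptions made so the script runs offline; against a real Console, pass http_transport(...) in place of fake_transport.

```python
"""Page through GET /api/v<VERSION>/policies/runtime/container/impacted for one rule.

Added example, not Prisma Cloud's own client code. The Console hostname,
credentials, CA file and the fixture behind fake_transport are assumptions
so the script runs offline.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

# Default rule name shipped with the product (see the cURL example above).
RULE = "Default - alert on suspicious runtime behavior"
PAGE_SIZE = 50  # value sent as `limit`; the Console may cap it server-side


def impacted_url(console: str, version: str, rule_name: str,
                 offset: int = 0, limit: int = PAGE_SIZE) -> str:
    """Build the request URL with the query string properly encoded.

    Rule names contain spaces, so ruleName must be URL-encoded; embedding
    it raw in the URL (as in the first cURL example) breaks on such names.
    """
    query = urllib.parse.urlencode(
        {"ruleName": rule_name, "offset": offset, "limit": limit})
    return (f"https://{console}/api/v{version}"
            f"/policies/runtime/container/impacted?{query}")


def http_transport(user: str, password: str, cafile: str) -> Callable[[str], List[Dict]]:
    """Real transport: Basic auth, TLS verified against the Console's CA.

    Hardened counterpart of `curl -k`: rather than disabling certificate
    checks, `cafile` (an assumed local path) holds the Console's CA chain.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    ctx = ssl.create_default_context(cafile=cafile)

    def get(url: str) -> List[Dict]:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Basic {token}",
            "Content-Type": "application/json",
        })
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)
    return get


def fetch_all_impacted(console: str, version: str, rule_name: str,
                       get: Callable[[str], List[Dict]],
                       limit: int = PAGE_SIZE) -> List[Dict]:
    """Walk offset/limit pages until an empty or short page is returned."""
    containers: List[Dict] = []
    offset = 0
    while True:
        page = get(impacted_url(console, version, rule_name, offset, limit))
        if not page:
            break
        containers.extend(page)
        if len(page) < limit:  # short page: nothing left to fetch
            break
        offset += limit
    return containers


# --- constructed fixture so the example runs offline -----------------------
FAKE_CONTAINERS = [{"_id": f"c{i:02d}", "hostname": f"node-{i % 3}",
                    "runtimeEnabled": True} for i in range(7)]


def fake_transport(url: str) -> List[Dict]:
    """Serve FAKE_CONTAINERS in offset/limit slices, as the Console would."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    if params.get("ruleName") != [RULE]:  # parse_qs has decoded '+' to ' '
        return []
    offset, limit = int(params["offset"][0]), int(params["limit"][0])
    return FAKE_CONTAINERS[offset:offset + limit]


if __name__ == "__main__":
    result = fetch_all_impacted("console.example.internal", "33.02", RULE,
                                fake_transport, limit=3)
    print(f"{len(result)} containers impacted by {RULE!r}")
    for c in result:
        print(f"  {c['_id']}  {c['hostname']}")
```

Against a real Console the same loop matters: the endpoint is paginated, so a single unparameterised call that happens to return fewer rows than the server-side cap is not the full impact set.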

Responses

Schema
  • Array [
  • _id string

    ID is the container ID.

    agentless boolean

    Agentless indicates if the result was received by an agentless scanner.

    agentlessScanID integer

    AgentlessScanID is the ID of the agentless scan in which the result was received.

    ais boolean

    AIS indicates the scan was performed by AIS.

    collections string (string)[]

    Collections are collections to which this container applies.

    csa boolean

    CSA indicates the scan was performed by the CSA.

    firewallProtection object

    ProtectionStatus describes the status of the WAAS protection

    enabled boolean

    Enabled indicates if WAAS proxy protection is enabled (true) or not (false).

    outOfBandMode waas.OutOfBandMode (string)

    Possible values: [,Observation,Protection]

    OutOfBandMode holds the app firewall out-of-band mode

    ports int (integer)[]

    Ports indicates http open ports associated with the container.

    supported boolean

    Supported indicates if WAAS protection is supported (true) or not (false).

    tlsPorts int (integer)[]

    TLSPorts indicates https open ports associated with the container.

    unprotectedProcesses object[]

    UnprotectedProcesses holds the processes that support HTTP/HTTPS without WAAS protection.

  • Array [
  • port integer

    Port is the process port.

    process string

    Process is the process name.

    tls boolean

    TLS is the port TLS indication.

  • ]
  • hostname string

    Hostname is the hostname on which the container is deployed.

    info object

    ContainerInfo contains all information gathered on a specific container

    allCompliance object

    AllCompliance contains data regarding passed compliance checks

    compliance object[]

    Compliance lists all the passed compliance checks.

  • Array [
  • applicableRules string (string)[]

    Rules applied on the package.

    binaryPkgs string (string)[]

    Names of the distro binary packages built from the source of this package.

    block boolean

    Indicates if the vulnerability has a block effect (true) or not (false).

    cause string

    Additional information regarding the root cause for the vulnerability.

    cri boolean

    Indicates if this is a CRI-specific vulnerability (true) or not (false).

    custom boolean

    Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

    cve string

    CVE ID of the vulnerability (if applied).

    cvss float

    CVSS score of the vulnerability.

    description string

    Description of the vulnerability.

    discovered date-time

    Specifies the time of discovery for the vulnerability.

    exploit vulnerability.ExploitType (string)

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

    exploits object[]

    Exploits represents the exploits data found for a CVE

  • Array [
  • kind vulnerability.ExploitKind (string)

    Possible values: [poc,in-the-wild]

    ExploitKind represents the kind of the exploit

    link string

    Link is a link to information about the exploit.

    source vulnerability.ExploitType (string)

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

  • ]
  • fixDate int64

    Date/time when the vulnerability was fixed (in Unix time).

    fixLink string

    Link to the vendor's fixed-version information.

    functionLayer string

    Specifies the serverless layer ID in which the vulnerability was discovered.

    gracePeriodDays integer

    Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.

    id integer

    ID of the violation.

    layerTime int64

    Date/time of the image layer to which the CVE belongs.

    link string

    Vendor link to the CVE.

    packageName string

    Name of the package that caused the vulnerability.

    packageType packages.Type (string)

    Possible values: [nodejs,gem,python,jar,package,windows,binary,nuget,go,app,unknown]

    Type describes the package type

    packageVersion string

    Version of the package that caused the vulnerability (or null).

    published int64

    Date/time when the vulnerability was published (in Unix time).

    riskFactors object

    RiskFactors maps the existence of vulnerability risk factors

    property name* string (string)
    secret object

    Secret represents a secret found on the scanned workload

    group string

    Group is the group name or ID of the owner of the file containing the secret.

    locationInFile string

    LocationInFile is the line and offset in the file where the secret was found.

    metadataModifiedTime int64

    MetadataModifiedTime is the modification time of the file metadata containing the secret.

    modifiedTime int64

    ModifiedTime is the modification time of the file containing the secret.

    originalFileLocation string

    .

    path string

    Path is the path of the file in which the secret was found.

    permissions string

    Permissions are permission bits of the file metadata containing the secret.

    secretID string

    SecretID is the SHA1 of the secret content.

    size int64

    Size is the size in bytes of the file in which the secret was found.

    snippet string

    Snippet is the partial plain secret.

    type vuln.SecretType (string)

    Possible values: [AWS Access Key ID,AWS Secret Key,AWS MWS Auth Token,Azure Storage Account Access Key,Azure Service Principal,GCP Service Account Auth Key,Private Encryption Key,Public Encryption Key,PEM X509 Certificate Header,SSH Authorized Keys,Artifactory API Token,Artifactory Password,Basic Auth Credentials,Mailchimp Access Key,NPM Token,Slack Token,Slack Webhook,Square OAuth Secret,Notion Integration Token,Airtable API Key,Atlassian Oauth2 Keys,CircleCI Personal Token,Databricks Authentication Token,GitHub Token,GitLab Token,Google API key,Grafana Token,Python Package Index Key (PYPI),Typeform API Token,Scalr Token,Braintree Access Token,Braintree Payments Key,Paypal Token Key,Braintree Payments ID,Datadog Client Token,ClickUp Personal API Token,OpenAI API Key,Java DB Connectivity (JDBC),MongoDB,.Net SQL Server]

    SecretType represents a secret type

    user string

    User is the username or ID of the owner of the file containing the secret.

    severity string

    Textual representation of the vulnerability's severity.

    status string

    Vendor status for the vulnerability.

    templates vuln.ComplianceTemplate (string)[]

    Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

    List of templates with which the vulnerability is associated.

    text string

    Description of the violation.

    title string

    Compliance title.

    twistlock boolean

    Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

    type vulnerability.Type (string)

    Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux,gke_worker,image_malware,host_malware,aks_worker,eks_worker,image_secret,host_secret]

    Type represents the vulnerability type

    vecStr string

    Textual representation of the metric values used to score the vulnerability.

    vulnTagInfos object[]

    Tag information for the vulnerability.

  • Array [
  • color common.Color (string)

    Color is a hexadecimal representation of color code value

    comment string

    Tag comment in a specific vulnerability context.

    name string

    Name of the tag.

  • ]
  • wildfireMalware object

    WildFireMalware holds the data for WildFire malicious MD5

    md5 string

    MD5 is the hash of the malicious binary.

    path string

    Path is the path to malicious binary.

    verdict string

    Verdict is the WildFire classification of the binary, such as grayware, malware or phishing.

  • ]
  • enabled boolean

    Enabled indicates whether reporting of passed compliance checks is enabled by policy.

    app string

    App is the app that is hosted in the container.

    cloudMetadata object

    CloudMetadata is the metadata for a cloud provider managed asset (e.g., as part of AWS/GCP/Azure/OCI)

    accountID string

    Cloud account ID.

    awsExecutionEnv string

    AWS execution environment (e.g. EC2/Fargate).

    image string

    The name of the image the cloud managed host or container is based on.

    labels object[]

    Cloud provider metadata labels.

  • Array [
  • key string

    Label key.

    sourceName string

    Source name (e.g., for a namespace, the source name can be 'twistlock').

    sourceType common.ExternalLabelSourceType (string)

    Possible values: [namespace,deployment,aws,azure,gcp,oci]

    ExternalLabelSourceType indicates the source of the labels

    timestamp date-time

    Time when the label was fetched.

    value string

    Value of the label.

  • ]
  • name string

    Resource name.

    provider common.CloudProvider (string)

    Possible values: [aws,azure,gcp,alibaba,oci,others]

    CloudProvider specifies the cloud provider name

    region string

    Resource's region.

    resourceID string

    Unique ID of the resource.

    resourceURL string

    Server-defined URL for the resource.

    type string

    Instance type.

    vmID string

    Azure unique vm ID.

    vmImageID string

    VMImageID holds the VM instance's image ID.

    cluster string

    Cluster is the provided cluster name.

    clusterType common.ClusterType (string)

    Possible values: [AKS,ECS,EKS,GKE,Kubernetes]

    ClusterType is the cluster type

    complianceDistribution object

    Distribution counts the number of compliance issues per severity.

    critical integer

    .

    high integer

    .

    low integer

    .

    medium integer

    .

    total integer

    .

    complianceIssues object[]

    ComplianceIssues are all the container compliance issues.

  • Array [
  • applicableRules string (string)[]

    Rules applied on the package.

    binaryPkgs string (string)[]

    Names of the distro binary packages built from the source of this package.

    block boolean

    Indicates if the vulnerability has a block effect (true) or not (false).

    cause string

    Additional information regarding the root cause for the vulnerability.

    cri boolean

    Indicates if this is a CRI-specific vulnerability (true) or not (false).

    custom boolean

    Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

    cve string

    CVE ID of the vulnerability (if applied).

    cvss float

    CVSS score of the vulnerability.

    description string

    Description of the vulnerability.

    discovered date-time

    Specifies the time of discovery for the vulnerability.

    exploit vulnerability.ExploitType (string)

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

    exploits object[]

    Exploits represents the exploits data found for a CVE

  • Array [
  • kind vulnerability.ExploitKind (string)

    Possible values: [poc,in-the-wild]

    ExploitKind represents the kind of the exploit

    link string

    Link is a link to information about the exploit.

    source vulnerability.ExploitType (string)

    Possible values: [,exploit-db,exploit-windows,cisa-kev]

    ExploitType represents the source of an exploit

  • ]
  • fixDate int64

    Date/time when the vulnerability was fixed (in Unix time).

    fixLink string

    Link to the vendor's fixed-version information.

    functionLayer string

    Specifies the serverless layer ID in which the vulnerability was discovered.

    gracePeriodDays integer

    Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.

    id integer

    ID of the violation.

    layerTime int64

    Date/time of the image layer to which the CVE belongs.

    link string

    Vendor link to the CVE.

    packageName string

    Name of the package that caused the vulnerability.

    packageType packages.Type (string)

    Possible values: [nodejs,gem,python,jar,package,windows,binary,nuget,go,app,unknown]

    Type describes the package type

    packageVersion string

    Version of the package that caused the vulnerability (or null).

    published int64

    Date/time when the vulnerability was published (in Unix time).

    riskFactors object

    RiskFactors maps the existence of vulnerability risk factors

    property name* string (string)
    secret object

    Secret represents a secret found on the scanned workload

    group string

    Group is the group name or ID of the owner of the file containing the secret.

    locationInFile string

    LocationInFile is the line and offset in the file where the secret was found.

    metadataModifiedTime int64

    MetadataModifiedTime is the modification time of the file metadata containing the secret.

    modifiedTime int64

    ModifiedTime is the modification time of the file containing the secret.

    originalFileLocation string

    .

    path string

    Path is the path of the file in which the secret was found.

    permissions string

    Permissions are permission bits of the file metadata containing the secret.

    secretID string

    SecretID is the SHA1 of the secret content.

    size int64

    Size is the size in bytes of the file in which the secret was found.

    snippet string

    Snippet is the partial plain secret.

    type vuln.SecretType (string)

    Possible values: [AWS Access Key ID,AWS Secret Key,AWS MWS Auth Token,Azure Storage Account Access Key,Azure Service Principal,GCP Service Account Auth Key,Private Encryption Key,Public Encryption Key,PEM X509 Certificate Header,SSH Authorized Keys,Artifactory API Token,Artifactory Password,Basic Auth Credentials,Mailchimp Access Key,NPM Token,Slack Token,Slack Webhook,Square OAuth Secret,Notion Integration Token,Airtable API Key,Atlassian Oauth2 Keys,CircleCI Personal Token,Databricks Authentication Token,GitHub Token,GitLab Token,Google API key,Grafana Token,Python Package Index Key (PYPI),Typeform API Token,Scalr Token,Braintree Access Token,Braintree Payments Key,Paypal Token Key,Braintree Payments ID,Datadog Client Token,ClickUp Personal API Token,OpenAI API Key,Java DB Connectivity (JDBC),MongoDB,.Net SQL Server]

    SecretType represents a secret type

    user string

    User is the username or ID of the owner of the file containing the secret.

    severity string

    Textual representation of the vulnerability's severity.

    status string

    Vendor status for the vulnerability.

    templates vuln.ComplianceTemplate (string)[]

    Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

    List of templates with which the vulnerability is associated.

    text string

    Description of the violation.

    title string

    Compliance title.

    twistlock boolean

    Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

    type vulnerability.Type (string)

    Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux,gke_worker,image_malware,host_malware,aks_worker,eks_worker,image_secret,host_secret]

    Type represents the vulnerability type

    vecStr string

    Textual representation of the metric values used to score the vulnerability.

    vulnTagInfos object[]

    Tag information for the vulnerability.

  • Array [
  • color common.Color (string)

    Color is a hexadecimal representation of color code value

    comment string

    Tag comment in a specific vulnerability context.

    name string

    Name of the tag.

  • ]
  • wildfireMalware object

    WildFireMalware holds the data for WildFire malicious MD5

    md5 string

    MD5 is the hash of the malicious binary.

    path string

    Path is the path to malicious binary.

    verdict string

    Verdict is the WildFire classification of the binary, such as grayware, malware or phishing.

  • ]
  • complianceIssuesCount integer

    .

    complianceRiskScore float

    ComplianceRiskScore is the container's compliance risk score.

    externalLabels object[]

    ExternalLabels is the external labels e.g., kubernetes namespace labels.

  • Array [
  • key string

    Label key.

    sourceName string

    Source name (e.g., for a namespace, the source name can be 'twistlock').

    sourceType common.ExternalLabelSourceType (string)

    Possible values: [namespace,deployment,aws,azure,gcp,oci]

    ExternalLabelSourceType indicates the source of the labels

    timestamp date-time

    Time when the label was fetched.

    value string

    Value of the label.

  • ]
  • id string

    ID is the container id.

    image string

    Image is the canonical image name.

    imageID string

    ImageID is the image id.

    imageName string

    The image name as stated in the docker run command.

    infra boolean

    Infra represents any container that belongs to the infrastructure.

    installedProducts object

    InstalledProducts contains data regarding products running in the environment. Docker Swarm support is deprecated; the swarmManager and swarmNode booleans (and the related compliance checks) are slated for removal.

    agentless boolean

    Agentless indicates whether the scan was performed with agentless approach.

    apache string

    Apache indicates the apache server version, empty in case apache not running.

    awsCloud boolean

    AWSCloud indicates whether AWS cloud is used.

    clusterType common.ClusterType (string)

    Possible values: [AKS,ECS,EKS,GKE,Kubernetes]

    ClusterType is the cluster type

    crio boolean

    CRI indicates whether the container runtime is CRI (and not docker).

    docker string

    Docker represents the docker daemon version.

    dockerEnterprise boolean

    DockerEnterprise indicates whether the enterprise version of Docker is installed.

    hasPackageManager boolean

    HasPackageManager indicates whether package manager is installed on the OS.

    k8sApiServer boolean

    K8sAPIServer indicates whether a kubernetes API server is running.

    k8sControllerManager boolean

    K8sControllerManager indicates whether a kubernetes controller manager is running.

    k8sEtcd boolean

    K8sEtcd indicates whether etcd is running.

    k8sFederationApiServer boolean

    K8sFederationAPIServer indicates whether a federation API server is running.

    k8sFederationControllerManager boolean

    K8sFederationControllerManager indicates whether a federation controller manager is running.

    k8sKubelet boolean

    K8sKubelet indicates whether kubelet is running.

    k8sProxy boolean

    K8sProxy indicates whether a kubernetes proxy is running.

    k8sScheduler boolean

    K8sScheduler indicates whether the kubernetes scheduler is running.

    kubernetes string

    Kubernetes represents the kubernetes version.

    managedClusterVersion string

    ManagedClusterVersion is the version of the managed Kubernetes service, e.g. AKS/EKS/GKE/etc.

    openshift boolean

    Openshift indicates whether openshift is deployed.

    openshiftVersion string

    OpenshiftVersion represents the running openshift version.

    osDistro string

    OSDistro specifies the os distribution.

    serverless boolean

    Serverless indicates whether evaluated on a serverless environment.

    swarmManager boolean

    SwarmManager indicates whether a swarm manager is running.

    swarmNode boolean

    SwarmNode indicates whether the node is part of an active swarm.

    labels string (string)[]

    Labels are the container labels (https://docs.docker.com/engine/userguide/labels-custom-metadata/).

    name string

    Name is the container name.

    namespace string

    Namespace is the k8s deployment namespace.

    network object

    ContainerNetwork contains details about the container network (ports, IPs, type, etc.).

    ports object[]

    Ports are the ports details associated with the container.

  • Array [
  • container integer

    Container is the mapped port inside the container.

    host integer

    Host is the host port number.

    hostIP string

    HostIP is the host IP.

    listening boolean

    Listening indicates whether the port is in listening mode.

    nat boolean

    NAT indicates the port is exposed using NAT.

  • ]
  • networkSettings object

    DockerNetworkInfo contains network-related information about a container

    ipAddress string

    IPAddress is the container IP.

    macAddress string

    MacAddress is the container MAC.

    networks object[]

    Networks are the networks the container is connected to.

  • Array [
  • ipAddress string

    IPAddress is the container IP.

    macAddress string

    MacAddress is the container MAC.

    name string

    Name is the network name.

  • ]
  • ports object[]

    Ports are the container network bindings that are externally mapped.

  • Array [
  • containerPort string

    ContainerPort is the mapped port inside the container.

    hostIP string

    HostIP is the host IP.

    hostPort integer

    HostPort is the host port.

  • ]
  • processes object[]

    Processes are the processes that are running inside the container.

  • Array [
  • name string

    Name is a process name.

  • ]
  • profileID string

    ProfileID is the container profile id.

    sizeBytes int64

    .

    startTime date-time

    StartTime is the starting time of the container.

    markedForDeletion boolean

    MarkedForDeletion indicates whether a container is marked for deletion.

    runtimeEnabled boolean

    RuntimeEnabled indicates if any runtime rule applies to the container.

    scanTime date-time

    ScanTime is the container scan time.

  • ]
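
The following Python function is an added example, not Prisma Cloud's own code; it shows how the response fields above are read once the JSON array is in hand. SAMPLE_RESPONSE is a constructed fixture shaped like this schema (three containers, with only the fields the triage reads populated), not output captured from a Console. triage() drops containers already marked for deletion, counts the live ones per cluster and namespace, flags containers the rule lists even though runtimeEnabled is false, lists HTTP/HTTPS processes that WAAS could protect but does not (supported true, enabled false, unprotectedProcesses non-empty), and pulls out the critical compliance issues, which is the minimum a reviewer wants to see before changing what a runtime rule does to the containers it impacts.

```python
"""Triage the JSON array returned by /policies/runtime/container/impacted.

Added example, not Prisma Cloud's own code. SAMPLE_RESPONSE is a constructed
fixture shaped like the response schema (only the fields read below are
populated); in practice pass the parsed response body to triage().
"""
from collections import Counter
from typing import Dict, List

SAMPLE_RESPONSE: List[Dict] = [  # constructed fixture, not captured output
    {   # live container; WAAS is supported but not enabled on its HTTP port
        "_id": "c0ffee01", "hostname": "node-a", "runtimeEnabled": True,
        "markedForDeletion": False, "collections": ["All", "payments"],
        "firewallProtection": {
            "supported": True, "enabled": False,
            "ports": [8080], "tlsPorts": [],
            "unprotectedProcesses": [{"port": 8080, "process": "java", "tls": False}],
        },
        "info": {
            "cluster": "prod-eks", "namespace": "payments",
            "imageName": "shop/checkout:1.4",
            "complianceDistribution": {"critical": 1, "high": 0, "medium": 0,
                                       "low": 0, "total": 1},
            "complianceIssues": [
                {"id": 41, "severity": "critical", "type": "container",
                 "title": "Constructed check: process runs as root"},
            ],
        },
    },
    {   # stale entry: already marked for deletion, must not be counted
        "_id": "c0ffee02", "hostname": "node-b", "runtimeEnabled": True,
        "markedForDeletion": True, "collections": ["All"],
        "info": {"cluster": "prod-eks", "namespace": "payments"},
    },
    {   # listed for the rule although runtimeEnabled is false: worth a look
        "_id": "c0ffee03", "hostname": "node-c", "runtimeEnabled": False,
        "markedForDeletion": False, "collections": ["All"],
        "firewallProtection": {"supported": False, "enabled": False,
                               "unprotectedProcesses": []},
        "info": {
            "cluster": "prod-eks", "namespace": "default",
            "complianceIssues": [
                {"id": 57, "severity": "high", "type": "container",
                 "title": "Constructed check: writable root filesystem"},
            ],
        },
    },
]


def triage(containers: List[Dict]) -> Dict:
    """Summarise what a runtime rule actually covers.

    Returns plain lists/Counters so the result can be asserted on or
    serialised for a ticket.
    """
    summary: Dict = {
        "live": [],               # container IDs the rule currently covers
        "deleted": [],            # stale entries (markedForDeletion)
        "runtime_disabled": [],   # live, but runtimeEnabled is false
        "by_namespace": Counter(),  # (cluster, namespace) -> live count
        "waas_gaps": [],          # (id, process, port, tls) without WAAS
        "critical_compliance": [],  # (id, issue id, title)
    }
    for c in containers:
        cid = c["_id"]
        if c.get("markedForDeletion"):
            summary["deleted"].append(cid)
            continue
        summary["live"].append(cid)
        if not c.get("runtimeEnabled", False):
            summary["runtime_disabled"].append(cid)
        info = c.get("info", {})
        summary["by_namespace"][(info.get("cluster", ""), info.get("namespace", ""))] += 1
        fw = c.get("firewallProtection", {})
        if fw.get("supported") and not fw.get("enabled"):
            for p in fw.get("unprotectedProcesses", []):
                summary["waas_gaps"].append((cid, p["process"], p["port"], p["tls"]))
        for issue in info.get("complianceIssues", []):
            if issue.get("severity") == "critical":
                summary["critical_compliance"].append(
                    (cid, issue.get("id"), issue.get("title")))
    return summary


if __name__ == "__main__":
    s = triage(SAMPLE_RESPONSE)
    print(f"live={len(s['live'])} stale={len(s['deleted'])} "
          f"runtime_disabled={s['runtime_disabled']}")
    for (cluster, ns), n in sorted(s["by_namespace"].items()):
        print(f"  {cluster}/{ns}: {n}")
    for cid, proc, port, tls in s["waas_gaps"]:
        print(f"  WAAS gap: {cid} {proc} :{port} tls={tls}")
    for cid, iid, title in s["critical_compliance"]:
        print(f"  critical compliance: {cid} #{iid} {title}")
```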