Add Sandbox Scan Result

x-prisma-cloud-target-env: {"permission":"sandbox","saas":true,"self-hosted":true}
x-public: true

AddSandboxScanResult adds a sandbox scan result, the scan is augmented with geolocation data and returned to the client

application/json

Request Body

• _id string

  ID is a unique scan identifier.

• collections string[]

  Collections to which this result applies.

• connection object[]

  Connection is a list of connection events detected during this scan.

  Array [

  countryCode string

  CountryCode is the country code for the network IP.

  ip string

  IP is the network IP.

  port integer

  Port is the network port.

  process object

  ProcessEvent represents a process event during sandbox scan

  command string

  Command is the command line.

  md5 string

  MD5 is the md5 hash for the process binary.

  parent object

  ProcessInfo holds process information

  command string

  Command is the command line.

  md5 string

  MD5 is the md5 hash for the process binary.

  path string

  Path is the binary path.

  time date-time

  Time is the process start time.

  user string

  User is the username/id.

  path string

  Path is the binary path.

  time date-time

  Time is the process start time.

  user string

  User is the username/id.

  protocol string

  Protocol is the transport layer protocol (UDP / TCP).

  time date-time

  Time is the event time.

  ]
• dns object[]

  DNS is a list of DNS queries detected during this scan.

  Array [

  countryCode string

  CountryCode is the country code for the network IP.

  domainName string

  DomainName is the domain name for a DNS query.

  domainType string

  DomainType is the domain type for a DNS query.

  ip string

  IP is the network IP.

  process object

  ProcessEvent represents a process event during sandbox scan

  command string

  Command is the command line.

  md5 string

  MD5 is the md5 hash for the process binary.

  parent object

  ProcessInfo holds process information

  command string

  Command is the command line.

  md5 string

  MD5 is the md5 hash for the process binary.

  path string

  Path is the binary path.

  time date-time

  Time is the process start time.

  user string

  User is the username/id.

  path string

  Path is the binary path.

  time date-time

  Time is the process start time.

  user string

  User is the username/id.

  time date-time

  Time is the event time.

  ]
• entrypoint string

  Entrypoint is the command executed in the sandbox scan.

• filesystem object[]

  Filesystem is a list of filesystem events detected during this scan.

  Array [

  accessType sandbox.FilesystemAccessType

  Possible values: [open,modify,create]

  FilesystemAccessType represents a type of accessing a file

  path string

  Path is the file path.

  process object

  ProcessEvent represents a process event during sandbox scan

  command string

  Command is the command line.

  md5 string

  MD5 is the md5 hash for the process binary.

  parent object

  ProcessInfo holds process information

  command string

  Command is the command line.

  md5 string

  MD5 is the md5 hash for the process binary.

  path string

  Path is the binary path.

  time date-time

  Time is the process start time.

  user string

  User is the username/id.

  path string

  Path is the binary path.

  time date-time

  Time is the process start time.

  user string

  User is the username/id.

  time date-time

  Time is the event time.

  ]
• findings object[]

  Findings are the detected findings during scan.

  Array [

  description string

  Description is the finding description.

  events object[]

  Events are the events that lead to the finding detection.

  Array [

  description string

  Description describes what happened in the event.

  time date-time

  Time is the time of event detection.

  ]

  severity sandbox.FindingSeverity

  Possible values: [critical,high,medium,low]

  FindingSeverity represents a finding severity level

  time date-time

  Time is the detection time (time of triggering event).

  type sandbox.FindingType

  Possible values: [dropper,modifiedBinary,executableCreation,filelessExecutableCreation,wildFireMalware,verticalPortScan,cryptoMiner,suspiciousELFHeader,kernelModule,modifiedBinaryExecution,filelessExecution]

  FindingType represents a unique sandbox-detected finding type

  ]
• image object

  ImageInfo contains image information collected during image scan

  Secrets string[]

  Secrets are paths to embedded secrets inside the image Note: capital letter JSON annotation is kept to avoid converting all images for backward-compatibility support.

  allCompliance object

  AllCompliance contains data regarding passed compliance checks

  compliance object[]

  Compliance are all the passed compliance checks.

  Array [

  applicableRules string[]

  Rules applied on the package.

  binaryPkgs string[]

  Names of the distro binary package names (packages which are built from the source of the package).

  block boolean

  Indicates if the vulnerability has a block effect (true) or not (false).

  cause string

  Additional information regarding the root cause for the vulnerability.

  cri boolean

  Indicates if this is a CRI-specific vulnerability (true) or not (false).

  custom boolean

  Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

  cve string

  CVE ID of the vulnerability (if applied).

  cvss float

  CVSS score of the vulnerability.

  description string

  Description of the vulnerability.

  discovered date-time

  Specifies the time of discovery for the vulnerability.

  exploit vuln.ExploitType

  Possible values: [,exploit-db,exploit-windows,cisa-kev]

  ExploitType represents the source of an exploit

  exploits object[]

  Exploits represents the exploits data found for a CVE

  Array [

  kind vuln.ExploitKind

  Possible values: [poc,in-the-wild]

  ExploitKind represents the kind of the exploit

  link string

  Link is a link to information about the exploit.

  source vuln.ExploitType

  Possible values: [,exploit-db,exploit-windows,cisa-kev]

  ExploitType represents the source of an exploit

  ]

  fixDate int64

  Date/time when the vulnerability was fixed (in Unix time).

  fixLink string

  Link to the vendor's fixed-version information.

  functionLayer string

  Specifies the serverless layer ID in which the vulnerability was discovered.

  gracePeriodDays integer

  Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.

  id integer

  ID of the violation.

  layerTime int64

  Date/time of the image layer to which the CVE belongs.

  link string

  Vendor link to the CVE.

  packageName string

  Name of the package that caused the vulnerability.

  packageVersion string

  Version of the package that caused the vulnerability (or null).

  published int64

  Date/time when the vulnerability was published (in Unix time).

  riskFactors object

  RiskFactors maps the existence of vulnerability risk factors

  property name* string

  severity string

  Textual representation of the vulnerability's severity.

  status string

  Vendor status for the vulnerability.

  templates vuln.ComplianceTemplate[]

  Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

  List of templates with which the vulnerability is associated.

  text string

  Description of the violation.

  title string

  Compliance title.

  twistlock boolean

  Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

  type vuln.Type

  Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux]

  Type represents the vulnerability type

  vecStr string

  Textual representation of the metric values used to score the vulnerability.

  vulnTagInfos object[]

  Tag information for the vulnerability.

  Array [

  color common.Color

  Color is a hexadecimal representation of color code value

  comment string

  Tag comment in a specific vulnerability context.

  name string

  Name of the tag.

  ]

  ]

  enabled boolean

  Enabled indicates whether passed compliance checks is enabled by policy.

  applications object[]

  Products in the image.

  Array [

  installedFromPackage boolean

  Indicates that the app was installed as an OS package.

  knownVulnerabilities integer

  Total number of vulnerabilities for this application.

  layerTime int64

  Image layer to which the application belongs - layer creation time.

  name string

  Name of the application.

  path string

  Path of the detected application.

  service boolean

  Service indicates whether the application is installed as a service.

  version string

  Version of the application.

  ]

  baseImage string

  Image’s base image name. Used when filtering the vulnerabilities by base images.

  binaries object[]

  Binaries in the image.

  Array [

  altered boolean

  Indicates if the binary was installed from a package manager and modified/replaced (true) or not (false).

  cveCount integer

  Total number of CVEs for this specific binary.

  deps string[]

  Third-party package files which are used by the binary.

  functionLayer string

  ID of the serverless layer in which the package was discovered.

  md5 string

  Md5 hashset of the binary.

  missingPkg boolean

  Indicates if this binary is not related to any package (true) or not (false).

  name string

  Name of the binary.

  path string

  Relative path of the binary inside the container.

  pkgRootDir string

  Path for searching packages used by the binary.

  services string[]

  Names of services which use the binary.

  version string

  Version of the binary.

  ]

  cloudMetadata object

  CloudMetadata is the metadata for an instance running in a cloud provider (AWS/GCP/Azure)

  accountID string

  Cloud account ID.

  awsExecutionEnv string

  AWS execution environment (e.g. EC2/Fargate).

  image string

  Image name.

  labels object[]

  Cloud provider metadata labels.

  Array [

  key string

  Label key.

  sourceName string

  Source name (e.g., for a namespace, the source name can be 'twistlock').

  sourceType common.ExternalLabelSourceType

  Possible values: [namespace,deployment,aws,azure,gcp,oci]

  ExternalLabelSourceType indicates the source of the labels

  timestamp date-time

  Time when the label was fetched.

  value string

  Value of the label.

  ]

  name string

  Instance name.

  provider common.CloudProvider

  Possible values: [aws,azure,gcp,alibaba,oci,others]

  CloudProvider specifies the cloud provider name

  region string

  Instance region.

  resourceID string

  Unique ID of the resource.

  resourceURL string

  Server-defined URL for the resource.

  type string

  Instance type.

  vmID string

  Azure unique vm ID.

  vmImageID string

  VMImageID holds the VM image ID.

  clusterType common.ClusterType

  Possible values: [AKS,ECS,EKS,GKE,Kubernetes]

  ClusterType is the cluster type

  clusters string[]

  Cluster names.

  complianceDistribution object

  Distribution counts the number of vulnerabilities per type

  critical integer

  .

  high integer

  .

  low integer

  .

  medium integer

  .

  total integer

  .

  complianceIssues object[]

  All the compliance issues.

  Array [

  applicableRules string[]

  Rules applied on the package.

  binaryPkgs string[]

  Names of the distro binary package names (packages which are built from the source of the package).

  block boolean

  Indicates if the vulnerability has a block effect (true) or not (false).

  cause string

  Additional information regarding the root cause for the vulnerability.

  cri boolean

  Indicates if this is a CRI-specific vulnerability (true) or not (false).

  custom boolean

  Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

  cve string

  CVE ID of the vulnerability (if applied).

  cvss float

  CVSS score of the vulnerability.

  description string

  Description of the vulnerability.

  discovered date-time

  Specifies the time of discovery for the vulnerability.

  exploit vuln.ExploitType

  Possible values: [,exploit-db,exploit-windows,cisa-kev]

  ExploitType represents the source of an exploit

  exploits object[]

  Exploits represents the exploits data found for a CVE

  Array [

  kind vuln.ExploitKind

  Possible values: [poc,in-the-wild]

  ExploitKind represents the kind of the exploit

  link string

  Link is a link to information about the exploit.

  source vuln.ExploitType

  Possible values: [,exploit-db,exploit-windows,cisa-kev]

  ExploitType represents the source of an exploit

  ]

  fixDate int64

  Date/time when the vulnerability was fixed (in Unix time).

  fixLink string

  Link to the vendor's fixed-version information.

  functionLayer string

  Specifies the serverless layer ID in which the vulnerability was discovered.

  gracePeriodDays integer

  Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.

  id integer

  ID of the violation.

  layerTime int64

  Date/time of the image layer to which the CVE belongs.

  link string

  Vendor link to the CVE.

  packageName string

  Name of the package that caused the vulnerability.

  packageVersion string

  Version of the package that caused the vulnerability (or null).

  published int64

  Date/time when the vulnerability was published (in Unix time).

  riskFactors object

  RiskFactors maps the existence of vulnerability risk factors

  property name* string

  severity string

  Textual representation of the vulnerability's severity.

  status string

  Vendor status for the vulnerability.

  templates vuln.ComplianceTemplate[]

  Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

  List of templates with which the vulnerability is associated.

  text string

  Description of the violation.

  title string

  Compliance title.

  twistlock boolean

  Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

  type vuln.Type

  Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux]

  Type represents the vulnerability type

  vecStr string

  Textual representation of the metric values used to score the vulnerability.

  vulnTagInfos object[]

  Tag information for the vulnerability.

  Array [

  color common.Color

  Color is a hexadecimal representation of color code value

  comment string

  Tag comment in a specific vulnerability context.

  name string

  Name of the tag.

  ]

  ]

  complianceIssuesCount integer

  Number of compliance issues.

  complianceRiskScore float

  Compliance risk score for the image.

  creationTime date-time

  Specifies the time of creation for the latest version of the image.

  distro string

  Full name of the distribution.

  ecsClusterName string

  ECS cluster name.

  externalLabels object[]

  Kubernetes external labels of all containers running this image.

  Array [

  key string

  Label key.

  sourceName string

  Source name (e.g., for a namespace, the source name can be 'twistlock').

  sourceType common.ExternalLabelSourceType

  Possible values: [namespace,deployment,aws,azure,gcp,oci]

  ExternalLabelSourceType indicates the source of the labels

  timestamp date-time

  Time when the label was fetched.

  value string

  Value of the label.

  ]

  files object[]

  Files in the container.

  Array [

  md5 string

  Hash sum of the file using md5.

  path string

  Path of the file.

  sha1 string

  Hash sum of the file using SHA-1.

  sha256 string

  Hash sum of the file using SHA256.

  ]

  firstScanTime date-time

  Specifies the time of the scan for the first version of the image. This time is preserved even after the version update.

  history object[]

  Docker image history.

  Array [

  baseLayer boolean

  Indicates if this layer originated from the base image (true) or not (false).

  created int64

  Date/time when the image layer was created.

  emptyLayer boolean

  Indicates if this instruction didn't create a separate layer (true) or not (false).

  id string

  ID of the layer.

  instruction string

  Docker file instruction and arguments used to create this layer.

  sizeBytes int64

  Size of the layer (in bytes).

  tags string[]

  Holds the image tags.

  vulnerabilities object[]

  Vulnerabilities which originated from this layer.

  Array [

  applicableRules string[]

  Rules applied on the package.

  binaryPkgs string[]

  Names of the distro binary package names (packages which are built from the source of the package).

  block boolean

  Indicates if the vulnerability has a block effect (true) or not (false).

  cause string

  Additional information regarding the root cause for the vulnerability.

  cri boolean

  Indicates if this is a CRI-specific vulnerability (true) or not (false).

  custom boolean

  Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

  cve string

  CVE ID of the vulnerability (if applied).

  cvss float

  CVSS score of the vulnerability.

  description string

  Description of the vulnerability.

  discovered date-time

  Specifies the time of discovery for the vulnerability.

  exploit vuln.ExploitType

  Possible values: [,exploit-db,exploit-windows,cisa-kev]

  ExploitType represents the source of an exploit

  exploits object[]

  Exploits represents the exploits data found for a CVE

  Array [

  kind vuln.ExploitKind

  Possible values: [poc,in-the-wild]

  ExploitKind represents the kind of the exploit

  link string

  Link is a link to information about the exploit.

  source vuln.ExploitType

  Possible values: [,exploit-db,exploit-windows,cisa-kev]

  ExploitType represents the source of an exploit

  ]

  fixDate int64

  Date/time when the vulnerability was fixed (in Unix time).

  fixLink string

  Link to the vendor's fixed-version information.

  functionLayer string

  Specifies the serverless layer ID in which the vulnerability was discovered.

  gracePeriodDays integer

  Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.

  id integer

  ID of the violation.

  layerTime int64

  Date/time of the image layer to which the CVE belongs.

  link string

  Vendor link to the CVE.

  packageName string

  Name of the package that caused the vulnerability.

  packageVersion string

  Version of the package that caused the vulnerability (or null).

  published int64

  Date/time when the vulnerability was published (in Unix time).

  riskFactors object

  RiskFactors maps the existence of vulnerability risk factors

  property name* string

  severity string

  Textual representation of the vulnerability's severity.

  status string

  Vendor status for the vulnerability.

  templates vuln.ComplianceTemplate[]

  Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

  List of templates with which the vulnerability is associated.

  text string

  Description of the violation.

  title string

  Compliance title.

  twistlock boolean

  Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

  type vuln.Type

  Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux]

  Type represents the vulnerability type

  vecStr string

  Textual representation of the metric values used to score the vulnerability.

  vulnTagInfos object[]

  Tag information for the vulnerability.

  Array [

  color common.Color

  Color is a hexadecimal representation of color code value

  comment string

  Tag comment in a specific vulnerability context.

  name string

  Name of the tag.

  ]

  ]

  ]

  hostDevices object[]

  Map from host network device name to IP address.

  Array [

  ip string

  Network device IPv4 address.

  name string

  Network device name.

  ]

  id string

  Image ID.

  image object

  Image represents a container image

  created date-time

  Date/time when the image was created.

  entrypoint string[]

  Combined entrypoint of the image (entrypoint + CMD).

  env string[]

  Image environment variables.

  healthcheck boolean

  Indicates if health checks are enabled (true) or not (false).

  history object[]

  Holds the image history.

  Array [

  baseLayer boolean

  Indicates if this layer originated from the base image (true) or not (false).

  created int64

  Date/time when the image layer was created.

  emptyLayer boolean

  Indicates if this instruction didn't create a separate layer (true) or not (false).

  id string

  ID of the layer.

  instruction string

  Docker file instruction and arguments used to create this layer.

  sizeBytes int64

  Size of the layer (in bytes).

  tags string[]

  Holds the image tags.

  vulnerabilities object[]

  Vulnerabilities which originated from this layer.

  Array [

  applicableRules string[]

  Rules applied on the package.

  binaryPkgs string[]

  Names of the distro binary package names (packages which are built from the source of the package).

  block boolean

  Indicates if the vulnerability has a block effect (true) or not (false).

  cause string

  Additional information regarding the root cause for the vulnerability.

  cri boolean

  Indicates if this is a CRI-specific vulnerability (true) or not (false).

  custom boolean

  Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

  cve string

  CVE ID of the vulnerability (if applied).

  cvss float

  CVSS score of the vulnerability.

  description string

  Description of the vulnerability.

  discovered date-time

  Specifies the time of discovery for the vulnerability.

  exploit vuln.ExploitType

  Possible values: [,exploit-db,exploit-windows,cisa-kev]

  ExploitType represents the source of an exploit

  exploits object[]

  Exploits represents the exploits data found for a CVE

  Array [

  kind vuln.ExploitKind

  Possible values: [poc,in-the-wild]

  ExploitKind represents the kind of the exploit

  link string

  Link is a link to information about the exploit.

  source vuln.ExploitType

  Possible values: [,exploit-db,exploit-windows,cisa-kev]

  ExploitType represents the source of an exploit

  ]

  fixDate int64

  Date/time when the vulnerability was fixed (in Unix time).

  fixLink string

  Link to the vendor's fixed-version information.

  functionLayer string

  Specifies the serverless layer ID in which the vulnerability was discovered.

  gracePeriodDays integer

  Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.

  id integer

  ID of the violation.

  layerTime int64

  Date/time of the image layer to which the CVE belongs.

  link string

  Vendor link to the CVE.

  packageName string

  Name of the package that caused the vulnerability.

  packageVersion string

  Version of the package that caused the vulnerability (or null).

  published int64

  Date/time when the vulnerability was published (in Unix time).

  riskFactors object

  RiskFactors maps the existence of vulnerability risk factors

  property name* string

  severity string

  Textual representation of the vulnerability's severity.

  status string

  Vendor status for the vulnerability.

  templates vuln.ComplianceTemplate[]

  Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

  List of templates with which the vulnerability is associated.

  text string

  Description of the violation.

  title string

  Compliance title.

  twistlock boolean

  Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

  type vuln.Type

  Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux]

  Type represents the vulnerability type

  vecStr string

  Textual representation of the metric values used to score the vulnerability.

  vulnTagInfos object[]

  Tag information for the vulnerability.

  Array [

  color common.Color

  Color is a hexadecimal representation of color code value

  comment string

  Tag comment in a specific vulnerability context.

  name string

  Name of the tag.

  ]

  ]

  ]

  id string

  ID of the image.

  labels object

  Image labels.

  property name* string

  layers string[]

  Image filesystem layers.

  os string

  Image os type.

  repoDigest string[]

  Image repo digests.

  repoTags string[]

  Image repo tags.

  user string

  Image user.

  workingDir string

  Base working directory of the image.

  installedProducts object

  InstalledProducts contains data regarding products running in environment TODO #34713: Swarm support was deprecated in Joule, remove swarm node/manager boolean (and related compliance) in Lagrange

  agentless boolean

  Agentless indicates whether the scan was performed with agentless approach.

  apache string

  Apache indicates the apache server version, empty in case apache not running.

  awsCloud boolean

  AWSCloud indicates whether AWS cloud is used.

  crio boolean

  CRI indicates whether the container runtime is CRI (and not docker).

  docker string

  Docker represents the docker daemon version.

  dockerEnterprise boolean

  DockerEnterprise indicates whether the enterprise version of Docker is installed.

  hasPackageManager boolean

  HasPackageManager indicates whether package manager is installed on the OS.

  k8sApiServer boolean

  K8sAPIServer indicates whether a kubernetes API server is running.

  k8sControllerManager boolean

  K8sControllerManager indicates whether a kubernetes controller manager is running.

  k8sEtcd boolean

  K8sEtcd indicates whether etcd is running.

  k8sFederationApiServer boolean

  K8sFederationAPIServer indicates whether a federation API server is running.

  k8sFederationControllerManager boolean

  K8sFederationControllerManager indicates whether a federation controller manager is running.

  k8sKubelet boolean

  K8sKubelet indicates whether kubelet is running.

  k8sProxy boolean

  K8sProxy indicates whether a kubernetes proxy is running.

  k8sScheduler boolean

  K8sScheduler indicates whether the kubernetes scheduler is running.

  kubernetes string

  Kubernetes represents the kubernetes version.

  openshift boolean

  Openshift indicates whether openshift is deployed.

  openshiftVersion string

  OpenshiftVersion represents the running openshift version.

  osDistro string

  OSDistro specifies the os distribution.

  serverless boolean

  Serverless indicates whether evaluated on a serverless environment.

  swarmManager boolean

  SwarmManager indicates whether a swarm manager is running.

  swarmNode boolean

  SwarmNode indicates whether the node is part of an active swarm.

  isARM64 boolean

  IsARM64 indicates if the architecture of the image is aarch64.

  k8sClusterAddr string

  Endpoint of the Kubernetes API server.

  labels string[]

  Image labels.

  layers string[]

  Image's filesystem layers. Each layer is a SHA256 digest of the filesystem diff See: https://windsock.io/explaining-docker-image-ids/.

  missingDistroVulnCoverage boolean

  Indicates if the image OS is covered in the IS (true) or not (false).

  namespaces string[]

  k8s namespaces of all the containers running this image.

  osDistro string

  Name of the OS distribution.

  osDistroRelease string

  OS distribution release.

  osDistroVersion string

  OS distribution version.

  packageCorrelationDone boolean

  PackageCorrelationDone indicates that the correlation to OS packages has been done.

  packageManager boolean

  Indicates if the package manager is installed for the OS.

  packages object[]

  Packages which exist in the image.

  Array [

  pkgs object[]

  List of packages.

  Array [

  binaryIdx int16[]

  Indexes of the top binaries which use the package.

  binaryPkgs string[]

  Names of the distro binary packages (packages which are built on the source of the package).

  cveCount integer

  Total number of CVEs for this specific package.

  defaultGem boolean

  DefaultGem indicates this is a gem default package (and not a bundled package).

  files object[]

  List of package-related files and their hashes. Only included when the appropriate scan option is set.

  Array [

  md5 string

  Hash sum of the file using md5.

  path string

  Path of the file.

  sha1 string

  Hash sum of the file using SHA-1.

  sha256 string

  Hash sum of the file using SHA256.

  ]

  functionLayer string

  ID of the serverless layer in which the package was discovered.

  goPkg boolean

  GoPkg indicates this is a Go package (and not module).

  jarIdentifier string

  JarIdentifier holds an additional identification detail of a JAR package.

  layerTime int64

  Image layer to which the package belongs (layer creation time).

  license string

  License information for the package.

  name string

  Name of the package.

  osPackage boolean

  OSPackage indicates that a python/java package was installed as an OS package.

  path string

  Full package path (e.g., JAR or Node.js package path).

  version string

  Package version.

  ]

  pkgsType vuln.PackageType

  Possible values: [nodejs,gem,python,jar,package,windows,binary,nuget,go]

  PackageType describes the package type

  ]

  pushTime date-time

  PushTime is the image push time to the registry.

  registryNamespace string

  IBM cloud namespace to which the image belongs.

  registryType string

  RegistryType indicates the registry type where the image is stored.

  repoDigests string[]

  Digests of the image. Used for content trust (notary). Has one digest per tag.

  repoTag object

  ImageTag represents an image repository and its associated tag or registry digest

  digest string

  Image digest (requires V2 or later registry).

  id string

  ID of the image.

  registry string

  Registry name to which the image belongs.

  repo string

  Repository name to which the image belongs.

  tag string

  Image tag.

  rhelRepos string[]

  RhelRepositories are the (RPM) repositories IDs from which the packages in this image were installed Used for matching vulnerabilities by Red Hat CPEs.

  riskFactors object

  RiskFactors maps the existence of vulnerability risk factors

  property name* string

  scanBuildDate string

  Scanner build date that published the image.

  scanVersion string

  Scanner version that published the image.

  startupBinaries object[]

  Binaries which are expected to run when the container is created from this image.

  Array [

  altered boolean

  Indicates if the binary was installed from a package manager and modified/replaced (true) or not (false).

  cveCount integer

  Total number of CVEs for this specific binary.

  deps string[]

  Third-party package files which are used by the binary.

  functionLayer string

  ID of the serverless layer in which the package was discovered.

  md5 string

  Md5 hashset of the binary.

  missingPkg boolean

  Indicates if this binary is not related to any package (true) or not (false).

  name string

  Name of the binary.

  path string

  Relative path of the binary inside the container.

  pkgRootDir string

  Path for searching packages used by the binary.

  services string[]

  Names of services which use the binary.

  version string

  Version of the binary.

  ]

  tags object[]

  Tags associated with the given image.

  Array [

  digest string

  Image digest (requires V2 or later registry).

  id string

  ID of the image.

  registry string

  Registry name to which the image belongs.

  repo string

  Repository name to which the image belongs.

  tag string

  Image tag.

  ]

  topLayer string

  SHA256 of the image's last layer that is the last element of the Layers field.

  twistlockImage boolean

  Indicates if the image is a Twistlock image (true) or not (false).

  vulnerabilities object[]

  CVE vulnerabilities of the image.

  Array [

  applicableRules string[]

  Rules applied on the package.

  binaryPkgs string[]

  Names of the distro binary package names (packages which are built from the source of the package).

  block boolean

  Indicates if the vulnerability has a block effect (true) or not (false).

  cause string

  Additional information regarding the root cause for the vulnerability.

  cri boolean

  Indicates if this is a CRI-specific vulnerability (true) or not (false).

  custom boolean

  Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

  cve string

  CVE ID of the vulnerability (if applied).

  cvss float

  CVSS score of the vulnerability.

  description string

  Description of the vulnerability.

  discovered date-time

  Specifies the time of discovery for the vulnerability.

  exploit vuln.ExploitType

  Possible values: [,exploit-db,exploit-windows,cisa-kev]

  ExploitType represents the source of an exploit

  exploits object[]

  Exploits represents the exploits data found for a CVE

  Array [

  kind vuln.ExploitKind

  Possible values: [poc,in-the-wild]

  ExploitKind represents the kind of the exploit

  link string

  Link is a link to information about the exploit.

  source vuln.ExploitType

  Possible values: [,exploit-db,exploit-windows,cisa-kev]

  ExploitType represents the source of an exploit

  ]

  fixDate int64

  Date/time when the vulnerability was fixed (in Unix time).

  fixLink string

  Link to the vendor's fixed-version information.

  functionLayer string

  Specifies the serverless layer ID in which the vulnerability was discovered.

  gracePeriodDays integer

  Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.

  id integer

  ID of the violation.

  layerTime int64

  Date/time of the image layer to which the CVE belongs.

  link string

  Vendor link to the CVE.

  packageName string

  Name of the package that caused the vulnerability.

  packageVersion string

  Version of the package that caused the vulnerability (or null).

  published int64

  Date/time when the vulnerability was published (in Unix time).

  riskFactors object

  RiskFactors maps the existence of vulnerability risk factors

  property name* string

  severity string

  Textual representation of the vulnerability's severity.

  status string

  Vendor status for the vulnerability.

  templates vuln.ComplianceTemplate[]

  Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

  List of templates with which the vulnerability is associated.

  text string

  Description of the violation.

  title string

  Compliance title.

  twistlock boolean

  Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

  type vuln.Type

  Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux]

  Type represents the vulnerability type

  vecStr string

  Textual representation of the metric values used to score the vulnerability.

  vulnTagInfos object[]

  Tag information for the vulnerability.

  Array [

  color common.Color

  Color is a hexadecimal representation of color code value

  comment string

  Tag comment in a specific vulnerability context.

  name string

  Name of the tag.

  ]

  ]

  vulnerabilitiesCount integer

  Total number of vulnerabilities.

  vulnerabilityDistribution object

  Distribution counts the number of vulnerabilities per type

  critical integer

  .

  high integer

  .

  low integer

  .

  medium integer

  .

  total integer

  .

  vulnerabilityRiskScore float

  Image's CVE risk score.

• imageName string

  ImageName is the image name (e.g. registry/repo:tag).

• listening object[]

  Listening is a list of listening events detected during this scan.

  Array [

  port integer

  Port is the network port.

  process object

  ProcessEvent represents a process event during sandbox scan

  command string

  Command is the command line.

  md5 string

  MD5 is the md5 hash for the process binary.

  parent object

  ProcessInfo holds process information

  command string

  Command is the command line.

  md5 string

  MD5 is the md5 hash for the process binary.

  path string

  Path is the binary path.

  time date-time

  Time is the process start time.

  user string

  User is the username/id.

  path string

  Path is the binary path.

  time date-time

  Time is the process start time.

  user string

  User is the username/id.

  time date-time

  Time is the event time.

  ]
• pass boolean

  Pass indicates if the scan passed or failed.

• procs object[]

  Procs are the different detected process during this scan.

  Array [

  command string

  Command is the command line.

  md5 string

  MD5 is the md5 hash for the process binary.

  parent object

  ProcessInfo holds process information

  command string

  Command is the command line.

  md5 string

  MD5 is the md5 hash for the process binary.

  path string

  Path is the binary path.

  time date-time

  Time is the process start time.

  user string

  User is the username/id.

  path string

  Path is the binary path.

  time date-time

  Time is the process start time.

  user string

  User is the username/id.

  ]
• riskScore double

  RiskScore is the weighted total risk score.

• scanDuration int64

  ScanDuration is the provided scan duration in nanoseconds.

• scanTime date-time

  Start is the scan start time.

• suspiciousFiles object[]

  SuspiciousFiles are suspicious files detected during scan.

  Array [

  containerPath string

  ContainerPath is the path of the file in the running container.

  created boolean

  Created indicates if the file was created during runtime.

  md5 string

  MD5 is the file MD5 hash.

  path string

  Path is the path to the copy of the file.

  ]

Responses

• 200
• default

---

ScanResult represents sandbox scan results

application/json

• Schema
• Example (from schema)

---

Schema

• _id string

  ID is a unique scan identifier.

• collections string[]

  Collections to which this result applies.

• connection object[]

  Connection is a list of connection events detected during this scan.

  Array [

  countryCode string

  CountryCode is the country code for the network IP.

  ip string

  IP is the network IP.

  port integer

  Port is the network port.

  process object

  ProcessEvent represents a process event during sandbox scan

  command string

  Command is the command line.

  md5 string

  MD5 is the md5 hash for the process binary.

  parent object

  ProcessInfo holds process information

  command string

  Command is the command line.

  md5 string

  MD5 is the md5 hash for the process binary.

  path string

  Path is the binary path.

  time date-time

  Time is the process start time.

  user string

  User is the username/id.

  path string

  Path is the binary path.

  time date-time

  Time is the process start time.

  user string

  User is the username/id.

  protocol string

  Protocol is the transport layer protocol (UDP / TCP).

  time date-time

  Time is the event time.

  ]
• dns object[]

  DNS is a list of DNS queries detected during this scan.

  Array [

  countryCode string

  CountryCode is the country code for the network IP.

  domainName string

  DomainName is the domain name for a DNS query.

  domainType string

  DomainType is the domain type for a DNS query.

  ip string

  IP is the network IP.

  process object

  ProcessEvent represents a process event during sandbox scan

  command string

  Command is the command line.

  md5 string

  MD5 is the md5 hash for the process binary.

  parent object

  ProcessInfo holds process information

  command string

  Command is the command line.

  md5 string

  MD5 is the md5 hash for the process binary.

  path string

  Path is the binary path.

  time date-time

  Time is the process start time.

  user string

  User is the username/id.

  path string

  Path is the binary path.

  time date-time

  Time is the process start time.

  user string

  User is the username/id.

  time date-time

  Time is the event time.

  ]
• entrypoint string

  Entrypoint is the command executed in the sandbox scan.

• filesystem object[]

  Filesystem is a list of filesystem events detected during this scan.

  Array [

  accessType sandbox.FilesystemAccessType

  Possible values: [open,modify,create]

  FilesystemAccessType represents a type of accessing a file

  path string

  Path is the file path.

  process object

  ProcessEvent represents a process event during sandbox scan

  command string

  Command is the command line.

  md5 string

  MD5 is the md5 hash for the process binary.

  parent object

  ProcessInfo holds process information

  command string

  Command is the command line.

  md5 string

  MD5 is the md5 hash for the process binary.

  path string

  Path is the binary path.

  time date-time

  Time is the process start time.

  user string

  User is the username/id.

  path string

  Path is the binary path.

  time date-time

  Time is the process start time.

  user string

  User is the username/id.

  time date-time

  Time is the event time.

  ]
• findings object[]

  Findings are the detected findings during scan.

  Array [

  description string

  Description is the finding description.

  events object[]

  Events are the events that lead to the finding detection.

  Array [

  description string

  Description describes what happened in the event.

  time date-time

  Time is the time of event detection.

  ]

  severity sandbox.FindingSeverity

  Possible values: [critical,high,medium,low]

  FindingSeverity represents a finding severity level

  time date-time

  Time is the detection time (time of triggering event).

  type sandbox.FindingType

  Possible values: [dropper,modifiedBinary,executableCreation,filelessExecutableCreation,wildFireMalware,verticalPortScan,cryptoMiner,suspiciousELFHeader,kernelModule,modifiedBinaryExecution,filelessExecution]

  FindingType represents a unique sandbox-detected finding type

  ]
• image object

  ImageInfo contains image information collected during image scan

  Secrets string[]

  Secrets are paths to embedded secrets inside the image Note: capital letter JSON annotation is kept to avoid converting all images for backward-compatibility support.

  allCompliance object

  AllCompliance contains data regarding passed compliance checks

  compliance object[]

  Compliance are all the passed compliance checks.

  Array [

  applicableRules string[]

  Rules applied on the package.

  binaryPkgs string[]

  Names of the distro binary package names (packages which are built from the source of the package).

  block boolean

  Indicates if the vulnerability has a block effect (true) or not (false).

  cause string

  Additional information regarding the root cause for the vulnerability.

  cri boolean

  Indicates if this is a CRI-specific vulnerability (true) or not (false).

  custom boolean

  Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

  cve string

  CVE ID of the vulnerability (if applied).

  cvss float

  CVSS score of the vulnerability.

  description string

  Description of the vulnerability.

  discovered date-time

  Specifies the time of discovery for the vulnerability.

  exploit vuln.ExploitType

  Possible values: [,exploit-db,exploit-windows,cisa-kev]

  ExploitType represents the source of an exploit

  exploits object[]

  Exploits represents the exploits data found for a CVE

  Array [

  kind vuln.ExploitKind

  Possible values: [poc,in-the-wild]

  ExploitKind represents the kind of the exploit

  link string

  Link is a link to information about the exploit.

  source vuln.ExploitType

  Possible values: [,exploit-db,exploit-windows,cisa-kev]

  ExploitType represents the source of an exploit

  ]

  fixDate int64

  Date/time when the vulnerability was fixed (in Unix time).

  fixLink string

  Link to the vendor's fixed-version information.

  functionLayer string

  Specifies the serverless layer ID in which the vulnerability was discovered.

  gracePeriodDays integer

  Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.

  id integer

  ID of the violation.

  layerTime int64

  Date/time of the image layer to which the CVE belongs.

  link string

  Vendor link to the CVE.

  packageName string

  Name of the package that caused the vulnerability.

  packageVersion string

  Version of the package that caused the vulnerability (or null).

  published int64

  Date/time when the vulnerability was published (in Unix time).

  riskFactors object

  RiskFactors maps the existence of vulnerability risk factors

  property name* string

  severity string

  Textual representation of the vulnerability's severity.

  status string

  Vendor status for the vulnerability.

  templates vuln.ComplianceTemplate[]

  Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

  List of templates with which the vulnerability is associated.

  text string

  Description of the violation.

  title string

  Compliance title.

  twistlock boolean

  Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

  type vuln.Type

  Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux]

  Type represents the vulnerability type

  vecStr string

  Textual representation of the metric values used to score the vulnerability.

  vulnTagInfos object[]

  Tag information for the vulnerability.

  Array [

  color common.Color

  Color is a hexadecimal representation of color code value

  comment string

  Tag comment in a specific vulnerability context.

  name string

  Name of the tag.

  ]

  ]

  enabled boolean

  Enabled indicates whether passed compliance checks is enabled by policy.

  applications object[]

  Products in the image.

  Array [

  installedFromPackage boolean

  Indicates that the app was installed as an OS package.

  knownVulnerabilities integer

  Total number of vulnerabilities for this application.

  layerTime int64

  Image layer to which the application belongs - layer creation time.

  name string

  Name of the application.

  path string

  Path of the detected application.

  service boolean

  Service indicates whether the application is installed as a service.

  version string

  Version of the application.

  ]

  baseImage string

  Image’s base image name. Used when filtering the vulnerabilities by base images.

  binaries object[]

  Binaries in the image.

  Array [

  altered boolean

  Indicates if the binary was installed from a package manager and modified/replaced (true) or not (false).

  cveCount integer

  Total number of CVEs for this specific binary.

  deps string[]

  Third-party package files which are used by the binary.

  functionLayer string

  ID of the serverless layer in which the package was discovered.

  md5 string

  Md5 hashset of the binary.

  missingPkg boolean

  Indicates if this binary is not related to any package (true) or not (false).

  name string

  Name of the binary.

  path string

  Relative path of the binary inside the container.

  pkgRootDir string

  Path for searching packages used by the binary.

  services string[]

  Names of services which use the binary.

  version string

  Version of the binary.

  ]

  cloudMetadata object

  CloudMetadata is the metadata for an instance running in a cloud provider (AWS/GCP/Azure)

  accountID string

  Cloud account ID.

  awsExecutionEnv string

  AWS execution environment (e.g. EC2/Fargate).

  image string

  Image name.

  labels object[]

  Cloud provider metadata labels.

  Array [

  key string

  Label key.

  sourceName string

  Source name (e.g., for a namespace, the source name can be 'twistlock').

  sourceType common.ExternalLabelSourceType

  Possible values: [namespace,deployment,aws,azure,gcp,oci]

  ExternalLabelSourceType indicates the source of the labels

  timestamp date-time

  Time when the label was fetched.

  value string

  Value of the label.

  ]

  name string

  Instance name.

  provider common.CloudProvider

  Possible values: [aws,azure,gcp,alibaba,oci,others]

  CloudProvider specifies the cloud provider name

  region string

  Instance region.

  resourceID string

  Unique ID of the resource.

  resourceURL string

  Server-defined URL for the resource.

  type string

  Instance type.

  vmID string

  Azure unique vm ID.

  vmImageID string

  VMImageID holds the VM image ID.

  clusterType common.ClusterType

  Possible values: [AKS,ECS,EKS,GKE,Kubernetes]

  ClusterType is the cluster type

  clusters string[]

  Cluster names.

  complianceDistribution object

  Distribution counts the number of vulnerabilities per type

  critical integer

  .

  high integer

  .

  low integer

  .

  medium integer

  .

  total integer

  .

  complianceIssues object[]

  All the compliance issues.

  Array [

  applicableRules string[]

  Rules applied on the package.

  binaryPkgs string[]

  Names of the distro binary package names (packages which are built from the source of the package).

  block boolean

  Indicates if the vulnerability has a block effect (true) or not (false).

  cause string

  Additional information regarding the root cause for the vulnerability.

  cri boolean

  Indicates if this is a CRI-specific vulnerability (true) or not (false).

  custom boolean

  Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

  cve string

  CVE ID of the vulnerability (if applied).

  cvss float

  CVSS score of the vulnerability.

  description string

  Description of the vulnerability.

  discovered date-time

  Specifies the time of discovery for the vulnerability.

  exploit vuln.ExploitType

  Possible values: [,exploit-db,exploit-windows,cisa-kev]

  ExploitType represents the source of an exploit

  exploits object[]

  Exploits represents the exploits data found for a CVE

  Array [

  kind vuln.ExploitKind

  Possible values: [poc,in-the-wild]

  ExploitKind represents the kind of the exploit

  link string

  Link is a link to information about the exploit.

  source vuln.ExploitType

  Possible values: [,exploit-db,exploit-windows,cisa-kev]

  ExploitType represents the source of an exploit

  ]

  fixDate int64

  Date/time when the vulnerability was fixed (in Unix time).

  fixLink string

  Link to the vendor's fixed-version information.

  functionLayer string

  Specifies the serverless layer ID in which the vulnerability was discovered.

  gracePeriodDays integer

  Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.

  id integer

  ID of the violation.

  layerTime int64

  Date/time of the image layer to which the CVE belongs.

  link string

  Vendor link to the CVE.

  packageName string

  Name of the package that caused the vulnerability.

  packageVersion string

  Version of the package that caused the vulnerability (or null).

  published int64

  Date/time when the vulnerability was published (in Unix time).

  riskFactors object

  RiskFactors maps the existence of vulnerability risk factors

  property name* string

  severity string

  Textual representation of the vulnerability's severity.

  status string

  Vendor status for the vulnerability.

  templates vuln.ComplianceTemplate[]

  Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

  List of templates with which the vulnerability is associated.

  text string

  Description of the violation.

  title string

  Compliance title.

  twistlock boolean

  Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

  type vuln.Type

  Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux]

  Type represents the vulnerability type

  vecStr string

  Textual representation of the metric values used to score the vulnerability.

  vulnTagInfos object[]

  Tag information for the vulnerability.

  Array [

  color common.Color

  Color is a hexadecimal representation of color code value

  comment string

  Tag comment in a specific vulnerability context.

  name string

  Name of the tag.

  ]

  ]

  complianceIssuesCount integer

  Number of compliance issues.

  complianceRiskScore float

  Compliance risk score for the image.

  creationTime date-time

  Specifies the time of creation for the latest version of the image.

  distro string

  Full name of the distribution.

  ecsClusterName string

  ECS cluster name.

  externalLabels object[]

  Kubernetes external labels of all containers running this image.

  Array [

  key string

  Label key.

  sourceName string

  Source name (e.g., for a namespace, the source name can be 'twistlock').

  sourceType common.ExternalLabelSourceType

  Possible values: [namespace,deployment,aws,azure,gcp,oci]

  ExternalLabelSourceType indicates the source of the labels

  timestamp date-time

  Time when the label was fetched.

  value string

  Value of the label.

  ]

  files object[]

  Files in the container.

  Array [

  md5 string

  Hash sum of the file using md5.

  path string

  Path of the file.

  sha1 string

  Hash sum of the file using SHA-1.

  sha256 string

  Hash sum of the file using SHA256.

  ]

  firstScanTime date-time

  Specifies the time of the scan for the first version of the image. This time is preserved even after the version update.

  history object[]

  Docker image history.

  Array [

  baseLayer boolean

  Indicates if this layer originated from the base image (true) or not (false).

  created int64

  Date/time when the image layer was created.

  emptyLayer boolean

  Indicates if this instruction didn't create a separate layer (true) or not (false).

  id string

  ID of the layer.

  instruction string

  Docker file instruction and arguments used to create this layer.

  sizeBytes int64

  Size of the layer (in bytes).

  tags string[]

  Holds the image tags.

  vulnerabilities object[]

  Vulnerabilities which originated from this layer.

  Array [

  applicableRules string[]

  Rules applied on the package.

  binaryPkgs string[]

  Names of the distro binary package names (packages which are built from the source of the package).

  block boolean

  Indicates if the vulnerability has a block effect (true) or not (false).

  cause string

  Additional information regarding the root cause for the vulnerability.

  cri boolean

  Indicates if this is a CRI-specific vulnerability (true) or not (false).

  custom boolean

  Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

  cve string

  CVE ID of the vulnerability (if applied).

  cvss float

  CVSS score of the vulnerability.

  description string

  Description of the vulnerability.

  discovered date-time

  Specifies the time of discovery for the vulnerability.

  exploit vuln.ExploitType

  Possible values: [,exploit-db,exploit-windows,cisa-kev]

  ExploitType represents the source of an exploit

  exploits object[]

  Exploits represents the exploits data found for a CVE

  Array [

  kind vuln.ExploitKind

  Possible values: [poc,in-the-wild]

  ExploitKind represents the kind of the exploit

  link string

  Link is a link to information about the exploit.

  source vuln.ExploitType

  Possible values: [,exploit-db,exploit-windows,cisa-kev]

  ExploitType represents the source of an exploit

  ]

  fixDate int64

  Date/time when the vulnerability was fixed (in Unix time).

  fixLink string

  Link to the vendor's fixed-version information.

  functionLayer string

  Specifies the serverless layer ID in which the vulnerability was discovered.

  gracePeriodDays integer

  Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.

  id integer

  ID of the violation.

  layerTime int64

  Date/time of the image layer to which the CVE belongs.

  link string

  Vendor link to the CVE.

  packageName string

  Name of the package that caused the vulnerability.

  packageVersion string

  Version of the package that caused the vulnerability (or null).

  published int64

  Date/time when the vulnerability was published (in Unix time).

  riskFactors object

  RiskFactors maps the existence of vulnerability risk factors

  property name* string

  severity string

  Textual representation of the vulnerability's severity.

  status string

  Vendor status for the vulnerability.

  templates vuln.ComplianceTemplate[]

  Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

  List of templates with which the vulnerability is associated.

  text string

  Description of the violation.

  title string

  Compliance title.

  twistlock boolean

  Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

  type vuln.Type

  Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux]

  Type represents the vulnerability type

  vecStr string

  Textual representation of the metric values used to score the vulnerability.

  vulnTagInfos object[]

  Tag information for the vulnerability.

  Array [

  color common.Color

  Color is a hexadecimal representation of color code value

  comment string

  Tag comment in a specific vulnerability context.

  name string

  Name of the tag.

  ]

  ]

  ]

  hostDevices object[]

  Map from host network device name to IP address.

  Array [

  ip string

  Network device IPv4 address.

  name string

  Network device name.

  ]

  id string

  Image ID.

  image object

  Image represents a container image

  created date-time

  Date/time when the image was created.

  entrypoint string[]

  Combined entrypoint of the image (entrypoint + CMD).

  env string[]

  Image environment variables.

  healthcheck boolean

  Indicates if health checks are enabled (true) or not (false).

  history object[]

  Holds the image history.

  Array [

  baseLayer boolean

  Indicates if this layer originated from the base image (true) or not (false).

  created int64

  Date/time when the image layer was created.

  emptyLayer boolean

  Indicates if this instruction didn't create a separate layer (true) or not (false).

  id string

  ID of the layer.

  instruction string

  Docker file instruction and arguments used to create this layer.

  sizeBytes int64

  Size of the layer (in bytes).

  tags string[]

  Holds the image tags.

  vulnerabilities object[]

  Vulnerabilities which originated from this layer.

  Array [

  applicableRules string[]

  Rules applied on the package.

  binaryPkgs string[]

  Names of the distro binary package names (packages which are built from the source of the package).

  block boolean

  Indicates if the vulnerability has a block effect (true) or not (false).

  cause string

  Additional information regarding the root cause for the vulnerability.

  cri boolean

  Indicates if this is a CRI-specific vulnerability (true) or not (false).

  custom boolean

  Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

  cve string

  CVE ID of the vulnerability (if applied).

  cvss float

  CVSS score of the vulnerability.

  description string

  Description of the vulnerability.

  discovered date-time

  Specifies the time of discovery for the vulnerability.

  exploit vuln.ExploitType

  Possible values: [,exploit-db,exploit-windows,cisa-kev]

  ExploitType represents the source of an exploit

  exploits object[]

  Exploits represents the exploits data found for a CVE

  Array [

  kind vuln.ExploitKind

  Possible values: [poc,in-the-wild]

  ExploitKind represents the kind of the exploit

  link string

  Link is a link to information about the exploit.

  source vuln.ExploitType

  Possible values: [,exploit-db,exploit-windows,cisa-kev]

  ExploitType represents the source of an exploit

  ]

  fixDate int64

  Date/time when the vulnerability was fixed (in Unix time).

  fixLink string

  Link to the vendor's fixed-version information.

  functionLayer string

  Specifies the serverless layer ID in which the vulnerability was discovered.

  gracePeriodDays integer

  Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.

  id integer

  ID of the violation.

  layerTime int64

  Date/time of the image layer to which the CVE belongs.

  link string

  Vendor link to the CVE.

  packageName string

  Name of the package that caused the vulnerability.

  packageVersion string

  Version of the package that caused the vulnerability (or null).

  published int64

  Date/time when the vulnerability was published (in Unix time).

  riskFactors object

  RiskFactors maps the existence of vulnerability risk factors

  property name* string

  severity string

  Textual representation of the vulnerability's severity.

  status string

  Vendor status for the vulnerability.

  templates vuln.ComplianceTemplate[]

  Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

  List of templates with which the vulnerability is associated.

  text string

  Description of the violation.

  title string

  Compliance title.

  twistlock boolean

  Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

  type vuln.Type

  Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux]

  Type represents the vulnerability type

  vecStr string

  Textual representation of the metric values used to score the vulnerability.

  vulnTagInfos object[]

  Tag information for the vulnerability.

  Array [

  color common.Color

  Color is a hexadecimal representation of color code value

  comment string

  Tag comment in a specific vulnerability context.

  name string

  Name of the tag.

  ]

  ]

  ]

  id string

  ID of the image.

  labels object

  Image labels.

  property name* string

  layers string[]

  Image filesystem layers.

  os string

  Image os type.

  repoDigest string[]

  Image repo digests.

  repoTags string[]

  Image repo tags.

  user string

  Image user.

  workingDir string

  Base working directory of the image.

  installedProducts object

  InstalledProducts contains data regarding products running in environment TODO #34713: Swarm support was deprecated in Joule, remove swarm node/manager boolean (and related compliance) in Lagrange

  agentless boolean

  Agentless indicates whether the scan was performed with agentless approach.

  apache string

  Apache indicates the apache server version, empty in case apache not running.

  awsCloud boolean

  AWSCloud indicates whether AWS cloud is used.

  crio boolean

  CRI indicates whether the container runtime is CRI (and not docker).

  docker string

  Docker represents the docker daemon version.

  dockerEnterprise boolean

  DockerEnterprise indicates whether the enterprise version of Docker is installed.

  hasPackageManager boolean

  HasPackageManager indicates whether package manager is installed on the OS.

  k8sApiServer boolean

  K8sAPIServer indicates whether a kubernetes API server is running.

  k8sControllerManager boolean

  K8sControllerManager indicates whether a kubernetes controller manager is running.

  k8sEtcd boolean

  K8sEtcd indicates whether etcd is running.

  k8sFederationApiServer boolean

  K8sFederationAPIServer indicates whether a federation API server is running.

  k8sFederationControllerManager boolean

  K8sFederationControllerManager indicates whether a federation controller manager is running.

  k8sKubelet boolean

  K8sKubelet indicates whether kubelet is running.

  k8sProxy boolean

  K8sProxy indicates whether a kubernetes proxy is running.

  k8sScheduler boolean

  K8sScheduler indicates whether the kubernetes scheduler is running.

  kubernetes string

  Kubernetes represents the kubernetes version.

  openshift boolean

  Openshift indicates whether openshift is deployed.

  openshiftVersion string

  OpenshiftVersion represents the running openshift version.

  osDistro string

  OSDistro specifies the os distribution.

  serverless boolean

  Serverless indicates whether evaluated on a serverless environment.

  swarmManager boolean

  SwarmManager indicates whether a swarm manager is running.

  swarmNode boolean

  SwarmNode indicates whether the node is part of an active swarm.

  isARM64 boolean

  IsARM64 indicates if the architecture of the image is aarch64.

  k8sClusterAddr string

  Endpoint of the Kubernetes API server.

  labels string[]

  Image labels.

  layers string[]

  Image's filesystem layers. Each layer is a SHA256 digest of the filesystem diff See: https://windsock.io/explaining-docker-image-ids/.

  missingDistroVulnCoverage boolean

  Indicates if the image OS is covered in the IS (true) or not (false).

  namespaces string[]

  k8s namespaces of all the containers running this image.

  osDistro string

  Name of the OS distribution.

  osDistroRelease string

  OS distribution release.

  osDistroVersion string

  OS distribution version.

  packageCorrelationDone boolean

  PackageCorrelationDone indicates that the correlation to OS packages has been done.

  packageManager boolean

  Indicates if the package manager is installed for the OS.

  packages object[]

  Packages which exist in the image.

  Array [

  pkgs object[]

  List of packages.

  Array [

  binaryIdx int16[]

  Indexes of the top binaries which use the package.

  binaryPkgs string[]

  Names of the distro binary packages (packages which are built on the source of the package).

  cveCount integer

  Total number of CVEs for this specific package.

  defaultGem boolean

  DefaultGem indicates this is a gem default package (and not a bundled package).

  files object[]

  List of package-related files and their hashes. Only included when the appropriate scan option is set.

  Array [

  md5 string

  Hash sum of the file using md5.

  path string

  Path of the file.

  sha1 string

  Hash sum of the file using SHA-1.

  sha256 string

  Hash sum of the file using SHA256.

  ]

  functionLayer string

  ID of the serverless layer in which the package was discovered.

  goPkg boolean

  GoPkg indicates this is a Go package (and not module).

  jarIdentifier string

  JarIdentifier holds an additional identification detail of a JAR package.

  layerTime int64

  Image layer to which the package belongs (layer creation time).

  license string

  License information for the package.

  name string

  Name of the package.

  osPackage boolean

  OSPackage indicates that a python/java package was installed as an OS package.

  path string

  Full package path (e.g., JAR or Node.js package path).

  version string

  Package version.

  ]

  pkgsType vuln.PackageType

  Possible values: [nodejs,gem,python,jar,package,windows,binary,nuget,go]

  PackageType describes the package type

  ]

  pushTime date-time

  PushTime is the image push time to the registry.

  registryNamespace string

  IBM cloud namespace to which the image belongs.

  registryType string

  RegistryType indicates the registry type where the image is stored.

  repoDigests string[]

  Digests of the image. Used for content trust (notary). Has one digest per tag.

  repoTag object

  ImageTag represents an image repository and its associated tag or registry digest

  digest string

  Image digest (requires V2 or later registry).

  id string

  ID of the image.

  registry string

  Registry name to which the image belongs.

  repo string

  Repository name to which the image belongs.

  tag string

  Image tag.

  rhelRepos string[]

  RhelRepositories are the (RPM) repositories IDs from which the packages in this image were installed Used for matching vulnerabilities by Red Hat CPEs.

  riskFactors object

  RiskFactors maps the existence of vulnerability risk factors

  property name* string

  scanBuildDate string

  Scanner build date that published the image.

  scanVersion string

  Scanner version that published the image.

  startupBinaries object[]

  Binaries which are expected to run when the container is created from this image.

  Array [

  altered boolean

  Indicates if the binary was installed from a package manager and modified/replaced (true) or not (false).

  cveCount integer

  Total number of CVEs for this specific binary.

  deps string[]

  Third-party package files which are used by the binary.

  functionLayer string

  ID of the serverless layer in which the package was discovered.

  md5 string

  Md5 hashset of the binary.

  missingPkg boolean

  Indicates if this binary is not related to any package (true) or not (false).

  name string

  Name of the binary.

  path string

  Relative path of the binary inside the container.

  pkgRootDir string

  Path for searching packages used by the binary.

  services string[]

  Names of services which use the binary.

  version string

  Version of the binary.

  ]

  tags object[]

  Tags associated with the given image.

  Array [

  digest string

  Image digest (requires V2 or later registry).

  id string

  ID of the image.

  registry string

  Registry name to which the image belongs.

  repo string

  Repository name to which the image belongs.

  tag string

  Image tag.

  ]

  topLayer string

  SHA256 of the image's last layer that is the last element of the Layers field.

  twistlockImage boolean

  Indicates if the image is a Twistlock image (true) or not (false).

  vulnerabilities object[]

  CVE vulnerabilities of the image.

  Array [

  applicableRules string[]

  Rules applied on the package.

  binaryPkgs string[]

  Names of the distro binary package names (packages which are built from the source of the package).

  block boolean

  Indicates if the vulnerability has a block effect (true) or not (false).

  cause string

  Additional information regarding the root cause for the vulnerability.

  cri boolean

  Indicates if this is a CRI-specific vulnerability (true) or not (false).

  custom boolean

  Indicates if the vulnerability is a custom vulnerability (e.g., openscap, sandbox) (true) or not (false).

  cve string

  CVE ID of the vulnerability (if applied).

  cvss float

  CVSS score of the vulnerability.

  description string

  Description of the vulnerability.

  discovered date-time

  Specifies the time of discovery for the vulnerability.

  exploit vuln.ExploitType

  Possible values: [,exploit-db,exploit-windows,cisa-kev]

  ExploitType represents the source of an exploit

  exploits object[]

  Exploits represents the exploits data found for a CVE

  Array [

  kind vuln.ExploitKind

  Possible values: [poc,in-the-wild]

  ExploitKind represents the kind of the exploit

  link string

  Link is a link to information about the exploit.

  source vuln.ExploitType

  Possible values: [,exploit-db,exploit-windows,cisa-kev]

  ExploitType represents the source of an exploit

  ]

  fixDate int64

  Date/time when the vulnerability was fixed (in Unix time).

  fixLink string

  Link to the vendor's fixed-version information.

  functionLayer string

  Specifies the serverless layer ID in which the vulnerability was discovered.

  gracePeriodDays integer

  Number of grace days left for a vulnerability, based on the configured grace period. Nil if no block vulnerability rule applies.

  id integer

  ID of the violation.

  layerTime int64

  Date/time of the image layer to which the CVE belongs.

  link string

  Vendor link to the CVE.

  packageName string

  Name of the package that caused the vulnerability.

  packageVersion string

  Version of the package that caused the vulnerability (or null).

  published int64

  Date/time when the vulnerability was published (in Unix time).

  riskFactors object

  RiskFactors maps the existence of vulnerability risk factors

  property name* string

  severity string

  Textual representation of the vulnerability's severity.

  status string

  Vendor status for the vulnerability.

  templates vuln.ComplianceTemplate[]

  Possible values: [PCI,HIPAA,NIST SP 800-190,GDPR,DISA STIG]

  List of templates with which the vulnerability is associated.

  text string

  Description of the violation.

  title string

  Compliance title.

  twistlock boolean

  Indicates if this is a Twistlock-specific vulnerability (true) or not (false).

  type vuln.Type

  Possible values: [container,image,host_config,daemon_config,daemon_config_files,security_operations,k8s_master,k8s_worker,k8s_federation,linux,windows,istio,serverless,custom,docker_stig,openshift_master,openshift_worker,application_control_linux]

  Type represents the vulnerability type

  vecStr string

  Textual representation of the metric values used to score the vulnerability.

  vulnTagInfos object[]

  Tag information for the vulnerability.

  Array [

  color common.Color

  Color is a hexadecimal representation of color code value

  comment string

  Tag comment in a specific vulnerability context.

  name string

  Name of the tag.

  ]

  ]

  vulnerabilitiesCount integer

  Total number of vulnerabilities.

  vulnerabilityDistribution object

  Distribution counts the number of vulnerabilities per type

  critical integer

  .

  high integer

  .

  low integer

  .

  medium integer

  .

  total integer

  .

  vulnerabilityRiskScore float

  Image's CVE risk score.

• imageName string

  ImageName is the image name (e.g. registry/repo:tag).

• listening object[]

  Listening is a list of listening events detected during this scan.

  Array [

  port integer

  Port is the network port.

  process object

  ProcessEvent represents a process event during sandbox scan

  command string

  Command is the command line.

  md5 string

  MD5 is the md5 hash for the process binary.

  parent object

  ProcessInfo holds process information

  command string

  Command is the command line.

  md5 string

  MD5 is the md5 hash for the process binary.

  path string

  Path is the binary path.

  time date-time

  Time is the process start time.

  user string

  User is the username/id.

  path string

  Path is the binary path.

  time date-time

  Time is the process start time.

  user string

  User is the username/id.

  time date-time

  Time is the event time.

  ]
• pass boolean

  Pass indicates if the scan passed or failed.

• procs object[]

  Procs are the different detected process during this scan.

  Array [

  command string

  Command is the command line.

  md5 string

  MD5 is the md5 hash for the process binary.

  parent object

  ProcessInfo holds process information

  command string

  Command is the command line.

  md5 string

  MD5 is the md5 hash for the process binary.

  path string

  Path is the binary path.

  time date-time

  Time is the process start time.

  user string

  User is the username/id.

  path string

  Path is the binary path.

  time date-time

  Time is the process start time.

  user string

  User is the username/id.

  ]
• riskScore double

  RiskScore is the weighted total risk score.

• scanDuration int64

  ScanDuration is the provided scan duration in nanoseconds.

• scanTime date-time

  Start is the scan start time.

• suspiciousFiles object[]

  SuspiciousFiles are suspicious files detected during scan.

  Array [

  containerPath string

  ContainerPath is the path of the file in the running container.

  created boolean

  Created indicates if the file was created during runtime.

  md5 string

  MD5 is the file MD5 hash.

  path string

  Path is the path to the copy of the file.

  ]

{
  "_id": "string",
  "collections": [
    "string"
  ],
  "connection": [
    {
      "countryCode": "string",
      "ip": "string",
      "port": 0,
      "process": {
        "command": "string",
        "md5": "string",
        "parent": {
          "command": "string",
          "md5": "string",
          "path": "string",
          "time": "2023-05-27T04:01:51.362Z",
          "user": "string"
        },
        "path": "string",
        "time": "2023-05-27T04:01:51.362Z",
        "user": "string"
      },
      "protocol": "string",
      "time": "2023-05-27T04:01:51.362Z"
    }
  ],
  "dns": [
    {
      "countryCode": "string",
      "domainName": "string",
      "domainType": "string",
      "ip": "string",
      "process": {
        "command": "string",
        "md5": "string",
        "parent": {
          "command": "string",
          "md5": "string",
          "path": "string",
          "time": "2023-05-27T04:01:51.363Z",
          "user": "string"
        },
        "path": "string",
        "time": "2023-05-27T04:01:51.363Z",
        "user": "string"
      },
      "time": "2023-05-27T04:01:51.363Z"
    }
  ],
  "entrypoint": "string",
  "filesystem": [
    {
      "accessType": [
        "open",
        "modify",
        "create"
      ],
      "path": "string",
      "process": {
        "command": "string",
        "md5": "string",
        "parent": {
          "command": "string",
          "md5": "string",
          "path": "string",
          "time": "2023-05-27T04:01:51.363Z",
          "user": "string"
        },
        "path": "string",
        "time": "2023-05-27T04:01:51.363Z",
        "user": "string"
      },
      "time": "2023-05-27T04:01:51.363Z"
    }
  ],
  "findings": [
    {
      "description": "string",
      "events": [
        {
          "description": "string",
          "time": "2023-05-27T04:01:51.363Z"
        }
      ],
      "severity": [
        "critical",
        "high",
        "medium",
        "low"
      ],
      "time": "2023-05-27T04:01:51.363Z",
      "type": [
        "dropper",
        "modifiedBinary",
        "executableCreation",
        "filelessExecutableCreation",
        "wildFireMalware",
        "verticalPortScan",
        "cryptoMiner",
        "suspiciousELFHeader",
        "kernelModule",
        "modifiedBinaryExecution",
        "filelessExecution"
      ]
    }
  ],
  "image": {
    "Secrets": [
      "string"
    ],
    "allCompliance": {
      "compliance": [
        {
          "applicableRules": [
            "string"
          ],
          "binaryPkgs": [
            "string"
          ],
          "block": true,
          "cause": "string",
          "cri": true,
          "custom": true,
          "cve": "string",
          "cvss": 0,
          "description": "string",
          "discovered": "2023-05-27T04:01:51.363Z",
          "exploit": [
            "",
            "exploit-db",
            "exploit-windows",
            "cisa-kev"
          ],
          "exploits": [
            {
              "kind": [
                "poc",
                "in-the-wild"
              ],
              "link": "string",
              "source": [
                "",
                "exploit-db",
                "exploit-windows",
                "cisa-kev"
              ]
            }
          ],
          "fixDate": 0,
          "fixLink": "string",
          "functionLayer": "string",
          "gracePeriodDays": 0,
          "id": 0,
          "layerTime": 0,
          "link": "string",
          "packageName": "string",
          "packageVersion": "string",
          "published": 0,
          "riskFactors": {},
          "severity": "string",
          "status": "string",
          "templates": [
            [
              "PCI",
              "HIPAA",
              "NIST SP 800-190",
              "GDPR",
              "DISA STIG"
            ]
          ],
          "text": "string",
          "title": "string",
          "twistlock": true,
          "type": [
            "container",
            "image",
            "host_config",
            "daemon_config",
            "daemon_config_files",
            "security_operations",
            "k8s_master",
            "k8s_worker",
            "k8s_federation",
            "linux",
            "windows",
            "istio",
            "serverless",
            "custom",
            "docker_stig",
            "openshift_master",
            "openshift_worker",
            "application_control_linux"
          ],
          "vecStr": "string",
          "vulnTagInfos": [
            {
              "color": "string",
              "comment": "string",
              "name": "string"
            }
          ]
        }
      ],
      "enabled": true
    },
    "applications": [
      {
        "installedFromPackage": true,
        "knownVulnerabilities": 0,
        "layerTime": 0,
        "name": "string",
        "path": "string",
        "service": true,
        "version": "string"
      }
    ],
    "baseImage": "string",
    "binaries": [
      {
        "altered": true,
        "cveCount": 0,
        "deps": [
          "string"
        ],
        "functionLayer": "string",
        "md5": "string",
        "missingPkg": true,
        "name": "string",
        "path": "string",
        "pkgRootDir": "string",
        "services": [
          "string"
        ],
        "version": "string"
      }
    ],
    "cloudMetadata": {
      "accountID": "string",
      "awsExecutionEnv": "string",
      "image": "string",
      "labels": [
        {
          "key": "string",
          "sourceName": "string",
          "sourceType": [
            "namespace",
            "deployment",
            "aws",
            "azure",
            "gcp",
            "oci"
          ],
          "timestamp": "2023-05-27T04:01:51.364Z",
          "value": "string"
        }
      ],
      "name": "string",
      "provider": [
        "aws",
        "azure",
        "gcp",
        "alibaba",
        "oci",
        "others"
      ],
      "region": "string",
      "resourceID": "string",
      "resourceURL": "string",
      "type": "string",
      "vmID": "string",
      "vmImageID": "string"
    },
    "clusterType": [
      "AKS",
      "ECS",
      "EKS",
      "GKE",
      "Kubernetes"
    ],
    "clusters": [
      "string"
    ],
    "complianceDistribution": {
      "critical": 0,
      "high": 0,
      "low": 0,
      "medium": 0,
      "total": 0
    },
    "complianceIssues": [
      {
        "applicableRules": [
          "string"
        ],
        "binaryPkgs": [
          "string"
        ],
        "block": true,
        "cause": "string",
        "cri": true,
        "custom": true,
        "cve": "string",
        "cvss": 0,
        "description": "string",
        "discovered": "2023-05-27T04:01:51.364Z",
        "exploit": [
          "",
          "exploit-db",
          "exploit-windows",
          "cisa-kev"
        ],
        "exploits": [
          {
            "kind": [
              "poc",
              "in-the-wild"
            ],
            "link": "string",
            "source": [
              "",
              "exploit-db",
              "exploit-windows",
              "cisa-kev"
            ]
          }
        ],
        "fixDate": 0,
        "fixLink": "string",
        "functionLayer": "string",
        "gracePeriodDays": 0,
        "id": 0,
        "layerTime": 0,
        "link": "string",
        "packageName": "string",
        "packageVersion": "string",
        "published": 0,
        "riskFactors": {},
        "severity": "string",
        "status": "string",
        "templates": [
          [
            "PCI",
            "HIPAA",
            "NIST SP 800-190",
            "GDPR",
            "DISA STIG"
          ]
        ],
        "text": "string",
        "title": "string",
        "twistlock": true,
        "type": [
          "container",
          "image",
          "host_config",
          "daemon_config",
          "daemon_config_files",
          "security_operations",
          "k8s_master",
          "k8s_worker",
          "k8s_federation",
          "linux",
          "windows",
          "istio",
          "serverless",
          "custom",
          "docker_stig",
          "openshift_master",
          "openshift_worker",
          "application_control_linux"
        ],
        "vecStr": "string",
        "vulnTagInfos": [
          {
            "color": "string",
            "comment": "string",
            "name": "string"
          }
        ]
      }
    ],
    "complianceIssuesCount": 0,
    "complianceRiskScore": 0,
    "creationTime": "2023-05-27T04:01:51.364Z",
    "distro": "string",
    "ecsClusterName": "string",
    "externalLabels": [
      {
        "key": "string",
        "sourceName": "string",
        "sourceType": [
          "namespace",
          "deployment",
          "aws",
          "azure",
          "gcp",
          "oci"
        ],
        "timestamp": "2023-05-27T04:01:51.364Z",
        "value": "string"
      }
    ],
    "files": [
      {
        "md5": "string",
        "path": "string",
        "sha1": "string",
        "sha256": "string"
      }
    ],
    "firstScanTime": "2023-05-27T04:01:51.364Z",
    "history": [
      {
        "baseLayer": true,
        "created": 0,
        "emptyLayer": true,
        "id": "string",
        "instruction": "string",
        "sizeBytes": 0,
        "tags": [
          "string"
        ],
        "vulnerabilities": [
          {
            "applicableRules": [
              "string"
            ],
            "binaryPkgs": [
              "string"
            ],
            "block": true,
            "cause": "string",
            "cri": true,
            "custom": true,
            "cve": "string",
            "cvss": 0,
            "description": "string",
            "discovered": "2023-05-27T04:01:51.364Z",
            "exploit": [
              "",
              "exploit-db",
              "exploit-windows",
              "cisa-kev"
            ],
            "exploits": [
              {
                "kind": [
                  "poc",
                  "in-the-wild"
                ],
                "link": "string",
                "source": [
                  "",
                  "exploit-db",
                  "exploit-windows",
                  "cisa-kev"
                ]
              }
            ],
            "fixDate": 0,
            "fixLink": "string",
            "functionLayer": "string",
            "gracePeriodDays": 0,
            "id": 0,
            "layerTime": 0,
            "link": "string",
            "packageName": "string",
            "packageVersion": "string",
            "published": 0,
            "riskFactors": {},
            "severity": "string",
            "status": "string",
            "templates": [
              [
                "PCI",
                "HIPAA",
                "NIST SP 800-190",
                "GDPR",
                "DISA STIG"
              ]
            ],
            "text": "string",
            "title": "string",
            "twistlock": true,
            "type": [
              "container",
              "image",
              "host_config",
              "daemon_config",
              "daemon_config_files",
              "security_operations",
              "k8s_master",
              "k8s_worker",
              "k8s_federation",
              "linux",
              "windows",
              "istio",
              "serverless",
              "custom",
              "docker_stig",
              "openshift_master",
              "openshift_worker",
              "application_control_linux"
            ],
            "vecStr": "string",
            "vulnTagInfos": [
              {
                "color": "string",
                "comment": "string",
                "name": "string"
              }
            ]
          }
        ]
      }
    ],
    "hostDevices": [
      {
        "ip": "string",
        "name": "string"
      }
    ],
    "id": "string",
    "image": {
      "created": "2023-05-27T04:01:51.364Z",
      "entrypoint": [
        "string"
      ],
      "env": [
        "string"
      ],
      "healthcheck": true,
      "history": [
        {
          "baseLayer": true,
          "created": 0,
          "emptyLayer": true,
          "id": "string",
          "instruction": "string",
          "sizeBytes": 0,
          "tags": [
            "string"
          ],
          "vulnerabilities": [
            {
              "applicableRules": [
                "string"
              ],
              "binaryPkgs": [
                "string"
              ],
              "block": true,
              "cause": "string",
              "cri": true,
              "custom": true,
              "cve": "string",
              "cvss": 0,
              "description": "string",
              "discovered": "2023-05-27T04:01:51.365Z",
              "exploit": [
                "",
                "exploit-db",
                "exploit-windows",
                "cisa-kev"
              ],
              "exploits": [
                {
                  "kind": [
                    "poc",
                    "in-the-wild"
                  ],
                  "link": "string",
                  "source": [
                    "",
                    "exploit-db",
                    "exploit-windows",
                    "cisa-kev"
                  ]
                }
              ],
              "fixDate": 0,
              "fixLink": "string",
              "functionLayer": "string",
              "gracePeriodDays": 0,
              "id": 0,
              "layerTime": 0,
              "link": "string",
              "packageName": "string",
              "packageVersion": "string",
              "published": 0,
              "riskFactors": {},
              "severity": "string",
              "status": "string",
              "templates": [
                [
                  "PCI",
                  "HIPAA",
                  "NIST SP 800-190",
                  "GDPR",
                  "DISA STIG"
                ]
              ],
              "text": "string",
              "title": "string",
              "twistlock": true,
              "type": [
                "container",
                "image",
                "host_config",
                "daemon_config",
                "daemon_config_files",
                "security_operations",
                "k8s_master",
                "k8s_worker",
                "k8s_federation",
                "linux",
                "windows",
                "istio",
                "serverless",
                "custom",
                "docker_stig",
                "openshift_master",
                "openshift_worker",
                "application_control_linux"
              ],
              "vecStr": "string",
              "vulnTagInfos": [
                {
                  "color": "string",
                  "comment": "string",
                  "name": "string"
                }
              ]
            }
          ]
        }
      ],
      "id": "string",
      "labels": {},
      "layers": [
        "string"
      ],
      "os": "string",
      "repoDigest": [
        "string"
      ],
      "repoTags": [
        "string"
      ],
      "user": "string",
      "workingDir": "string"
    },
    "installedProducts": {
      "agentless": true,
      "apache": "string",
      "awsCloud": true,
      "crio": true,
      "docker": "string",
      "dockerEnterprise": true,
      "hasPackageManager": true,
      "k8sApiServer": true,
      "k8sControllerManager": true,
      "k8sEtcd": true,
      "k8sFederationApiServer": true,
      "k8sFederationControllerManager": true,
      "k8sKubelet": true,
      "k8sProxy": true,
      "k8sScheduler": true,
      "kubernetes": "string",
      "openshift": true,
      "openshiftVersion": "string",
      "osDistro": "string",
      "serverless": true,
      "swarmManager": true,
      "swarmNode": true
    },
    "isARM64": true,
    "k8sClusterAddr": "string",
    "labels": [
      "string"
    ],
    "layers": [
      "string"
    ],
    "missingDistroVulnCoverage": true,
    "namespaces": [
      "string"
    ],
    "osDistro": "string",
    "osDistroRelease": "string",
    "osDistroVersion": "string",
    "packageCorrelationDone": true,
    "packageManager": true,
    "packages": [
      {
        "pkgs": [
          {
            "binaryIdx": [
              0
            ],
            "binaryPkgs": [
              "string"
            ],
            "cveCount": 0,
            "defaultGem": true,
            "files": [
              {
                "md5": "string",
                "path": "string",
                "sha1": "string",
                "sha256": "string"
              }
            ],
            "functionLayer": "string",
            "goPkg": true,
            "jarIdentifier": "string",
            "layerTime": 0,
            "license": "string",
            "name": "string",
            "osPackage": true,
            "path": "string",
            "version": "string"
          }
        ],
        "pkgsType": [
          "nodejs",
          "gem",
          "python",
          "jar",
          "package",
          "windows",
          "binary",
          "nuget",
          "go"
        ]
      }
    ],
    "pushTime": "2023-05-27T04:01:51.365Z",
    "registryNamespace": "string",
    "registryType": "string",
    "repoDigests": [
      "string"
    ],
    "repoTag": {
      "digest": "string",
      "id": "string",
      "registry": "string",
      "repo": "string",
      "tag": "string"
    },
    "rhelRepos": [
      "string"
    ],
    "riskFactors": {},
    "scanBuildDate": "string",
    "scanVersion": "string",
    "startupBinaries": [
      {
        "altered": true,
        "cveCount": 0,
        "deps": [
          "string"
        ],
        "functionLayer": "string",
        "md5": "string",
        "missingPkg": true,
        "name": "string",
        "path": "string",
        "pkgRootDir": "string",
        "services": [
          "string"
        ],
        "version": "string"
      }
    ],
    "tags": [
      {
        "digest": "string",
        "id": "string",
        "registry": "string",
        "repo": "string",
        "tag": "string"
      }
    ],
    "topLayer": "string",
    "twistlockImage": true,
    "vulnerabilities": [
      {
        "applicableRules": [
          "string"
        ],
        "binaryPkgs": [
          "string"
        ],
        "block": true,
        "cause": "string",
        "cri": true,
        "custom": true,
        "cve": "string",
        "cvss": 0,
        "description": "string",
        "discovered": "2023-05-27T04:01:51.365Z",
        "exploit": [
          "",
          "exploit-db",
          "exploit-windows",
          "cisa-kev"
        ],
        "exploits": [
          {
            "kind": [
              "poc",
              "in-the-wild"
            ],
            "link": "string",
            "source": [
              "",
              "exploit-db",
              "exploit-windows",
              "cisa-kev"
            ]
          }
        ],
        "fixDate": 0,
        "fixLink": "string",
        "functionLayer": "string",
        "gracePeriodDays": 0,
        "id": 0,
        "layerTime": 0,
        "link": "string",
        "packageName": "string",
        "packageVersion": "string",
        "published": 0,
        "riskFactors": {},
        "severity": "string",
        "status": "string",
        "templates": [
          [
            "PCI",
            "HIPAA",
            "NIST SP 800-190",
            "GDPR",
            "DISA STIG"
          ]
        ],
        "text": "string",
        "title": "string",
        "twistlock": true,
        "type": [
          "container",
          "image",
          "host_config",
          "daemon_config",
          "daemon_config_files",
          "security_operations",
          "k8s_master",
          "k8s_worker",
          "k8s_federation",
          "linux",
          "windows",
          "istio",
          "serverless",
          "custom",
          "docker_stig",
          "openshift_master",
          "openshift_worker",
          "application_control_linux"
        ],
        "vecStr": "string",
        "vulnTagInfos": [
          {
            "color": "string",
            "comment": "string",
            "name": "string"
          }
        ]
      }
    ],
    "vulnerabilitiesCount": 0,
    "vulnerabilityDistribution": {
      "critical": 0,
      "high": 0,
      "low": 0,
      "medium": 0,
      "total": 0
    },
    "vulnerabilityRiskScore": 0
  },
  "imageName": "string",
  "listening": [
    {
      "port": 0,
      "process": {
        "command": "string",
        "md5": "string",
        "parent": {
          "command": "string",
          "md5": "string",
          "path": "string",
          "time": "2023-05-27T04:01:51.366Z",
          "user": "string"
        },
        "path": "string",
        "time": "2023-05-27T04:01:51.366Z",
        "user": "string"
      },
      "time": "2023-05-27T04:01:51.366Z"
    }
  ],
  "pass": true,
  "procs": [
    {
      "command": "string",
      "md5": "string",
      "parent": {
        "command": "string",
        "md5": "string",
        "path": "string",
        "time": "2023-05-27T04:01:51.366Z",
        "user": "string"
      },
      "path": "string",
      "time": "2023-05-27T04:01:51.366Z",
      "user": "string"
    }
  ],
  "riskScore": 0,
  "scanDuration": 0,
  "scanTime": "2023-05-27T04:01:51.366Z",
  "suspiciousFiles": [
    {
      "containerPath": "string",
      "created": true,
      "md5": "string",
      "path": "string"
    }
  ]
}

Loading...