
Update CI Serverless Vulnerability Policy

PUT 

/api/v34.00/policies/vulnerability/ci/serverless

x-prisma-cloud-target-env: {"permission":"policyServerless"}

Updates the vulnerability policy for serverless functions scanned in your continuous integration (CI) pipeline. All rules in the policy are updated in a single shot.

The policy set in this endpoint is enforced by the scanners in the Jenkins plugin and the twistcli command line tool.

This endpoint maps to the policy table in Defend > Vulnerabilities > Functions > CI in the Console UI.

cURL Request

Refer to the following example cURL command that overwrites all rules in your current policy with a new policy that has a single rule:

$ curl 'https://<CONSOLE>/api/v<VERSION>/policies/vulnerability/ci/serverless' \
  -X PUT \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -d \
  '{
    "rules": [
      {
        "name": "<RULE_NAME>",
        "collections": [
          {
            "name": "<COLLECTION_NAME>"
          }
        ],
        "alertThreshold": {
          "value": 1,
          "disabled": false
        },
        "blockThreshold": {
          "value": 0,
          "enabled": false
        },

        ...

      }
    ],
    "policyType": "ciServerlessVulnerability",

    ...

  }'

Note: A successful call returns an empty response body, so check the HTTP status code (for example, run curl with -i) rather than expecting output. Because PUT replaces every rule, fetch the current policy first and send the full, merged rule set if you intend to add rather than overwrite.

Request

Body

    _id (string)

    Internal identifier.

    policyType (common.PolicyType, string)

    PolicyType represents the type of the policy. For this endpoint the value is ciServerlessVulnerability, as in the cURL example above.

    Possible values: [containerVulnerability,containerCompliance,ciImagesVulnerability,ciImagesCompliance,hostVulnerability,hostCompliance,vmVulnerability,vmCompliance,serverlessCompliance,ciServerlessCompliance,serverlessVulnerability,ciServerlessVulnerability,containerRuntime,appEmbeddedRuntime,containerAppFirewall,hostAppFirewall,outOfBandAppFirewall,agentlessAppFirewall,serverObserverAppFirewall,appEmbeddedAppFirewall,serverlessAppFirewall,networkFirewall,secrets,hostRuntime,serverlessRuntime,kubernetesAudit,trust,admission,codeRepoCompliance,ciCodeRepoCompliance,ciCodeRepoVulnerability,codeRepoVulnerability]

    rules (object[])

    Rules holds all policy rules.

  • Array [
  • action (string[])

    Action to take.

    alertThreshold (object)

    AlertThreshold is the vulnerability policy alert threshold. Threshold values typically vary between 0 and 10 (noninclusive).

    disabled (boolean)

    Suppresses alerts for all vulnerabilities (true).

    value (float)

    Minimum severity to trigger alerts. Supported values range from 0 to 9, where 0=off, 1=low, 4=medium, 7=high, and 9=critical.

    allCompliance (boolean)

    Reports the results of all compliance checks (both passed and failed) (true).

    auditAllowed (boolean)

    Specifies if Prisma Cloud audits successful transactions.

    blockMsg (common.PolicyBlockMsg, string)

    PolicyBlockMsg represents the block message in a policy.

    blockThreshold (object)

    BlockThreshold is the vulnerability policy block threshold. Threshold values typically vary between 0 and 10 (noninclusive).

    enabled (boolean)

    Enables blocking (true).

    value (float)

    Minimum severity to trigger blocking. Supported values range from 0 to 9, where 0=off, 1=low, 4=medium, 7=high, and 9=critical.

    collections (object[])

    List of collections. Used to scope the rule.

  • Array [
  • accountIDs (string[])

    List of account IDs.

    appIDs (string[])

    List of application IDs.

    clusters (string[])

    List of Kubernetes cluster names.

    color (common.Color, string)

    Color is a hexadecimal representation of a color code value.

    containers (string[])

    List of containers.

    description (string)

    Free-form text.

    functions (string[])

    List of functions.

    hosts (string[])

    List of hosts.

    images (string[])

    List of images.

    labels (string[])

    List of labels.

    modified (date-time)

    Datetime when the collection was last modified.

    name (string)

    Collection name. Must be unique.

    namespaces (string[])

    List of Kubernetes namespaces.

    owner (string)

    User who created or last modified the collection.

    prisma (boolean)

    Indicates whether this collection originates from Prisma Cloud.

    system (boolean)

    Indicates whether this collection was created by the system (i.e., a non-user) (true) or a real user (false).

  • ]
  • condition (object)

    Conditions contains rule conditions. Conditions apply only for their respective policy type.

    device (string)

    Allowed volume host device (wildcard). If a "container create" command specifies a non-matching host device, the action is blocked. Only applies to rules in certain policy types.

    readonly (boolean)

    Indicates if the condition applies only to read-only commands (i.e., HTTP GET requests) (true) or not (false).

    vulnerabilities (object[])

    Block and scan severity-based vulnerabilities conditions.

  • Array [
  • block (boolean)

    Specifies the effect. If true, the effect is block.

    id (integer)

    Vulnerability ID.

  • ]
  • createPR (boolean)

    CreatePR indicates whether to create a pull request for vulnerability fixes (relevant for code repos).

    cveRules (object[])

    List of CVE IDs classified for special handling (also known as exceptions).

  • Array [
  • description (string)

    Free-form text for documenting the exception.

    effect (vuln.Effect, string)

    Effect specifies the relevant action for a vulnerability.

    Possible values: [ignore,alert,block]

    expiration (object)

    ExpirationDate is the vulnerability expiration date.

    date (date-time)

    Date is the vulnerability expiration date.

    enabled (boolean)

    Enabled indicates that the grace period is enabled.

    id (string)

    CVE ID.

  • ]
  • disabled (boolean)

    Indicates whether the rule is currently disabled. Values: true (disabled) or false (enabled).

    effect (common.PolicyEffect, string)

    PolicyEffect states the effect of evaluating the given policy.

    Possible values: [allow,deny,block,alert]

    excludeBaseImageVulns (boolean)

    ExcludeBaseImageVulns indicates whether to exclude vulnerabilities coming from the base image.

    graceDays (integer)

    Number of days to suppress the rule's block effect. Measured from the date the vulnerability was fixed. If there's no fix, measured from the date the vulnerability was published.

    graceDaysPolicy (object)

    GraceDaysPolicy indicates the grace days policy by severity.

    critical (integer)

    Grace days for critical-severity vulnerabilities.

    enabled (boolean)

    Enabled indicates whether grace days by severity are enabled.

    high (integer)

    Grace days for high-severity vulnerabilities.

    low (integer)

    Grace days for low-severity vulnerabilities.

    medium (integer)

    Grace days for medium-severity vulnerabilities.

    group (string[])

    Applicable groups.

    license (object)

    LicenseConfig is the compliance policy license configuration.

    alertThreshold (object)

    LicenseThreshold is the license severity threshold that indicates whether to perform an action (alert/block). Threshold values typically vary between 0 and 10 (noninclusive).

    enabled (boolean)

    Enabled indicates that the action is enabled.

    value (float)

    Value is the minimum severity score for which the action is enabled.

    blockThreshold (object)

    LicenseThreshold is the license severity threshold that indicates whether to perform an action (alert/block). Threshold values typically vary between 0 and 10 (noninclusive).

    enabled (boolean)

    Enabled indicates that the action is enabled.

    value (float)

    Value is the minimum severity score for which the action is enabled.

    critical (string[])

    Critical is the list of licenses with critical severity.

    high (string[])

    High is the list of licenses with high severity.

    low (string[])

    Low is the list of licenses with low severity.

    medium (string[])

    Medium is the list of licenses with medium severity.

    modified (date-time)

    Specifies the date and time when the rule was last modified.

    name (string)

    Name of the rule.

    notes (string)

    Describes any noteworthy points for a rule. You can include any text.

    onlyFixed (boolean)

    Applies the rule only when vendor fixes are available (true).

    owner (string)

    User who created or last modified the rule.

    pkgTypesThresholds (object[])

    PkgTypesThresholds holds package-type-specific alert and block thresholds.

  • Array [
  • alertThreshold (object)

    AlertThreshold is the vulnerability policy alert threshold. Threshold values typically vary between 0 and 10 (noninclusive).

    disabled (boolean)

    Suppresses alerts for all vulnerabilities (true).

    value (float)

    Minimum severity to trigger alerts. Supported values range from 0 to 9, where 0=off, 1=low, 4=medium, 7=high, and 9=critical.

    blockThreshold (object)

    BlockThreshold is the vulnerability policy block threshold. Threshold values typically vary between 0 and 10 (noninclusive).

    enabled (boolean)

    Enables blocking (true).

    value (float)

    Minimum severity to trigger blocking. Supported values range from 0 to 9, where 0=off, 1=low, 4=medium, 7=high, and 9=critical.

    type (packages.Type, string)

    Type describes the package type.

    Possible values: [nodejs,gem,python,jar,package,windows,binary,nuget,go,app,unknown]

  • ]
  • previousName (string)

    Previous name of the rule. Required for rule renaming.

    principal (string[])

    Applicable users.

    riskFactorsEffects (object[])

    RiskFactorsEffects indicates the effect (alert/block) of each risk factor.

  • Array [
  • effect (vuln.Effect, string)

    Effect specifies the relevant action for a vulnerability.

    Possible values: [ignore,alert,block]

    riskFactor (vulnerability.RiskFactor, string)

    RiskFactor represents a vulnerability risk factor, used in determining a vulnerability risk score.

    Possible values: [Critical severity,High severity,Medium severity,Has fix,Remote execution,DoS - Low,DoS - High,Recent vulnerability,Exploit exists - in the wild,Exploit exists - POC,Attack complexity: low,Attack vector: network,Reachable from the internet,Listening ports,Container is running as root,No mandatory security profile applied,Running as privileged container,Package in use,Sensitive information,Root mount,Runtime socket,Host access]

  • ]
  • tags (object[])

    List of tags classified for special handling (also known as exceptions).

  • Array [
  • description (string)

    Free-form text for documenting the exception.

    effect (vuln.Effect, string)

    Effect specifies the relevant action for a vulnerability.

    Possible values: [ignore,alert,block]

    expiration (object)

    ExpirationDate is the vulnerability expiration date.

    date (date-time)

    Date is the vulnerability expiration date.

    enabled (boolean)

    Enabled indicates that the grace period is enabled.

    name (string)

    Tag name.

  • ]
  • verbose (boolean)

    Displays a detailed message when an operation is blocked (true).

  • ]
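As an added example (it is not Prisma Cloud code and nothing on this page ships it), the following Python helper builds a rule in the shape of the schema above, validates the body against the constraints the schema states (policy type, 0 to 9 severity scale, vuln.Effect values, unique rule names), and merges the rule into a previously fetched policy before the PUT, because this endpoint replaces every rule at once. The endpoint path, field names, severity scale and basic-auth login mirror the cURL example; the helper names, the constructed stand-in for the existing policy (one rule on an "All" collection), the "prod-functions" collection name and the placeholder CVE id are assumptions.

```python
"""Read-modify-write helper for the CI serverless vulnerability policy.

Added example, not Prisma Cloud's own code. Endpoint, field names and severity
scale follow the API reference; helper names and sample data are assumptions.
"""
import base64
import json
import urllib.request

POLICY_PATH = "/policies/vulnerability/ci/serverless"
POLICY_TYPE = "ciServerlessVulnerability"

# Severity scale documented for alertThreshold.value / blockThreshold.value.
SEVERITY = {"off": 0, "low": 1, "medium": 4, "high": 7, "critical": 9}
EFFECTS = {"ignore", "alert", "block"}  # vuln.Effect, used by cveRules and tags


def build_rule(name, collection_names, alert="low", block="off",
               cve_exceptions=None, only_fixed=False):
    """Build one rule in the shape the schema expects.

    Note the asymmetry in the schema: alertThreshold carries `disabled`,
    blockThreshold carries `enabled`. block="off" keeps the block threshold
    present but switched off, matching the cURL example on the page.
    """
    block_value = SEVERITY[block]
    rule = {
        "name": name,
        "collections": [{"name": c} for c in collection_names],
        "alertThreshold": {"value": SEVERITY[alert], "disabled": alert == "off"},
        "blockThreshold": {"value": block_value, "enabled": block_value > 0},
        "onlyFixed": only_fixed,
        "cveRules": [],
    }
    for cve_id, effect, expires in (cve_exceptions or []):
        # An exception with an expiry is auditable; an open-ended ignore is not.
        rule["cveRules"].append({
            "id": cve_id,
            "effect": effect,
            "description": "exception added via API",
            "expiration": {"date": expires, "enabled": expires is not None},
        })
    return rule


def validate_policy(policy):
    """Return a list of problems; an empty list means the body is worth sending."""
    problems = []
    if policy.get("policyType") != POLICY_TYPE:
        problems.append("policyType must be %s" % POLICY_TYPE)
    names = [r.get("name") for r in policy.get("rules", [])]
    if len(names) != len(set(names)):
        problems.append("duplicate rule names")
    for rule in policy.get("rules", []):
        for key in ("alertThreshold", "blockThreshold"):
            value = rule.get(key, {}).get("value")
            if not isinstance(value, (int, float)) or not 0 <= value <= 9:
                problems.append("%s: %s.value must be 0..9" % (rule.get("name"), key))
        if not rule.get("collections"):
            problems.append("%s: rule has no collections, so it scopes nothing" % rule.get("name"))
        for cve in rule.get("cveRules", []):
            if cve.get("effect") not in EFFECTS:
                problems.append("%s: bad effect on %s" % (rule.get("name"), cve.get("id")))
    return problems


def upsert_rule(policy, rule):
    """PUT replaces every rule, so merge into the fetched policy instead of sending one rule."""
    rules = [r for r in policy.get("rules", []) if r.get("name") != rule["name"]]
    rules.append(rule)
    return {"policyType": POLICY_TYPE, "rules": rules}


def put_policy(console, version, user, password, policy):
    """Send the merged policy with basic auth (as curl -u does). Raises HTTPError on non-2xx."""
    problems = validate_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    url = "https://%s/api/v%s%s" % (console, version, POLICY_PATH)
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(policy).encode(), method="PUT",
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status  # success body is empty; the status code is the signal


# Constructed stand-in for what a GET on the same path would return (assumption).
EXISTING_POLICY = {
    "policyType": POLICY_TYPE,
    "rules": [build_rule("baseline", ["All"], alert="low")],
}

if __name__ == "__main__":
    # "CVE-0000-0000" is a placeholder id, not a real vulnerability.
    new_rule = build_rule(
        "block-critical-prod", ["prod-functions"], alert="medium", block="critical",
        cve_exceptions=[("CVE-0000-0000", "ignore", "2025-01-01T00:00:00Z")])
    merged = upsert_rule(EXISTING_POLICY, new_rule)
    print(json.dumps(merged, indent=2))
    print("problems:", validate_policy(merged))
```

Run it as-is to see the merged body that would be sent; wire `put_policy` to a real console only after the printed problem list is empty, and compare a GET of the same path afterwards with what you sent.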

Responses

OK

Body (example)

Enumerated fields (policyType, effect, type, riskFactor) take a single value; one valid value is shown for each.

{
  "_id": "string",
  "policyType": "ciServerlessVulnerability",
  "rules": [
    {
      "action": [
        "string"
      ],
      "alertThreshold": {
        "disabled": true,
        "value": 0
      },
      "allCompliance": true,
      "auditAllowed": true,
      "blockMsg": "string",
      "blockThreshold": {
        "enabled": true,
        "value": 0
      },
      "collections": [
        {
          "accountIDs": [
            "string"
          ],
          "appIDs": [
            "string"
          ],
          "clusters": [
            "string"
          ],
          "color": "string",
          "containers": [
            "string"
          ],
          "description": "string",
          "functions": [
            "string"
          ],
          "hosts": [
            "string"
          ],
          "images": [
            "string"
          ],
          "labels": [
            "string"
          ],
          "modified": "2024-07-29T15:51:28.071Z",
          "name": "string",
          "namespaces": [
            "string"
          ],
          "owner": "string",
          "prisma": true,
          "system": true
        }
      ],
      "condition": {
        "device": "string",
        "readonly": true,
        "vulnerabilities": [
          {
            "block": true,
            "id": 0
          }
        ]
      },
      "createPR": true,
      "cveRules": [
        {
          "description": "string",
          "effect": "alert",
          "expiration": {
            "date": "2024-07-29T15:51:28.071Z",
            "enabled": true
          },
          "id": "string"
        }
      ],
      "disabled": true,
      "effect": "alert",
      "excludeBaseImageVulns": true,
      "graceDays": 0,
      "graceDaysPolicy": {
        "critical": 0,
        "enabled": true,
        "high": 0,
        "low": 0,
        "medium": 0
      },
      "group": [
        "string"
      ],
      "license": {
        "alertThreshold": {
          "enabled": true,
          "value": 0
        },
        "blockThreshold": {
          "enabled": true,
          "value": 0
        },
        "critical": [
          "string"
        ],
        "high": [
          "string"
        ],
        "low": [
          "string"
        ],
        "medium": [
          "string"
        ]
      },
      "modified": "2024-07-29T15:51:28.071Z",
      "name": "string",
      "notes": "string",
      "onlyFixed": true,
      "owner": "string",
      "pkgTypesThresholds": [
        {
          "alertThreshold": {
            "disabled": true,
            "value": 0
          },
          "blockThreshold": {
            "enabled": true,
            "value": 0
          },
          "type": "nodejs"
        }
      ],
      "previousName": "string",
      "principal": [
        "string"
      ],
      "riskFactorsEffects": [
        {
          "effect": "alert",
          "riskFactor": "Critical severity"
        }
      ],
      "tags": [
        {
          "description": "string",
          "effect": "alert",
          "expiration": {
            "date": "2024-07-29T15:51:28.071Z",
            "enabled": true
          },
          "name": "string"
        }
      ],
      "verbose": true
    }
  ]
}