Policy Preview
POST/code/api/v1/policies/preview
Prisma Cloud Application Security supports policy-as-code capabilities using YAML-based policy definition files to enable attribute and connection checks (composite checks).
For information on defining YAML-based policies, see the Prisma Cloud documentation about the Code Editor and Custom Build Policy Examples. If you are upgraded to Darwin, see Code Editor and Custom Build Policy Examples.
To use the API request, add your token to the header. API supports both YAML and JSON configuration of Prisma Cloud Application Security custom policy schema.
This API gets up to 30 results (by default) of non-compliant resources for a specific policy. The input is the policy to test and the output is an array of resources results.
Use the first example to configure the API to test a policy, and use the second example as a reference of the expected output.
Request
- application/json
Body
required
policy query
- AttributeQuery
- ConnectionQuery
- FilterQuery
- ComplexQuery
- AndQuery
- OrQuery
- SecretsQuery
- BaseAttributeOperator
- MOD2
- MOD1
- MOD2
- MOD3
- Array [
- ]
- Array [
- AttributeQuery
- ConnectionQuery
- FilterQuery
- BaseAttributeOperator
- MOD2
- MOD1
- MOD2
- MOD3
- Array [
- ]
- ]
- MOD1
- Array [
- AttributeQuery
- ConnectionQuery
- FilterQuery
- BaseAttributeOperator
- MOD2
- MOD1
- MOD2
- MOD3
- Array [
- ]
- ]
- Array [
- AttributeQuery
- ConnectionQuery
- FilterQuery
- BaseAttributeOperator
- MOD2
- MOD1
- MOD2
- MOD3
- Array [
- ]
- ]
- Array [
- AttributeQuery
- OrQuery
- BaseAttributeOperator
- MOD2
- MOD1
- MOD2
- MOD3
- Array [
- ]
- Array [
- BaseAttributeOperator
- MOD2
- MOD1
- MOD2
- MOD3
- Array [
- ]
- ]
- ]
- Array [
- BaseAttributeOperator
- MOD2
- MOD1
- MOD2
- MOD3
- Array [
- ]
- ]
- MOD1
- MOD2
- Array [
- ]
- MOD1
- MOD2
- Array [
- ]
policy object
policy_preview objectrequired
query object required
Possible values: [attribute]
operator object required
string
Possible values: [within, equals, not_equals, regex_match, not_regex_match, greater_than, greater_than_or_equal, less_than, less_than_or_equal, exists, not_exists, contains, not_contains, starting_with, not_starting_with, ending_with, not_ending_with, is_empty, is_not_empty, length_equals, length_not_equals, length_greater_than, length_greater_than_or_equal, length_less_than, length_less_than_or_equal, is_true, is_false, subset, not_subset, intersects, not_intersects, equals_ignore_case, not_equals_ignore_case, number_of_words_equals, number_of_words_not_equals, number_of_words_less_than, number_of_words_less_than_or_equal, number_of_words_greater_than, number_of_words_greater_than_or_equal]
string
Possible values: [jsonpath_within, jsonpath_equals, jsonpath_not_equals, jsonpath_regex_match, jsonpath_not_regex_match, jsonpath_greater_than, jsonpath_greater_than_or_equal, jsonpath_less_than, jsonpath_less_than_or_equal, jsonpath_exists, jsonpath_not_exists, jsonpath_contains, jsonpath_not_contains, jsonpath_starting_with, jsonpath_not_starting_with, jsonpath_ending_with, jsonpath_not_ending_with, jsonpath_is_empty, jsonpath_is_not_empty, jsonpath_length_equals, jsonpath_length_not_equals, jsonpath_length_greater_than, jsonpath_length_greater_than_or_equal, jsonpath_length_less_than, jsonpath_length_less_than_or_equal, jsonpath_is_true, jsonpath_is_false, jsonpath_subset, jsonpath_not_subset, jsonpath_intersects, jsonpath_not_intersects, jsonpath_equals_ignore_case, jsonpath_not_equals_ignore_case, jsonpath_number_of_words_equals, jsonpath_number_of_words_not_equals, jsonpath_number_of_words_less_than, jsonpath_number_of_words_less_than_or_equal, jsonpath_number_of_words_greater_than, jsonpath_number_of_words_greater_than_or_equal]
resource_types objectrequired
property name* ResourceType
value object
string
boolean
string
Possible values: [connection]
connected_resource_types objectrequired
property name* ResourceType
Possible values: [exists, not_exists]
resource_types objectrequired
property name* ResourceType
Possible values: [resource_type]
Possible values: [filter]
Possible values: [within]
and object[]
Possible values: [attribute]
operator object required
string
Possible values: [within, equals, not_equals, regex_match, not_regex_match, greater_than, greater_than_or_equal, less_than, less_than_or_equal, exists, not_exists, contains, not_contains, starting_with, not_starting_with, ending_with, not_ending_with, is_empty, is_not_empty, length_equals, length_not_equals, length_greater_than, length_greater_than_or_equal, length_less_than, length_less_than_or_equal, is_true, is_false, subset, not_subset, intersects, not_intersects, equals_ignore_case, not_equals_ignore_case, number_of_words_equals, number_of_words_not_equals, number_of_words_less_than, number_of_words_less_than_or_equal, number_of_words_greater_than, number_of_words_greater_than_or_equal]
string
Possible values: [jsonpath_within, jsonpath_equals, jsonpath_not_equals, jsonpath_regex_match, jsonpath_not_regex_match, jsonpath_greater_than, jsonpath_greater_than_or_equal, jsonpath_less_than, jsonpath_less_than_or_equal, jsonpath_exists, jsonpath_not_exists, jsonpath_contains, jsonpath_not_contains, jsonpath_starting_with, jsonpath_not_starting_with, jsonpath_ending_with, jsonpath_not_ending_with, jsonpath_is_empty, jsonpath_is_not_empty, jsonpath_length_equals, jsonpath_length_not_equals, jsonpath_length_greater_than, jsonpath_length_greater_than_or_equal, jsonpath_length_less_than, jsonpath_length_less_than_or_equal, jsonpath_is_true, jsonpath_is_false, jsonpath_subset, jsonpath_not_subset, jsonpath_intersects, jsonpath_not_intersects, jsonpath_equals_ignore_case, jsonpath_not_equals_ignore_case, jsonpath_number_of_words_equals, jsonpath_number_of_words_not_equals, jsonpath_number_of_words_less_than, jsonpath_number_of_words_less_than_or_equal, jsonpath_number_of_words_greater_than, jsonpath_number_of_words_greater_than_or_equal]
resource_types objectrequired
property name* ResourceType
value object
string
boolean
string
Possible values: [connection]
connected_resource_types objectrequired
property name* ResourceType
Possible values: [exists, not_exists]
resource_types objectrequired
property name* ResourceType
Possible values: [resource_type]
Possible values: [filter]
Possible values: [within]
not object
Possible values: [attribute]
operator object required
string
Possible values: [within, equals, not_equals, regex_match, not_regex_match, greater_than, greater_than_or_equal, less_than, less_than_or_equal, exists, not_exists, contains, not_contains, starting_with, not_starting_with, ending_with, not_ending_with, is_empty, is_not_empty, length_equals, length_not_equals, length_greater_than, length_greater_than_or_equal, length_less_than, length_less_than_or_equal, is_true, is_false, subset, not_subset, intersects, not_intersects, equals_ignore_case, not_equals_ignore_case, number_of_words_equals, number_of_words_not_equals, number_of_words_less_than, number_of_words_less_than_or_equal, number_of_words_greater_than, number_of_words_greater_than_or_equal]
string
Possible values: [jsonpath_within, jsonpath_equals, jsonpath_not_equals, jsonpath_regex_match, jsonpath_not_regex_match, jsonpath_greater_than, jsonpath_greater_than_or_equal, jsonpath_less_than, jsonpath_less_than_or_equal, jsonpath_exists, jsonpath_not_exists, jsonpath_contains, jsonpath_not_contains, jsonpath_starting_with, jsonpath_not_starting_with, jsonpath_ending_with, jsonpath_not_ending_with, jsonpath_is_empty, jsonpath_is_not_empty, jsonpath_length_equals, jsonpath_length_not_equals, jsonpath_length_greater_than, jsonpath_length_greater_than_or_equal, jsonpath_length_less_than, jsonpath_length_less_than_or_equal, jsonpath_is_true, jsonpath_is_false, jsonpath_subset, jsonpath_not_subset, jsonpath_intersects, jsonpath_not_intersects, jsonpath_equals_ignore_case, jsonpath_not_equals_ignore_case, jsonpath_number_of_words_equals, jsonpath_number_of_words_not_equals, jsonpath_number_of_words_less_than, jsonpath_number_of_words_less_than_or_equal, jsonpath_number_of_words_greater_than, jsonpath_number_of_words_greater_than_or_equal]
resource_types objectrequired
property name* ResourceType
value object
string
boolean
string
Possible values: [connection]
connected_resource_types objectrequired
property name* ResourceType
Possible values: [exists, not_exists]
resource_types objectrequired
property name* ResourceType
Possible values: [resource_type]
Possible values: [filter]
Possible values: [within]
or object[]
Possible values: [attribute]
operator object required
string
Possible values: [within, equals, not_equals, regex_match, not_regex_match, greater_than, greater_than_or_equal, less_than, less_than_or_equal, exists, not_exists, contains, not_contains, starting_with, not_starting_with, ending_with, not_ending_with, is_empty, is_not_empty, length_equals, length_not_equals, length_greater_than, length_greater_than_or_equal, length_less_than, length_less_than_or_equal, is_true, is_false, subset, not_subset, intersects, not_intersects, equals_ignore_case, not_equals_ignore_case, number_of_words_equals, number_of_words_not_equals, number_of_words_less_than, number_of_words_less_than_or_equal, number_of_words_greater_than, number_of_words_greater_than_or_equal]
string
Possible values: [jsonpath_within, jsonpath_equals, jsonpath_not_equals, jsonpath_regex_match, jsonpath_not_regex_match, jsonpath_greater_than, jsonpath_greater_than_or_equal, jsonpath_less_than, jsonpath_less_than_or_equal, jsonpath_exists, jsonpath_not_exists, jsonpath_contains, jsonpath_not_contains, jsonpath_starting_with, jsonpath_not_starting_with, jsonpath_ending_with, jsonpath_not_ending_with, jsonpath_is_empty, jsonpath_is_not_empty, jsonpath_length_equals, jsonpath_length_not_equals, jsonpath_length_greater_than, jsonpath_length_greater_than_or_equal, jsonpath_length_less_than, jsonpath_length_less_than_or_equal, jsonpath_is_true, jsonpath_is_false, jsonpath_subset, jsonpath_not_subset, jsonpath_intersects, jsonpath_not_intersects, jsonpath_equals_ignore_case, jsonpath_not_equals_ignore_case, jsonpath_number_of_words_equals, jsonpath_number_of_words_not_equals, jsonpath_number_of_words_less_than, jsonpath_number_of_words_less_than_or_equal, jsonpath_number_of_words_greater_than, jsonpath_number_of_words_greater_than_or_equal]
resource_types objectrequired
property name* ResourceType
value object
string
boolean
string
Possible values: [connection]
connected_resource_types objectrequired
property name* ResourceType
Possible values: [exists, not_exists]
resource_types objectrequired
property name* ResourceType
Possible values: [resource_type]
Possible values: [filter]
Possible values: [within]
and object[]
Possible values: [attribute]
operator object required
string
Possible values: [within, equals, not_equals, regex_match, not_regex_match, greater_than, greater_than_or_equal, less_than, less_than_or_equal, exists, not_exists, contains, not_contains, starting_with, not_starting_with, ending_with, not_ending_with, is_empty, is_not_empty, length_equals, length_not_equals, length_greater_than, length_greater_than_or_equal, length_less_than, length_less_than_or_equal, is_true, is_false, subset, not_subset, intersects, not_intersects, equals_ignore_case, not_equals_ignore_case, number_of_words_equals, number_of_words_not_equals, number_of_words_less_than, number_of_words_less_than_or_equal, number_of_words_greater_than, number_of_words_greater_than_or_equal]
string
Possible values: [jsonpath_within, jsonpath_equals, jsonpath_not_equals, jsonpath_regex_match, jsonpath_not_regex_match, jsonpath_greater_than, jsonpath_greater_than_or_equal, jsonpath_less_than, jsonpath_less_than_or_equal, jsonpath_exists, jsonpath_not_exists, jsonpath_contains, jsonpath_not_contains, jsonpath_starting_with, jsonpath_not_starting_with, jsonpath_ending_with, jsonpath_not_ending_with, jsonpath_is_empty, jsonpath_is_not_empty, jsonpath_length_equals, jsonpath_length_not_equals, jsonpath_length_greater_than, jsonpath_length_greater_than_or_equal, jsonpath_length_less_than, jsonpath_length_less_than_or_equal, jsonpath_is_true, jsonpath_is_false, jsonpath_subset, jsonpath_not_subset, jsonpath_intersects, jsonpath_not_intersects, jsonpath_equals_ignore_case, jsonpath_not_equals_ignore_case, jsonpath_number_of_words_equals, jsonpath_number_of_words_not_equals, jsonpath_number_of_words_less_than, jsonpath_number_of_words_less_than_or_equal, jsonpath_number_of_words_greater_than, jsonpath_number_of_words_greater_than_or_equal]
resource_types objectrequired
property name* ResourceType
value object
string
boolean
string
or object[]required
Possible values: [attribute]
operator object required
string
Possible values: [within, equals, not_equals, regex_match, not_regex_match, greater_than, greater_than_or_equal, less_than, less_than_or_equal, exists, not_exists, contains, not_contains, starting_with, not_starting_with, ending_with, not_ending_with, is_empty, is_not_empty, length_equals, length_not_equals, length_greater_than, length_greater_than_or_equal, length_less_than, length_less_than_or_equal, is_true, is_false, subset, not_subset, intersects, not_intersects, equals_ignore_case, not_equals_ignore_case, number_of_words_equals, number_of_words_not_equals, number_of_words_less_than, number_of_words_less_than_or_equal, number_of_words_greater_than, number_of_words_greater_than_or_equal]
string
Possible values: [jsonpath_within, jsonpath_equals, jsonpath_not_equals, jsonpath_regex_match, jsonpath_not_regex_match, jsonpath_greater_than, jsonpath_greater_than_or_equal, jsonpath_less_than, jsonpath_less_than_or_equal, jsonpath_exists, jsonpath_not_exists, jsonpath_contains, jsonpath_not_contains, jsonpath_starting_with, jsonpath_not_starting_with, jsonpath_ending_with, jsonpath_not_ending_with, jsonpath_is_empty, jsonpath_is_not_empty, jsonpath_length_equals, jsonpath_length_not_equals, jsonpath_length_greater_than, jsonpath_length_greater_than_or_equal, jsonpath_length_less_than, jsonpath_length_less_than_or_equal, jsonpath_is_true, jsonpath_is_false, jsonpath_subset, jsonpath_not_subset, jsonpath_intersects, jsonpath_not_intersects, jsonpath_equals_ignore_case, jsonpath_not_equals_ignore_case, jsonpath_number_of_words_equals, jsonpath_number_of_words_not_equals, jsonpath_number_of_words_less_than, jsonpath_number_of_words_less_than_or_equal, jsonpath_number_of_words_greater_than, jsonpath_number_of_words_greater_than_or_equal]
resource_types objectrequired
property name* ResourceType
value object
string
boolean
string
or object[]required
Possible values: [attribute]
operator object required
string
Possible values: [within, equals, not_equals, regex_match, not_regex_match, greater_than, greater_than_or_equal, less_than, less_than_or_equal, exists, not_exists, contains, not_contains, starting_with, not_starting_with, ending_with, not_ending_with, is_empty, is_not_empty, length_equals, length_not_equals, length_greater_than, length_greater_than_or_equal, length_less_than, length_less_than_or_equal, is_true, is_false, subset, not_subset, intersects, not_intersects, equals_ignore_case, not_equals_ignore_case, number_of_words_equals, number_of_words_not_equals, number_of_words_less_than, number_of_words_less_than_or_equal, number_of_words_greater_than, number_of_words_greater_than_or_equal]
string
Possible values: [jsonpath_within, jsonpath_equals, jsonpath_not_equals, jsonpath_regex_match, jsonpath_not_regex_match, jsonpath_greater_than, jsonpath_greater_than_or_equal, jsonpath_less_than, jsonpath_less_than_or_equal, jsonpath_exists, jsonpath_not_exists, jsonpath_contains, jsonpath_not_contains, jsonpath_starting_with, jsonpath_not_starting_with, jsonpath_ending_with, jsonpath_not_ending_with, jsonpath_is_empty, jsonpath_is_not_empty, jsonpath_length_equals, jsonpath_length_not_equals, jsonpath_length_greater_than, jsonpath_length_greater_than_or_equal, jsonpath_length_less_than, jsonpath_length_less_than_or_equal, jsonpath_is_true, jsonpath_is_false, jsonpath_subset, jsonpath_not_subset, jsonpath_intersects, jsonpath_not_intersects, jsonpath_equals_ignore_case, jsonpath_not_equals_ignore_case, jsonpath_number_of_words_equals, jsonpath_number_of_words_not_equals, jsonpath_number_of_words_less_than, jsonpath_number_of_words_less_than_or_equal, jsonpath_number_of_words_greater_than, jsonpath_number_of_words_greater_than_or_equal]
resource_types objectrequired
property name* ResourceType
value object
string
boolean
string
Possible values: [secrets]
value object
string
string
resource_types object
string
string
scope object
Possible values: [aws, gcp, azure, kubernetes, oci, openstack, packages, git, linode, digitalocean, panos, licenses, alibabacloud, circleci, github, gitlab, docker]
Responses
- 200
- 403
- 404
- 422
- 500
Got policy preview
Response Headers
Access-Control-Allow-Headers string
Access-Control-Allow-Methods string
Access-Control-Allow-Origin string
- application/json
- Schema
- Example (from schema)
- Example 1
Schema
- policyPreviewResult
- ErrorMessage
- Array [
- ]
data object[]required
{}
{
"data": [
{
"arn": "/../folderName/account/branch/provider/resource",
"awsAccountId": "owner/repo",
"code": "---\nmetadata:\n name: \"example\" \n guidelines: \"guidelines example\" \n category: \"elasticsearch\" \n severity: \"critical\" \nscope:\n provider: \"aws\" \ndefinition: #define the conditions the policy searches for.\n or:\n - cond_type: \"attribute\"\n resource_types:\n - \"aws_instance\"\n attribute: \"instance_type\"\n operator: \"equals\"\n value: \"t3.micro\"\n - cond_type: \"attribute\"\n resource_types:\n - \"aws_instance\"\n attribute: \"instance_type\"\n operator: \"equals\"\n value: \"t3.nano\"\n",
"createdBy": "username",
"customerName": "customerName",
"file_path": "filePath",
"lines": [
10,
20
],
"resource": "aws_s3_bucket.logs",
"source": "",
"status": "Pass"
},
{
"arn": "arn",
"awsAccountId": "owner/repo",
"code": "resource code block",
"createdBy": "username",
"customerName": "customerName",
"file_path": "filePath",
"lines": [
4,
6
],
"resource": "aws_s3_bucket.flowbucket",
"source": "",
"status": "Fail"
}
],
"token": "12345"
}
Payment required
policies are not found
- application/json
- Schema
- Example (from schema)
Schema
The error code
{
"code": 0,
"message": "string"
}
Request arguments validation error
Could not get policy preview data