Skip to main content

Validate policies - code-based

POST 
/code/api/v1/policies/definition/:queryId

Prisma Cloud Application Security supports policy-as-code capabilities using YAML-based policy definition files to enable attribute and connection checks (composite checks).

For information on defining YAML-based policies, see the Prisma Cloud documentation about the Code Editor and Custom Build Policy Examples. If you are upgraded to Darwin, see Code Editor and Custom Build Policy Examples.

To use the API request, add your token to the header. API supports both YAML and JSON configuration of Prisma Cloud Application Security custom policy schema.

This API is used to validate a user defined Prisma Cloud Application Security YAML-based custom policy schema. It returns an array of errors for not supported keys, values, and more. This call is used to verify that a custom policy which is about to be saved is properly configured.

Policy definitions include the following types: option 1 - "attribute" block (defined by cond_type=attribute) - checks the specific attributes of a given resource type option 2 - "connection" block (defined by cond_type=connection) - checks the existence of connection between given two resource group types option 3 - "filter" block (defined by cond_type=filter) - return given resource group types option 4 - "and"/"or" - structure that supports nested "and"/"or" logic and blocks for options 1, 2 and 3 Use the given examples as a reference for configuring the API request body.

Request

Path Parameters

    queryId stringrequired

Body

required
    anyOf
    definition object required
    anyOf
    attribute stringrequired
    cond_type stringrequired

    Possible values: [attribute]

    operator object required
    anyOf

    string

    Possible values: [within, equals, not_equals, regex_match, not_regex_match, greater_than, greater_than_or_equal, less_than, less_than_or_equal, exists, not_exists, contains, not_contains, starting_with, not_starting_with, ending_with, not_ending_with, is_empty, is_not_empty, length_equals, length_not_equals, length_greater_than, length_greater_than_or_equal, length_less_than, length_less_than_or_equal, is_true, is_false, subset, not_subset, intersects, not_intersects, equals_ignore_case, not_equals_ignore_case, number_of_words_equals, number_of_words_not_equals, number_of_words_less_than, number_of_words_less_than_or_equal, number_of_words_greater_than, number_of_words_greater_than_or_equal]

    resource_types objectrequired
    property name* ResourceType
    arguments string[]required
    provider stringrequired
    value object
    anyOf

    string

    metadata objectrequired
    category CategoryType (string)required

    Possible values: [elasticsearch, general, iam, logging, monitoring, networking, public, secrets, serverless, storage, kubernetes, vulnerabilities, compute, vcs, buildIntegrity, licenses, alibabacloud, drift]

    guidelines stringrequired
    name stringrequired
    severity SeverityType (string)required

    Possible values: [critical, high, medium, low, info]

    scope object
    provider ProviderType (string)required

    Possible values: [aws, gcp, azure, kubernetes, oci, openstack, packages, git, linode, digitalocean, panos, licenses, alibabacloud, circleci, github, gitlab, docker]

Responses

Policy definition

Schema
    errors string[]required
Loading...