
Validate policies - code-based

Prisma Cloud Code Security supports policy-as-code capabilities using YAML-based policy definition files to enable attribute and connection checks (composite checks).

To call the API, add your token to the request header. The API accepts the Prisma Cloud Code Security custom policy schema in either YAML or JSON form.

This API validates a user-defined Prisma Cloud Code Security YAML-based custom policy schema. It returns an array of errors for unsupported keys, values, and other schema problems. Use this call to verify that a custom policy is properly configured before it is saved.

Policy definitions are built from the following block types:

  • Option 1 - "attribute" block (defined by cond_type=attribute): checks specific attributes of a given resource type
  • Option 2 - "connection" block (defined by cond_type=connection): checks the existence of a connection between two given resource group types
  • Option 3 - "filter" block (defined by cond_type=filter): returns the given resource group types
  • Option 4 - "and"/"or": a structure that supports nested "and"/"or" logic and blocks of options 1, 2 and 3
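As an added example (not code from the Prisma Cloud documentation or service), the following Python pre-check walks a policy `definition` using the four block types above and the cond_type and operator enumerations listed in the schema below, so a malformed policy is caught locally before it is sent to the validate API. The sample definition and its deliberate operator typo are constructed; the API URL and the service's exact error wording are not given on this page and are not assumed.

```python
# Added example, not Prisma Cloud's own validator: a local pre-check of the
# "definition" block of a custom policy, using the operator enumerations from
# this page. The API path and its exact error strings are not assumed here.
ATTRIBUTE_OPERATORS = {
    "within", "equals", "not_equals", "regex_match", "not_regex_match", "greater_than",
    "greater_than_or_equal", "less_than", "less_than_or_equal", "exists", "not_exists",
    "contains", "not_contains", "starting_with", "not_starting_with", "ending_with",
    "not_ending_with", "jsonpath_equals", "jsonpath_not_equals", "jsonpath_exists",
    "jsonpath_not_exists", "subset", "not_subset"}
EXISTENCE_OPERATORS = {"exists", "not_exists"}  # the only operators for connection/filter blocks

def check_definition(block, path="definition", errors=None):
    """Recursively check a definition block; returns the accumulated list of errors."""
    errors = [] if errors is None else errors
    if not isinstance(block, dict):
        errors.append(f"{path}: block must be a mapping")
        return errors
    # Option 4: "and"/"or" containers hold nested blocks of any option.
    for key in ("and", "or"):
        if key in block:
            subs = block[key] if isinstance(block[key], list) else []
            if not subs:
                errors.append(f"{path}.{key}: must be a non-empty list of blocks")
            for i, sub in enumerate(subs):
                check_definition(sub, f"{path}.{key}[{i}]", errors)
            return errors
    cond, op = block.get("cond_type"), block.get("operator")
    if cond == "attribute":  # option 1: needs an attribute name and an AttributeOperator
        if not block.get("attribute"):
            errors.append(f"{path}.attribute: required for attribute blocks")
        if op not in ATTRIBUTE_OPERATORS:
            errors.append(f"{path}.operator: unsupported attribute operator {op!r}")
    elif cond in ("connection", "filter"):  # options 2 and 3: exists / not_exists only
        if op not in EXISTENCE_OPERATORS:
            errors.append(f"{path}.operator: {cond} blocks accept only exists/not_exists")
    else:
        errors.append(f"{path}.cond_type: unsupported value {cond!r}")
    if not isinstance(block.get("resource_types"), (str, list)):
        errors.append(f"{path}.resource_types: required (string or list of strings)")
    return errors

# Constructed sample: an "and" of an attribute check and an "or" holding a connection check.
SAMPLE_DEFINITION = {"and": [
    {"cond_type": "attribute", "resource_types": ["aws_s3_bucket"],
     "attribute": "acl", "operator": "not_equals", "value": "public-read"},
    {"or": [
        {"cond_type": "connection", "resource_types": ["aws_s3_bucket"], "operator": "exists"},
        {"cond_type": "attribute", "resource_types": "aws_s3_bucket",
         "attribute": "versioning.enabled", "operator": "equal"}]}]}  # typo: should be "equals"
```

`check_definition(SAMPLE_DEFINITION)` reports the one bad operator with its nested path, which is the kind of finding the API's `errors` array is meant to surface.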

Use the example below as a reference for configuring the API request body.

Path Parameters
  • queryId string required
Request Body required
  • anyOf

  • definition object required
  • anyOf

  • attribute string required
  • cond_type string required

    Possible values: [attribute]

  • operator AttributeOperator required

    Possible values: [within, equals, not_equals, regex_match, not_regex_match, greater_than, greater_than_or_equal, less_than, less_than_or_equal, exists, not_exists, contains, not_contains, starting_with, not_starting_with, ending_with, not_ending_with, jsonpath_equals, jsonpath_not_equals, jsonpath_exists, jsonpath_not_exists, subset, not_subset]

  • resource_types object required
  • anyOf

  • Array [
  • string
  • ]
  • value object
  • anyOf

  • string
  • operator string required

    Possible values: [exists, not_exists]

  • resource_types object required
  • anyOf

  • Array [
  • string
  • ]
  • operator string required

    Possible values: [exists, not_exists]

  • resource_types object required
  • anyOf

  • Array [
  • string
  • ]
  • ]
  • not object
  • anyOf

  • Array [
  • anyOf

  • attribute string required
  • cond_type string required

    Possible values: [attribute]

  • operator AttributeOperator required

    Possible values: [within, equals, not_equals, regex_match, not_regex_match, greater_than, greater_than_or_equal, less_than, less_than_or_equal, exists, not_exists, contains, not_contains, starting_with, not_starting_with, ending_with, not_ending_with, jsonpath_equals, jsonpath_not_equals, jsonpath_exists, jsonpath_not_exists, subset, not_subset]

  • resource_types object required
  • anyOf

  • Array [
  • string
  • ]
  • value object
  • anyOf

  • string
  • operator string required

    Possible values: [exists, not_exists]

  • resource_types object required
  • anyOf

  • Array [
  • string
  • ]
  • ]
  • or object[]
  • Array [
  • anyOf

  • attribute string required
  • cond_type string required

    Possible values: [attribute]

  • operator AttributeOperator required

    Possible values: [within, equals, not_equals, regex_match, not_regex_match, greater_than, greater_than_or_equal, less_than, less_than_or_equal, exists, not_exists, contains, not_contains, starting_with, not_starting_with, ending_with, not_ending_with, jsonpath_equals, jsonpath_not_equals, jsonpath_exists, jsonpath_not_exists, subset, not_subset]

  • resource_types object required
  • anyOf

  • Array [
  • string
  • ]
  • value object
  • anyOf

  • string
  • operator string required

    Possible values: [exists, not_exists]

  • resource_types object required
  • anyOf

  • Array [
  • string
  • ]
  • ]
  • metadata object required
  • category CategoryType required

    Possible values: [elasticsearch, general, iam, logging, monitoring, networking, public, secrets, serverless, storage, kubernetes, vulnerabilities, compute, vcs, buildIntegrity, licenses, alibabacloud]

  • guidelines string required
  • name string required
  • severity SeverityType required

    Possible values: [critical, high, medium, low, info]

  • scope object required
  • provider ProviderType required

    Possible values: [aws, gcp, azure, kubernetes, oci, openstack, packages, git, linode, digitalocean, panos, licenses, alibabacloud]

Responses

  Policy definition

  Schema
    • errors string[] required