Scan Registries
POST/api/v33.01/registry/scan/select
x-prisma-cloud-target-env: {"permission":"monitorImages"}
Sends a registry scan request to all registry scanner defenders
Request
- application/json
Body
array
- Array [
- Array [
- ]
- ]
OnDemandScan indicates whether to handle request using the on-demand scanner.
ScanID is the ID of the scan.
settings object
RegistrySpecification contains information for connecting to local/remote registry
azureCloudMetadata object
CloudMetadata is the metadata for a cloud provider managed asset (e.g., as part of AWS/GCP/Azure/OCI)
Cloud account ID.
AWS execution environment (e.g. EC2/Fargate).
The name of the image the cloud managed host or container is based on.
labels object[]
Cloud provider metadata labels.
Label key.
Source name (e.g., for a namespace, the source name can be 'twistlock').
Possible values: [namespace,deployment,aws,azure,gcp,oci
]
ExternalLabelSourceType indicates the source of the labels
Time when the label was fetched.
Value of the label.
Resource name.
Possible values: [aws,azure,gcp,alibaba,oci,others
]
CloudProvider specifies the cloud provider name
Resource's region.
Unique ID of the resource.
Server-defined URL for the resource.
Instance type.
Azure unique vm ID.
VMImageID holds the VM instance's image ID.
CACert is the Certificate Authority that signed the registry certificate.
Specifies the maximum number of images from each repo to fetch and scan, sorted by most recently modified.
Specifies the set of Defenders in-scope for working on a scan job.
credential object
Credential specifies the authentication data of an external provider
Specifies the unique ID for credential.
Specifies the unique ID for an IBM Cloud account.
Specifies the account identifier. Example: a username, access key, account GUID, and so on.
Specifies the name of the cloud account.
apiToken object
Secret Stores the plain and encrypted version of a value. The plain version is not stored in a database
Specifies an encrypted value of the secret.
Specifies the plain text value of the secret.
azureSPInfo object
AzureSPInfo contains the Azure credentials needed for certificate based authentications
ClientID is the client identifier.
Possible values: [user-assigned,system-assigned
]
SubscriptionID is a GUID that uniquely identifies the subscription to use Azure services.
TenantID is the ID of the AAD directory in which the application was created.
Specifies the CA certificate for a certificate-based authentication.
Specifies the cloud provider account ID.
Specifies the time when the credential was created (or, when the account ID was changed for AWS).
Specifies the description for a credential.
Indicates whether the credential was onboarded from the Prisma platform.
Indicates whether the credential scope is global. Available values are: true: Global false: Not Global Note: For GCP, the credential scope is the organization.
Specifies the time when the credential was last modified.
ociCred object
OCICred are additional parameters required for OCI credentials
Fingerprint is the public key signature.
TenancyID is the OCID of the tenancy.
Specifies the user who created or modified the credential.
Specifies the time when the account was last modified by Prisma Cloud Compute.
Specifies the Amazon Resource Name (ARN) of the role to be assumed.
secret object
Secret Stores the plain and encrypted version of a value. The plain version is not stored in a database
Specifies an encrypted value of the secret.
Specifies the plain text value of the secret.
Indicates whether to skip the certificate verification in TLS communication.
Specifies a list of specific endpoints for use in STS sessions in various regions.
tokens object
TemporaryToken is a temporary session token for cloud provider APIs AWS - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html GCP - https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials Azure - https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-single-sign-on
Specifies a temporary access key.
awsSecretAccessKey object
Secret Stores the plain and encrypted version of a value. The plain version is not stored in a database
Specifies an encrypted value of the secret.
Specifies the plain text value of the secret.
Specifies a duration for the token.
Specifies an expiration time for the token.
token object
Secret Stores the plain and encrypted version of a value. The plain version is not stored in a database
Specifies an encrypted value of the secret.
Specifies the plain text value of the secret.
Possible values: [aws,azure,gcp,ibmCloud,oci,apiToken,basic,dtr,kubeconfig,certificate,gitlabToken
]
Type specifies the credential type
Specifies the base server URL.
Indicates whether to authenticate using the IAM Role attached to the instance. Available values are: true: Authenticate with the attached credentials false: Don’t authenticate with the attached credentials.
Indicates whether to use the regional STS endpoint for an STS session. Available values are: true: Use the regional STS false: Don’t use the regional STS.
ID of the credentials in the credentials store to use for authenticating with the registry.
Repositories to exclude from scanning.
Tags to exclude from scanning.
gitlabRegistrySpec object
GitlabRegistrySpec represents a specification for registry scanning in GitLab
.
.
.
.
.
Indicates whether the Prisma Cloud plugin uses temporary tokens provided by Harbor to scan images in projects where Harbor's deployment security setting is enabled.
ID is a unique identifier of the registry spec.
Possible values: [local,remote,virtual
]
JFrog Artifactory repository types to scan.
LastScanStatus is the last scan status. we keep both LastScanStatus and ScanStatus in order to not lose the latest scan status when a scan starts.
LastScanTime specifies the last time a scan was completed.
IBM Bluemix namespace https://console.bluemix.net/docs/services/Registry/registry_overview.html#registry_planning.
Possible values: [linux,linuxARM64,windows
]
RegistryOSType specifies the registry images base OS type
Registry address (e.g., https://gcr.io).
Repositories to scan.
ScanError is the error received while scanning the specification.
ScanStatus is the scan status that's updated dynamically during the scan, when the scan finishes - its value is passed to the LastScanStatus field in the DB.
ScanTime specifies the time a scan was started.
ScannedImagesSuccessTotal is the total number of registry images that were scanned successfully on the last registry specification scan.
Number of Defenders that can be utilized for each scan job.
Tags to scan.
Registry type. Determines the protocol Prisma Cloud uses to communicate with the registry.
Pattern heuristic for quickly filtering images by tags without having to query all images for modification dates.
tag object
ImageTag represents an image repository and its associated tag or registry digest
Image digest (requires V2 or later registry).
ID of the image.
Registry name to which the image belongs.
Repository name to which the image belongs.
Image tag.
Type indicates the type of the scan request.
Responses
- 200
- default
OK