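---
# Arazzo workflow: log in to the Aqua API, list images for a
# registry/repository pair, then read one image's detail record.
#
# Security notes for operators:
#   - `id` and `password` are live credentials. Supply them from a secret
#     store at run time; do not commit an inputs file that contains them.
#   - The JWT returned by `authenticate` is a step-level output only and is
#     not part of the workflow outputs. A runner that logs step outputs or
#     request headers will still record it, so mask both.
arazzo: 1.0.1
info:
  title: Aqua Security Image Vulnerability Lookup
  summary: >-
    Authenticate, list registered images filtered by registry and repository,
    then fetch full vulnerability detail for the first match.
  description: >-
    Resolves a specific image from the Aqua inventory and reads its
    vulnerability posture. The workflow logs in, lists images filtered by
    registry and repository, captures the first matching image, and then reads
    the detailed image record to return its scan status, digest, operating
    system, and per-severity vulnerability counts. Every step spells out its
    request inline so the flow can be read and executed without opening the
    underlying OpenAPI description.
  version: 1.0.0

sourceDescriptions:
  - name: aquaSecurityApi
    url: ../openapi/aqua-security-api.yaml
    type: openapi

workflows:
  - workflowId: image-vulnerability-lookup
    summary: Find an image in the inventory and read its full vulnerability detail.
    description: >-
      Logs in, lists images scoped to a registry and repository, then reads the
      detail record for the requested tag and returns its vulnerability counts.
    inputs:
      type: object
      required:
        - id
        - password
        - registry
        - repository
        - image_name
        - image_tag
      properties:
        id:
          type: string
          description: Aqua username or user ID used to authenticate.
        password:
          type: string
          # `format: password` is an annotation that lets tooling mask the
          # value in UIs and logs; it does not change validation.
          format: password
          description: Aqua user password used to authenticate.
        registry:
          type: string
          description: Registry name to filter and read the image by (e.g. docker-hub).
        # `repository` drives only the list filter and `image_name` drives only
        # the detail read. Nothing in this workflow checks that they agree.
        repository:
          type: string
          description: Repository name to filter the image list by (e.g. nginx).
        image_name:
          type: string
          description: Image repository name used to read the detail record (e.g. nginx).
        image_tag:
          type: string
          description: Image tag used to read the detail record (e.g. latest).
    steps:
      - stepId: authenticate
        description: >-
          Authenticate the user and obtain a JWT bearer token for the inventory
          and detail calls.
        operationId: login
        requestBody:
          contentType: application/json
          payload:
            id: $inputs.id
            password: $inputs.password
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          # Bearer credential; consumed by the two steps below.
          token: $response.body#/token

      - stepId: listImages
        description: >-
          List registered images filtered by registry and repository to confirm
          the target image exists in the inventory.
        operationId: listImages
        parameters:
          # An expression embedded inside a longer string must be wrapped in
          # {} to be evaluated; without the braces the literal text
          # "$steps.authenticate.outputs.token" is sent as the token.
          - name: Authorization
            in: header
            value: "Bearer {$steps.authenticate.outputs.token}"
          - name: registry
            in: query
            value: $inputs.registry
          - name: repository
            in: query
            value: $inputs.repository
          - name: pagesize
            in: query
            value: 50
        # Only the HTTP status is checked, so a 200 response that reports no
        # matching images still passes this step.
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          count: $response.body#/count
          # Captured but not read by any later step: getImageDetail is driven
          # by inputs.image_name and inputs.image_tag, not by this value.
          firstImageName: $response.body#/result/0/name

      - stepId: getImageDetail
        description: >-
          Read the full image detail record, returning scan status, digest, and
          the per-severity vulnerability counts.
        operationId: getImage
        parameters:
          # Braces required for the embedded expression, as in listImages.
          - name: Authorization
            in: header
            value: "Bearer {$steps.authenticate.outputs.token}"
          - name: registry
            in: path
            value: $inputs.registry
          - name: image_name
            in: path
            value: $inputs.image_name
          - name: image_tag
            in: path
            value: $inputs.image_tag
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          # NOTE(review): the counts are presumably only meaningful once the
          # scan has finished; read scanStatus alongside them. Confirm against
          # the API description.
          scanStatus: $response.body#/scan_status
          digest: $response.body#/digest
          os: $response.body#/os
          vulnerabilities: $response.body#/vulnerabilities
    outputs:
      matchCount: $steps.listImages.outputs.count
      scanStatus: $steps.getImageDetail.outputs.scanStatus
      # A tag such as `latest` can be re-pointed. Returning the digest lets a
      # consumer tie the counts to the exact image content that was read.
      digest: $steps.getImageDetail.outputs.digest
      vulnerabilities: $steps.getImageDetail.outputs.vulnerabilities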