openapi: 3.0.3 info: title: ARMO Platform Customer API (Kubescape) description: >- The ARMO Platform Customer API is the hosted REST API of ARMO Platform, the commercial multi-cluster, multi-cloud Kubernetes security SaaS built on the open-source Kubescape project (CNCF, Apache 2.0). It exposes the security posture, compliance, vulnerability, runtime threat detection, network policy, and registry/repository scanning data that Kubescape produces. The endpoint paths in this document are taken from the public ARMO Customer API reference (hub.armosec.io/reference/customer-api). Request and response schemas are honestly modeled by API Evangelist to represent typical payloads and are not copied verbatim from a published machine-readable spec; verify exact field names against the live reference before integrating. Note on the open-source tool: the core Kubescape CLI is not an HTTP API, and the in-cluster Operator components expose their own OpenAPI/Swagger UIs (/openapi/v2/swaggerui) only inside the cluster - not on this hosted host. This document covers the hosted ARMO Platform Customer API only. version: '1.0' contact: name: ARMO / Kubescape url: https://www.armosec.io license: name: Apache-2.0 (open-source Kubescape core) url: https://github.com/kubescape/kubescape/blob/master/LICENSE servers: - url: https://api.armosec.io/api/v1 description: ARMO Platform Customer API security: - apiKeyAuth: [] tags: - name: Posture & Compliance description: Framework, control, and resource posture results. - name: Vulnerabilities description: Image and workload vulnerability scanning and results. - name: Runtime Security description: Runtime incidents, attack chains, and security risks. - name: Network Policies description: Generated NetworkPolicies and seccomp profiles. - name: Registry & Repository description: Registry scans and Git repository posture. - name: Access Keys description: Agent access keys and exception policies. paths: /posture/frameworks: post: operationId: getPostureFrameworks tags: [Posture & Compliance] summary: Get framework scan summaries description: Returns compliance scan summaries per framework (NSA-CISA, MITRE, CIS, SOC2, and others). requestBody: $ref: '#/components/requestBodies/ListRequest' responses: '200': description: Framework summaries. content: application/json: schema: type: object properties: response: type: array items: $ref: '#/components/schemas/FrameworkSummary' '401': $ref: '#/components/responses/Unauthorized' /posture/controls: post: operationId: getPostureControls tags: [Posture & Compliance] summary: Get control run results description: Returns per-control run results with pagination. Each control is one of the 200+ Kubescape controls (C-0001..C-0292). requestBody: $ref: '#/components/requestBodies/ListRequest' responses: '200': description: Control results. content: application/json: schema: type: object properties: response: type: array items: $ref: '#/components/schemas/ControlResult' '401': $ref: '#/components/responses/Unauthorized' /posture/controls/sections: post: operationId: getPostureControlSections tags: [Posture & Compliance] summary: Get framework subsection summaries description: Returns summaries for the subsections of a compliance framework. requestBody: $ref: '#/components/requestBodies/ListRequest' responses: '200': description: Section summaries. content: application/json: schema: type: object '401': $ref: '#/components/responses/Unauthorized' /posture/resources: post: operationId: getPostureResources tags: [Posture & Compliance] summary: List affected resources description: Returns the Kubernetes resources affected by posture control failures. requestBody: $ref: '#/components/requestBodies/ListRequest' responses: '200': description: Affected resources. content: application/json: schema: type: object properties: response: type: array items: $ref: '#/components/schemas/AffectedResource' '401': $ref: '#/components/responses/Unauthorized' /vulnerability/scan: post: operationId: startVulnerabilityScan tags: [Vulnerabilities] summary: Initiate a vulnerability scan description: Triggers an image vulnerability scan. requestBody: content: application/json: schema: $ref: '#/components/schemas/ScanRequest' responses: '200': description: Scan accepted. content: application/json: schema: $ref: '#/components/schemas/ScanAccepted' '401': $ref: '#/components/responses/Unauthorized' /vulnerability/scanResults/summary: post: operationId: getVulnerabilityScanSummary tags: [Vulnerabilities] summary: Get vulnerability scan summaries requestBody: $ref: '#/components/requestBodies/ListRequest' responses: '200': description: Scan summaries. content: application/json: schema: type: object '401': $ref: '#/components/responses/Unauthorized' /vulnerability/scanResults/details: post: operationId: getVulnerabilityScanDetails tags: [Vulnerabilities] summary: Get detailed CVE listings requestBody: $ref: '#/components/requestBodies/ListRequest' responses: '200': description: CVE details. content: application/json: schema: type: object properties: response: type: array items: $ref: '#/components/schemas/Vulnerability' '401': $ref: '#/components/responses/Unauthorized' /vulnerability/severity: post: operationId: getVulnerabilitySeverity tags: [Vulnerabilities] summary: Get latest scan severity metrics requestBody: $ref: '#/components/requestBodies/ListRequest' responses: '200': description: Severity metrics. content: application/json: schema: type: object '401': $ref: '#/components/responses/Unauthorized' /vulnerabilities/list: post: operationId: listVulnerabilities tags: [Vulnerabilities] summary: List vulnerabilities description: Scoped list of vulnerabilities, including "Vulnerabilities In Use" (runtime-observed) filtering. requestBody: $ref: '#/components/requestBodies/ListRequest' responses: '200': description: Vulnerabilities. content: application/json: schema: type: object properties: response: type: array items: $ref: '#/components/schemas/Vulnerability' '401': $ref: '#/components/responses/Unauthorized' /images/list: post: operationId: listImages tags: [Vulnerabilities] summary: List scanned images requestBody: $ref: '#/components/requestBodies/ListRequest' responses: '200': description: Images. content: application/json: schema: type: object '401': $ref: '#/components/responses/Unauthorized' /runtimeIncidents: get: operationId: listRuntimeIncidents tags: [Runtime Security] summary: List runtime incidents description: Returns eBPF-based runtime threat detection incidents. responses: '200': description: Runtime incidents. content: application/json: schema: type: array items: $ref: '#/components/schemas/RuntimeIncident' '401': $ref: '#/components/responses/Unauthorized' /runtimeIncidents/{guid}/alerts: get: operationId: getRuntimeIncidentAlerts tags: [Runtime Security] summary: Get alerts for an incident parameters: - $ref: '#/components/parameters/Guid' responses: '200': description: Alerts. content: application/json: schema: type: array items: type: object '401': $ref: '#/components/responses/Unauthorized' /runtimeIncidents/{guid}/resolve: post: operationId: resolveRuntimeIncident tags: [Runtime Security] summary: Resolve a runtime incident description: Marks an incident as FalsePositive or Suspicious. parameters: - $ref: '#/components/parameters/Guid' responses: '200': description: Resolved. '401': $ref: '#/components/responses/Unauthorized' /attackChains: post: operationId: getAttackChains tags: [Runtime Security] summary: Get attack path (attack chain) analysis requestBody: $ref: '#/components/requestBodies/ListRequest' responses: '200': description: Attack chains. content: application/json: schema: type: object '401': $ref: '#/components/responses/Unauthorized' /securityRisks: get: operationId: getSecurityRisks tags: [Runtime Security] summary: Get prioritized security risks responses: '200': description: Security risks. content: application/json: schema: type: object '401': $ref: '#/components/responses/Unauthorized' /networkPolicies: get: operationId: getNetworkPolicies tags: [Network Policies] summary: Retrieve generated network policies responses: '200': description: Network policies. content: application/json: schema: type: array items: type: object '401': $ref: '#/components/responses/Unauthorized' /networkPolicies/generate: post: operationId: generateNetworkPolicies tags: [Network Policies] summary: Generate least-privilege NetworkPolicies description: Generates Kubernetes NetworkPolicies from observed workload behavior (Bill of Behavior). requestBody: $ref: '#/components/requestBodies/ListRequest' responses: '200': description: Generated policies. content: application/json: schema: type: object '401': $ref: '#/components/responses/Unauthorized' /seccompProfiles/generate: post: operationId: generateSeccompProfiles tags: [Network Policies] summary: Generate seccomp profiles requestBody: $ref: '#/components/requestBodies/ListRequest' responses: '200': description: Generated seccomp profiles. content: application/json: schema: type: object '401': $ref: '#/components/responses/Unauthorized' /registry/scan: post: operationId: scheduleRegistryScan tags: [Registry & Repository] summary: Schedule a registry scan description: Schedules a container registry scan (ECR, GAR, ACR, Harbor, Quay, Nexus, GitLab). requestBody: content: application/json: schema: $ref: '#/components/schemas/RegistryScanRequest' responses: '200': description: Registry scan scheduled. content: application/json: schema: $ref: '#/components/schemas/ScanAccepted' '401': $ref: '#/components/responses/Unauthorized' /repositoryPosture/failedControls: post: operationId: getRepositoryFailedControls tags: [Registry & Repository] summary: Get repository failed controls requestBody: $ref: '#/components/requestBodies/ListRequest' responses: '200': description: Failed controls for a Git repository. content: application/json: schema: type: object '401': $ref: '#/components/responses/Unauthorized' /authentication/accessKeys: get: operationId: listAccessKeys tags: [Access Keys] summary: List agent access keys responses: '200': description: Access keys. content: application/json: schema: type: array items: $ref: '#/components/schemas/AccessKey' '401': $ref: '#/components/responses/Unauthorized' post: operationId: createAccessKey tags: [Access Keys] summary: Create an agent access key requestBody: content: application/json: schema: $ref: '#/components/schemas/AccessKey' responses: '200': description: Created access key. content: application/json: schema: $ref: '#/components/schemas/AccessKey' '401': $ref: '#/components/responses/Unauthorized' /authentication/accessKeys/{guid}: delete: operationId: deleteAccessKey tags: [Access Keys] summary: Revoke an agent access key parameters: - $ref: '#/components/parameters/Guid' responses: '200': description: Revoked. '401': $ref: '#/components/responses/Unauthorized' components: securitySchemes: apiKeyAuth: type: apiKey in: header name: X-API-KEY description: >- Agent Access Key generated in ARMO Platform under Settings > Agent Access Keys, sent in the X-API-KEY request header. parameters: Guid: name: guid in: path required: true description: The GUID of the target resource. schema: type: string requestBodies: ListRequest: description: Standard ARMO list/query body with pagination, sorting, and field filters. content: application/json: schema: $ref: '#/components/schemas/ListRequest' responses: Unauthorized: description: Missing or invalid X-API-KEY. content: application/json: schema: $ref: '#/components/schemas/Error' schemas: ListRequest: type: object description: Query body used across ARMO list endpoints. properties: pageSize: type: integer default: 50 pageNum: type: integer default: 0 orderBy: type: string innerFilters: type: array items: type: object additionalProperties: true FrameworkSummary: type: object properties: name: type: string example: cis-v1.10.0 complianceScore: type: number format: float failedControls: type: integer totalControls: type: integer ControlResult: type: object properties: id: type: string example: C-0016 name: type: string example: Allow privilege escalation severity: type: string enum: [Low, Medium, High, Critical] status: type: string enum: [passed, failed, skipped] affectedResourcesCount: type: integer AffectedResource: type: object properties: resourceID: type: string kind: type: string example: Deployment namespace: type: string name: type: string cluster: type: string ScanRequest: type: object properties: cluster: type: string namespace: type: string imageTag: type: string RegistryScanRequest: type: object properties: registryName: type: string registryProvider: type: string enum: [ecr, gar, acr, harbor, quay, nexus, gitlab] cron: type: string description: Cron schedule for recurring scans. ScanAccepted: type: object properties: status: type: string example: accepted jobID: type: string Vulnerability: type: object properties: name: type: string example: CVE-2024-3094 severity: type: string enum: [Negligible, Low, Medium, High, Critical] packageName: type: string packageVersion: type: string fixedInVersion: type: string isRelevant: type: boolean description: Whether the vulnerability is in a component observed in use at runtime. RuntimeIncident: type: object properties: guid: type: string name: type: string severity: type: string enum: [Low, Medium, High, Critical] cluster: type: string namespace: type: string workload: type: string status: type: string enum: [Active, FalsePositive, Suspicious] creationTime: type: string format: date-time AccessKey: type: object properties: guid: type: string name: type: string expirationDate: type: string format: date-time Error: type: object properties: error: type: string code: type: integer