openapi: 3.1.0 info: title: Palo Alto Networks Prisma Cloud Compute API description: >- REST API for Prisma Cloud Compute (CWPP) providing programmatic access to container and workload security across hosts, images, containers, and serverless functions. The API enables vulnerability management, compliance monitoring, runtime defense, registry scanning, and Defender deployment management. Authentication uses either a bearer token obtained from the /api/v1/authenticate endpoint (valid for 30 minutes) or HTTP Basic authentication with Prisma Cloud Compute credentials. The console address varies per deployment and must be substituted in the server URL. version: '32.07' contact: name: Palo Alto Networks Developer Support url: https://pan.dev/ license: name: Proprietary url: https://www.paloaltonetworks.com/legal servers: - url: https://{console}/api/v1 description: Prisma Cloud Compute Console API. variables: console: default: console.example.com description: >- Address of the Prisma Cloud Compute Console. For SaaS deployments, use the address provided in Prisma Cloud under Compute > Manage > System > Utilities. security: - bearerAuth: [] - basicAuth: [] tags: - name: Authentication description: Token-based authentication for API access. - name: Containers description: Running container inventory and security posture. - name: Defenders description: Defender agent deployment and management. - name: Hosts description: Host machine security monitoring and vulnerability data. - name: Images description: Container image vulnerability and compliance scan data. - name: Policies description: Vulnerability and compliance policy management. - name: Registry description: Registry image scanning configuration and results. - name: Scans description: CI/CD pipeline scan results. 
paths: /authenticate: post: operationId: authenticate summary: Palo Alto Networks Authenticate and Obtain Bearer Token description: >- Authenticates with Prisma Cloud Compute credentials and returns a JWT bearer token for subsequent API calls. The token is valid for 30 minutes. For integrations requiring project-level access, include the project name in the request body. tags: - Authentication security: [] requestBody: required: true content: application/json: schema: type: object required: - username - password properties: username: type: string description: Prisma Cloud Compute username or access key. password: type: string description: Prisma Cloud Compute password or secret key. project: type: string description: >- Project name for project-scoped access. Omit for Central Console access. examples: AuthenticateRequestExample: summary: Default authenticate request x-microcks-default: true value: username: soc-analyst password: example-password project: example-project responses: '200': description: Authentication successful. content: application/json: schema: type: object properties: token: type: string description: JWT bearer token valid for 30 minutes. examples: Authenticate200Example: summary: Default authenticate 200 response x-microcks-default: true value: token: 4149d308542fc31fb11607add5a3d9ef '401': description: Invalid credentials or unauthorized access. x-microcks-operation: delay: 0 dispatcher: FALLBACK /images: get: operationId: getImages summary: Palo Alto Networks List Image Scan Results description: >- Returns vulnerability and compliance scan results for all container images known to Prisma Cloud Compute. Results include images from deployed containers on hosts with Defenders and from registry scans. Supports filtering by search term, cluster, and collection. tags: - Images parameters: - name: offset in: query description: Number of records to skip for pagination. 
schema: type: integer default: 0 example: 0 - name: limit in: query description: Maximum number of records to return. schema: type: integer default: 50 example: 50 - name: search in: query description: Search term to filter images by repository name or tag. schema: type: string example: example-search - name: sort in: query description: Field to sort results by. schema: type: string enum: - vulnerabilities - compliance - scanTime example: compliance - name: reverse in: query description: Sort in reverse order. schema: type: boolean default: false example: false - name: collections in: query description: Filter by collection name. schema: type: string example: example-collections - name: clusters in: query description: Filter by cluster name. schema: type: string example: example-clusters - name: compact in: query description: Return compact results without full vulnerability details. schema: type: boolean default: false example: false responses: '200': description: Image scan results returned successfully. content: application/json: schema: type: array items: $ref: '#/components/schemas/Image' examples: GetImages200Example: summary: Default getImages 200 response x-microcks-default: true value: - _id: '856694' hostname: host-9c7b scanTime: '2024-03-20T05:38:38Z' repoTag: &id002 registry: example-registry repo: example-repo tag: critical-asset repoDigests: &id003 - example-repoDigests_item - example-repoDigests_item osDistro: example-osDistro osDistroVersion: 10.9.7 vulnerabilities: &id004 - id: example-id status: deferred cvss: 12.51 severity: high packageName: Corporate Firewall 45 packageVersion: 5.1.8 fixedVersion: 5.4.9 link: https://portal.test-corp.net/0da215 description: Configured applied endpoint threat network Security. 
publishedDate: '2026-05-18T00:03:03Z' - id: example-id status: fixed in cvss: 68.07 severity: low packageName: Primary Policy 76 packageVersion: 8.5.1 fixedVersion: 6.7.4 link: https://vpn.example.com/3f4797 description: Incident network violation rule incident blocked activity applied endpoint policy incident. publishedDate: '2024-05-26T07:45:57Z' vulnerabilitiesCount: 554 vulnerabilityDistribution: &id005 critical: 813 high: 64 medium: 396 low: 795 complianceIssues: &id006 - id: 915 title: Branch Policy 90 severity: medium cause: example-cause description: Network applied activity rule applied suspicious activity suspicious firewall. - id: 165 title: Primary Gateway 48 severity: medium cause: example-cause description: Malware malware configured suspicious threat suspicious network violation. complianceIssuesCount: 705 clusters: &id007 - example-clusters_item '401': $ref: '#/components/responses/Unauthorized' '403': $ref: '#/components/responses/Forbidden' '500': $ref: '#/components/responses/InternalServerError' x-microcks-operation: delay: 0 dispatcher: FALLBACK /images/download: get: operationId: downloadImageScanResults summary: Palo Alto Networks Download Image Scan Results description: >- Downloads image scan results as a CSV file. Supports the same filtering parameters as the GET /images endpoint. Useful for bulk export and integration with external vulnerability management systems. tags: - Images parameters: - name: search in: query description: Search term to filter images by repository name or tag. schema: type: string example: example-search - name: collections in: query description: Filter by collection name. schema: type: string example: example-collections - name: clusters in: query description: Filter by cluster name. schema: type: string example: example-clusters responses: '200': description: Image scan results CSV file returned. 
content: text/csv: schema: type: string format: binary '401': $ref: '#/components/responses/Unauthorized' '403': $ref: '#/components/responses/Forbidden' '500': $ref: '#/components/responses/InternalServerError' x-microcks-operation: delay: 0 dispatcher: FALLBACK /containers: get: operationId: getContainers summary: Palo Alto Networks List Running Containers description: >- Returns information about all running containers monitored by Prisma Cloud Compute Defenders. Includes container metadata, associated image scan results, network information, and runtime profile status. tags: - Containers parameters: - name: offset in: query description: Number of records to skip for pagination. schema: type: integer default: 0 example: 0 - name: limit in: query description: Maximum number of records to return. schema: type: integer default: 50 example: 50 - name: search in: query description: Search term to filter containers by name or image. schema: type: string example: example-search - name: collections in: query description: Filter by collection name. schema: type: string example: example-collections - name: clusters in: query description: Filter by cluster name. schema: type: string example: example-clusters - name: hostname in: query description: Filter by host where the container is running. schema: type: string example: host-b981 responses: '200': description: Container list returned successfully. 
content: application/json: schema: type: array items: $ref: '#/components/schemas/Container' examples: GetContainers200Example: summary: Default getContainers 200 response x-microcks-default: true value: - _id: '441805' name: Staging Sensor 73 hostname: host-ec79 imageId: '178488' imageName: Staging Sensor 95 state: exited created: '2026-06-08T07:42:55Z' cluster: example-cluster namespace: Branch Firewall 92 vulnerabilitiesCount: 280 complianceIssuesCount: 855 '401': $ref: '#/components/responses/Unauthorized' '403': $ref: '#/components/responses/Forbidden' '500': $ref: '#/components/responses/InternalServerError' x-microcks-operation: delay: 0 dispatcher: FALLBACK /hosts: get: operationId: getHosts summary: Palo Alto Networks List Host Scan Results description: >- Returns vulnerability and compliance scan results for all hosts protected by Prisma Cloud Compute Defenders. Includes OS-level vulnerabilities, installed packages, and compliance check results. tags: - Hosts parameters: - name: offset in: query description: Number of records to skip for pagination. schema: type: integer default: 0 example: 0 - name: limit in: query description: Maximum number of records to return. schema: type: integer default: 50 example: 50 - name: search in: query description: Search term to filter hosts by hostname. schema: type: string example: example-search - name: sort in: query description: Field to sort results by. schema: type: string enum: - vulnerabilities - compliance - scanTime example: compliance - name: reverse in: query description: Sort in reverse order. schema: type: boolean default: false example: false - name: collections in: query description: Filter by collection name. schema: type: string example: example-collections - name: clusters in: query description: Filter by cluster name. schema: type: string example: example-clusters responses: '200': description: Host scan results returned successfully. 
content: application/json: schema: type: array items: $ref: '#/components/schemas/Host' examples: GetHosts200Example: summary: Default getHosts 200 response x-microcks-default: true value: - _id: '404955' hostname: host-4848 scanTime: '2024-04-25T22:09:59Z' osDistro: example-osDistro osDistroVersion: 6.6.2 kernelVersion: 8.6.6 cloudMetadata: &id008 provider: aws accountId: '566631' region: us-east-1 instanceId: '700233' vulnerabilities: &id009 - id: example-id status: deferred cvss: 13.89 severity: critical packageName: Branch Policy 65 packageVersion: 2.9.1 fixedVersion: 9.6.0 link: https://api.example.com/9c88b4 description: Monitoring blocked suspicious activity malware traffic Security policy rule configured. publishedDate: '2026-07-04T20:08:13Z' vulnerabilitiesCount: 315 vulnerabilityDistribution: &id010 critical: 842 high: 259 medium: 307 low: 195 complianceIssues: &id011 - id: 799 title: Staging Gateway 66 severity: low cause: example-cause description: Endpoint endpoint blocked monitoring policy alert network traffic network monitoring applied investigation. complianceIssuesCount: 960 '401': $ref: '#/components/responses/Unauthorized' '403': $ref: '#/components/responses/Forbidden' '500': $ref: '#/components/responses/InternalServerError' x-microcks-operation: delay: 0 dispatcher: FALLBACK /policies/vulnerability/images: get: operationId: getImageVulnerabilityPolicy summary: Palo Alto Networks Get Image Vulnerability Policy description: >- Returns the currently configured image vulnerability policy. The policy defines the rules for blocking, alerting, and ignoring vulnerabilities found in container images based on severity, CVE, package, and other criteria. tags: - Policies responses: '200': description: Image vulnerability policy returned successfully. 
content: application/json: schema: $ref: '#/components/schemas/VulnerabilityPolicy' examples: GetImageVulnerabilityPolicy200Example: summary: Default getImageVulnerabilityPolicy 200 response x-microcks-default: true value: rules: &id001 - name: Production Agent 10 collections: - example-collections_item - example-collections_item effect: alert condition: cves: ids: - example-ids_item - example-ids_item effect: example-effect severities: - critical - name: Production Agent 26 collections: - example-collections_item - example-collections_item effect: ignore condition: cves: ids: - example-ids_item - example-ids_item effect: example-effect severities: - critical - high '401': $ref: '#/components/responses/Unauthorized' '403': $ref: '#/components/responses/Forbidden' '500': $ref: '#/components/responses/InternalServerError' x-microcks-operation: delay: 0 dispatcher: FALLBACK put: operationId: updateImageVulnerabilityPolicy summary: Palo Alto Networks Update Image Vulnerability Policy description: >- Replaces the image vulnerability policy with the provided configuration. The policy is applied to all image scans and enforced at container admission. tags: - Policies requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/VulnerabilityPolicy' examples: UpdateImageVulnerabilityPolicyRequestExample: summary: Default updateImageVulnerabilityPolicy request x-microcks-default: true value: rules: *id001 responses: '200': description: Image vulnerability policy updated successfully. '400': $ref: '#/components/responses/BadRequest' '401': $ref: '#/components/responses/Unauthorized' '403': $ref: '#/components/responses/Forbidden' '500': $ref: '#/components/responses/InternalServerError' x-microcks-operation: delay: 0 dispatcher: FALLBACK /policies/compliance/images: get: operationId: getImageCompliancePolicy summary: Palo Alto Networks Get Image Compliance Policy description: >- Returns the currently configured image compliance policy. 
The compliance policy defines the checks applied to container images based on CIS benchmarks and custom rules. tags: - Policies responses: '200': description: Image compliance policy returned successfully. content: application/json: schema: $ref: '#/components/schemas/CompliancePolicy' examples: GetImageCompliancePolicy200Example: summary: Default getImageCompliancePolicy 200 response x-microcks-default: true value: rules: &id012 - name: Primary Agent 83 collections: - example-collections_item effect: block condition: checks: - {} - {} '401': $ref: '#/components/responses/Unauthorized' '403': $ref: '#/components/responses/Forbidden' '500': $ref: '#/components/responses/InternalServerError' x-microcks-operation: delay: 0 dispatcher: FALLBACK /policies/runtime/container: get: operationId: getContainerRuntimePolicy summary: Palo Alto Networks Get Container Runtime Policy description: >- Returns the currently configured container runtime defense policy. Runtime policies define allowed process, network, and file system activities for running containers, enabling detection and prevention of anomalous runtime behavior. tags: - Policies responses: '200': description: Container runtime policy returned successfully. 
content: application/json: schema: $ref: '#/components/schemas/RuntimePolicy' examples: GetContainerRuntimePolicy200Example: summary: Default getContainerRuntimePolicy 200 response x-microcks-default: true value: rules: &id013 - name: Primary Policy 20 collections: - example-collections_item - example-collections_item processes: effect: ignore whitelist: - example-whitelist_item - example-whitelist_item blacklist: - example-blacklist_item network: effect: block filesystem: effect: block - name: Primary Policy 29 collections: - example-collections_item - example-collections_item processes: effect: alert whitelist: - example-whitelist_item blacklist: - example-blacklist_item network: effect: alert filesystem: effect: alert '401': $ref: '#/components/responses/Unauthorized' '403': $ref: '#/components/responses/Forbidden' '500': $ref: '#/components/responses/InternalServerError' x-microcks-operation: delay: 0 dispatcher: FALLBACK /registry: get: operationId: getRegistries summary: Palo Alto Networks List Configured Registries description: >- Returns a list of container registries configured for scanning in Prisma Cloud Compute. Each entry includes the registry URL, credential references, scanning scope, and schedule. tags: - Registry responses: '200': description: Registry configurations returned successfully. 
content: application/json: schema: type: array items: $ref: '#/components/schemas/RegistryConfig' examples: GetRegistries200Example: summary: Default getRegistries 200 response x-microcks-default: true value: - version: jfrog registry: example-registry namespace: Corporate Gateway 63 credentialID: '865122' os: linux cap: 304 scanners: 112 tag: critical-asset '401': $ref: '#/components/responses/Unauthorized' '403': $ref: '#/components/responses/Forbidden' '500': $ref: '#/components/responses/InternalServerError' x-microcks-operation: delay: 0 dispatcher: FALLBACK post: operationId: addRegistry summary: Palo Alto Networks Add a Registry description: >- Adds a new container registry to the scanning configuration. Supports Docker Hub, AWS ECR, Azure Container Registry, Google Container Registry, and other OCI-compatible registries. tags: - Registry requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/RegistryConfig' examples: AddRegistryRequestExample: summary: Default addRegistry request x-microcks-default: true value: version: jfrog registry: example-registry namespace: Corporate Gateway 63 credentialID: '865122' os: linux cap: 304 scanners: 112 tag: critical-asset responses: '200': description: Registry added successfully. '400': $ref: '#/components/responses/BadRequest' '401': $ref: '#/components/responses/Unauthorized' '403': $ref: '#/components/responses/Forbidden' '500': $ref: '#/components/responses/InternalServerError' x-microcks-operation: delay: 0 dispatcher: FALLBACK /defenders: get: operationId: getDefenders summary: Palo Alto Networks List Defenders description: >- Returns information about all deployed Defenders including their connection status, version, type, and the host they are running on. Defenders are the runtime agents that enforce security policies and report vulnerability and compliance data to the Console. 
tags: - Defenders parameters: - name: offset in: query description: Number of records to skip for pagination. schema: type: integer default: 0 example: 0 - name: limit in: query description: Maximum number of records to return. schema: type: integer default: 50 example: 50 - name: search in: query description: Search term to filter Defenders by hostname. schema: type: string example: example-search - name: connected in: query description: Filter by connection status. schema: type: boolean example: true - name: type in: query description: Filter by Defender type. schema: type: string enum: - docker - dockerWindows - cri - fargate - appEmbedded - serverless example: serverless - name: cluster in: query description: Filter by cluster name. schema: type: string example: example-cluster responses: '200': description: Defender list returned successfully. content: application/json: schema: type: array items: $ref: '#/components/schemas/Defender' examples: GetDefenders200Example: summary: Default getDefenders 200 response x-microcks-default: true value: - hostname: host-7a08 version: 9.6.1 type: cri connected: true lastModified: '2024-10-15T05:34:16Z' cluster: example-cluster cloudMetadata: &id014 provider: example-provider accountId: '210791' region: us-west-2 category: appEmbedded '401': $ref: '#/components/responses/Unauthorized' '403': $ref: '#/components/responses/Forbidden' '500': $ref: '#/components/responses/InternalServerError' x-microcks-operation: delay: 0 dispatcher: FALLBACK /defenders/summary: get: operationId: getDefendersSummary summary: Palo Alto Networks Get Defender Summary Statistics description: >- Returns summary statistics about deployed Defenders including total count, connected count, version distribution, and deployment type breakdown. tags: - Defenders responses: '200': description: Defender summary statistics returned successfully. 
content: application/json: schema: $ref: '#/components/schemas/DefenderSummary' examples: GetDefendersSummary200Example: summary: Default getDefendersSummary 200 response x-microcks-default: true value: total: 699 connected: 599 disconnected: 938 by_type: &id015 docker: 291 dockerWindows: 218 cri: 483 fargate: 38 appEmbedded: 555 serverless: 454 version_distribution: &id016 - version: 1.1.4 count: 916 - version: 9.6.3 count: 298 '401': $ref: '#/components/responses/Unauthorized' '403': $ref: '#/components/responses/Forbidden' '500': $ref: '#/components/responses/InternalServerError' x-microcks-operation: delay: 0 dispatcher: FALLBACK /scans: get: operationId: getCIScans summary: Palo Alto Networks Get CI Scan Results description: >- Returns vulnerability and compliance scan results from CI/CD pipeline scans run using the twistcli tool or CI/CD integrations. Results include the scan target, policy outcome, and detailed findings for each scan run. tags: - Scans parameters: - name: offset in: query description: Number of records to skip for pagination. schema: type: integer default: 0 example: 0 - name: limit in: query description: Maximum number of records to return. schema: type: integer default: 50 example: 50 - name: search in: query description: Search term to filter scan results by image name. schema: type: string example: example-search - name: type in: query description: Filter by scan target type. schema: type: string enum: - ciImage - ciServerless - ciIaC example: ciServerless responses: '200': description: CI scan results returned successfully. 
content: application/json: schema: type: array items: $ref: '#/components/schemas/CIScan' examples: GetCiscans200Example: summary: Default getCIScans 200 response x-microcks-default: true value: - entityInfo: &id017 _id: '302929' type: ciIaC hostname: host-6942 scanTime: '2026-01-25T05:11:50Z' pass: true vulnerabilitiesCount: 27 complianceIssuesCount: 398 vulnerabilityDistribution: &id018 critical: 112 high: 224 medium: 858 low: 591 '401': $ref: '#/components/responses/Unauthorized' '403': $ref: '#/components/responses/Forbidden' '500': $ref: '#/components/responses/InternalServerError' x-microcks-operation: delay: 0 dispatcher: FALLBACK components: securitySchemes: bearerAuth: type: http scheme: bearer bearerFormat: JWT description: >- JWT token obtained from the /api/v1/authenticate endpoint. Valid for 30 minutes. basicAuth: type: http scheme: basic description: HTTP Basic authentication using Prisma Cloud Compute credentials. responses: BadRequest: description: Invalid request parameters or body. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' Unauthorized: description: Invalid or expired authentication credentials. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' Forbidden: description: Insufficient permissions for this operation. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' InternalServerError: description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' schemas: Image: type: object properties: _id: type: string description: Unique image identifier composed of registry, repository, and tag. example: '856694' hostname: type: string description: Hostname of the machine where the image was scanned. example: host-9c7b scanTime: type: string format: date-time description: Timestamp of the most recent scan. example: '2024-03-20T05:38:38Z' repoTag: type: object description: Repository and tag information for the image. 
properties: registry: type: string description: Container registry URL. example: example-registry repo: type: string description: Repository name. example: example-repo tag: type: string description: Image tag. example: pci-scope example: *id002 repoDigests: type: array description: Content-addressable image digests. items: type: string example: *id003 osDistro: type: string description: Operating system distribution of the image. example: example-osDistro osDistroVersion: type: string description: Operating system distribution version. example: 10.9.7 vulnerabilities: type: array description: Vulnerabilities discovered in the image. items: $ref: '#/components/schemas/Vulnerability' example: *id004 vulnerabilitiesCount: type: integer description: Total number of vulnerabilities found. example: 554 vulnerabilityDistribution: type: object description: Vulnerability count by severity level. properties: critical: type: integer example: 62 high: type: integer example: 107 medium: type: integer example: 509 low: type: integer example: 687 example: *id005 complianceIssues: type: array description: Compliance check failures for the image. items: $ref: '#/components/schemas/ComplianceIssue' example: *id006 complianceIssuesCount: type: integer description: Total number of compliance issues found. example: 705 clusters: type: array description: Kubernetes clusters where this image is deployed. items: type: string example: *id007 Vulnerability: type: object properties: id: type: string description: CVE identifier (e.g., CVE-2024-1234). example: example-id status: type: string enum: - fixed in - needed - will not fix - deferred description: Fix availability status. example: deferred cvss: type: number format: float description: CVSS v3 base score. example: 13.89 severity: type: string enum: - critical - high - medium - low description: Severity level derived from CVSS score. example: critical packageName: type: string description: Name of the affected package. 
example: Branch Policy 65 packageVersion: type: string description: Installed version of the affected package. example: 2.9.1 fixedVersion: type: string description: Version that contains the fix, if available. example: 9.6.0 link: type: string description: URL to the CVE advisory or details page. example: https://api.example.com/9c88b4 description: type: string description: Brief description of the vulnerability. example: Monitoring blocked suspicious activity malware traffic Security policy rule configured. publishedDate: type: string format: date-time description: Date the vulnerability was publicly disclosed. example: '2026-07-04T20:08:13Z' Container: type: object properties: _id: type: string description: Unique container identifier. example: '441805' name: type: string description: Container name. example: Staging Sensor 73 hostname: type: string description: Host where the container is running. example: host-ec79 imageId: type: string description: ID of the container image. example: '178488' imageName: type: string description: Full image name including registry, repository, and tag. example: Staging Sensor 95 state: type: string enum: - running - created - exited - paused description: Current container state. example: exited created: type: string format: date-time description: Container creation timestamp. example: '2026-06-08T07:42:55Z' cluster: type: string description: Kubernetes cluster name. example: example-cluster namespace: type: string description: Kubernetes namespace. example: Branch Firewall 92 vulnerabilitiesCount: type: integer description: Number of vulnerabilities in the container image. example: 280 complianceIssuesCount: type: integer description: Number of compliance issues for this container. example: 855 Host: type: object properties: _id: type: string description: Unique host identifier. example: '404955' hostname: type: string description: Host machine hostname. 
example: host-4848 scanTime: type: string format: date-time description: Timestamp of the most recent host scan. example: '2024-04-25T22:09:59Z' osDistro: type: string description: Operating system distribution. example: example-osDistro osDistroVersion: type: string description: Operating system version. example: 6.6.2 kernelVersion: type: string description: Linux kernel version. example: 8.6.6 cloudMetadata: type: object description: Cloud provider metadata for the host. properties: provider: type: string enum: - aws - azure - gcp - oci example: azure accountId: type: string example: '847408' region: type: string example: us-east-1 instanceId: type: string example: '842603' example: *id008 vulnerabilities: type: array description: Vulnerabilities discovered on the host. items: $ref: '#/components/schemas/Vulnerability' example: *id009 vulnerabilitiesCount: type: integer description: Total number of vulnerabilities found. example: 315 vulnerabilityDistribution: type: object properties: critical: type: integer example: 687 high: type: integer example: 527 medium: type: integer example: 929 low: type: integer example: 782 example: *id010 complianceIssues: type: array items: $ref: '#/components/schemas/ComplianceIssue' example: *id011 complianceIssuesCount: type: integer example: 960 VulnerabilityPolicy: type: object properties: rules: type: array description: Ordered list of vulnerability policy rules. items: type: object properties: name: type: string description: Rule name. example: Corporate Agent 90 collections: type: array items: type: string description: Collections this rule applies to. example: - example-collections_item - example-collections_item effect: type: string enum: - ignore - alert - block description: Action to take for matching vulnerabilities. example: block condition: type: object description: Conditions that trigger this rule. 
properties: cves: type: object properties: ids: type: array items: type: string example: - example-ids_item - example-ids_item effect: type: string example: example-effect example: ids: - example-ids_item - example-ids_item effect: example-effect severities: type: array items: type: string enum: - critical - high - medium - low example: - critical - medium example: cves: ids: - example-ids_item effect: example-effect severities: - low - medium example: *id001 CompliancePolicy: type: object properties: rules: type: array description: Ordered list of compliance policy rules. items: type: object properties: name: type: string example: Production Policy 80 collections: type: array items: type: string example: - example-collections_item - example-collections_item effect: type: string enum: - ignore - alert - block example: alert condition: type: object properties: checks: type: array items: type: object properties: id: type: integer description: Compliance check ID. example: 684 block: type: boolean example: true example: - id: 304 block: true example: checks: - id: 93 block: false - id: 138 block: true example: *id012 RuntimePolicy: type: object properties: rules: type: array description: Container runtime defense rules. 
items: type: object properties: name: type: string example: Production Firewall 87 collections: type: array items: type: string example: - example-collections_item processes: type: object properties: effect: type: string enum: - ignore - alert - block example: alert whitelist: type: array items: type: string example: - example-whitelist_item blacklist: type: array items: type: string example: - example-blacklist_item - example-blacklist_item example: effect: ignore whitelist: - example-whitelist_item - example-whitelist_item blacklist: - example-blacklist_item - example-blacklist_item network: type: object properties: effect: type: string enum: - ignore - alert - block example: alert example: effect: alert filesystem: type: object properties: effect: type: string enum: - ignore - alert - block example: ignore example: effect: ignore example: *id013 RegistryConfig: type: object required: - version - registry properties: version: type: string description: Registry type identifier. enum: - dockerhub - aws - azure - gcr - jfrog - quay - other example: jfrog registry: type: string description: Registry URL or hostname. example: example-registry namespace: type: string description: Registry namespace or organization name. example: Corporate Gateway 63 credentialID: type: string description: Credential store identifier for registry authentication. example: '865122' os: type: string enum: - linux - windows default: linux description: Base OS for scanned images. example: linux cap: type: integer description: Maximum number of images to scan from this registry. example: 304 scanners: type: integer description: Number of scanner instances to use. example: 112 tag: type: string description: Specific tag to scan. Scans all tags if omitted. example: critical-asset Defender: type: object properties: hostname: type: string description: Hostname where the Defender is deployed. example: host-7a08 version: type: string description: Defender agent version. 
          example: 9.6.1
        type:
          type: string
          enum:
            - docker
            - dockerWindows
            - cri
            - fargate
            - appEmbedded
            - serverless
          description: Type of Defender deployment.
          example: cri
        connected:
          type: boolean
          description: Whether the Defender is currently connected to the Console.
          example: true
        lastModified:
          type: string
          format: date-time
          description: Timestamp of the last status update from the Defender.
          example: '2024-10-15T05:34:16Z'
        cluster:
          type: string
          description: Kubernetes cluster name if applicable.
          example: example-cluster
        cloudMetadata:
          type: object
          properties:
            provider:
              type: string
              example: example-provider
            accountId:
              type: string
              example: '642621'
            region:
              type: string
              example: us-west-2
          example: *id014
        category:
          type: string
          enum:
            - container
            - host
            - serverless
            - appEmbedded
          example: appEmbedded
    DefenderSummary:
      type: object
      properties:
        total:
          type: integer
          description: Total number of deployed Defenders.
          example: 699
        connected:
          type: integer
          description: Number of currently connected Defenders.
          example: 599
        disconnected:
          type: integer
          description: Number of disconnected Defenders.
          example: 938
        by_type:
          type: object
          description: Defender count breakdown by deployment type.
          properties:
            docker:
              type: integer
              example: 337
            dockerWindows:
              type: integer
              example: 871
            cri:
              type: integer
              example: 582
            fargate:
              type: integer
              example: 950
            appEmbedded:
              type: integer
              example: 172
            serverless:
              type: integer
              example: 889
          example: *id015
        version_distribution:
          type: array
          items:
            type: object
            properties:
              version:
                type: string
                example: 7.8.9
              count:
                type: integer
                example: 568
          example: *id016
    CIScan:
      type: object
      properties:
        entityInfo:
          type: object
          properties:
            _id:
              type: string
              example: '112406'
            type:
              type: string
              enum:
                - ciImage
                - ciServerless
                - ciIaC
              example: ciImage
            hostname:
              type: string
              example: host-d7ec
            scanTime:
              type: string
              format: date-time
              example: '2026-01-03T15:52:28Z'
          example: *id017
        pass:
          type: boolean
          description: Whether the scan passed the configured policy thresholds.
          example: true
        vulnerabilitiesCount:
          type: integer
          example: 27
        complianceIssuesCount:
          type: integer
          example: 398
        vulnerabilityDistribution:
          type: object
          properties:
            critical:
              type: integer
              example: 508
            high:
              type: integer
              example: 66
            medium:
              type: integer
              example: 709
            low:
              type: integer
              example: 859
          example: *id018
    ComplianceIssue:
      type: object
      properties:
        id:
          type: integer
          description: Compliance check ID.
          example: 668
        title:
          type: string
          description: Title of the compliance check.
          example: Primary Firewall 38
        severity:
          type: string
          enum:
            - critical
            - high
            - medium
            - low
          description: Severity of the compliance issue.
          example: high
        cause:
          type: string
          description: Explanation of why the resource failed the check.
          example: example-cause
        description:
          type: string
          description: Detailed description of the compliance requirement.
          example: Detected on policy monitoring detected alert.
    ErrorResponse:
      type: object
      properties:
        err:
          type: string
          description: Error message.
          example: example-err