×

POST /v1/images/scan

ScanImage scans a single image and returns the result

Description

Parameters

Body Parameter

Name Description Required Default Pattern

body

V1ScanImageRequest

X

Return Type

Content Type

  • application/json

Responses

Table 1. HTTP Response Codes
Code Message Datatype

200

A successful response.

StorageImage

0

An unexpected error response.

RuntimeError

Samples

Common object reference

CVSSV2AccessComplexity

Enum Values

ACCESS_HIGH

ACCESS_MEDIUM

ACCESS_LOW

CVSSV2Authentication

Enum Values

AUTH_MULTIPLE

AUTH_SINGLE

AUTH_NONE

CVSSV3Complexity

Enum Values

COMPLEXITY_LOW

COMPLEXITY_HIGH

CVSSV3Privileges

Enum Values

PRIVILEGE_NONE

PRIVILEGE_LOW

PRIVILEGE_HIGH

CVSSV3UserInteraction

Enum Values

UI_NONE

UI_REQUIRED

EmbeddedVulnerabilityVulnerabilityType

Enum Values

UNKNOWN_VULNERABILITY

IMAGE_VULNERABILITY

K8S_VULNERABILITY

ISTIO_VULNERABILITY

NODE_VULNERABILITY

OPENSHIFT_VULNERABILITY

ProtobufAny

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++.

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java.

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}
Example 3: Pack and unpack a message in Python.
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...
Example 4: Pack and unpack a message in Go
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

JSON representation

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example:

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}
{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message [google.protobuf.Duration][]):

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}
Field Name Required Nullable Type Description Format

typeUrl

String

A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading \".\" is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, https is assumed. * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.

value

byte[]

Must be a valid serialized protocol buffer of the above specified type.

byte

RuntimeError

Field Name Required Nullable Type Description Format

error

String

code

Integer

int32

message

String

details

List of ProtobufAny

StorageCVSSV2

Field Name Required Nullable Type Description Format

vector

String

attackVector

StorageCVSSV2AttackVector

ATTACK_LOCAL, ATTACK_ADJACENT, ATTACK_NETWORK,

accessComplexity

CVSSV2AccessComplexity

ACCESS_HIGH, ACCESS_MEDIUM, ACCESS_LOW,

authentication

CVSSV2Authentication

AUTH_MULTIPLE, AUTH_SINGLE, AUTH_NONE,

confidentiality

StorageCVSSV2Impact

IMPACT_NONE, IMPACT_PARTIAL, IMPACT_COMPLETE,

integrity

StorageCVSSV2Impact

IMPACT_NONE, IMPACT_PARTIAL, IMPACT_COMPLETE,

availability

StorageCVSSV2Impact

IMPACT_NONE, IMPACT_PARTIAL, IMPACT_COMPLETE,

exploitabilityScore

Float

float

impactScore

Float

float

score

Float

float

severity

StorageCVSSV2Severity

UNKNOWN, LOW, MEDIUM, HIGH,

StorageCVSSV2AttackVector

Enum Values

ATTACK_LOCAL

ATTACK_ADJACENT

ATTACK_NETWORK

StorageCVSSV2Impact

Enum Values

IMPACT_NONE

IMPACT_PARTIAL

IMPACT_COMPLETE

StorageCVSSV2Severity

Enum Values

UNKNOWN

LOW

MEDIUM

HIGH

StorageCVSSV3

Field Name Required Nullable Type Description Format

vector

String

exploitabilityScore

Float

float

impactScore

Float

float

attackVector

StorageCVSSV3AttackVector

ATTACK_LOCAL, ATTACK_ADJACENT, ATTACK_NETWORK, ATTACK_PHYSICAL,

attackComplexity

CVSSV3Complexity

COMPLEXITY_LOW, COMPLEXITY_HIGH,

privilegesRequired

CVSSV3Privileges

PRIVILEGE_NONE, PRIVILEGE_LOW, PRIVILEGE_HIGH,

userInteraction

CVSSV3UserInteraction

UI_NONE, UI_REQUIRED,

scope

StorageCVSSV3Scope

UNCHANGED, CHANGED,

confidentiality

StorageCVSSV3Impact

IMPACT_NONE, IMPACT_LOW, IMPACT_HIGH,

integrity

StorageCVSSV3Impact

IMPACT_NONE, IMPACT_LOW, IMPACT_HIGH,

availability

StorageCVSSV3Impact

IMPACT_NONE, IMPACT_LOW, IMPACT_HIGH,

score

Float

float

severity

StorageCVSSV3Severity

UNKNOWN, NONE, LOW, MEDIUM, HIGH, CRITICAL,

StorageCVSSV3AttackVector

Enum Values

ATTACK_LOCAL

ATTACK_ADJACENT

ATTACK_NETWORK

ATTACK_PHYSICAL

StorageCVSSV3Impact

Enum Values

IMPACT_NONE

IMPACT_LOW

IMPACT_HIGH

StorageCVSSV3Scope

Enum Values

UNCHANGED

CHANGED

StorageCVSSV3Severity

Enum Values

UNKNOWN

NONE

LOW

MEDIUM

HIGH

CRITICAL

StorageCosignSignature

Field Name Required Nullable Type Description Format

rawSignature

byte[]

byte

signaturePayload

byte[]

byte

certPem

byte[]

byte

certChainPem

byte[]

byte

StorageDataSource

Field Name Required Nullable Type Description Format

id

String

name

String

mirror

String

StorageEmbeddedImageScanComponent

Next Tag: 13
Field Name Required Nullable Type Description Format

name

String

version

String

license

StorageLicense

vulns

List of StorageEmbeddedVulnerability

layerIndex

Integer

int32

priority

String

int64

source

StorageSourceType

OS, PYTHON, JAVA, RUBY, NODEJS, GO, DOTNETCORERUNTIME, INFRASTRUCTURE,

location

String

topCvss

Float

float

riskScore

Float

float

fixedBy

String

Component version that fixes all the fixable vulnerabilities in this component.

executables

List of StorageEmbeddedImageScanComponentExecutable

StorageEmbeddedImageScanComponentExecutable

Field Name Required Nullable Type Description Format

path

String

dependencies

List of string

StorageEmbeddedVulnerability

Next Tag: 21
Field Name Required Nullable Type Description Format

cve

String

cvss

Float

float

summary

String

link

String

fixedBy

String

scoreVersion

StorageEmbeddedVulnerabilityScoreVersion

V2, V3,

cvssV2

StorageCVSSV2

cvssV3

StorageCVSSV3

publishedOn

Date

date-time

lastModified

Date

date-time

vulnerabilityType

EmbeddedVulnerabilityVulnerabilityType

UNKNOWN_VULNERABILITY, IMAGE_VULNERABILITY, K8S_VULNERABILITY, ISTIO_VULNERABILITY, NODE_VULNERABILITY, OPENSHIFT_VULNERABILITY,

vulnerabilityTypes

List of EmbeddedVulnerabilityVulnerabilityType

suppressed

Boolean

suppressActivation

Date

date-time

suppressExpiry

Date

date-time

firstSystemOccurrence

Date

Time when the CVE was first seen, for this specific distro, in the system.

date-time

firstImageOccurrence

Date

Time when the CVE was first seen in this image.

date-time

severity

StorageVulnerabilitySeverity

UNKNOWN_VULNERABILITY_SEVERITY, LOW_VULNERABILITY_SEVERITY, MODERATE_VULNERABILITY_SEVERITY, IMPORTANT_VULNERABILITY_SEVERITY, CRITICAL_VULNERABILITY_SEVERITY,

state

StorageVulnerabilityState

OBSERVED, DEFERRED, FALSE_POSITIVE,

StorageEmbeddedVulnerabilityScoreVersion

Enum Values

V2

V3

StorageImage

Next Tag: 19
Field Name Required Nullable Type Description Format

id

String

name

StorageImageName

names

List of StorageImageName

This should deprecate the ImageName field long-term, allowing images with the same digest to be associated with different locations. TODO(dhaus): For now, this message will be without search tags due to duplicated search tags otherwise.

metadata

StorageImageMetadata

scan

StorageImageScan

signatureVerificationData

StorageImageSignatureVerificationData

signature

StorageImageSignature

components

Integer

int32

cves

Integer

int32

fixableCves

Integer

int32

lastUpdated

Date

date-time

notPullable

Boolean

isClusterLocal

Boolean

priority

String

int64

riskScore

Float

float

topCvss

Float

float

notes

List of StorageImageNote

StorageImageLayer

Field Name Required Nullable Type Description Format

instruction

String

value

String

created

Date

date-time

author

String

empty

Boolean

StorageImageMetadata

If any fields of ImageMetadata are modified including subfields, please check pkg/images/enricher/metadata.go to ensure that those changes will be automatically picked up Next Tag: 6

StorageImageName

Field Name Required Nullable Type Description Format

registry

String

remote

String

tag

String

fullName

String

StorageImageNote

Enum Values

MISSING_METADATA

MISSING_SCAN_DATA

MISSING_SIGNATURE

MISSING_SIGNATURE_VERIFICATION_DATA

StorageImageScan

Next tag: 8
Field Name Required Nullable Type Description Format

scannerVersion

String

scanTime

Date

date-time

components

List of StorageEmbeddedImageScanComponent

operatingSystem

String

dataSource

StorageDataSource

notes

List of StorageImageScanNote

hash

String

uint64

StorageImageScanNote

Enum Values

UNSET

OS_UNAVAILABLE

PARTIAL_SCAN_DATA

OS_CVES_UNAVAILABLE

OS_CVES_STALE

LANGUAGE_CVES_UNAVAILABLE

CERTIFIED_RHEL_SCAN_UNAVAILABLE

StorageImageSignature

Field Name Required Nullable Type Description Format

signatures

List of StorageSignature

fetched

Date

date-time

StorageImageSignatureVerificationData

Field Name Required Nullable Type Description Format

results

List of StorageImageSignatureVerificationResult

StorageImageSignatureVerificationResult

Next Tag: 6
Field Name Required Nullable Type Description Format

verificationTime

Date

date-time

verifierId

String

verifier_id correlates to the ID of the signature integration used to verify the signature.

status

StorageImageSignatureVerificationResultStatus

UNSET, VERIFIED, FAILED_VERIFICATION, INVALID_SIGNATURE_ALGO, CORRUPTED_SIGNATURE, GENERIC_ERROR,

description

String

description is set in the case of an error with the specific error’s message. Otherwise, this will not be set.

verifiedImageReferences

List of string

The full image names that are verified by this specific signature integration ID.

StorageImageSignatureVerificationResultStatus

Status represents the status of the result.

  • VERIFIED: VERIFIED is set when the signature’s verification was successful.

  • FAILED_VERIFICATION: FAILED_VERIFICATION is set when the signature’s verification failed.

  • INVALID_SIGNATURE_ALGO: INVALID_SIGNATURE_ALGO is set when the signature’s algorithm is invalid and unsupported.

  • CORRUPTED_SIGNATURE: CORRUPTED_SIGNATURE is set when the raw signature is corrupted, i.e. wrong base64 encoding.

  • GENERIC_ERROR: GENERIC_ERROR is set when an error occurred during verification that cannot be associated with a specific status.

Enum Values

UNSET

VERIFIED

FAILED_VERIFICATION

INVALID_SIGNATURE_ALGO

CORRUPTED_SIGNATURE

GENERIC_ERROR

StorageLicense

Field Name Required Nullable Type Description Format

name

String

type

String

url

String

StorageSignature

Field Name Required Nullable Type Description Format

cosign

StorageCosignSignature

StorageSourceType

Enum Values

OS

PYTHON

JAVA

RUBY

NODEJS

GO

DOTNETCORERUNTIME

INFRASTRUCTURE

StorageV1Metadata

StorageV2Metadata

StorageVulnerabilitySeverity

Enum Values

UNKNOWN_VULNERABILITY_SEVERITY

LOW_VULNERABILITY_SEVERITY

MODERATE_VULNERABILITY_SEVERITY

IMPORTANT_VULNERABILITY_SEVERITY

CRITICAL_VULNERABILITY_SEVERITY

StorageVulnerabilityState

VulnerabilityState indicates if vulnerability is being observed or deferred(/suppressed). By default, it vulnerabilities are observed.

Enum Values

OBSERVED

DEFERRED

FALSE_POSITIVE

V1ScanImageRequest

Field Name Required Nullable Type Description Format

imageName

String

force

Boolean

includeSnoozed

Boolean

cluster

String

Cluster to delegate scan to, may be the cluster’s name or ID.