> ## Documentation Index
> Fetch the complete documentation index at: https://docs.endorlabs.com/llms.txt
> Use this file to discover all available pages before exploring further.
## Submitting Feedback
If you encounter incorrect, outdated, or confusing documentation on this page, submit feedback:
POST https://docs.endorlabs.com/feedback
```json
{
"path": "/api-reference/policyservice/createpolicy",
"feedback": "Description of the issue"
}
```
Only submit feedback when you have something specific and actionable to report.
# CreatePolicy
> Creates a policy.
## OpenAPI
````yaml /api-reference/openapi.v3.json post /v1/namespaces/{tenant_meta.namespace}/policies
openapi: 3.0.3
info:
description: Integrate your application with Endor Labs using the REST API.
title: Endor Labs REST API Reference
version: '1.0'
servers:
- url: https://api.endorlabs.com/
security: []
tags:
- name: AISastCustomerContextService
- name: APIKeyService
- name: APIKeyValidatorService
- name: ArtifactSignatureService
- name: AuditLogService
- name: AuthenticationLogService
- name: AuthenticationService
- name: AuthorizationPolicyService
- name: BatchFileSegmentsService
- name: BatchNotificationService
- name: CallGraphDataService
- name: CodeOwnersService
- name: DependencyMetadataService
- name: EndorIgnoreEntryService
- name: ExporterService
- name: FindingLogService
- name: FindingService
- name: HuggingFaceModelService
- name: HuggingFaceOrganizationService
- name: IPAddressPolicyService
- name: IdentityProviderService
- name: InstallationService
- name: InvitationService
- name: LicenseDependencyService
- name: LicenseNoticesReportService
- name: LicenseSummaryService
- name: LinterResultService
- name: MalwareService
- name: MetricService
- name: NamespaceService
- name: NotificationService
- name: NotificationTargetService
- name: OnPremSchedulerService
- name: PRCommentConfigService
- name: PackageFirewallLogService
- name: PackageLicenseOverrideService
- name: PackageLicenseQueryService
- name: PackageLicenseService
- name: PackageManagerService
- name: PackageVersionService
- name: PluginBinaryService
- name: PolicyService
- name: PolicyTemplateService
- name: ProjectService
- name: ProvisioningResultService
- name: QueryMalwareService
- name: QueryService
- name: QuerySimilarPackagesService
- name: QueryVulnerabilityService
- name: RegistryIngestionCheckpointService
- name: RepositoryService
- name: RepositoryVersionService
- name: RuleSetImportService
- name: SBOMExportService
- name: SBOMImportService
- name: SCMCredentialService
- name: SavedQueryService
- name: ScanLogRequestService
- name: ScanProfileService
- name: ScanResultService
- name: ScanWorkflowResultService
- name: ScanWorkflowService
- name: SecretRuleService
- name: SemgrepRuleService
- name: SystemConfigService
- name: TenantService
- name: VEXExportService
- name: VectorStoreService
- name: VersionUpgradeService
- name: VulnerabilityService
paths:
/v1/namespaces/{tenant_meta.namespace}/policies:
post:
tags:
- PolicyService
summary: CreatePolicy
description: Creates a policy.
operationId: PolicyService_CreatePolicy
parameters:
- description: >-
Namespaces are a way to organize organizational units into virtual
groupings of resources. Namespaces must be a fully qualified name,
for example, the child namespace of namespace "endor.prod" called
"app"
is called "endor.prod.app".
in: path
name: tenant_meta.namespace
required: true
schema:
type: string
x-endor-name: Namespace
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/PolicyServiceCreatePolicyBody'
required: true
x-originalParamName: body
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/v1Policy'
description: A successful response.
default:
content:
application/json:
schema:
$ref: '#/components/schemas/googlerpcStatus'
description: An unexpected error response.
components:
schemas:
PolicyServiceCreatePolicyBody:
description: Policy represents a policy in the system.
properties:
meta:
$ref: '#/components/schemas/v1Meta'
propagate:
description: Whether the object should be visible in child namespaces or not.
type: boolean
spec:
$ref: '#/components/schemas/v1PolicySpec'
tenant_meta:
description: Policies can be issued per namespace.
title: Policies can be issued per namespace.
type: object
uuid:
description: The UUID of the policy.
readOnly: true
type: string
required:
- meta
- spec
type: object
v1Policy:
description: Policy represents a policy in the system.
properties:
meta:
$ref: '#/components/schemas/v1Meta'
propagate:
description: Whether the object should be visible in child namespaces or not.
type: boolean
spec:
$ref: '#/components/schemas/v1PolicySpec'
tenant_meta:
$ref: '#/components/schemas/v1TenantMeta'
uuid:
description: The UUID of the policy.
readOnly: true
type: string
required:
- meta
- spec
type: object
googlerpcStatus:
description: >-
The `Status` type defines a logical error model that is suitable for
different programming environments, including REST APIs and RPC APIs. It
is
used by [gRPC](https://github.com/grpc). Each `Status` message contains
three pieces of data: error code, error message, and error details.
You can find out more about this error model and how to work with it in
the
[API Design Guide](https://cloud.google.com/apis/design/errors).
properties:
code:
description: |-
The status code, which should be an enum value of
[google.rpc.Code][google.rpc.Code].
format: int32
type: integer
details:
description: >-
A list of messages that carry the error details. There is a common
set of
message types for APIs to use.
items:
$ref: '#/components/schemas/googleprotobufAny'
type: array
message:
description: >-
A developer-facing error message, which should be in English. Any
user-facing error message should be localized and sent in the
[google.rpc.Status.details][google.rpc.Status.details] field, or
localized
by the client.
type: string
type: object
v1Meta:
description: Common fields for all Endor Labs resources.
properties:
annotations:
additionalProperties:
type: string
description: >-
Annotations can be used to attach metadata to a resource message.
Annotation values can be small or large, structured or unstructured,
and may include characters not permitted by labels.
The keys may contain alphanumerics, underscores (_), dots (.) and
dashes
(-). The values of an annotation must be 16384 bytes or smaller.
type: object
create_time:
description: |-
Time the resource was created.
Format: 2017-01-15T01:30:15.01Z
RFC 3339: https://www.ietf.org/rfc/rfc3339.txt.
format: date-time
readOnly: true
type: string
created_by:
description: |-
Name and authentication source of the user who created the object,
for example, ewok@endor.ai@google@api-key.
readOnly: true
type: string
description:
description: Resource description. Must be less than 1024 bytes.
type: string
index_data:
$ref: '#/components/schemas/v1IndexData'
kind:
description: >-
Resource kind, for example, HelloResponse.
Auto-generated using the protobuf message
proto.MessageName().Name().
readOnly: true
type: string
name:
description: Resource name. Must be 63 characters or less.
type: string
parent_kind:
description: Parent object resource kind, for example, Project.
type: string
parent_uuid:
description: Parent object UUID.
type: string
references:
additionalProperties:
$ref: '#/components/schemas/googleprotobufAny'
description: Map of objects referenced in a query API.
readOnly: true
type: object
tags:
description: >-
List of tags attached to the resource.
Tags can be used to select objects and to find collections of
objects that
satisfy certain conditions. A tag must be 255 characters or less.
items:
type: string
type: array
update_time:
description: |-
Time the resource was last updated.
Note: Updated on all create/patch/delete operations.
Format: 2017-01-15T01:30:15.01Z
RFC 3339: https://www.ietf.org/rfc/rfc3339.txt.
format: date-time
readOnly: true
type: string
updated_by:
description: >-
Name and authentication source of the last user who updated the
object,
for example, vulnerabilityingestor@endor.ai@x509.
readOnly: true
type: string
upsert_time:
description: |-
Time the resource was last upserted.
Note:
create_time is only set the first time the resource is created.
upsert_time is set every time the resource is upseted.
Format: 2017-01-15T01:30:15.01Z
RFC 3339: https://www.ietf.org/rfc/rfc3339.txt.
format: date-time
readOnly: true
type: string
version:
description: Message version.
readOnly: true
type: string
required:
- name
type: object
v1PolicySpec:
properties:
admission:
$ref: '#/components/schemas/PolicyAdmissionAction'
disable:
description: Disables a policy without deleting it.
type: boolean
exception:
$ref: '#/components/schemas/PolicyExceptionAction'
finding:
$ref: '#/components/schemas/PolicyFindingAction'
finding_categories:
description: >-
List of finding categories that the policy creates or acts on
findings
for. This field can be used to group policies.
items:
$ref: '#/components/schemas/v1FindingCategory'
type: array
finding_level:
$ref: '#/components/schemas/SpecFindingLevel'
group_by_fields:
description: |-
Custom fields to group policy output by. This may be a
subset of all custom keys in the policy output. You do not need to
add all custom fields here, just the ones you want to be used to
group the matches by. The corresponding values
are always treated as a single string.
items:
type: string
type: array
notification:
$ref: '#/components/schemas/v1PolicyNotificationAction'
policy_type:
$ref: '#/components/schemas/PolicyPolicyType'
project_exceptions:
description: |-
The set of tags that projects that are matched
with are excluded from the policy. Allows exceptions. Exceptions
can be provided with or without selectors.
items:
type: string
type: array
project_selector:
description: >-
The set of tags that projects must have for the policy to be
executed
against. If left empty, the policy applies to all projects of the
namespace. The items in the array correspond to an OR operator. That
is,
any project with a tag that matches any of the project_selector
values
will be matched.
items:
type: string
type: array
query_statements:
description: >-
The list of OPA query statements that must be executed to evaluate
the
policy. For example, [ "data.packagename.allow" ], [opulated from
template if applicable.
items:
type: string
type: array
resource_kinds:
description: |-
Identifies all resources that a policy requires.
For example, "Project", "Repository", "RepositoryVersion",
"PackageVersion", "DependencyMetadata", "Metric", "LinterResult",
"Finding", etc. For the "Metric" resource you must also specify the
corresponding parent resource kind.
items:
type: string
type: array
rule:
description: |-
The policy rule in text format.
For example:
package policyexample
default allow = false
allow {
data.resources.Project[_].meta.name = go-memdb"
}
type: string
template_parameters:
description: Template parameter metadata for this template version.
items:
$ref: '#/components/schemas/PolicyTemplateParameter'
type: array
template_uuid:
description: Indicates that the policy is created from a template.
type: string
template_values:
additionalProperties:
$ref: '#/components/schemas/PolicyTemplateParameterValues'
description: >-
The map of key-value pairs for parameters used to customize the
template.
type: object
template_version:
description: Template version.
type: string
required:
- policy_type
type: object
v1TenantMeta:
description: Tenant related data for the tenant containing the resource.
properties:
namespace:
description: >-
Namespaces are a way to organize organizational units into virtual
groupings of resources. Namespaces must be a fully qualified name,
for example, the child namespace of namespace "endor.prod" called
"app"
is called "endor.prod.app".
type: string
required:
- namespace
type: object
googleprotobufAny:
additionalProperties: {}
description: >-
`Any` contains an arbitrary serialized protocol buffer message along
with a
URL that describes the type of the serialized message.
Protobuf library provides support to pack/unpack Any values in the form
of utility functions or additional generated methods of the Any type.
Example 1: Pack and unpack a message in C++.
Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
...
}
Example 2: Pack and unpack a message in Java.
Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
foo = any.unpack(Foo.getDefaultInstance());
}
Example 3: Pack and unpack a message in Python.
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
any.Unpack(foo)
...
Example 4: Pack and unpack a message in Go
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
...
}
The pack methods provided by protobuf library will by default use
'type.googleapis.com/full.type.name' as the type URL and the unpack
methods only use the fully qualified type name after the last '/'
in the type URL, for example "foo.bar.com/x/y.z" will yield type
name "y.z".
JSON
====
The JSON representation of an `Any` value uses the regular
representation of the deserialized, embedded message, with an
additional field `@type` which contains the type URL. Example:
package google.profile;
message Person {
string first_name = 1;
string last_name = 2;
}
{
"@type": "type.googleapis.com/google.profile.Person",
"firstName": ,
"lastName":
}
If the embedded message type is well-known and has a custom JSON
representation, that representation will be embedded adding a field
`value` which holds the custom JSON in addition to the `@type`
field. Example (for message [google.protobuf.Duration][]):
{
"@type": "type.googleapis.com/google.protobuf.Duration",
"value": "1.212s"
}
properties:
'@type':
description: >-
A URL/resource name that uniquely identifies the type of the
serialized
protocol buffer message. This string must contain at least
one "/" character. The last segment of the URL's path must represent
the fully qualified name of the type (as in
`path/google.protobuf.Duration`). The name should be in a canonical
form
(e.g., leading "." is not accepted).
In practice, teams usually precompile into the binary all types that
they
expect it to use in the context of Any. However, for URLs which use
the
scheme `http`, `https`, or no scheme, one can optionally set up a
type
server that maps type URLs to message definitions as follows:
* If no scheme is provided, `https` is assumed.
* An HTTP GET on the URL must yield a [google.protobuf.Type][]
value in binary format, or produce an error.
* Applications are allowed to cache lookup results based on the
URL, or have them precompiled into a binary to avoid any
lookup. Therefore, binary compatibility needs to be preserved
on changes to types. (Use versioned type names to manage
breaking changes.)
Note: this functionality is not currently available in the official
protobuf release, and it is not used for type URLs beginning with
type.googleapis.com. As of May 2023, there are no widely used type
server
implementations and no plans to implement one.
Schemes other than `http`, `https` (or the empty scheme) might be
used with implementation specific semantics.
type: string
type: object
v1IndexData:
description: |-
IndexData is used to index the resource for search. It's an internal
object.
properties:
data:
items:
type: string
readOnly: true
type: array
search_score:
description: >-
search_score is the score of the resource for search. Internal use
only.
format: float
readOnly: true
type: number
tenant:
readOnly: true
type: string
will_be_deleted_at:
description: Time that the resource will be deleted.
format: date-time
readOnly: true
type: string
type: object
PolicyAdmissionAction:
properties:
bypass_exceptions:
description: |-
Set to true if exception policies should be ignored for findings
matching this policy.
type: boolean
disable_enforcement:
description: |-
If disable_enforcement is set the policy will just log the result
and not enforce an action. This allows debugging and observation
of the system.
type: boolean
type: object
PolicyExceptionAction:
properties:
expiration_time:
description: Expiration time of the exception policy.
format: date-time
type: string
reason:
$ref: '#/components/schemas/v1ExceptionReason'
tags:
description: |-
[Optional] List of tags to add to spec.exception.tags in matching
findings.
items:
type: string
type: array
required:
- reason
type: object
PolicyFindingAction:
properties:
categories:
description: |-
List of categories that capture the use cases the finding fits in.
For policy templates, this is used as the default value but
it can be changed.
items:
$ref: '#/components/schemas/v1FindingCategory'
type: array
explanation:
description: >-
Explanation provides information about the reason this is considered
noteworthy. For policy templates this is used as the default value
but
it can be changed to any free form string.
type: string
external_name:
description: |-
External finding name.
For policy templates this is used as the default value but
it can be changed to any free form string.
type: string
level:
$ref: '#/components/schemas/SpecFindingLevel'
meta_tags:
description: Additional meta tags for the finding that is created.
items:
type: string
type: array
remediation:
description: |-
Remediation instructions.
For policy templates this is used as the default value but
it can be changed to any free form string.
type: string
summary:
description: |-
Summary of the finding that is created.
For policy templates this is used as the default value but
it can be changed to any free form string.
type: string
tags:
description: |-
Additional tags for the finding that is created.
For policy templates, this is used as the default value but
it can be changed.
items:
$ref: '#/components/schemas/v1FindingTags'
type: array
target_kind:
description: |-
Repository, RepositoryVersion, or PackageVersion.
This is usually the same as the finding parent kind.
type: string
required:
- level
- summary
- explanation
- remediation
type: object
v1FindingCategory:
default: FINDING_CATEGORY_UNSPECIFIED
description: |-
Finding categories loosely correspond to use cases.
- FINDING_CATEGORY_VULNERABILITY: Vulnerability.
- FINDING_CATEGORY_SUPPLY_CHAIN: Supply chain specific problem (malicious packages, typosquats).
- FINDING_CATEGORY_LICENSE_RISK: License issue.
- FINDING_CATEGORY_SCPM: Security posture management.
- FINDING_CATEGORY_SECURITY: Generic security issue.
- FINDING_CATEGORY_OPERATIONAL: Generic operational issue.
- FINDING_CATEGORY_SECRETS: Exposed secret.
- FINDING_CATEGORY_MALWARE: Malware.
- FINDING_CATEGORY_CICD: CI/CD pipeline issue.
- FINDING_CATEGORY_TOOLS: Tooling issue.
- FINDING_CATEGORY_GHACTIONS: Finding applies to a GitHub action dependency.
- FINDING_CATEGORY_CONTAINER: Finding applies to a container image.
- FINDING_CATEGORY_SAST: SAST.
- FINDING_CATEGORY_AI_MODELS: AI Models.
- FINDING_CATEGORY_SECURITY_REVIEW: Security review.
- FINDING_CATEGORY_SCA: Software Composition Analysis issue.
enum:
- FINDING_CATEGORY_UNSPECIFIED
- FINDING_CATEGORY_VULNERABILITY
- FINDING_CATEGORY_SUPPLY_CHAIN
- FINDING_CATEGORY_LICENSE_RISK
- FINDING_CATEGORY_SCPM
- FINDING_CATEGORY_SECURITY
- FINDING_CATEGORY_OPERATIONAL
- FINDING_CATEGORY_SECRETS
- FINDING_CATEGORY_MALWARE
- FINDING_CATEGORY_CICD
- FINDING_CATEGORY_TOOLS
- FINDING_CATEGORY_GHACTIONS
- FINDING_CATEGORY_CONTAINER
- FINDING_CATEGORY_SAST
- FINDING_CATEGORY_AI_MODELS
- FINDING_CATEGORY_SECURITY_REVIEW
- FINDING_CATEGORY_SCA
type: string
SpecFindingLevel:
default: FINDING_LEVEL_UNSPECIFIED
description: |-
Finding severity level.
- FINDING_LEVEL_CRITICAL: Critical finding.
- FINDING_LEVEL_HIGH: Very important findings.
- FINDING_LEVEL_MEDIUM: Important findings.
- FINDING_LEVEL_LOW: Low priority finding.
enum:
- FINDING_LEVEL_UNSPECIFIED
- FINDING_LEVEL_CRITICAL
- FINDING_LEVEL_HIGH
- FINDING_LEVEL_MEDIUM
- FINDING_LEVEL_LOW
type: string
v1PolicyNotificationAction:
properties:
aggregation_type:
$ref: '#/components/schemas/NotificationActionAggregationType'
bypass_exceptions:
description: |-
Set to true if exception policies should be ignored for findings
matching this policy.
type: boolean
notification_target_uuids:
description: >-
The list of UUIDs of the notification targets that are configured
for
this policy.
items:
type: string
type: array
type: object
PolicyPolicyType:
default: POLICY_TYPE_UNSPECIFIED
description: |2-
- POLICY_TYPE_ADMISSION: POLICY_TYPE_ADMISSION will admit/reject pipeline runs.
Admission policies operate on Findings and are run during
a CI/CD pipeline. They may return data such as the uuids
of findings that violate the policy.
- POLICY_TYPE_NOTIFICATION: POLICY_TYPE_NOTIFICATION is for policies that generate notifications.
- POLICY_TYPE_ML_FINDING: ML finding policies enable or disable algorithmic findings.
Note that there is no input data for these policies,
they always return output, and the allowed value is ignored.
- POLICY_TYPE_SYSTEM_FINDING: A system finding policy is created from a system policy
template. It processes data and creates new findings.
System finding policies are run together with user and
ML (a.k.a. algorithmic) findings.
System finding policies can only be enabled, disabled, and
edited. They cannot be created or deleted.
- POLICY_TYPE_USER_FINDING: A user finding policy is created from scratch or from a customer
policy template. It processes data and creates new findings.
User finding policies are run together with system and
ML (a.k.a. algorithmic) findings.
User finding policies can be created, enabled, disabled, edited,
and deleted.
- POLICY_TYPE_EXCEPTION: An exception policy identifies findings which should be
excluded from admission and notification policies. It is
created from scratch or from an exception policy template.
- POLICY_TYPE_REMEDIATION: A remediation policy identifies findings which should be
remediated. It is created from scratch or from a remediation
policy template.
enum:
- POLICY_TYPE_UNSPECIFIED
- POLICY_TYPE_ADMISSION
- POLICY_TYPE_NOTIFICATION
- POLICY_TYPE_FINDING
- POLICY_TYPE_FINDING_CFG
- POLICY_TYPE_ML_FINDING
- POLICY_TYPE_SYSTEM_FINDING
- POLICY_TYPE_USER_FINDING
- POLICY_TYPE_EXCEPTION
- POLICY_TYPE_REMEDIATION
type: string
PolicyTemplateParameter:
properties:
default_values:
description: |-
List of default values, if applicable.
Used by the UI to pre-populate input values.
items:
type: string
type: array
description:
description: The description of the field.
type: string
multiple_ok:
description: Is true if multiple possible values are allowed to be set as a list.
type: boolean
name:
description: The parameter name displayed to the user.
type: string
possible_values:
description: |-
A list of possible values that are accepted
by the template. Can be used by the UI as a selector.
Ignored by UI if possible_values_from_db is set.
items:
type: string
type: array
possible_values_from_db:
$ref: '#/components/schemas/TemplateParameterQueryApiData'
required:
description: Set to true if the parameter must have an input value.
type: boolean
value:
description: |-
The actual template parameter name and
the key in the policy template_values map.
type: string
required:
- value
- description
- name
type: object
PolicyTemplateParameterValues:
properties:
values:
items:
type: string
title: List of template parameter values
type: array
type: object
v1ExceptionReason:
default: EXCEPTION_REASON_UNSPECIFIED
description: |-
Reasons for dismissing a finding.
- EXCEPTION_REASON_FALSE_POSITIVE: Tool is incorrect. This is not a real issue.
- EXCEPTION_REASON_RISK_ACCEPTED: Risk acknowledged and accepted.
- EXCEPTION_REASON_IN_TRIAGE: Issue is actively being triaged.
- EXCEPTION_REASON_OTHER: Other reason. Use policy description or dismiss comments to elaborate.
- EXCEPTION_REASON_RESOLVED: Issue has been resolved. For example, a secret is no longer valid.
enum:
- EXCEPTION_REASON_UNSPECIFIED
- EXCEPTION_REASON_FALSE_POSITIVE
- EXCEPTION_REASON_RISK_ACCEPTED
- EXCEPTION_REASON_IN_TRIAGE
- EXCEPTION_REASON_OTHER
- EXCEPTION_REASON_RESOLVED
type: string
v1FindingTags:
default: FINDING_TAGS_UNSPECIFIED
description: |-
Finding attributes.
- FINDING_TAGS_DIRECT: Finding applies to a direct dependency.
- FINDING_TAGS_TRANSITIVE: Finding applies to a transitive (indirect) dependency.
- FINDING_TAGS_PROJECT_INTERNAL: Finding applies to a dependency that belongs to the same project.
- FINDING_TAGS_NAMESPACE_INTERNAL: Finding applies to a dependency that belongs to the same namespace.
- FINDING_TAGS_REACHABLE_DEPENDENCY: Finding applies to a reachable dependency.
- FINDING_TAGS_UNREACHABLE_DEPENDENCY: Finding applies to an unreachable dependency.
- FINDING_TAGS_POTENTIALLY_REACHABLE_DEPENDENCY: Finding applies to a potentially reachable dependency.
- FINDING_TAGS_REACHABLE_FUNCTION: Finding applies to a reachable function.
- FINDING_TAGS_UNREACHABLE_FUNCTION: Finding applies to an unreachable function.
- FINDING_TAGS_POTENTIALLY_REACHABLE_FUNCTION: Finding applies to a potentially reachable function.
- FINDING_TAGS_FIXABLE: Deprecated.
- FINDING_TAGS_UNFIXABLE: Finding is unfixable.
- FINDING_TAGS_PRODUCTION: Deprecated.
- FINDING_TAGS_TEST: Finding applies to a dependency not in production code.
- FINDING_TAGS_NORMAL: Finding applies to a normal, non-test, dependency.
- FINDING_TAGS_FIX_AVAILABLE: There is a fix available for the CVE reported in this finding.
- FINDING_TAGS_SELF: Finding applies only to the analyzed package version, there is no
dependency involved.
- FINDING_TAGS_POLICY: Deprecated.
- FINDING_TAGS_CI_BLOCKER: Finding caused a CI failure.
- FINDING_TAGS_VALID_SECRET: Finding applies to a valid secret.
- FINDING_TAGS_INVALID_SECRET: Finding applies to an invalid secret.
- FINDING_TAGS_PATH_EXTERNAL: Finding applies to a transitive dependency that can only be reached via
external, non-OSS, project paths.
- FINDING_TAGS_MALWARE: Finding applies to malicious package.
- FINDING_TAGS_UNDER_REVIEW: Finding applies to suspicious package under review.
- FINDING_TAGS_PHANTOM: Finding applies to a phantom dependency.
- FINDING_TAGS_EXCEPTION: Finding is exempt from action policies.
- FINDING_TAGS_CI_WARNING: Finding caused a CI warning.
- FINDING_TAGS_NOTIFICATION: Finding triggered a notification.
- FINDING_TAGS_EXPLOITED: This vulnerability is known to be exploited.
- FINDING_TAGS_DISPUTED: This vulnerability has been marked as 'disputed'.
- FINDING_TAGS_WITHDRAWN: This vulnerability has been marked as 'withdrawn'.
- FINDING_TAGS_FALSE_POSITIVE: This finding has been analyzed to be a false positive.
- FINDING_TAGS_TRUE_POSITIVE: This finding has been analyzed to be a true positive.
- FINDING_TAGS_SNOOZED: Finding has been snoozed.
- FINDING_TAGS_AI: This finding was generated using AI.
- FINDING_TAGS_IGNORED: Finding has been ignored via the ignore file.
- FINDING_TAGS_SEGMENT_MATCH: Finding applies to a dependency discovered via segment-matching.
enum:
- FINDING_TAGS_UNSPECIFIED
- FINDING_TAGS_DIRECT
- FINDING_TAGS_TRANSITIVE
- FINDING_TAGS_PROJECT_INTERNAL
- FINDING_TAGS_NAMESPACE_INTERNAL
- FINDING_TAGS_REACHABLE_DEPENDENCY
- FINDING_TAGS_UNREACHABLE_DEPENDENCY
- FINDING_TAGS_POTENTIALLY_REACHABLE_DEPENDENCY
- FINDING_TAGS_REACHABLE_FUNCTION
- FINDING_TAGS_UNREACHABLE_FUNCTION
- FINDING_TAGS_POTENTIALLY_REACHABLE_FUNCTION
- FINDING_TAGS_FIXABLE
- FINDING_TAGS_UNFIXABLE
- FINDING_TAGS_PRODUCTION
- FINDING_TAGS_TEST
- FINDING_TAGS_NORMAL
- FINDING_TAGS_FIX_AVAILABLE
- FINDING_TAGS_SELF
- FINDING_TAGS_POLICY
- FINDING_TAGS_CI_BLOCKER
- FINDING_TAGS_VALID_SECRET
- FINDING_TAGS_INVALID_SECRET
- FINDING_TAGS_PATH_EXTERNAL
- FINDING_TAGS_MALWARE
- FINDING_TAGS_UNDER_REVIEW
- FINDING_TAGS_PHANTOM
- FINDING_TAGS_EXCEPTION
- FINDING_TAGS_CI_WARNING
- FINDING_TAGS_NOTIFICATION
- FINDING_TAGS_EXPLOITED
- FINDING_TAGS_DISPUTED
- FINDING_TAGS_WITHDRAWN
- FINDING_TAGS_FALSE_POSITIVE
- FINDING_TAGS_TRUE_POSITIVE
- FINDING_TAGS_SNOOZED
- FINDING_TAGS_AI
- FINDING_TAGS_IGNORED
- FINDING_TAGS_SEGMENT_MATCH
type: string
NotificationActionAggregationType:
default: AGGREGATION_TYPE_UNSPECIFIED
description: |2-
- AGGREGATION_TYPE_PROJECT: AGGREGATION_TYPE_PROJECT aggregates notifications by project.
- AGGREGATION_TYPE_DEPENDENCY: AGGREGATION_TYPE_DEPENDENCY aggregates notifications by dependency,
root package version, and project.
- AGGREGATION_TYPE_DEPENDENCY_ACROSS_PKG_VERSIONS: AGGREGATION_TYPE_DEPENDENCY_ACROSS_PKG_VERSIONS aggregates
notifications by dependency and project, regardless of the package
version.
- AGGREGATION_TYPE_NONE: AGGREGATION_TYPE_NONE does not aggregate notifications
- AGGREGATION_TYPE_MANUAL: AGGREGATION_TYPE_MANUAL identifies notifications created directly from findings via the UI.
Each finding results in a separate notification.
enum:
- AGGREGATION_TYPE_UNSPECIFIED
- AGGREGATION_TYPE_PROJECT
- AGGREGATION_TYPE_DEPENDENCY
- AGGREGATION_TYPE_DEPENDENCY_ACROSS_PKG_VERSIONS
- AGGREGATION_TYPE_NONE
- AGGREGATION_TYPE_MANUAL
type: string
TemplateParameterQueryApiData:
description: |-
Information needed to get the list of possible values via the API.
UI uses the meta.name and meta.description fields to present options.
properties:
filter:
description: |-
Optional database filter for the list query (for example,
"spec.origin==\"LINTER_RESULT_ORIGIN_SECRETS_SCANNER\"").
type: string
input_field:
description: >-
Full name of field in resource object to use as input value to
policy
template (for example, "spec.sarif_result.rule_id" or
"spec.license_id").
type: string
namespace:
description: |-
Optional value for the namespace to be used when retrieving the
possible data values.
type: string
resource_kind:
description: Resource kind (for example, "LinterResult" or "License").
type: string
required:
- resource_kind
- input_field
type: object
````