
# UpdateSecretRule

> Updates a secret rule.



## OpenAPI

````yaml /api-reference/openapi.v3.json patch /v1/namespaces/{object.tenant_meta.namespace}/secret-rules
# OpenAPI 3.0.3 excerpt of the Endor Labs REST API covering one operation.
openapi: 3.0.3
info:
  description: Integrate your application with Endor Labs using the REST API.
  title: Endor Labs REST API Reference
  version: '1.0'
servers:
  - url: https://api.endorlabs.com/
# NOTE(review): an empty top-level `security` list declares that requests need
# no credentials, and this excerpt defines neither an operation-level
# `security` requirement nor `components.securitySchemes`. Presumably the live
# API still authenticates callers; confirm, and declare the scheme so generated
# clients and API-security tooling do not treat the endpoint as anonymous.
security: []
# Service tags declared for the API. The only tag referenced by the operation
# in this excerpt is SecretRuleService.
tags:
  - name: AISastCustomerContextService
  - name: APIKeyService
  - name: APIKeyValidatorService
  - name: ArtifactSignatureService
  - name: AuditLogService
  - name: AuthenticationLogService
  - name: AuthenticationService
  - name: AuthorizationPolicyService
  - name: BatchFileSegmentsService
  - name: BatchNotificationService
  - name: CallGraphDataService
  - name: CodeOwnersService
  - name: DependencyMetadataService
  - name: EndorIgnoreEntryService
  - name: ExporterService
  - name: FindingLogService
  - name: FindingService
  - name: HuggingFaceModelService
  - name: HuggingFaceOrganizationService
  - name: IPAddressPolicyService
  - name: IdentityProviderService
  - name: InstallationService
  - name: InvitationService
  - name: LicenseDependencyService
  - name: LicenseNoticesReportService
  - name: LicenseSummaryService
  - name: LinterResultService
  - name: MalwareService
  - name: MetricService
  - name: NamespaceService
  - name: NotificationService
  - name: NotificationTargetService
  - name: OnPremSchedulerService
  - name: PRCommentConfigService
  - name: PackageFirewallLogService
  - name: PackageLicenseOverrideService
  - name: PackageLicenseQueryService
  - name: PackageLicenseService
  - name: PackageManagerService
  - name: PackageVersionService
  - name: PluginBinaryService
  - name: PolicyService
  - name: PolicyTemplateService
  - name: ProjectService
  - name: ProvisioningResultService
  - name: QueryMalwareService
  - name: QueryService
  - name: QuerySimilarPackagesService
  - name: QueryVulnerabilityService
  - name: RegistryIngestionCheckpointService
  - name: RepositoryService
  - name: RepositoryVersionService
  - name: RuleSetImportService
  - name: SBOMExportService
  - name: SBOMImportService
  - name: SCMCredentialService
  - name: SavedQueryService
  - name: ScanLogRequestService
  - name: ScanProfileService
  - name: ScanResultService
  - name: ScanWorkflowResultService
  - name: ScanWorkflowService
  - name: SecretRuleService
  - name: SemgrepRuleService
  - name: SystemConfigService
  - name: TenantService
  - name: VEXExportService
  - name: VectorStoreService
  - name: VersionUpgradeService
  - name: VulnerabilityService
paths:
  # The only operation in this excerpt: PATCH on a namespace's secret-rules
  # collection. The path carries the namespace but no rule identifier.
  /v1/namespaces/{object.tenant_meta.namespace}/secret-rules:
    patch:
      tags:
        - SecretRuleService
      summary: UpdateSecretRule
      description: Updates a secret rule.
      operationId: SecretRuleService_UpdateSecretRule
      # NOTE(review): there is no operation-level `security` key, so the
      # top-level `security: []` applies and the spec documents this write
      # operation as unauthenticated. Confirm the real requirement and state it.
      parameters:
        # Path parameter declared as a plain string; the dotted fully-qualified
        # form is described only in prose (no `pattern` or `maxLength`).
        - description: >-
            Namespaces are a way to organize organizational units into virtual

            groupings of resources. Namespaces must be a fully qualified name,

            for example, the child namespace of namespace "endor.prod" called
            "app"

            is called "endor.prod.app".
          in: path
          name: object.tenant_meta.namespace
          required: true
          schema:
            type: string
          x-endor-name: Namespace
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/SecretRuleServiceUpdateSecretRuleBody'
        required: true
        x-originalParamName: body
      responses:
        # Success returns the complete rule (v1SecretRule), including `spec`
        # and therefore any validation profile stored on it.
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/v1SecretRule'
          description: A successful response.
        # Catch-all error envelope. No specific status codes (for example for
        # authentication or authorization failures) are documented separately.
        default:
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/googlerpcStatus'
          description: An unexpected error response.
components:
  schemas:
    # Request body of UpdateSecretRule: the rule to write (`object`) plus the
    # update options (`request`).
    SecretRuleServiceUpdateSecretRuleBody:
      description: Request to update a secret rule.
      properties:
        object:
          properties:
            meta:
              $ref: '#/components/schemas/v1Meta'
            # Per the description, a propagated rule is visible in child
            # namespaces. NOTE(review): presumably an update to such a rule
            # (disabling it, widening its allowlists) also takes effect in
            # those namespaces; confirm before changing shared rules.
            propagate:
              description: |-
                Propagate indicates that the object should be visible in
                children namespaces.
              type: boolean
            spec:
              $ref: '#/components/schemas/v1SecretRuleSpec'
            # NOTE(review): declared as a bare object here, whereas the
            # response schema (v1SecretRule) references v1TenantMeta. The
            # namespace itself is supplied through the path parameter.
            tenant_meta:
              description: Rules are associated with a tenant and namespace.
              title: Rules are associated with a tenant and namespace.
              type: object
            # NOTE(review): the path has no rule identifier, so the target rule
            # is presumably selected by this uuid, yet `readOnly` tells
            # generated clients to leave it out of requests. Confirm how the
            # server identifies the rule being updated.
            uuid:
              description: The UUID of the secret rule.
              readOnly: true
              type: string
          type: object
        request:
          $ref: '#/components/schemas/v1UpdateRequest'
      # NOTE(review): `meta` and `spec` are listed as required at the body
      # level, but they are defined under `object`; the body's own properties
      # are `object` and `request`. This list looks misplaced (it probably
      # belongs inside `object`), and strict validators will apply it to the
      # top level as written.
      required:
        - meta
        - spec
      type: object
    # The stored secret rule, returned by the 200 response of this operation.
    v1SecretRule:
      properties:
        meta:
          $ref: '#/components/schemas/v1Meta'
        # Visibility of the rule in child namespaces (see description).
        propagate:
          description: |-
            Propagate indicates that the object should be visible in
            children namespaces.
          type: boolean
        # Full rule specification, including the optional `validation` profile
        # and the HMAC secret it may contain (v1HttpHmacAuth.secret).
        spec:
          $ref: '#/components/schemas/v1SecretRuleSpec'
        tenant_meta:
          $ref: '#/components/schemas/v1TenantMeta'
        # Server-assigned identifier (readOnly).
        uuid:
          description: The UUID of the secret rule.
          readOnly: true
          type: string
      required:
        - meta
        - spec
      type: object
    # Error envelope used by the operation's `default` response.
    googlerpcStatus:
      description: >-
        The `Status` type defines a logical error model that is suitable for

        different programming environments, including REST APIs and RPC APIs. It
        is

        used by [gRPC](https://github.com/grpc). Each `Status` message contains

        three pieces of data: error code, error message, and error details.


        You can find out more about this error model and how to work with it in
        the

        [API Design Guide](https://cloud.google.com/apis/design/errors).
      properties:
        # Numeric google.rpc.Code value, not an HTTP status code.
        code:
          description: |-
            The status code, which should be an enum value of
            [google.rpc.Code][google.rpc.Code].
          format: int32
          type: integer
        # Free-form detail objects (googleprotobufAny); their shape is not
        # constrained by this schema.
        details:
          description: >-
            A list of messages that carry the error details.  There is a common
            set of

            message types for APIs to use.
          items:
            $ref: '#/components/schemas/googleprotobufAny'
          type: array
        # Developer-facing text; per the description it is not meant to be
        # shown to end users as-is.
        message:
          description: >-
            A developer-facing error message, which should be in English. Any

            user-facing error message should be localized and sent in the

            [google.rpc.Status.details][google.rpc.Status.details] field, or
            localized

            by the client.
          type: string
      type: object
    # Metadata shared by all resources; only `name` is required.
    v1Meta:
      description: Common fields for all Endor Labs resources.
      properties:
        # NOTE(review): the size limits quoted in this schema's descriptions
        # (annotation value 16384 bytes, description 1024 bytes, name 63
        # characters, tag 255 characters) are prose only. No `maxLength` or
        # `pattern` is declared, so schema-based validation will not enforce
        # them; presumably the server does.
        annotations:
          additionalProperties:
            type: string
          description: >-
            Annotations can be used to attach metadata to a resource message.

            Annotation values can be small or large, structured or unstructured,

            and may include characters not permitted by labels.

            The keys may contain alphanumerics, underscores (_), dots (.) and
            dashes

            (-). The values of an annotation must be 16384 bytes or smaller.
          type: object
        create_time:
          description: |-
            Time the resource was created.

            Format: 2017-01-15T01:30:15.01Z
            RFC 3339: https://www.ietf.org/rfc/rfc3339.txt.
          format: date-time
          readOnly: true
          type: string
        # Server-set attribution (readOnly): the creating user and the
        # authentication source, useful when auditing who introduced a rule.
        created_by:
          description: |-
            Name and authentication source of the user who created the object,
            for example, ewok@endor.ai@google@api-key.
          readOnly: true
          type: string
        description:
          description: Resource description. Must be less than 1024 bytes.
          type: string
        # Search-index data; described in v1IndexData as an internal object.
        index_data:
          $ref: '#/components/schemas/v1IndexData'
        kind:
          description: >-
            Resource kind, for example, HelloResponse.

            Auto-generated using the protobuf message
            proto.MessageName().Name().
          readOnly: true
          type: string
        name:
          description: Resource name. Must be 63 characters or less.
          type: string
        parent_kind:
          description: Parent object resource kind, for example, Project.
          type: string
        parent_uuid:
          description: Parent object UUID.
          type: string
        # readOnly map of free-form objects (googleprotobufAny).
        references:
          additionalProperties:
            $ref: '#/components/schemas/googleprotobufAny'
          description: Map of objects referenced in a query API.
          readOnly: true
          type: object
        tags:
          description: >-
            List of tags attached to the resource.

            Tags can be used to select objects and to find collections of
            objects that

            satisfy certain conditions. A tag must be 255 characters or less.
          items:
            type: string
          type: array
        update_time:
          description: |-
            Time the resource was last updated.
            Note: Updated on all create/patch/delete operations.

            Format: 2017-01-15T01:30:15.01Z
            RFC 3339: https://www.ietf.org/rfc/rfc3339.txt.
          format: date-time
          readOnly: true
          type: string
        # Server-set attribution (readOnly) for the most recent update; the
        # field to check when reviewing an unexpected rule change.
        updated_by:
          description: >-
            Name and authentication source of the last user who updated the
            object,

            for example, vulnerabilityingestor@endor.ai@x509.
          readOnly: true
          type: string
        upsert_time:
          description: |-
            Time the resource was last upserted.

            Note:
            create_time is only set the first time the resource is created.
            upsert_time is set every time the resource is upseted.

            Format: 2017-01-15T01:30:15.01Z
            RFC 3339: https://www.ietf.org/rfc/rfc3339.txt.
          format: date-time
          readOnly: true
          type: string
        version:
          description: Message version.
          readOnly: true
          type: string
      required:
        - name
      type: object
    # The detection rule itself: pattern, filters, suppressions and an optional
    # HTTP validation profile. No property is marked required.
    v1SecretRuleSpec:
      description: |-
        Internal specification of the object.

        Follows the specification of the gitleaks configuration object defined
        here: https://github.com/gitleaks/gitleaks/blob/master/config/rule.go
      properties:
        # Singular form; the description of `allowlists` says the list form
        # replaces it.
        allowlist:
          $ref: '#/components/schemas/v1Allowlist'
        # Suppressions for this rule. Each entry can hide matches by regex,
        # path or commit, so changes here affect what gets reported.
        allowlists:
          description: >-
            Allows a rule to be ignored for specific regexes, paths, and/or
            commits.

            Replaces the singular allowlist field to align with gitleaks v8.21+

            config format, which supports multiple allowlists per rule with

            independent regex_target and condition values.
          items:
            $ref: '#/components/schemas/v1Allowlist'
          type: array
        description:
          description: The description of the rule.
          type: string
        # NOTE(review): presumably a disabled rule stops producing findings;
        # an update that sets this deserves the same review as deleting the
        # rule.
        disabled:
          description: Rule is disabled.
          type: boolean
        # Minimum Shannon entropy for the matched group (see description).
        # NOTE(review): presumably raising it reduces what is reported.
        entropy:
          description: |-
            A float representing the minimum Shannon entropy
            a regex group must have to be considered a secret.
          format: float
          type: number
        # Pre-filter: per the description, the regex is only evaluated on
        # content that contains the keywords.
        keywords:
          description: |-
            Keywords are used for pre-regex check filtering. Rules that contain
            keywords will perform a quick string compare check to make sure the
            keywords are in the content being scanned.
          items:
            type: string
          type: array
        # NOTE(review): documented through `title` rather than `description`,
        # unlike the sibling fields.
        path:
          title: |-
            A golang regular expression used to
            filter secrets by path
          type: string
        # Detection pattern in Go regular-expression syntax. The schema places
        # no `pattern`, `maxLength` or other constraint on it.
        regex:
          description: A golang regular expression used to detect secrets.
          type: string
        rule_id:
          description: The unique identifier for this rule.
          type: string
        secret_group:
          description: |-
            An int used to extract secret from regex
            match and used as the group that will have its entropy
            checked if `entropy` is set.
          format: int32
          type: integer
        tags:
          description: |-
            An array of strings used for metadata
            and reporting purposes.
          items:
            type: string
          type: array
        # Optional HTTP validation profile (v1HttpParamsProfile): the request
        # to build and the response that counts as success.
        validation:
          $ref: '#/components/schemas/v1HttpParamsProfile'
      type: object
    # Update options sent next to `object` in the request body.
    v1UpdateRequest:
      description: Message used for all update requests.
      properties:
        # Per the description, `force` applies the update even when checks
        # fail. NOTE(review): the excerpt does not say which checks these are;
        # treat forced updates as exceptions worth flagging in change review.
        force:
          description: |-
            Force will force the update of the resource if any
            checks fail.
          type: boolean
        # Without a mask every field is updated ("Defaults to all fields").
        # NOTE(review): a partial body sent without a mask may therefore reset
        # omitted fields such as `disabled` or `allowlists`; confirm, and
        # prefer an explicit mask. The mask syntax is not documented here.
        update_mask:
          description: Fields to update. Defaults to all fields.
          type: string
      type: object
    # Tenant scoping of a resource; `namespace` is the only field and is
    # required. Declared as a plain string with the format described in prose.
    v1TenantMeta:
      description: Tenant related data for the tenant containing the resource.
      properties:
        namespace:
          description: >-
            Namespaces are a way to organize organizational units into virtual

            groupings of resources. Namespaces must be a fully qualified name,

            for example, the child namespace of namespace "endor.prod" called
            "app"

            is called "endor.prod.app".
          type: string
      required:
        - namespace
      type: object
    # Generic protobuf `Any` wrapper. Used in this excerpt by
    # googlerpcStatus.details and v1Meta.references.
    googleprotobufAny:
      # Accepts arbitrary extra properties, so consumers cannot rely on this
      # schema to validate the embedded payload.
      additionalProperties: {}
      description: >-
        `Any` contains an arbitrary serialized protocol buffer message along
        with a

        URL that describes the type of the serialized message.


        Protobuf library provides support to pack/unpack Any values in the form

        of utility functions or additional generated methods of the Any type.


        Example 1: Pack and unpack a message in C++.

            Foo foo = ...;
            Any any;
            any.PackFrom(foo);
            ...
            if (any.UnpackTo(&foo)) {
              ...
            }

        Example 2: Pack and unpack a message in Java.

            Foo foo = ...;
            Any any = Any.pack(foo);
            ...
            if (any.is(Foo.class)) {
              foo = any.unpack(Foo.class);
            }
            // or ...
            if (any.isSameTypeAs(Foo.getDefaultInstance())) {
              foo = any.unpack(Foo.getDefaultInstance());
            }

         Example 3: Pack and unpack a message in Python.

            foo = Foo(...)
            any = Any()
            any.Pack(foo)
            ...
            if any.Is(Foo.DESCRIPTOR):
              any.Unpack(foo)
              ...

         Example 4: Pack and unpack a message in Go

             foo := &pb.Foo{...}
             any, err := anypb.New(foo)
             if err != nil {
               ...
             }
             ...
             foo := &pb.Foo{}
             if err := any.UnmarshalTo(foo); err != nil {
               ...
             }

        The pack methods provided by protobuf library will by default use

        'type.googleapis.com/full.type.name' as the type URL and the unpack

        methods only use the fully qualified type name after the last '/'

        in the type URL, for example "foo.bar.com/x/y.z" will yield type

        name "y.z".


        JSON

        ====

        The JSON representation of an `Any` value uses the regular

        representation of the deserialized, embedded message, with an

        additional field `@type` which contains the type URL. Example:

            package google.profile;
            message Person {
              string first_name = 1;
              string last_name = 2;
            }

            {
              "@type": "type.googleapis.com/google.profile.Person",
              "firstName": <string>,
              "lastName": <string>
            }

        If the embedded message type is well-known and has a custom JSON

        representation, that representation will be embedded adding a field

        `value` which holds the custom JSON in addition to the `@type`

        field. Example (for message [google.protobuf.Duration][]):

            {
              "@type": "type.googleapis.com/google.protobuf.Duration",
              "value": "1.212s"
            }
      properties:
        # Type URL naming the embedded message. The description notes that
        # type-server lookups over http/https are not available in the official
        # protobuf release, so the URL serves as an identifier there.
        '@type':
          description: >-
            A URL/resource name that uniquely identifies the type of the
            serialized

            protocol buffer message. This string must contain at least

            one "/" character. The last segment of the URL's path must represent

            the fully qualified name of the type (as in

            `path/google.protobuf.Duration`). The name should be in a canonical
            form

            (e.g., leading "." is not accepted).


            In practice, teams usually precompile into the binary all types that
            they

            expect it to use in the context of Any. However, for URLs which use
            the

            scheme `http`, `https`, or no scheme, one can optionally set up a
            type

            server that maps type URLs to message definitions as follows:


            * If no scheme is provided, `https` is assumed.

            * An HTTP GET on the URL must yield a [google.protobuf.Type][]
              value in binary format, or produce an error.
            * Applications are allowed to cache lookup results based on the
              URL, or have them precompiled into a binary to avoid any
              lookup. Therefore, binary compatibility needs to be preserved
              on changes to types. (Use versioned type names to manage
              breaking changes.)

            Note: this functionality is not currently available in the official

            protobuf release, and it is not used for type URLs beginning with

            type.googleapis.com. As of May 2023, there are no widely used type
            server

            implementations and no plans to implement one.


            Schemes other than `http`, `https` (or the empty scheme) might be

            used with implementation specific semantics.
          type: string
      type: object
    # Search-index bookkeeping attached to v1Meta. Every property is readOnly,
    # so clients are not expected to send any of it.
    v1IndexData:
      description: |-
        IndexData is used to index the resource for search. It's an internal
        object.
      properties:
        data:
          items:
            type: string
          readOnly: true
          type: array
        search_score:
          description: >-
            search_score is the score of the resource for search. Internal use
            only.
          format: float
          readOnly: true
          type: number
        # NOTE(review): undocumented field; presumably the owning tenant.
        tenant:
          readOnly: true
          type: string
        will_be_deleted_at:
          description: Time that the resource will be deleted.
          format: date-time
          readOnly: true
          type: string
      type: object
    # One suppression entry for a rule: matches covered by it are ignored.
    # Broad entries hide findings, so allowlist edits merit review.
    v1Allowlist:
      description: Allows a rule to be ignored for specific regexes, paths, and/or commits.
      properties:
        commits:
          description: A slice of commit SHAs that are allowed to be ignored.
          items:
            type: string
          type: array
        # Documented values are "OR" and "AND", with "OR" as the default, but
        # no `enum` or `default` is declared. NOTE(review): under "OR" a single
        # matching criterion presumably suffices to suppress a finding.
        condition:
          description: >-
            Match condition for this allowlist ("OR" or "AND"). Defaults to
            "OR".

            When "AND", all criteria must match for the allowlist to apply.
          type: string
        description:
          description: Short human readable description of the allowlist.
          type: string
        # Path patterns to ignore; no constraint on how broad a pattern may be.
        paths:
          description: A slice of path regular expressions that are allowed to be ignored.
          items:
            type: string
          type: array
        # NOTE(review): no description and no enum; the accepted values are
        # not documented in this excerpt.
        regex_target:
          title: RegexTarget
          type: string
        regexes:
          description: >-
            A slice of content regular expressions that are allowed to be
            ignored.
          items:
            type: string
          type: array
        # Per the description, stop words are compared with the extracted
        # secret rather than with the whole regex match.
        stop_words:
          description: >-
            A slice of stop words that are allowed to be ignored.

            This targets the _secret_, not the content of the regex match like
            the

            regexes slice.
          items:
            type: string
          type: array
      type: object
    # HTTP request/response profile referenced by v1SecretRuleSpec.validation.
    # NOTE(review): presumably the scanner issues this request with a detected
    # secret to check whether it is live, so whoever can write the rule decides
    # where that request goes. Restrict and audit write access accordingly.
    v1HttpParamsProfile:
      description: HttpParamsProfile defines the parameters to create an HTTP request.
      properties:
        # readOnly list of permitted template parameter names, each with a
        # regex for its value; per the title, only these names are accepted in
        # template_params.
        allowed_template_params:
          items:
            $ref: '#/components/schemas/HttpParamsProfileAllowedTemplateParam'
          readOnly: true
          title: >-
            AllowedTemplateParams defines a list of allowed template parameter
            names and regexes for validating their values.

            Only the template parameters with names in this list will be allowed
            in the template_params field.

            Example: [{"name": "TEMPLATE_PARAM_NAME_CLIENT_ID", "regex":
            "abc[0-9]{3}"}, {"name": "TEMPLATE_PARAM_NAME_TENANT_ID", "regex":
            "xyz[0-9]{3}"}]
          type: array
        description:
          description: >-
            Detailed description of the request. For example, "GitHub credential
            validation".
          type: string
        # NOTE(review): h_request/h_response and http_request/http_response
        # reference the same schemas. The excerpt does not say which pair is
        # authoritative or whether one is deprecated.
        h_request:
          $ref: '#/components/schemas/v1HttpParamsRequest'
        h_response:
          $ref: '#/components/schemas/v1HttpParamsResponse'
        # Carries an HMAC secret (v1HttpHmacAuth.secret) as part of the rule.
        hmac_auth:
          $ref: '#/components/schemas/v1HttpHmacAuth'
        http_request:
          $ref: '#/components/schemas/v1HttpParamsRequest'
        http_response:
          $ref: '#/components/schemas/v1HttpParamsResponse'
        name:
          title: Name identifies this entry. For example, "GitHub"
          type: string
        request_body:
          description: >-
            Request body as a string. This will be sent as the body of the HTTP
            request.

            If both request_body and the body parameter in SendRequest are
            provided,

            the body parameter takes precedence.
          type: string
        # Fallback parameter values (for example client and tenant IDs) stored
        # on the rule and readable by anyone who can read it.
        template_params:
          items:
            $ref: '#/components/schemas/HttpParamsProfileTemplateParams'
          title: >-
            Template parameter values to use when required template parameters
            are not found

            in the vicinity of the secret for validation. Each entry represents
            a set of values that can be

            tried in sequence during validation.

            Example: [{"values": [{"name": "TEMPLATE_PARAM_NAME_CLIENT_ID",
            "value": "abc123"}, {"name": "TEMPLATE_PARAM_NAME_TENANT_ID",
            "value": "xyz789"}]}]
          type: array
      type: object
    # One entry of v1HttpParamsProfile.allowed_template_params.
    HttpParamsProfileAllowedTemplateParam:
      description: >-
        AllowedTemplateParam defines an allowed template parameter name and
        regex for validating its value.
      properties:
        # Restricted to the v1TemplateParamName enum.
        name:
          $ref: '#/components/schemas/v1TemplateParamName'
        # NOTE(review): undocumented; presumably the pattern a supplied value
        # must match. Whether the match is anchored is not stated.
        regex:
          type: string
      type: object
    # Shape of the outbound validation request: destination, method and the
    # key/value pairs placed in header, query and body.
    v1HttpParamsRequest:
      description: >-
        HttpParamsRequest contains the information expected with the HTTP
        request.
      properties:
        body:
          description: The information to be put in the HTTP body.
          items:
            $ref: '#/components/schemas/v1HttpParam'
          type: array
        # Header pairs; an entry with `authz` set is rendered as an
        # Authorization header (see v1HttpParam).
        header:
          description: The information to be put in the HTTP header.
          items:
            $ref: '#/components/schemas/v1HttpParam'
          type: array
        # Described as GET or POST, but no `enum` restricts the value.
        method:
          description: Method is either GET or POST.
          type: string
        method_name:
          description: |-
            Gets appended to the URL as:
            URL[:method_name] usually followed by the query section.
          type: string
        query:
          description: The information to be put in the HTTP query section.
          items:
            $ref: '#/components/schemas/v1HttpParam'
          type: array
        # Destination of the validation request. The schema does not restrict
        # scheme or host (no `format: uri`, no pattern). NOTE(review): confirm
        # the server limits destinations to expected provider endpoints and
        # HTTPS, since credential material is presumably sent here.
        uri:
          title: >-
            The URI to use for this validation. For example,
            "https://api.github.com/user"
          type: string
      type: object
    # Criteria for interpreting the validation response: which status codes and
    # body contents mean the credential was accepted or rejected.
    v1HttpParamsResponse:
      description: >-
        HttpParamsResponse contains the information expected with the HTTP
        response.
      properties:
        failed_auth_codes:
          description: The codes expected on the failed authentication.
          items:
            format: int32
            type: integer
          type: array
        invalid_code_regex:
          description: The pattern/regex expected on failure. For example, "5\\d\\d".
          type: string
        # NOTE(review): typed as string although the example is numeric and the
        # *_auth_codes fields are int32 arrays. How it relates to
        # successful_auth_codes is not documented here.
        status_code:
          description: The code expected on success. For example, 200.
          type: string
        successful_auth_codes:
          description: The codes expected for a successful authentication.
          items:
            format: int32
            type: integer
          type: array
        # Extra body checks beyond the status code; per the description, all
        # listed keys must be present with matching values.
        successful_response_data:
          additionalProperties:
            type: string
          description: >-
            Map of key-value pairs that must be present in the response body for
            successful validation.

            This allows validation beyond just HTTP status codes.

            Example: {"ok": "true", "status": "active"} would require the
            response to contain both keys

            with matching values. The response can contain additional fields.
          type: object
        # Substring check on the response body (the body may contain more).
        successful_response_text:
          description: >-
            The expected response body text for successful validation.

            Example: "invalid_payload" would require the response body to
            contain the text "invalid_payload".

            The response body may contain additional text.
          type: string
      type: object
    # HMAC settings referenced by v1HttpParamsProfile.hmac_auth.
    v1HttpHmacAuth:
      description: HMAC information.
      properties:
        hdr_name:
          description: The name of the header field that contains the signature.
          type: string
        # NOTE(review): a plain string with no `writeOnly` or
        # `format: password`. The 200 response (v1SecretRule -> spec ->
        # validation -> hmac_auth) uses this same schema, so the stored key
        # appears to be returned to any caller who can read the rule. Confirm
        # whether the server redacts it, and mark the field accordingly.
        secret:
          description: The secret to use for the HMAC calculation.
          type: string
      type: object
    # One set of fallback template values for v1HttpParamsProfile.template_params.
    HttpParamsProfileTemplateParams:
      description: >-
        TemplateParams contains a list of template parameter name-value pairs
        that can be used

        for validation when the required template parameters are not found in
        the vicinity of the secret.

        For example, for Azure AD client secrets, this could contain the
        "ClientID" and "TenantID" values.
      properties:
        # Name/value pairs; names are limited to the v1TemplateParamName enum
        # through TemplateParamsTemplateValue.
        values:
          items:
            $ref: '#/components/schemas/TemplateParamsTemplateValue'
          title: >-
            List of template parameters name-value pairs.

            Example: [{"name": "TEMPLATE_PARAM_NAME_CLIENT_ID", "value":
            "abc123"}, {"name": "TEMPLATE_PARAM_NAME_TENANT_ID", "value":
            "xyz789"}]
          type: array
      type: object
    # Closed set of template parameter names. An omitted value defaults to
    # TEMPLATE_PARAM_NAME_UNSPECIFIED.
    v1TemplateParamName:
      default: TEMPLATE_PARAM_NAME_UNSPECIFIED
      description: >-
        TemplateParamName is the name of the template param used in secret
        validation profiles.

         - TEMPLATE_PARAM_NAME_CLIENT_ID: "ClientID" is the template parameter name for client ID.
         - TEMPLATE_PARAM_NAME_TENANT_ID: "TenantID" is the template parameter name for tenant ID.
      enum:
        - TEMPLATE_PARAM_NAME_UNSPECIFIED
        - TEMPLATE_PARAM_NAME_CLIENT_ID
        - TEMPLATE_PARAM_NAME_TENANT_ID
      type: string
    # One key/value pair placed in the header, query or body of the validation
    # request (see v1HttpParamsRequest).
    v1HttpParam:
      description: |-
        HttpParam is the key/value pair that will be rendered as "Key: Value"
        in the section of the requested portion of the HTTP request. It could
        be part of the request like the header, the query, or the body.

        If the authz flag is set, the library will render it as
        "Authorization: Key Value" instead of just "Key: Value".
      properties:
        # NOTE(review): the "Authorization enum" named in the title is not
        # defined in this excerpt, so the supported keys cannot be checked here.
        authz:
          title: |-
            If set, render the key-value as "Authorization: Key Value"
            instead of just "Key: Value". The supported keys are the ones
            specified in the Authorization enum (as string)
          type: boolean
        key:
          description: The key for this pair.
          type: string
        separator:
          description: The separator to use between key and value. Default is ":".
          type: string
        # Free-form string. NOTE(review): when `authz` is set this may hold
        # credential material, and it is returned with the rule like any other
        # field; confirm whether stored values are templated or literal.
        value:
          description: The value.
          type: string
      type: object
    # One name/value pair inside HttpParamsProfileTemplateParams.values.
    TemplateParamsTemplateValue:
      description: TemplateValue represents a single template parameter name-value pair.
      properties:
        # Restricted to the v1TemplateParamName enum.
        name:
          $ref: '#/components/schemas/v1TemplateParamName'
        # Free-form string; the schema declares no format or length limit.
        value:
          description: The template parameter value.
          type: string
      type: object

````