swagger: "2.0" info: description: "This is the Anchore Enterprise API. It provides additional external API routes and functionality for enterprise users." version: "0.1.1" title: "Anchore Enterprise API Server" contact: email: "dev@anchore.com" basePath: "/enterprise" schemes: - "http" - "https" consumes: - application/json produces: - application/json parameters: AsAccountParameter: name: x-anchore-account in: header required: false type: string description: An account name to change the resource scope of the request to that account, if permissions allow (admin only) paths: /images/{imageDigest}/check: get: x-swagger-router-controller: anchore_enterprise.services.api.controllers.images operationId: get_image_policy_check_by_digest x-anchore-authz-action: getImageEvaluation description: Get the policy evaluation for the given image summary: Check policy evaluation status for image parameters: - name: imageDigest in: path type: string required: true - name: policyId in: query type: string required: false - name: tag in: query type: string required: true - name: detail in: query type: boolean required: false default: true - name: history in: query type: boolean required: false default: false - name: interactive in: query type: boolean required: false default: false - name: base_digest in: query type: string required: false description: Digest of a base image. If specified the evaluation will indicate results inherited from the base image - $ref: "#/parameters/AsAccountParameter" responses: 200: description: Policy evaluation success schema: $ref: "#/definitions/EnterprisePolicyEvaluationList" 500: description: Internal Error schema: $ref: "#/definitions/ApiErrorResponse" /images/{imageDigest}/vuln/{vtype}: get: x-swagger-router-controller: anchore_enterprise.services.api.controllers.images operationId: get_image_vulnerabilities_by_digest x-anchore-authz-action: getImage summary: Get vulnerabilities by type parameters: - name: imageDigest in: path type: string required: true - name: vtype in: path type: string required: true - name: force_refresh in: query type: boolean required: false default: false - name: vendor_only in: query type: boolean required: false default: true - name: base_digest in: query type: string required: false description: Digest of a base image. If specified the vulnerabilities will indicate inheritance from the base image - $ref: "#/parameters/AsAccountParameter" responses: 200: description: Vulnerability listing for the image schema: $ref: "#/definitions/EnterpriseVulnerabilityResponse" 500: description: Internal Error schema: $ref: "#/definitions/ApiErrorResponse" /images/{image_digest}/ancestors: get: x-swagger-router-controller: anchore_enterprise.services.api.controllers.images operationId: get_image_ancestors x-anchore-authz-action: getImage summary: Return the list of ancestor images for the given image description: Returns list of ancestor images, which are the images that form the base layers of the image produces: - "application/json" parameters: - name: image_digest in: path type: string required: true - $ref: "#/parameters/AsAccountParameter" responses: 200: description: "Ancestor list" schema: $ref: "#/definitions/ImageAncestry" 404: description: "Image not found" 500: description: "Internal Error" /inventories: get: x-swagger-router-controller: anchore_enterprise.services.api.controllers.runtime_inventory operationId: get_image_inventory x-anchore-authz-action: listRuntimeInventories summary: "Return a list of the images in inventories for this account" description: "Returns a list of the images that are in use" produces: - "application/json" parameters: - name: inventory_type in: query type: string enum: - kubernetes - name: image_digest in: query type: string - name: context in: query type: string - $ref: "#/parameters/AsAccountParameter" responses: 200: description: "success" schema: $ref: "#/definitions/InventoryItems" 500: description: "Internal Error" post: x-swagger-router-controller: anchore_enterprise.services.api.controllers.runtime_inventory operationId: sync_image_inventory x-anchore-authz-action: syncInventory summary: "synchronizes the list of the images in a given cluster for the inventory" description: "synchronizes the list of the images that are in use" produces: - "application/json" parameters: - name: inventory in: body required: true schema: $ref: "#/definitions/InventoryReport" - $ref: "#/parameters/AsAccountParameter" responses: 200: description: "success" schema: $ref: "#/definitions/InventoryItems" 500: description: "Internal Error" /inventories/clusters: get: x-swagger-router-controller: anchore_enterprise.services.api.controllers.runtime_inventory operationId: list_inventory_clusters x-anchore-authz-action: listRuntimeInventories summary: "Return a list of the configured inventory clusters" description: "Returns a filterable list of the clusters that are configured for reporting image inventory" produces: - "application/json" parameters: - name: inventory_type in: query type: string enum: - kubernetes - $ref: "#/parameters/AsAccountParameter" responses: 200: description: "success" schema: $ref: "#/definitions/InventoryClusters" 500: description: "Internal Error" post: x-swagger-router-controller: anchore_enterprise.services.api.controllers.runtime_inventory operationId: add_inventory_cluster x-anchore-authz-action: createRuntimeInventory summary: "Create a cluster inventory" description: "Create a new cluster inventory with the provided configuration" consumes: - "application/json" parameters: - name: cluster in: body required: true schema: $ref: "#/definitions/InventoryCluster" - $ref: "#/parameters/AsAccountParameter" responses: 200: description: "success" schema: $ref: "#/definitions/InventoryCluster" 500: description: "Internal Error" /inventories/clusters/{cluster_name}: get: x-swagger-router-controller: anchore_enterprise.services.api.controllers.runtime_inventory operationId: get_inventory_cluster_by_name x-anchore-authz-action: getRuntimeInventory summary: "Return a configured inventory cluster" description: "Returns a cluster that is configured for reporting image inventory" produces: - "application/json" parameters: - name: cluster_name in: path type: string required: true - $ref: "#/parameters/AsAccountParameter" responses: 200: description: "success" schema: $ref: "#/definitions/InventoryCluster" 500: description: "Internal Error" delete: x-swagger-router-controller: anchore_enterprise.services.api.controllers.runtime_inventory operationId: del_inventory_cluster_by_name x-anchore-authz-action: deleteRuntimeInventory summary: "Delete a configured inventory clusters by cluster_name" description: "Removes a configured cluster for reporting image inventory by cluster_name" parameters: - name: cluster_name in: path type: string required: true - $ref: "#/parameters/AsAccountParameter" responses: 204: description: "success" 500: description: "Internal Error" /actions: get: x-swagger-router-controller: anchore_enterprise.services.api.controllers.actions operationId: get_action_plans x-anchore-authz-action: getActions summary: "Gets a list of submitted action (remediation) plans" description: "Retrieves a list of action plans that have been completed" produces: - "application/json" parameters: - name: image_tag in: query type: string - name: image_digest in: query type: string - name: created_after in: query type: string format: date-time description: RFC 3339 formatted UTC timestamp to filter out action plans that were only created after this date - $ref: "#/parameters/AsAccountParameter" responses: 200: description: "success" schema: $ref: "#/definitions/ActionPlans" 500: description: "Internal Error" post: x-swagger-router-controller: anchore_enterprise.services.api.controllers.actions operationId: add_action_plan x-anchore-authz-action: addAction summary: "Submits an Action Plan" description: "Submits an Action Plan and saves upon completion" produces: - "application/json" parameters: - name: action_plan in: body required: true schema: $ref: "#/definitions/ActionPlan" responses: 200: description: "success" schema: $ref: "#/definitions/ActionPlan" 500: description: "Internal Error" /alerts/summaries: get: x-swagger-router-controller: anchore_enterprise.services.api.controllers.alerts operationId: get_alert_summaries x-anchore-authz-action: listAlerts summary: List all alert summaries scoped to the account description: Returns a paginated list of alert summaries in chronological order from the most to least recently generated alerts. Return alerts in the open state by default. Use query parameters for filtering produces: - "application/json" parameters: - name: page in: query required: false type: integer default: 1 minimum: 1 - name: limit in: query required: false type: integer default: 100 minimum: 1 maximum: 100 - name: type in: query required: false type: string enum: - all - compliance_violation default: all description: Filter for alerts based on the type such as compliance violation - name: state in: query required: false type: string default: open enum: - all - open - closed description: Filter for alerts by current state, defaults to open alerts unless specified - name: created_after in: query required: false type: string format: date-time description: Filter for alerts generated after the timestamp - name: created_before in: query required: false type: string format: date-time description: Filter for alerts generated before the timestamp - name: resource_label in: query required: false type: array items: type: string pattern: '^\S+=\S+$' collectionFormat: multi uniqueItems: true description: Filter for alerts associated with a resource where the label in key=value format such as tag=docker.io/library/alpine:latest or repository=library/alpine - $ref: "#/parameters/AsAccountParameter" responses: 200: description: "List of alert summaries" schema: $ref: "#/definitions/AlertSummaryList" /alerts/compliance_violations: get: x-swagger-router-controller: anchore_enterprise.services.api.controllers.alerts operationId: get_compliance_violation_alerts x-anchore-authz-action: listAlerts summary: List all compliance violation alerts scoped to the account description: Returns a paginated list of compliance violation alerts in chronological order from the most to least recently generated alerts. Return alerts in the open state by default. Use query parameters for filtering produces: - "application/json" parameters: - name: page in: query required: false type: integer default: 1 minimum: 1 - name: limit in: query required: false type: integer default: 100 minimum: 1 maximum: 100 - name: state in: query required: false type: string default: open enum: - all - open - closed description: Filter for alerts by current state, defaults to open alerts unless specified - name: created_after in: query required: false type: string format: date-time description: Filter for alerts generated after the timestamp - name: created_before in: query required: false type: string format: date-time description: Filter for alerts generated before the timestamp - name: resource_image_digest in: query required: false type: string description: Filter for alerts associated with image digest - name: resource_image_tag in: query required: false type: string description: Filter for alerts generated for the tag - name: resource_registry in: query required: false type: string description: Filter for alerts associated with registry - name: resource_repository in: query required: false type: string description: Filter for alerts associated with repository - $ref: "#/parameters/AsAccountParameter" responses: 200: description: "List of compliance violation alerts" schema: $ref: "#/definitions/ComplianceViolationAlertList" /alerts/compliance_violations/{uuid}: get: x-swagger-router-controller: anchore_enterprise.services.api.controllers.alerts operationId: get_compliance_violation_alert x-anchore-authz-action: getAlert summary: Get compliance violation alert by id description: Returns a single compliance violation alert object produces: - "application/json" parameters: - name: uuid in: path type: string required: true description: Identifier for the alert - $ref: "#/parameters/AsAccountParameter" responses: 200: description: "Compliance violation alert" schema: $ref: "#/definitions/ComplianceViolationAlert" /alerts/compliance_violations/{uuid}/{state}: put: x-swagger-router-controller: anchore_enterprise.services.api.controllers.alerts operationId: update_compliance_violation_alert_state x-anchore-authz-action: updateAlert summary: Open or close a compliance violation alert description: Idempotent op for changing the alert state to open or closed produces: - "application/json" parameters: - name: uuid in: path type: string required: true description: Identifier for the alert - name: state in: path type: string required: true enum: - open - closed - $ref: "#/parameters/AsAccountParameter" responses: 200: description: "Alert state updated successfully" schema: $ref: "#/definitions/ComplianceViolationAlert" /corrections: get: x-swagger-router-controller: anchore_enterprise.services.api.controllers.corrections operationId: get_corrections x-anchore-authz-action: getCorrection summary: Retrieve a list of corrections description: Returns a list of corrections produces: - "application/json" parameters: - name: correction_type in: query type: string enum: - package - $ref: "#/parameters/AsAccountParameter" responses: 200: description: "Corrections retrieved successfully" schema: $ref: "#/definitions/CorrectionList" post: x-swagger-router-controller: anchore_enterprise.services.api.controllers.corrections operationId: add_correction x-anchore-authz-action: addCorrection summary: Create a correction record description: Add a correction record that will be used to fix produces: - "application/json" parameters: - name: correction in: body required: true schema: $ref: "#/definitions/Correction" - $ref: "#/parameters/AsAccountParameter" responses: 200: description: "Corrections retrieved successfully" schema: $ref: "#/definitions/CorrectionList" /corrections/{uuid}: get: x-swagger-router-controller: anchore_enterprise.services.api.controllers.corrections operationId: get_correction_by_uuid x-anchore-authz-action: getCorrection summary: Retrieve a correction by UUID description: Returns a single correction, looked up via it's uuid produces: - "application/json" parameters: - name: uuid in: path type: string required: true - $ref: "#/parameters/AsAccountParameter" responses: 200: description: "Correction retrieved successfully" schema: $ref: "#/definitions/Correction" put: x-swagger-router-controller: anchore_enterprise.services.api.controllers.corrections operationId: update_correction_by_uuid x-anchore-authz-action: updateCorrection summary: Update a correction by UUID description: Updates a single correction, looked up via it's uuid produces: - "application/json" parameters: - name: uuid in: path type: string required: true - name: correction in: body required: true schema: $ref: "#/definitions/Correction" - $ref: "#/parameters/AsAccountParameter" responses: 200: description: "Correction updated successfully" schema: $ref: "#/definitions/Correction" delete: x-swagger-router-controller: anchore_enterprise.services.api.controllers.corrections operationId: delete_correction_by_uuid x-anchore-authz-action: deleteCorrection summary: Delete a correction by UUID description: Delete a single correction, looked up via it's uuid produces: - "application/json" parameters: - name: uuid in: path type: string required: true - $ref: "#/parameters/AsAccountParameter" responses: 204: description: "Correction deleted successfully" definitions: ApiErrorResponse: description: "Generic HTTP API error response" type: object properties: code: type: integer format: int32 error_type: type: "string" message: type: "string" detail: type: object description: Details structure for additional information about the error if available. Content and structure will be error specific. EnterprisePolicyEvaluation: description: Evaluation response object type: object EnterprisePolicyEvaluationList: description: Evaluation response object type: array items: $ref: "#/definitions/EnterprisePolicyEvaluation" EnterpriseVulnerability: type: object properties: vuln: type: string description: The vulnerability identifier, such as CVE-2017-100, or RHSA-2017123 fix: type: string description: The package containing a fix, if available severity: type: string description: The severity of the vulnerability package: type: string description: The package name and version that are vulnerable in the image url: type: string description: The url for more information about the vulnerability feed: type: string description: The name of the feed where vulnerability match was made feed_group: type: string description: The name of the feed group where vulnerability match was made package_name: type: string description: The name of the vulnerable package artifact package_version: type: string description: The version of the vulnerable package artifact package_type: type: string description: The type of vulnerable package package_cpe: type: string description: The CPE string (if applicable) describing the package to vulnerability match package_path: type: string description: The location (if applicable) of the vulnerable package in the container filesystem nvd_data: $ref: "#/definitions/NvdDataList" vendor_data: $ref: "#/definitions/VendorDataList" inherited_from_base: type: boolean description: True if the vulnerable artifact is found in the base image. False otherwise NvdDataList: type: array description: List of Nvd Data objects items: $ref: "#/definitions/NvdDataObject" NvdDataObject: type: object properties: id: type: string description: NVD Vulnerability ID cvss_v2: $ref: "#/definitions/CVSSV2Scores" cvss_v3: $ref: "#/definitions/CVSSV3Scores" VendorDataList: type: array description: List of Vendor Data objects items: $ref: "#/definitions/VendorDataObject" VendorDataObject: type: object properties: id: type: string description: Vendor Vulnerability ID cvss_v2: $ref: "#/definitions/CVSSV2Scores" cvss_v3: $ref: "#/definitions/CVSSV3Scores" CVSSV2Scores: type: object properties: base_score: type: number x-nullable: True exploitability_score: type: number x-nullable: True impact_score: type: number x-nullable: True CVSSV3Scores: type: object properties: base_score: type: number x-nullable: True exploitability_score: type: number x-nullable: True impact_score: type: number x-nullable: True EnterpriseVulnerabilityList: type: array description: List of Vulnerability objects items: $ref: "#/definitions/EnterpriseVulnerability" EnterpriseVulnerabilityResponse: description: envelope containing list of vulnerabilities type: object properties: image_digest: type: string base_digest: type: string vulnerability_type: type: string vulnerabilities: $ref: "#/definitions/EnterpriseVulnerabilityList" ImageAncestry: type: array description: Array of ancestor objects. Sorted by the length of the layers array in each entry, effectively returning them in increasing order of number of common layers. items: $ref: "#/definitions/ImageAncestor" ImageAncestor: type: object description: An summary of an image and it's layers. properties: imageDigest: type: string description: The digest of the image example: "sha256:55cffbd26dbe2e79252dd3283b1adef4459441e7b4fc2fe5ccd2bd5b52670474" tags: type: array items: type: string description: Full tag reference that is known at any time previoiusly for the digest. example: "docker.io/library/node:latest" layers: type: array description: The full set of layers for this image items: type: string description: The layer ID example: "sha256:03810167880e863d81dc60fc7771c975b93dfdf982d5677fb2c23d11b02c644b" InventoryClusters: type: array items: $ref: "#/definitions/InventoryCluster" InventoryCluster: type: object description: Cluster configured for reporting Image Inventory properties: cluster_name: type: string inventory_type: type: string enum: - kubernetes cluster_config: $ref: "#/definitions/InventoryClusterConfig" InventoryClusterConfig: type: object description: Cluster specific configuration properties: credential_type: type: string enum: - private_key - token namespaces: type: array items: type: string description: Namespaces to search for images within this cluster cluster_server: type: string description: FQDN of the cluster API server cluster_certificate: type: string description: Base64 Encoded Public Certificate for the cluster client_certificate: type: string description: Base64 Encoded Public Certificate for the client. Not required if credential_type == token credential: type: string description: Base64 Encoded credential for the client InventoryReport: type: object description: Defines the object that Anchore expects to be provided for a given Image Inventory properties: cluster_name: type: string inventory_type: type: string timestamp: type: string format: date-time results: type: array items: $ref: "#/definitions/InventoryReportItem" InventoryReportItem: type: object description: Defines a particular context for an inventory properties: namespace: type: string images: type: array items: $ref: "#/definitions/InventoryReportImage" InventoryReportImage: type: object description: defines an image that may be provided for image inventory properties: tag: type: string repoDigest: type: string InventoryItems: type: array description: Inventory report for Images in Use items: $ref: "#/definitions/InventoryItem" InventoryItem: type: object description: Inventory result for a specific Namespace properties: inventory_type: type: string context: type: string image_tag: type: string image_digest: type: string created_at: type: string format: date-time last_updated: type: string format: date-time last_seen: type: string format: date-time ActionPlans: type: array description: List of Action Plans items: $ref: "#/definitions/ActionPlan" ActionPlan: type: object description: describes a remediation action plan object properties: type: type: string image_tag: type: string image_digest: type: string policy_id: type: string resolutions: type: array items: $ref: "#/definitions/ActionPlanResolution" endpoint: type: string configuration_id: type: string subject: type: string message: type: string uuid: type: string created_at: type: string format: date-time last_updated: type: string format: date-time ActionPlanResolution: type: object description: defines the trigger IDs and content of a resolution for an action plan properties: trigger_ids: type: array items: type: string content: type: string ResourceLabel: description: Label on the resource in the key value format type: object properties: key: type: string example: tag value: type: string example: "docker.io/library/alpine:latest" AlertSummary: description: A summary of the stateful indicator of a specific event in the system type: object properties: uuid: type: string description: Identifier for the alert example: 56c2463b-49e5-49d7-b9a4-0c5c78faec6e type: type: string description: Type of the alert enum: - compliance_violation example: compliance_violation state: type: string description: Current state of the alert enum: - open - closed example: open resource_labels: type: array items: $ref: "#/definitions/ResourceLabel" closed_by: type: string description: Account that closed the alert example: system closed_reason: type: string description: Reason for closing the alert example: closed by action plan id created_at: type: string description: RFC 3339 formatted UTC timestamp when the alert was generated format: date-time example: 2020-10-20T01:20:11.378022Z last_updated: type: string description: RFC 3339 formatted UTC timestamp when the alert was last modified format: date-time example: 2020-10-20T01:20:11.378022Z AlertSummaryList: type: array description: Array of alert summaries items: $ref: "#/definitions/AlertSummary" ComplianceResource: description: A resource that ties compliance related artifacts - image digest, tag and policy bundle type: object properties: image_digest: type: string policy_id: type: string image_tag: type: string registry: type: string repository: type: string evaluation_id: type: string evaluated_at: type: string format: date-time ComplianceViolationAlert: description: Alert raised by the system on a compliance check failure type: object properties: uuid: type: string description: Identifier for the alert example: 56c2463b-49e5-49d7-b9a4-0c5c78faec6e type: type: string description: Type of alert generated enum: - compliance_violation example: compliance_violation state: type: string description: Current state of the alert enum: - open - closed example: open resource: $ref: "#/definitions/ComplianceResource" closed_by: type: string description: Account that closed the alert example: system closed_reason: type: string description: Reason for closing the alert example: closed by action plan id created_at: type: string description: RFC 3339 formatted UTC timestamp when the alert was generated format: date-time example: 2020-10-20T01:20:11.378022Z last_updated: type: string description: RFC 3339 formatted UTC timestamp when the alert was last modified format: date-time example: 2020-10-20T01:20:11.378022Z compliance_status_reason: type: string description: Reason for compliance check status. Compliance check could fail due to policy evaluation or blacklisting or errors evaluating compliance example: policy_evaluation violations_count: type: integer description: Number of STOP action results in the compliance check report ComplianceViolationAlertList: type: array description: Array of compliance violation alerts items: $ref: "#/definitions/ComplianceViolationAlert" CorrectionList: type: array description: Array of Corrections items: $ref: "#/definitions/Correction" Correction: type: object description: Defines a correction object for false positive management required: - type - match - replace properties: uuid: type: string description: Identifier for the correction example: 56c2463b-49e5-49d7-b9a4-0c5c78faec6e type: type: string description: Type of correction enum: - package description: type: string match: $ref: "#/definitions/CorrectionMatch" replace: type: array items: $ref: "#/definitions/CorrectionFieldMatch" created_at: type: string description: RFC 3339 formatted UTC timestamp when the correction was generated format: date-time example: 2020-10-20T01:20:11.378022Z last_updated: type: string description: RFC 3339 formatted UTC timestamp when the correction was last modified format: date-time example: 2020-10-20T01:20:11.378022Z CorrectionMatch: type: object description: Defines how a particular correction can match depending on type required: - type properties: type: type: string description: type of match [supports os, npm, gem, python, java, go] example: npm field_matches: type: array description: list of field matches that are required in order for this correction to match items: $ref: "#/definitions/CorrectionFieldMatch" CorrectionFieldMatch: type: object description: Defines a particular field name and value to match for a Correction required: - field_name - field_value properties: field_name: type: string description: The package field name to match example: name field_value: type: string description: The package field value for the corresponding field_name above to match. If field_name corresponds to a list value, this will search the list