Description
An exception policy is an object that lets the user specify vulnerabilities that should be treated differently from the default treatment. The APIs below create, read, update and delete exceptions.
Vulnerability Exception Policy Structure
{
  "policyType": "vulnerabilityExceptionPolicy",
  "name": "simple-vulnerability-policy123",
  "guid": "3b0467c9-488d-c244-99d0-90fbf6002367",
  "attributes": {
    "is_namespace": "true"
  },
  "actions": [
    "ignore"
  ],
  "designators": [
    {
      "designatorType": "attribute",
      "attributes": {
        "cluster": "test-cluster1",
        "namespace": "test-ns",
        "kind": "pod",
        "name": "wl_name",
        "containerName": "name"
      }
    }
  ],
  "vulnerabilities": [
    {
      "name": "CVE-example"
    }
  ]
}
Fields
policyType
The type of the policy. For a vulnerability exception policy it must be 'vulnerabilityExceptionPolicy'.
name
The name of the exception as given by the user, for later recognition. This field is unique: two vulnerability exception policies can't have the same name.
guid
The GUID of the policy as assigned by the Armo system. This field may also be used for recognition.
actions
The action to take instead of the default. The only available action is 'ignore'.
designators
The designators of the exception, i.e. the scope (cluster, namespace, workload kind and name, container) the exception applies to.
vulnerabilities
Vulnerabilities to take the actions on.
POST /api/v1/vulnerabilityExceptionPolicy
Create vulnerability exceptions.
Query params
- customerGUID - required
Request object
Desired vulnerability exception policy as described in Vulnerability Exceptions.
Required fields
- policyType
- name
- actions
- designators
- vulnerabilities
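The following Python example is added here and is not part of the original documentation. It assembles a policy shaped like the structure above, checks the required fields, the policy type and the single allowed action before anything is sent, and builds (without sending) the POST or PUT request with the customerGUID query parameter. BASE_URL is a placeholder host; only the path comes from the page, and the GUID used in the usage call is the sample value from the page.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request

BASE_URL = "https://api.example.invalid"  # placeholder host; the page gives only the path
POLICY_PATH = "/api/v1/vulnerabilityExceptionPolicy"
POLICY_TYPE = "vulnerabilityExceptionPolicy"
ALLOWED_ACTIONS = {"ignore"}  # the only action the page documents
REQUIRED_FIELDS = ("policyType", "name", "actions", "designators", "vulnerabilities")


def build_policy(name, cluster, namespace, kind, workload, container, cves, attributes=None):
    """Assemble a policy object shaped like the structure documented above."""
    designator = {
        "designatorType": "attribute",
        "attributes": {
            "cluster": cluster,
            "namespace": namespace,
            "kind": kind,
            "name": workload,
            "containerName": container,
        },
    }
    return {
        "policyType": POLICY_TYPE,
        "name": name,
        "attributes": attributes or {},
        "actions": ["ignore"],
        "designators": [designator],
        "vulnerabilities": [{"name": cve} for cve in cves],
    }


def validate_policy(policy, require_guid=False):
    """Return a list of problems; an empty list means the object is acceptable.
    PUT additionally requires the guid, so callers pass require_guid=True for updates."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in policy:
            problems.append(f"missing required field: {field}")
    if require_guid and "guid" not in policy:
        problems.append("missing required field: guid")
    if policy.get("policyType") != POLICY_TYPE:
        problems.append(f"policyType must be {POLICY_TYPE!r}")
    bad_actions = set(policy.get("actions", [])) - ALLOWED_ACTIONS
    if bad_actions:
        problems.append(f"unsupported actions: {sorted(bad_actions)}")
    if not policy.get("designators"):
        problems.append("designators must not be empty: an exception needs a scope")
    if not policy.get("vulnerabilities"):
        problems.append("vulnerabilities must not be empty")
    for vuln in policy.get("vulnerabilities", []):
        if not isinstance(vuln, dict) or not vuln.get("name"):
            problems.append("every vulnerability entry needs a name")
    return problems


def build_request(method, customer_guid, policy=None, **params):
    """Build, but do not send, the HTTP request for the policy endpoint.
    customerGUID is always placed in the query string; the policy goes in the JSON body."""
    query = {"customerGUID": customer_guid, **params}
    url = f"{BASE_URL}{POLICY_PATH}?{urlencode(query)}"
    body = None
    if policy is not None:
        problems = validate_policy(policy, require_guid=(method == "PUT"))
        if problems:
            raise ValueError("; ".join(problems))
        body = json.dumps(policy).encode()
    return Request(url, data=body, method=method, headers={"Content-Type": "application/json"})


if __name__ == "__main__":
    policy = build_policy("simple-vulnerability-policy123", "test-cluster1", "test-ns",
                          "pod", "wl_name", "name", ["CVE-example"],
                          attributes={"is_namespace": "true"})
    req = build_request("POST", "31fb54a9-6e8f-4289-8506-f4e875ac19f7", policy)
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Sending the request is left to the caller (urllib.request.urlopen or any HTTP client) together with whatever authentication the deployment uses, which the page does not describe.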
Bulk
It is possible to create multiple exceptions for multiple vulnerabilities.
Query params
In addition to the previous query parameters:
- bulk - true
- actions - the same actions from the exception policy object
Request object
Standard response body for pagination APIs as would be given to /api/v1/vulnerability/scanResultsSumSummary
Naming convention
The exceptions that have been created using the bulk operation will have names according to the convention (WORKLOAD HASH)_(VULNERABILITY NAME)_(ACTIONS)
GET /api/v1/vulnerabilityExceptionPolicy
Get an exception policy object or list of objects
Query params
- customerGUID - required
  - With no further parameter, returns a list of all policies of the given customer
- policyName - Get a specific policy by name
- policyGUID - Get a specific policy by GUID
- list - Get just a list of names of exceptions of current customer
Filtering
It is possible to filter the policies by their properties using query parameters, for example vulnerabilities.name=CVE-example.
It is possible to filter by scope using a scope.PROPERTY query parameter, for example scope.cluster=cluster-name.
Multiple filters are possible.
Examples
Get all exceptions of the customer
/api/v1/vulnerabilityExceptionPolicy?customerGUID=31fb54a9-6e8f-4289-8506-f4e875ac19f7
Get filtered exceptions of the customer
/api/v1/vulnerabilityExceptionPolicy?customerGUID=31fb54a9-6e8f-4289-8506-f4e875ac19f7&scope.cluster=cluster-name&scope.namespace&vulnerabilities.name=CVE-name
/api/v1/vulnerabilityExceptionPolicy?customerGUID=31fb54a9-6e8f-4289-8506-f4e875ac19f7&name=exceptionPolicyName
Get specific policy
/api/v1/vulnerabilityExceptionPolicy?customerGUID=31fb54a9-6e8f-4289-8506-f4e875ac19f7&policyName=vul_example_name
/api/v1/vulnerabilityExceptionPolicy?customerGUID=31fb54a9-6e8f-4289-8506-f4e875ac19f7&policyGUID=31fb54a9-6e8f-4289-8506-f4e875ac19f7
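An added Python example, not part of the original documentation: it builds the filtered GET query string from the scope.PROPERTY and vulnerabilities.name parameters described above, and then goes one step beyond the page by auditing a list of returned policies so a reviewer can see which CVE is ignored in which scope. The "broad" flag is this example's own heuristic (a designator that names no workload), not something the API reports, and SAMPLE_POLICIES is constructed data shaped like the page's structure.

```python
from urllib.parse import urlencode

POLICY_PATH = "/api/v1/vulnerabilityExceptionPolicy"
# Designator attribute keys from the page's structure, least to most specific.
SCOPE_KEYS = ("cluster", "namespace", "kind", "name", "containerName")


def filter_url(customer_guid, scope=None, vulnerability_names=(), name=None):
    """Build the GET query string with the filters the page describes."""
    params = [("customerGUID", customer_guid)]
    for prop, value in (scope or {}).items():
        params.append((f"scope.{prop}", value))
    for cve in vulnerability_names:
        params.append(("vulnerabilities.name", cve))
    if name:
        params.append(("name", name))
    return f"{POLICY_PATH}?{urlencode(params)}"


def scope_of(designator):
    """Render a designator's attributes as a compact scope string."""
    attrs = designator.get("attributes", {})
    parts = [f"{k}={attrs[k]}" for k in SCOPE_KEYS if attrs.get(k)]
    return "/".join(parts) or "<unscoped>"


def audit_exceptions(policies):
    """Flatten policies into (policy name, cve, scope, broad) rows.

    'broad' is this example's heuristic: a designator without a workload 'name'
    suppresses the CVE for every workload in whatever cluster/namespace it does
    name, which is usually what a reviewer wants to look at first.
    """
    rows = []
    for policy in policies:
        for designator in policy.get("designators", []):
            attrs = designator.get("attributes", {})
            broad = not attrs.get("name")
            for vuln in policy.get("vulnerabilities", []):
                rows.append((policy["name"], vuln["name"], scope_of(designator), broad))
    return rows


# Constructed sample resembling what the GET endpoint returns (not real data).
SAMPLE_POLICIES = [
    {
        "policyType": "vulnerabilityExceptionPolicy",
        "name": "simple-vulnerability-policy123",
        "actions": ["ignore"],
        "designators": [{"designatorType": "attribute", "attributes": {
            "cluster": "test-cluster1", "namespace": "test-ns", "kind": "pod",
            "name": "wl_name", "containerName": "name"}}],
        "vulnerabilities": [{"name": "CVE-example"}],
    },
    {
        "policyType": "vulnerabilityExceptionPolicy",
        "name": "whole-namespace-ignore",
        "actions": ["ignore"],
        "designators": [{"designatorType": "attribute", "attributes": {
            "cluster": "test-cluster1", "namespace": "test-ns"}}],
        "vulnerabilities": [{"name": "CVE-example"}, {"name": "CVE-other"}],
    },
]

if __name__ == "__main__":
    print(filter_url("31fb54a9-6e8f-4289-8506-f4e875ac19f7",
                     scope={"cluster": "test-cluster1"}, vulnerability_names=["CVE-example"]))
    for row in audit_exceptions(SAMPLE_POLICIES):
        print(row)
```

The audit rows are a good thing to diff between two runs: a new row with broad=True means someone widened an exception from one workload to a whole namespace or cluster.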
PUT /api/v1/vulnerabilityExceptionPolicy
Update an existing exception.
Query params
- customerGUID - required
Request object
The new desired vulnerability exception policy as described in Vulnerability Exceptions.
Required fields
- policyType
- name
- guid
- actions
- designators
- vulnerabilities
DELETE /api/v1/vulnerabilityExceptionPolicy
Delete vulnerability exceptions.
Query params
- customerGUID - required
- policyName
  - Can appear multiple times to delete multiple policies
Bulk
It is possible to delete multiple exceptions for multiple vulnerabilities.
Query params
In addition to customerGUID.
- bulk - true
Request object
Standard response body for pagination APIs as would be given to /api/v1/vulnerability/scanResultsSumSummary
Naming convention
The operation will delete only exceptions that have been named according to the convention of (WORKLOAD HASH)_(VULNERABILITY NAME)_(ACTIONS)
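An added Python example, not part of the original documentation, covering the naming convention used by both the bulk create and the bulk delete operations: it composes a name of the form (WORKLOAD HASH)_(VULNERABILITY NAME)_(ACTIONS), parses a name back into its parts, and lists which exceptions a bulk delete would touch. The workload hash is treated as an opaque string computed by the platform (the sample value is made up), and joining several actions with a comma is this example's assumption, since the page lists only one action.

```python
import re

# Name layout the page gives for bulk-created exceptions:
# (WORKLOAD HASH)_(VULNERABILITY NAME)_(ACTIONS), with '_' as the separator.
BULK_NAME = re.compile(r"^(?P<workload_hash>[^_]+)_(?P<vulnerability>[^_]+)_(?P<actions>[^_]+)$")


def bulk_exception_name(workload_hash, vulnerability, actions=("ignore",)):
    """Compose a name the way the bulk create operation does.
    The hash is whatever the platform computes for the workload; it is opaque here.
    Joining multiple actions with ',' is this example's assumption."""
    for part in (workload_hash, vulnerability, *actions):
        if "_" in part:
            raise ValueError(f"{part!r} contains the '_' separator and would break parsing")
    return f"{workload_hash}_{vulnerability}_{','.join(actions)}"


def parse_bulk_name(name):
    """Return the three parts of a convention-named exception, or None if it does not match."""
    match = BULK_NAME.match(name)
    return match.groupdict() if match else None


def bulk_deletable(policies):
    """Names that a bulk delete would touch: only convention-named exceptions.
    Hand-named exceptions (anything else) must be deleted via policyName."""
    return [p["name"] for p in policies if parse_bulk_name(p["name"])]


if __name__ == "__main__":
    # Constructed sample: one bulk-created name, one hand-named exception.
    generated = bulk_exception_name("0123abcd", "CVE-2021-44228")
    print(generated, parse_bulk_name(generated))
    print(bulk_deletable([{"name": generated}, {"name": "simple-vulnerability-policy123"}]))
```

Caveat for reviewers: the convention is recognised only by shape, so a hand-named exception that happens to contain exactly two underscores looks the same as a bulk-created one. Listing bulk_deletable() output before running a bulk delete shows exactly which names are about to go.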