API Reference google_api_container_analysis v0.25.0

Modules

API client metadata for GoogleApi.ContainerAnalysis.V1.

API calls for all endpoints tagged Projects.

Handle Tesla connections for GoogleApi.ContainerAnalysis.V1.

Artifact describes a build product.

Note kind that represents a logical attestation "role" or "authority". For example, an organization might have one Authority for "QA" and one for "build". This note is intended to act strictly as a grouping mechanism for the attached occurrences (Attestations). This grouping mechanism also provides a security boundary, since IAM ACLs gate the ability for a principle to attach an occurrence to a given note. It also provides a single point of lookup to find all attached attestation occurrences, even if they don't all live in the same project.

Occurrence that represents a single "attestation". The authenticity of an attestation can be verified using the attached signature. If the verifier trusts the public key of the signer, then verifying the signature is sufficient to establish trust. In this circumstance, the authority to which this attestation is attached is primarily useful for lookup (how to find this attestation if you already know the authority and artifact to be verified) and intent (for which authority this attestation was intended to sign.

Response for creating occurrences in batch.

Associates members, or principals, with a role.

Note holding the version of the provider's builder and the signature of the provenance message in the build details occurrence.

Provenance of a build. Contains all information needed to verify the full details about the build from source to completion.

Attributes

  • id (type: String.t, default: nil) -

Common Vulnerability Scoring System. For details, see https://www.first.org/cvss/specification-document This is a message we will try to use for storing multiple versions of CVSS. The intention is that as new versions of CVSS scores get added, we will be able to modify this message rather than adding new protos for each new version of the score.

Common Vulnerability Scoring System version 3. For details, see https://www.first.org/cvss/specification-document

The category to which the update belongs.

A compliance check that is a CIS benchmark.

A CloudRepoSourceContext denotes a particular revision in a Google Cloud Source Repo.

Command describes a step performed as part of the build pipeline.

Indicates that the builder claims certain fields in this message to be complete.

Attributes

  • cisBenchmark (type: GoogleApi.ContainerAnalysis.V1.Model.CisBenchmark.t, default: nil) -
  • description (type: String.t, default: nil) - A description about this compliance check.
  • rationale (type: String.t, default: nil) - A rationale for the existence of this compliance check.
  • remediation (type: String.t, default: nil) - A description of remediation steps if the compliance check fails.
  • scanInstructions (type: String.t, default: nil) - Serialized scan instructions with a predefined format.
  • title (type: String.t, default: nil) - The title that identifies this compliance check.
  • version (type: list(GoogleApi.ContainerAnalysis.V1.Model.ComplianceVersion.t), default: nil) - The OS and config versions the benchmark applies to.

An indication that the compliance checks in the associated ComplianceNote were not satisfied for particular resources or a specified reason.

Describes the CIS benchmark version that is applicable to a given OS and os version.

ApprovalConfig describes configuration for manual approval of a build.

ApprovalResult describes the decision and associated metadata of a manual approval of a build.

Artifacts produced by a build that should be uploaded upon successful completion of all build steps.

Files in the workspace to upload to Cloud Storage upon successful completion of all build steps.

A build resource in the Cloud Build API. At a high level, a Build describes where to find source code, how to build it (for example, the builder image to run on the source), and where to store the built artifacts. Fields can include the following variables, which will be expanded when the build is created: - $PROJECT_ID: the project ID of the build. - $PROJECT_NUMBER: the project number of the build. - $LOCATION: the location/region of the build. - $BUILD_ID: the autogenerated ID of the build. - $REPO_NAME: the source repository name specified by RepoSource. - $BRANCH_NAME: the branch name specified by RepoSource. - $TAG_NAME: the tag name specified by RepoSource. - $REVISION_ID or $COMMIT_SHA: the commit SHA specified by RepoSource or resolved from the specified branch or tag. - $SHORT_SHA: first 7 characters of $REVISION_ID or $COMMIT_SHA.

BuildApproval describes a build's approval configuration, state, and result.

A fatal problem encountered during the execution of the build.

Details about how a build should be executed on a WorkerPool. See running builds in a private pool for more information.

A non-fatal problem encountered during the execution of the build.

Container message for hashes of byte content of files, used in SourceProvenance messages to verify integrity of source input to the build.

Pairs a set of secret environment variables mapped to encrypted values with the Cloud KMS key to use to decrypt the value.

Location of the source in a Google Cloud Source Repository.

Pairs a set of secret environment variables containing encrypted values with the Cloud KMS key to use to decrypt the value. Note: Use kmsKeyName with available_secrets instead of using kmsKeyName with secret. For instructions see: https://cloud.google.com/cloud-build/docs/securing-builds/use-encrypted-credentials.

Pairs a secret environment variable with a SecretVersion in Secret Manager.

Provenance of the source. Ways to find the original source, or verify that some source was used for this build.

Location of the source in an archive file in Google Cloud Storage.

Location of the source manifest in Google Cloud Storage. This feature is in Preview; see description here.

Volume describes a Docker container volume which is mounted into build steps in order to persist files across build step execution.

Attributes

  • hint (type: GoogleApi.ContainerAnalysis.V1.Model.DSSEHint.t, default: nil) - DSSEHint hints at the purpose of the attestation authority.

Deprecated. Prefer to use a regular Occurrence, and populate the Envelope at the top level of the Occurrence.

This submessage provides human-readable hints about the purpose of the authority. Because the name of a note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from "readable" names more suitable for debug output. Note that these hints should not be used to look up authorities in security sensitive contexts, such as when looking up attestations to verify.

An artifact that can be deployed in some runtime.

The period during which some deployable was active in a runtime.

A detail for a distro and package affected by this vulnerability and its associated fix (if one is available).

A note that indicates a type of analysis a provider would perform. This note exists in a provider's project. A Discovery occurrence is created in a consumer's project at the start of analysis.

Provides information about the analysis status of a discovered resource.

This represents a particular channel of distribution for a given package. E.g., Debian's jessie-backports dpkg mirror.

A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } The JSON representation for Empty is empty JSON object {}.

Attributes

  • keyid (type: String.t, default: nil) -
  • sig (type: String.t, default: nil) -

Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.

Container message for hashes of byte content of files, used in source messages to verify integrity of source input to the build.

A set of properties that uniquely identify a given Docker image.

Per resource and severity counts of fixable and total vulnerabilities.

A SourceContext referring to a Gerrit project.

Request message for GetIamPolicy method.

Encapsulates settings provided to GetIamPolicy.

A GitSourceContext denotes a particular revision in a third party Git repository (e.g., GitHub).

Metadata for all operations used and required for all operations that created by Container Analysis Providers

Container message for hash values.

This submessage provides human-readable hints about the purpose of the authority. Because the name of a note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from "readable" names more suitable for debug output. Note that these hints should not be used to look up authorities in security sensitive contexts, such as when looking up attestations to verify.

The unique identifier of the update.

Basis describes the base image portion (Note) of the DockerImage relationship. Linked occurrences are derived from this or an equivalent image via: FROM Or an equivalent reference, e.g., a tag of the resource_url.

Details of the derived image portion of the DockerImage relationship. This image would be produced from a Dockerfile with FROM .

Attributes

  • builderConfig (type: GoogleApi.ContainerAnalysis.V1.Model.BuilderConfig.t, default: nil) - required
  • materials (type: list(String.t), default: nil) - The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
  • metadata (type: GoogleApi.ContainerAnalysis.V1.Model.Metadata.t, default: nil) -
  • recipe (type: GoogleApi.ContainerAnalysis.V1.Model.Recipe.t, default: nil) - Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required

Spec defined at https://github.com/in-toto/attestation/tree/main/spec#statement The serialized InTotoStatement will be stored as Envelope.payload. Envelope.payloadType is always "application/vnd.in-toto+json".

Attributes

Attributes

  • name (type: String.t, default: nil) - The KB name (generally of the form KB[0-9]+ (e.g., KB123456)).
  • url (type: String.t, default: nil) - A link to the KB in the [Windows update catalog] (https://www.catalog.update.microsoft.com/).

Layer holds metadata specific to a layer of a Docker image.

Response for listing occurrences for a note.

An occurrence of a particular package installation found within a system's filesystem. E.g., glibc was found in /var/lib/dpkg/status.

Attributes

  • digest (type: map(), default: nil) -
  • uri (type: String.t, default: nil) -

Other properties of the build.

Details about files that caused a compliance check to fail. display_command is a single command that can be used to display a list of non compliant files. When there is no such command, we can also iterate a list of non compliant file using 'path'.

A type of analysis that can be done for a resource.

An instance of an analysis type that has been found on a resource.

A detail for a distro and package this vulnerability occurrence was found in and its associated fix (if one is available).

This represents a particular package that is distributed over various channels. E.g., glibc (aka libc6) is distributed by many, at various versions.

Details on how a particular software package was installed on a system.

An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A Policy is a collection of bindings. A binding binds one or more members, or principals, to a single role. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a binding can also specify a condition, which is a logical expression that allows access to a resource only if the expression evaluates to true. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the IAM documentation. JSON example: { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 } YAML example: bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 For a description of IAM and its features, see the IAM documentation.

Selects a repo using a Google Cloud Platform project ID (e.g., winged-cargo-31) and a repo name within that project.

Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe.

Metadata for any related URL information.

A unique identifier for a Cloud Repo.

Request message for SetIamPolicy method.

Verifiers (e.g. Kritis implementations) MUST verify signatures with respect to the trust anchors defined in policy (e.g. a Kritis policy). Typically this means that the verifier has been configured with a map from public_key_id to public key material (and any required parameters, e.g. signing algorithm). In particular, verification implementations MUST NOT treat the signature public_key_id as anything more than a key lookup hint. The public_key_id DOES NOT validate or authenticate a public key; it only provides a mechanism for quickly selecting a public key ALREADY CONFIGURED on the verifier through a trusted channel. Verification implementations MUST reject signatures in any of the following circumstances: The public_key_id is not recognized by the verifier. The public key that public_key_id refers to does not verify the signature with respect to the payload. The signature contents SHOULD NOT be "attached" (where the payload is included with the serialized signature bytes). Verifiers MUST ignore any "attached" payload and only verify signatures with respect to explicitly provided payload (e.g. a payload field on the proto message that holds this Signature, or the canonical serialization of the proto message that holds this signature).

Attributes

  • id (type: String.t, default: nil) -

Indicates that the builder claims certain fields in this message to be complete.

Other properties of the build.

Attributes

  • builder (type: GoogleApi.ContainerAnalysis.V1.Model.SlsaBuilder.t, default: nil) - required
  • materials (type: list(GoogleApi.ContainerAnalysis.V1.Model.Material.t), default: nil) - The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
  • metadata (type: GoogleApi.ContainerAnalysis.V1.Model.SlsaMetadata.t, default: nil) -
  • recipe (type: GoogleApi.ContainerAnalysis.V1.Model.SlsaRecipe.t, default: nil) - Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required

Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe.

Source describes the location of the source used for the build.

A SourceContext is a reference to a tree of files. A SourceContext together with a path point to a unique revision of a single file or directory.

The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.

Attributes

Request message for TestIamPermissions method.

Response message for TestIamPermissions method.

The Upgrade Distribution represents metadata about the Upgrade for each operating system (CPE). Some distributions have additional metadata around updates, classifying them into various categories and severities.

An Upgrade Note represents a potential upgrade of a package to a given version. For each package version combination (i.e. bash 4.0, bash 4.1, bash 4.1.2), there will be an Upgrade Note. For Windows, windows_update field represents the information related to the update.

An Upgrade Occurrence represents that a specific resource_url could install a specific upgrade. This presence is supplied via local sources (i.e. it is present in the mirror and the running system has noticed its availability). For Windows, both distribution and windows_update contain information for the Windows update.

Version contains structured information about the version of a package.

A security vulnerability that can be found in resources.

An occurrence of a severity vulnerability on a resource.

A summary of how many vulnerability occurrences there are per resource and severity type.

Attributes

  • cpeUri (type: String.t, default: nil) - Required. The CPE URI this vulnerability affects.
  • description (type: String.t, default: nil) - The description of this vulnerability.
  • fixingKbs (type: list(GoogleApi.ContainerAnalysis.V1.Model.KnowledgeBase.t), default: nil) - Required. The names of the KBs which have hotfixes to mitigate this vulnerability. Note that there may be multiple hotfixes (and thus multiple KBs) that mitigate a given vulnerability. Currently any listed KBs presence is considered a fix.
  • name (type: String.t, default: nil) - Required. The name of this vulnerability.

Windows Update represents the metadata about the update for the Windows operating system. The fields in this message come from the Windows Update API documented at https://docs.microsoft.com/en-us/windows/win32/api/wuapi/nn-wuapi-iupdate.

API client metadata for GoogleApi.ContainerAnalysis.V1alpha1.

API calls for all endpoints tagged Projects.

API calls for all endpoints tagged Providers.

Handle Tesla connections for GoogleApi.ContainerAnalysis.V1alpha1.

Artifact describes a build product.

Occurrence that represents a single "attestation". The authenticity of an Attestation can be verified using the attached signature. If the verifier trusts the public key of the signer, then verifying the signature is sufficient to establish trust. In this circumstance, the AttestationAuthority to which this Attestation is attached is primarily useful for look-up (how to find this Attestation if you already know the Authority and artifact to be verified) and intent (which authority was this attestation intended to sign for).

Note kind that represents a logical attestation "role" or "authority". For example, an organization might have one AttestationAuthority for "QA" and one for "build". This Note is intended to act strictly as a grouping mechanism for the attached Occurrences (Attestations). This grouping mechanism also provides a security boundary, since IAM ACLs gate the ability for a principle to attach an Occurrence to a given Note. It also provides a single point of lookup to find all attached Attestation Occurrences, even if they don't all live in the same project.

This submessage provides human-readable hints about the purpose of the AttestationAuthority. Because the name of a Note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from "readable" names more suitable for debug output. Note that these hints should NOT be used to look up AttestationAuthorities in security sensitive contexts, such as when looking up Attestations to verify.

Basis describes the base image portion (Note) of the DockerImage relationship. Linked occurrences are derived from this or an equivalent image via: FROM Or an equivalent reference, e.g. a tag of the resource_url.

Associates members, or principals, with a role.

Message encapsulating build provenance details.

Provenance of a build. Contains all information needed to verify the full details about the build from source to completion.

Message encapsulating the signature of the verified build.

Note holding the version of the provider's builder and the signature of the provenance message in linked BuildDetails.

Attributes

  • id (type: String.t, default: nil) -

Common Vulnerability Scoring System. This is the storage level proto that is intended to store similar data as the CVSS proto in google3/third_party/grafeas/proto/v1/cvss.proto

A compliance check that is a CIS benchmark.

Command describes a step performed as part of the build pipeline.

Indicates that the builder claims certain fields in this message to be complete.

ComplianceNote encapsulates all information about a specific compliance check.

An indication that the compliance checks in the associated ComplianceNote were not satisfied for particular resources or a specified reason.

Describes the CIS benchmark version that is applicable to a given OS and os version.

ApprovalConfig describes configuration for manual approval of a build.

ApprovalResult describes the decision and associated metadata of a manual approval of a build.

Artifacts produced by a build that should be uploaded upon successful completion of all build steps.

Files in the workspace to upload to Cloud Storage upon successful completion of all build steps.

A build resource in the Cloud Build API. At a high level, a Build describes where to find source code, how to build it (for example, the builder image to run on the source), and where to store the built artifacts. Fields can include the following variables, which will be expanded when the build is created: - $PROJECT_ID: the project ID of the build. - $PROJECT_NUMBER: the project number of the build. - $LOCATION: the location/region of the build. - $BUILD_ID: the autogenerated ID of the build. - $REPO_NAME: the source repository name specified by RepoSource. - $BRANCH_NAME: the branch name specified by RepoSource. - $TAG_NAME: the tag name specified by RepoSource. - $REVISION_ID or $COMMIT_SHA: the commit SHA specified by RepoSource or resolved from the specified branch or tag. - $SHORT_SHA: first 7 characters of $REVISION_ID or $COMMIT_SHA.

BuildApproval describes a build's approval configuration, state, and result.

A non-fatal problem encountered during the execution of the build.

Container message for hashes of byte content of files, used in SourceProvenance messages to verify integrity of source input to the build.

Pairs a set of secret environment variables mapped to encrypted values with the Cloud KMS key to use to decrypt the value.

Pairs a set of secret environment variables containing encrypted values with the Cloud KMS key to use to decrypt the value. Note: Use kmsKeyName with available_secrets instead of using kmsKeyName with secret. For instructions see: https://cloud.google.com/cloud-build/docs/securing-builds/use-encrypted-credentials.

Pairs a secret environment variable with a SecretVersion in Secret Manager.

Provenance of the source. Ways to find the original source, or verify that some source was used for this build.

Location of the source in an archive file in Google Cloud Storage.

Location of the source manifest in Google Cloud Storage. This feature is in Preview; see description here.

Volume describes a Docker container volume which is mounted into build steps in order to persist files across build step execution.

An occurrence describing an attestation on a resource

This submessage provides human-readable hints about the purpose of the authority. Because the name of a note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from "readable" names more suitable for debug output. Note that these hints should not be used to look up authorities in security sensitive contexts, such as when looking up attestations to verify.

An artifact that can be deployed in some runtime.

The period during which some deployable was active in a runtime.

Derived describes the derived image portion (Occurrence) of the DockerImage relationship. This image would be produced from a Dockerfile with FROM .

Identifies all occurrences of this vulnerability in the package for a specific distro/location For example: glibc in cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

Provides information about the scan status of a discovered resource.

A note that indicates a type of analysis a provider would perform. This note exists in a provider's project. A Discovery occurrence is created in a consumer's project at the start of analysis. The occurrence's operation will indicate the status of the analysis. Absence of an occurrence linked to this note for a resource indicates that analysis hasn't started.

This represents a particular channel of distribution for a given package. e.g. Debian's jessie-backports dpkg mirror

A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } The JSON representation for Empty is empty JSON object {}.

Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.

An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package

Container message for hashes of byte content of files, used in Source messages to verify integrity of source input to the build.

A set of properties that uniquely identify a given Docker image.

Request message for GetIamPolicy method.

Encapsulates settings provided to GetIamPolicy.

A summary of how many vulnz occurrences there are per severity type. counts by groups, or if we should have different summary messages like this.

A CloudRepoSourceContext denotes a particular revision in a Google Cloud Source Repo.

A GitSourceContext denotes a particular revision in a third party Git repository (e.g., GitHub).

Metadata for all operations used and required for all operations that created by Container Analysis Providers

Selects a repo using a Google Cloud Platform project ID (e.g., winged-cargo-31) and a repo name within that project.

A SourceContext is a reference to a tree of files. A SourceContext together with a path point to a unique revision of a single file or directory.

Container message for hash values.

Attributes

  • builderConfig (type: GoogleApi.ContainerAnalysis.V1alpha1.Model.BuilderConfig.t, default: nil) - required
  • materials (type: list(String.t), default: nil) - The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
  • metadata (type: GoogleApi.ContainerAnalysis.V1alpha1.Model.Metadata.t, default: nil) -
  • recipe (type: GoogleApi.ContainerAnalysis.V1alpha1.Model.Recipe.t, default: nil) - Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required

Spec defined at https://github.com/in-toto/attestation/tree/main/spec#statement The serialized InTotoStatement will be stored as Envelope.payload. Envelope.payloadType is always "application/vnd.in-toto+json".

This represents how a particular software package may be installed on a system.

Layer holds metadata specific to a layer of a Docker image.

Response including listed occurrences for a note.

Response including listed active occurrences.

An occurrence of a particular package installation found within a system's filesystem. e.g. glibc was found in /var/lib/dpkg/status

Material is a material used in the generation of the provenance

Details about files that caused a compliance check to fail.

Provides a detailed description of a Note.

Occurrence includes information about analysis occurrences for an image.

This resource represents a long-running operation that is the result of a network API call.

This represents a particular package that is distributed over various channels. e.g. glibc (aka libc6) is distributed by many, at various versions.

This message wraps a location affected by a vulnerability and its associated fix (if one is available).

An attestation wrapper with a PGP-compatible signature. This message only supports ATTACHED signatures, where the payload that is signed is included alongside the signature itself in the same file.

An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A Policy is a collection of bindings. A binding binds one or more members, or principals, to a single role. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a binding can also specify a condition, which is a logical expression that allows access to a resource only if the expression evaluates to true. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the IAM documentation. JSON example: { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 } YAML example: bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 For a description of IAM and its features, see the IAM documentation.

Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe.

Metadata for any related URL information

RepoSource describes the location of the source in a Google Cloud Source Repository.

Resource is an entity that can have metadata. E.g., a Docker image.

Indicates various scans and whether they are turned on or off.

Request message for SetIamPolicy method.

The number of occurrences created for a specific severity.

SlsaBuilder encapsulates the identity of the builder of this provenance.

Indicates that the builder claims certain fields in this message to be complete.

SlsaProvenance is the slsa provenance as defined by the slsa spec.

Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe.

Source describes the location of the source used for the build.

The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.

StorageSource describes the location of the source in an archive file in Google Cloud Storage.

Subject refers to the subject of the intoto statement

Request message for TestIamPermissions method.

Response message for TestIamPermissions method.

Request for updating an existing operation

The Upgrade Distribution represents metadata about the Upgrade for each operating system (CPE). Some distributions have additional metadata around updates, classifying them into various categories and severities.

An Upgrade Note represents a potential upgrade of a package to a given version. For each package version combination (i.e. bash 4.0, bash 4.1, bash 4.1.2), there will be a Upgrade Note.

An Upgrade Occurrence represents that a specific resource_url could install a specific upgrade. This presence is supplied via local sources (i.e. it is present in the mirror and the running system has noticed its availability).

Version contains structured information about the version of the package. For a discussion of this in Debian/Ubuntu: http://serverfault.com/questions/604541/debian-packages-version-convention For a discussion of this in Redhat/Fedora/Centos: http://blog.jasonantman.com/2014/07/how-yum-and-rpm-compare-versions/

Used by Occurrence to point to where the vulnerability exists and how to fix it.

VulnerabilityType provides metadata about a security vulnerability.

API client metadata for GoogleApi.ContainerAnalysis.V1beta1.

API calls for all endpoints tagged Projects.

Handle Tesla connections for GoogleApi.ContainerAnalysis.V1beta1.

Artifact describes a build product.

Defines a hash object for use in Materials and Products.

Defines an object to declare an in-toto artifact rule

Occurrence that represents a single "attestation". The authenticity of an attestation can be verified using the attached signature. If the verifier trusts the public key of the signer, then verifying the signature is sufficient to establish trust. In this circumstance, the authority to which this attestation is attached is primarily useful for look-up (how to find this attestation if you already know the authority and artifact to be verified) and intent (which authority was this attestation intended to sign for).

Note kind that represents a logical attestation "role" or "authority". For example, an organization might have one Authority for "QA" and one for "build". This note is intended to act strictly as a grouping mechanism for the attached occurrences (Attestations). This grouping mechanism also provides a security boundary, since IAM ACLs gate the ability for a principle to attach an occurrence to a given note. It also provides a single point of lookup to find all attached attestation occurrences, even if they don't all live in the same project.

Basis describes the base image portion (Note) of the DockerImage relationship. Linked occurrences are derived from this or an equivalent image via: FROM Or an equivalent reference, e.g. a tag of the resource_url.

Associates members, or principals, with a role.

Note holding the version of the provider's builder and the signature of the provenance message in the build details occurrence.

Provenance of a build. Contains all information needed to verify the full details about the build from source to completion.

Message encapsulating the signature of the verified build.

Defines an object for the byproducts field in in-toto links. The suggested fields are "stderr", "stdout", and "return-value".

Common Vulnerability Scoring System version 3. For details, see https://www.first.org/cvss/specification-document

A CloudRepoSourceContext denotes a particular revision in a Google Cloud Source Repo.

Command describes a step performed as part of the build pipeline.

ApprovalConfig describes configuration for manual approval of a build.

ApprovalResult describes the decision and associated metadata of a manual approval of a build.

Artifacts produced by a build that should be uploaded upon successful completion of all build steps.

Files in the workspace to upload to Cloud Storage upon successful completion of all build steps.

A build resource in the Cloud Build API. At a high level, a Build describes where to find source code, how to build it (for example, the builder image to run on the source), and where to store the built artifacts. Fields can include the following variables, which will be expanded when the build is created: - $PROJECT_ID: the project ID of the build. - $PROJECT_NUMBER: the project number of the build. - $LOCATION: the location/region of the build. - $BUILD_ID: the autogenerated ID of the build. - $REPO_NAME: the source repository name specified by RepoSource. - $BRANCH_NAME: the branch name specified by RepoSource. - $TAG_NAME: the tag name specified by RepoSource. - $REVISION_ID or $COMMIT_SHA: the commit SHA specified by RepoSource or resolved from the specified branch or tag. - $SHORT_SHA: first 7 characters of $REVISION_ID or $COMMIT_SHA.

BuildApproval describes a build's approval configuration, state, and result.

A non-fatal problem encountered during the execution of the build.

Container message for hashes of byte content of files, used in SourceProvenance messages to verify integrity of source input to the build.

Pairs a set of secret environment variables mapped to encrypted values with the Cloud KMS key to use to decrypt the value.

Pairs a set of secret environment variables containing encrypted values with the Cloud KMS key to use to decrypt the value. Note: Use kmsKeyName with available_secrets instead of using kmsKeyName with secret. For instructions see: https://cloud.google.com/cloud-build/docs/securing-builds/use-encrypted-credentials.

Pairs a secret environment variable with a SecretVersion in Secret Manager.

Provenance of the source. Ways to find the original source, or verify that some source was used for this build.

Location of the source in an archive file in Google Cloud Storage.

Location of the source manifest in Google Cloud Storage. This feature is in Preview; see description here.

Volume describes a Docker container volume which is mounted into build steps in order to persist files across build step execution.

An artifact that can be deployed in some runtime.

The period during which some deployable was active in a runtime.

Derived describes the derived image portion (Occurrence) of the DockerImage relationship. This image would be produced from a Dockerfile with FROM .

Identifies all appearances of this vulnerability in the package for a specific distro/location. For example: glibc in cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

Details of an attestation occurrence.

Provides information about the analysis status of a discovered resource.

A note that indicates a type of analysis a provider would perform. This note exists in a provider's project. A Discovery occurrence is created in a consumer's project at the start of analysis.

This represents a particular channel of distribution for a given package. E.g., Debian's jessie-backports dpkg mirror.

A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } The JSON representation for Empty is empty JSON object {}.

Defines an object for the environment field in in-toto links. The suggested fields are "variables", "filesystem", and "workdir".

Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.

An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package

Container message for hashes of byte content of files, used in source messages to verify integrity of source input to the build.

A set of properties that uniquely identify a given Docker image.

Per resource and severity counts of fixable and total vulnerabilities.

An attestation wrapper that uses the Grafeas Signature message. This attestation must define the serialized_payload that the signatures verify and any metadata necessary to interpret that plaintext. The signatures should always be over the serialized_payload bytestring.

A SourceContext referring to a Gerrit project.

Request message for GetIamPolicy method.

Encapsulates settings provided to GetIamPolicy.

A GitSourceContext denotes a particular revision in a third party Git repository (e.g., GitHub).

Metadata for all operations used and required for all operations that created by Container Analysis Providers

Attributes

  • hashes (type: GoogleApi.ContainerAnalysis.V1beta1.Model.ArtifactHashes.t, default: nil) -
  • resourceUri (type: String.t, default: nil) -

This corresponds to a signed in-toto link - it is made up of one or more signatures and the in-toto link itself. This is used for occurrences of a Grafeas in-toto note.

A signature object consists of the KeyID used and the signature itself.

Container message for hash values.

This submessage provides human-readable hints about the purpose of the authority. Because the name of a note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from "readable" names more suitable for debug output. Note that these hints should not be used to look up authorities in security sensitive contexts, such as when looking up attestations to verify.

This contains the fields corresponding to the definition of a software supply chain step in an in-toto layout. This information goes into a Grafeas note.

This represents how a particular software package may be installed on a system.

Attributes

  • name (type: String.t, default: nil) - The KB name (generally of the form KB[0-9]+ i.e. KB123456).
  • url (type: String.t, default: nil) - A link to the KB in the Windows update catalog - https://www.catalog.update.microsoft.com/

Layer holds metadata specific to a layer of a Docker image.

This corresponds to an in-toto link.

Response for listing occurrences for a note.

Response for listing scan configurations.

An occurrence of a particular package installation found within a system's filesystem. E.g., glibc was found in /var/lib/dpkg/status.

A type of analysis that can be done for a resource.

An instance of an analysis type that has been found on a resource.

This represents a particular package that is distributed over various channels. E.g., glibc (aka libc6) is distributed by many, at various versions.

This message wraps a location affected by a vulnerability and its associated fix (if one is available).

An attestation wrapper with a PGP-compatible signature. This message only supports ATTACHED signatures, where the payload that is signed is included alongside the signature itself in the same file.

An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A Policy is a collection of bindings. A binding binds one or more members, or principals, to a single role. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a binding can also specify a condition, which is a logical expression that allows access to a resource only if the expression evaluates to true. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the IAM documentation. JSON example: { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 } YAML example: bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 For a description of IAM and its features, see the IAM documentation.

Selects a repo using a Google Cloud Platform project ID (e.g., winged-cargo-31) and a repo name within that project.

Metadata for any related URL information.

A unique identifier for a Cloud Repo.

An entity that can have metadata. For example, a Docker image.

A scan configuration specifies whether Cloud components in a project have a particular type of analysis being run. For example, it can configure whether vulnerability scanning is being done on Docker images or not.

Request message for SetIamPolicy method.

Verifiers (e.g. Kritis implementations) MUST verify signatures with respect to the trust anchors defined in policy (e.g. a Kritis policy). Typically this means that the verifier has been configured with a map from public_key_id to public key material (and any required parameters, e.g. signing algorithm). In particular, verification implementations MUST NOT treat the signature public_key_id as anything more than a key lookup hint. The public_key_id DOES NOT validate or authenticate a public key; it only provides a mechanism for quickly selecting a public key ALREADY CONFIGURED on the verifier through a trusted channel. Verification implementations MUST reject signatures in any of the following circumstances: The public_key_id is not recognized by the verifier. The public key that public_key_id refers to does not verify the signature with respect to the payload. The signature contents SHOULD NOT be "attached" (where the payload is included with the serialized signature bytes). Verifiers MUST ignore any "attached" payload and only verify signatures with respect to explicitly provided payload (e.g. a payload field on the proto message that holds this Signature, or the canonical serialization of the proto message that holds this signature).

This defines the format used to record keys used in the software supply chain. An in-toto link is attested using one or more keys defined in the in-toto layout. An example of this is: { "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...", "key_type": "rsa", "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...", "key_scheme": "rsassa-pss-sha256" } The format for in-toto's key definition can be found in section 4.2 of the in-toto specification.

Source describes the location of the source used for the build.

A SourceContext is a reference to a tree of files. A SourceContext together with a path point to a unique revision of a single file or directory.

The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.

Request message for TestIamPermissions method.

Response message for TestIamPermissions method.

Version contains structured information about the version of a package.

Vulnerability provides metadata about a security vulnerability in a Note.

A summary of how many vulnerability occurrences there are per resource and severity type.

Attributes

  • cpeUri (type: String.t, default: nil) - Required. The CPE URI in cpe format in which the vulnerability manifests. Examples include distro or storage location for vulnerable jar.
  • description (type: String.t, default: nil) - The description of the vulnerability.
  • fixingKbs (type: list(GoogleApi.ContainerAnalysis.V1beta1.Model.KnowledgeBase.t), default: nil) - Required. The names of the KBs which have hotfixes to mitigate this vulnerability. Note that there may be multiple hotfixes (and thus multiple KBs) that mitigate a given vulnerability. Currently any listed kb's presence is considered a fix.
  • name (type: String.t, default: nil) - Required. The name of the vulnerability.