Release 1.39 API
July 07, 2025
Before understanding the API release highlights, learn more about the API server URL to be used in your API requests by referring to the Know Your Qualys API Server URL section. For this API Release Notes, <qualys_base_url> is mentioned in the sample API requests.
With the Container Security 1.39 release, the following enhancements in APIs are made.
- Continuous Assessment of Images
- Ability to Block Malicious Image
- Ability to Block Image having Secrets
Continuous Assessment of Images
With this release, CS supports Continuous Assessment of images. As a result, the Response section of some Image APIs shows the following fields. To know more about Continuous Assessment of the images, refer to Container Security 1.39 Release Notes.
|
Parameter |
Description |
|---|---|
| source | Indicates type of the scan source. With this release, a new value CONTINUOUS_ASSESSMENT is introduced which indicates that the image type is marked for Continuous Assessment. Valid values: GENERAL, REGISTRY, CICD, CONTINUOUS_ASSESSMENT, and so on. |
| isContinuouslyAssessed | Specify if the image is continuously assessed. Valid values: true - The image is marked for its continuous assessment. false - The image is not marked for continuous assessment. |
| lastAssessed | Indicates the time (EPOCH) at which the image was assessed for the last time. Example: 1746677220581 |
The following APIs are updated to support this feature.
- Fetch Image Details -
GET /csapi/v1.3/images/{imageSha} - Fetch a List of Images (Bulk API) -
GET /csapi/v1.3/images/list - Fetch a List of Images in your account -
GET /csapi/v1.3/images
Updated API: Fetch Images Details
| New or Updated APIs | Updated |
|---|---|
| API Endpoint (New version) | /csapi/v1.3/images/{imageSha} |
| Method | GET |
| DTD XSD Changes | No |
Sample: Fetch Image DetailsSample: Fetch Image Details
API Request
curl -X 'GET'
'<qualys_base_url>/csapi/v1.3/images/fa7c845c82ad89b542233b42712cf419b409f6b8b28464c441d6e2645f563bd5' \
-H 'accept: application/json' \
-H Authorization: Bearer <Token> \
-H 'Content-Type: application/json'
API Response
{
"created": "1603477517000",
"updated": "1605017537578",
"lastUsedDate;: "1716251515814",
"author": "Couchbase Docker Team <docker@couchbase.com>",
"repo": [
{
"registry": "docker.io",
"tag": "latest",
"repository": "couchbase"
}
],
"repoDigests": [
{
"registry": "docker.io",
"digest": "1d811b3c382893f70f0cc0f2371a12d3671c1d5175bcc67e8c2a5c0bf4c8f976",
"repository": "couchbase"
}
],
"label": null,
"uuid": "5d48f83b-cddb-33ac-8fad-e8452dd116b1",
"sha": "c64844065dcbc3d0a90c365c1f56421766a5cebf05f7ecbd3377af410fff09fd",
"operatingSystem": "Ubuntu Linux 16.04.7",
"customerUuid": "192cc974-1e44-cb6c-806e-f78f6441cb0d",
"dockerVersion": "18.09.7",
"size": 1183790011,
"layers": [
{
"size": "0",
"createdBy": "rm -rf-rt /var/lib/apt/lists/*",
"created": "1603474389000",
"comment": "",
"id": null,
"sha": null,
"tags": null
},
{
"size": "1930",
"createdBy": "COPY file:d816a67f62bfba76d2812cefbe92252afa13f3852775c3e68599df7741e90cb7 in / ",
"created": "1603477517000",
"comment": "",
"id": null,
"sha": null,
"tags": null
}
],
"host": [
{
"sensorUuid": "fed79006-2fa9-4b67-8f5a-272b4e02f084",
"hostname": "host.acme.com",
"ipAddress": "10.**.2*.*0",
"uuid": "6ba5be85-2758-4f44-814a-b690c9ed23ee",
"lastUpdated": "2020-11-10T14:10:29.218Z"
}
],
"architecture": "amd64",
"imageId": "c64844065dcb",
"lastVmScanDate": "1605017537578",
"registryUuid": null,
"source": [ "GENERAL", "REGISTRY", "CONTINUOUS_ASSESSMENT" ],
"totalVulCount": "0",
"users": [
"root"
],
"isDockerHubOfficial": null,
"isInstrumented": null,
"instrumentedFrom": null,
"instrumentationState": null,
"scanType": "DYNAMIC",
"scanTypes": [
"DYNAMIC"
],
"scanErrorCode": null,
"scanStatus": "SUCCESS",
"lastFoundOnHost": {
"sensorUuid": "fed79006-2fa9-4b67-8f5a-272b4e02f084",
"hostname": "host.acme.com",
"ipAddress": "10.**.2*.*0",
"uuid": "6ba5be85-2758-4f44-814a-b690c9ed23ee",
"lastUpdated": "2020-11-10T14:10:29.218Z"
},
"lastScannedBySensor": "fde436ad-3686-46f9-a2e5-9f7523668d34",
"scanErrorMessage": "Static: Package manager not found",
"malware": {
"imageMalwareCount": 1,
"malwarePrediction": {
"prediction": "malicious",
"score": 1,
"severity": 3,
"category": "dropper",
"family": "mirai"
}
},
"lastMalwareScanned": null,
"exceptions": [
"77116d5b-aaa0-4dba-a334-9fe6a6f0dd98"
],
"secrets": [
{
"severity": "MEDIUM",
"filePath": "/root/foo/foo1.txt",
"layerSha": "7afaca6fd6f46466f2f23f51c647918c7818a431792547db3a7bc033d261a1e3",
"match": null,
"startLine": 0,
"secretType": "Asana Client Secret"
},
{
"severity": "CRITICAL",
"filePath": "/home/qatest/key/gcp-service-account.json",
"layerSha": "5bc804df91a229c1f26d254b5247c699c1e1a53673ec1d30e263e7b4bda96beb",
"match": null,
"startLine": 0,
"secretType": "Google (GCP) Service-account"
}
],
"lastSecretScanned": null,
"riskScore": null,
"riskScoreCalculatedDate": null,
"formulaUsed": null,
"maxQdsScore": null,
"qdsSeverity": null,
"criticality": 3,
"criticalityUpdated": 1717098843553,
"baseImage": null,
"childImagesCount": 0,
"sbomLayerProcessingTimestamp": null,
"baseImageProcessingTimestamp": null,
"isContinuouslyAssessed": true,
"lastAssessed": "1746677220581"
"softwares": [
{
"name": "libsw5:amd64",
"version": "6.0+20160213-1ubuntu1",
"fixVersion": null,
"vulnerabilities": null
},
{
"name": "libgpg-error0:amd64",
"version": "1.21-2ubuntu1",
"fixVersion": null,
"vulnerabilities": null
}
],
"vulnerabilities": [],
"lastComplianceScanned": "1603477517000"
}
Updated API: Fetch a List of Images (Bulk API)
| New or Updated APIs | Updated |
|---|---|
| API Endpoint (New version) | /csapi/v1.3/images/list |
| Method | GET |
| DTD XSD Changes | No |
Sample: Fetch a List of Images (Bulk API)Sample: Fetch a List of Images (Bulk API)
API Request
curl -X "GET"
"<qualys_base_url>/csapi/v1.3/images/list?filter=imagesInUse:'[now-7d ... now]'&limit=2&scanDetails=malware%2C%20secrets"
-H "accept: application/json"
-H "Authorization: Bearer <token>"
API Response
{
"data": [
{
"created": "1472581305000",
"updated": "1724323293607",
"author": "jack_reader",
"repo": [
{
"registry": "art-hq.abc.com:5001",
"tag": "fedora22",
"repository": "multi-os-images"
},
{
"registry": "msftlongregistrytest.azurecr.io",
"tag": "tag",
"repository": "test1/test2"
}
],
"repoDigests": [
{
"registry": "docker.io",
"digest": "dea6d6d845c3eba400289b61444ce193dd3df73f8ac70fb60fb6ed39718e111c",
"repository": "jr1/alpine-amd64"
},
{
"registry": "docker.io",
"digest": "d5cce9139f8758171936a033c0625307760026446d4d30f084ff6b52aecc1721",
"repository": "fedora"
},
],
"label": [],
"uuid": "d165a97b-7e10-3f0b-acb9-eac7c39d1532",
"sha": "01a9fe974dba61470137158fc1987884ea1f2333ae60c7f76562dbae02739ada",
"operatingSystem": "Fedora 22",
"customerUuid": "af24ca38-27a8-6bd9-8241-5ec3c9eecdb5",
"dockerVersion": "1.12.1",
"size": 188728229,
"layers": [
{
"size": "188728229",
"createdBy": "ADD file:e14b712e5cfef28691da81e314415790d59685a366414f6be248b871e42d4436 in / ",
"created": "1472581305000",
"comment": "",
"id": "01a9fe974dba",
"sha": "01a9fe974dba61470137158fc1987884ea1f2333ae60c7f76562dbae02739ada",
"tags": [
"ocir.io/baayf/abc:fedora",
"art-hq.abc.com:5001/multi-os-images:fedora22",
"jack_reader/alpine-amd64:fedora",
"fedora:22",
"ocir.io/baayf/public-1:centos",
"msftlongregistryandreponametest.azurecr.io/test1/test2:tag"
],
"layerNumber": null,
"isBaseLayer": null,
"isEmptyLayer": null
},
{
"size": "0",
"createdBy": "jack_reader",
"created": "1472581297000",
"comment": "",
"id": null,
"sha": null,
"tags": null,
"layerNumber": null,
"isBaseLayer": null,
"isEmptyLayer": null
}
],
"architecture": "amd64",
"imageId": "01a9fe974dba",
"lastScanned": "1724323293607",
"registryUuid": null,
"source": [
"GENERAL",
"REGISTRY",
"CONTINUOUS_ASSESSMENT"
],
"users": [],
"lastFoundOnHost": {
"sensorUuid": "75e30f2f-05f5-413f-9baf-0095b39347ad",
"hostname": "localhost.localdomain",
"ipAddress": "10.115.97.76",
"uuid": "62fe1baa-0311-0002-ca34-0050568cd03b",
"lastUpdated": "2024-08-22T10:52:22.065Z"
},
"lastUsedDate": null,
"isDockerHubOfficial": null,
"scanType": null,
"scanTypes": [
"STATIC"
],
"softwares": [
"name": "rpm-plugin-selinux",
"version": "4.12.0.1-14.fc22",
"fixVersion": null,
"scanType": "STATIC",
"packagePath": null
},
{
"name": "libuuid",
"version": "2.26.2-4.fc22",
"fixVersion": null,
"scanType": "STATIC",
"packagePath": null
},
{
"name": "libstdc++",
"version": "5.3.1-2.fc22",
"fixVersion": null,
"scanType": "STATIC",
"packagePath": null
},
{
"name": "deltarpm",
"version": "3.6-8.fc22",
"fixVersion": null,
"scanType": "STATIC",
"packagePath": null
},
],
"vulnerabilities": [
{
"qid": 124975,
"result": null,
"software": [
{
"name": "libssh2",
"version": "1.5.0-1.fc22",
"fixVersion": "1.5.0-2.fc22",
"scanType": "STATIC",
"packagePath": null
}
],
"lastFound": "1724323293564",
"firstFound": "1724323293564",
"typeDetected": "CONFIRMED",
"scanType": [
"STATIC"
]
},
{
"qid": 276308,
"result": null,
"software": [
{
"name": "openssl-libs",
"version": "1.0.1k-13.fc22",
"fixVersion": "1.0.1k-14.fc22",
"scanType": "STATIC",
"packagePath": null
}
],
"lastFound": "1724323293570",
"firstFound": "1724323293570",
"typeDetected": "CONFIRMED",
"scanType": [
"STATIC"
]
},
{
"qid": 276113,
"result": null,
"software": [
{
"name": "openssl-libs",
"version": "1.0.1k-13.fc22",
"fixVersion": "1.0.1k-15.fc22",
"scanType": "STATIC",
"packagePath": null
}
],
"lastFound": "1724323293567",
"firstFound": "1724323293567",
"typeDetected": "CONFIRMED",
"scanType": [
"STATIC"
]
},
],
"malware": null,
"secrets": null,
"lastMalwareScanned": null,
"riskScore": null,
"riskScoreCalculatedDate": null,
"maxQdsScore": null,
"qdsSeverity": null,
"criticality": 5,
"criticalityUpdated": 1717098843553,
"isContinuouslyAssessed": true,
"lastAssessed": "1746677220581",
},
{
"created": "1490217199000",
"updated": "1724323252042",
"author": "",
"repo": [
{
"registry": "docker.io",
"tag": "latest",
"repository": "iojs"
},
{
"registry": "dockregtest01.eng.acme.com:5000",
"tag": "latest",
"repository": "iojs"
}
],
"repoDigests": [
{
"registry": "docker.io",
"digest": "e9c867712191ac0d35041268feed489bcaaf9c1169296ca780ba4be03ca4610c",
"repository": "iojs"
},
{
"registry": "dockregtest01.eng.acme.com:5000",
"digest": "ebe3fd385e36a8bbfae06e1f8c1e88a4abfce10dbfc4b8b339d3c0df072ee9f4",
"repository": "iojs"
}
],
"label": [],
"uuid": "1ea83c91-0ef9-3c50-9fdc-d7d3551fb59a",
"sha": "fdab38ea8e39d1bd42b3ef244e6ea4f85a72b41608c6f372bd9de4ba900b4f99",
"operatingSystem": null,
"customerUuid": "af24ca38-27a8-6bd9-8241-5ec3c9eecdb5",
"dockerVersion": "1.12.6",
"size": 648592935,
"layers": [
{
"size": "0",
"createdBy": "CMD [\"iojs\"]",
"created": "1490217199000",
"comment": "",
"id": "fdab38ea8e39",
"sha": "fdab38ea8e39d1bd42b3ef244e6ea4f85a72b41608c6f372bd9de4ba900b4f99",
"tags": [
"iojs:latest",
"dockregtest01.eng.acme.com:5000/iojs:latest"
],
"layerNumber": null,
"isBaseLayer": null,
"isEmptyLayer": null
},
{
"size": "0",
"createdBy": "ENV IOJS_VERSION=3.3.0",
"created": "1490217194000",
"comment": "",
"id": null,
"sha": null,
"tags": null,
"layerNumber": null,
"isBaseLayer": null,
"isEmptyLayer": null
},
{
"size": "0",
"createdBy": "ENV NPM_CONFIG_LOGLEVEL=info",
"created": "1490217176000",
"comment": "",
"id": null,
"sha": null,
"tags": null,
"layerNumber": null,
"isBaseLayer": null,
"isEmptyLayer": null
},
{
"size": "322890800",
"createdBy": "john_doe",
"created": "1490123534000",
"comment": "",
"id": null,
"sha": null,
"tags": null,
"layerNumber": null,
"isBaseLayer": null,
"isEmptyLayer": null
},
],
"architecture": "amd64",
"imageId": "fdab38ea8e39",
"lastScanned": null,
"registryUuid": null,
"source": [
"GENERAL",
"REGISTRY",
"CONTINUOUS_ASSESSMENT"
],
"users": null,
"lastFoundOnHost": {
"sensorUuid": "75e30f2f-05f5-413f-9baf-0095b39347ad",
"hostname": "localhost.localdomain",
"ipAddress": "10.***.*7.7*",
"uuid": "62fe1baa-0311-0002-ca34-0050568cd03b",
"lastUpdated": "2024-08-22T10:52:22.065Z"
},
"lastUsedDate": null,
"isDockerHubOfficial": null,
"scanType": null,
"scanTypes": null,
"softwares": null,
"vulnerabilities": null,
"malware": null,
"secrets": null,
"lastMalwareScanned": null,
"riskScore": null,
"riskScoreCalculatedDate": null,
"maxQdsScore": null,
"qdsSeverity": null
"criticality": 5,
"criticalityUpdated": 1717098843553
"isContinuouslyAssessed": true,
"lastAssessed": "1746677220581",
}
],
"limit": 2
}
Updated API: Fetch a List of Images in Your Account
| New or Updated APIs | Updated |
|---|---|
| API Endpoint (New version) | /csapi/v1.3/images |
| Method | GET |
| DTD XSD Changes | No |
Sample: Fetch a List of Images in Your AccountSample: Fetch a List of Images in Your Account
API Request
curl -X GET
"<qualys_base_url>/csapi/v1.3/images?filter=imagesInUse:'[now-7d ... now]'&pageNumber=1&pageSize=50&sort=created%3Adesc"
-H "accept: application/json"
-H "Authorization: Bearer <token>"
API Response
{
"data": [
{
"created": "1746424138000",
"updated": "1746677220582",
"lastUsedDate": "1746522959591",
"sha": "fa7c845c82ad89b542233b42712cf419b409f6b8b28464c441d6e2645f563bd5",
"repo": [
{
"registry": "docker.io",
"tag": "test4",
"repository": "continuous_assessment"
}
],
"repoDigests": null,
"uuid": "4e73a2d6-c794-354e-b215-6f4c95ffdd99",
"size": 772697934,
"vulnerabilities": {
"severity5Count": 32,
"severity3Count": 70,
"severity4Count": 86,
"severity1Count": 0,
"severity2Count": 9
},
"imageId": "fa7c845c82ad",
"associatedContainersCount": 1,
"associatedHostsCount": 2,
"lastVmScanDate": "1746677220581",
"registryUuid": null,
"source": [
"GENERAL",
"REGISTRY",
"CONTINUOUS_ASSESSMENT"
],
"isDockerHubOfficial": false,
"scanType": null,
"scanTypes": [
"SCA",
"STATIC"
],
"scanErrorCode": null,
"scanStatus": "SUCCESS",
"lastFoundOnHost": {
"sensorUuid": "8d2a23be-c5bf-470f-833b-f5e9bfd68902",
"hostname": "ip-10-82-11-187",
"ipAddress": "10.82.11.187",
"uuid": "2b572df5-a2b1-44bb-ba7d-2409ba2a73f5",
"lastUpdated": "2025-05-06T06:09:56.207Z"
},
"exceptions": null,
"riskScore": 248,
"riskScoreCalculatedDate": "1746677220542",
"maxQdsScore": 100,
"qdsSeverity": "CRITICAL",
"lastScannedBySensor": "8d2a23be-c5bf-470f-833b-f5e9bfd68902",
"scanErrorMessage": null,
"criticality": 0,
"criticalityUpdated": "1746425189812",
"baseImage": "db1141b0252cc593dbc7838571c3eb4cd6043009b0495a6210c74007f0e43697",
"childImagesCount": 0,
"sbomLayerProcessingTimestamp": "1746424256307",
"baseImageProcessingTimestamp": "1746424260455",
"isContinuouslyAssessed": true,
"lastAssessed": "1746677220581",
"compliance": {
"failCount": 2,
"passCount": 0,
"errorCount": 0
},
"lastComplianceScanDate": "1746512983198"
}
],
"count": 1
}
Ability to Block Malicious Images
With this release, Container Security can block images having malware in them with the help of Centralized Admission Controller policies. To support this feature, the following APIs are updated.
- Show Details of a Centralized Policy -
GET /csapi/v1.3/centralizedPolicy/{policyId} - Create a Centralized Policy -
POST /csapi/v1.3/centralizedPolicy - Update a Centralized Policy -
PUT /csapi/v1.3/centralizedPolicy/{policyId}
Updated API: Show Details of a Centralized Policy
| New or Updated APIs | Updated |
|---|---|
| API Endpoint (New version) | /csapi/v1.3/centralizedPolicy/{policyId} |
| Method | GET |
| DTD XSD Changes | No |
Output ParametersOutput Parameters
The table below shows the updated response parameters.
|
Parameter |
Data Type |
Description |
|---|---|---|
| name | array | Indicates array for the centralized policy rules to be included. New rule: - Block Images with Malware |
| type | string | A part of 'centralized PolicyRules' array. Indicates policy rule type. Is available only if the particular rule is set and enabled for the policy. New value: - IMAGESCAN_VULN_RESTRICTED_MALWARE_IMAGES |
Sample: Show Details of a Centralized PolicySample: Show Details of a Centralized Policy
API Request
curl -X 'GET' \
'<qualys_base_url>/csapi/v1.3/centralizedPolicy/76d024d8-b263-4b64-b630-cec66a31b0c3'\
-H 'accept: application/json' \
-H 'Authorization: Bearer <token>'
API Response for a Centralized Admission Controller Policy
{
"uuid": "76d024d8-b263-4b64-b630-cec66a31b0c3",
"policyName": "CLUSTER",
"policyType": "K8S_ADMISSION_CONTROLLER",
"policyMode": "ACTIVE",
"description": "",
"createdBy": "john_doe",
"created": "1722315249509",
"updatedBy": "john_doe",
"updated": "1746519217955",
"centralizedPolicyRules": [
{
"name": "Limit Vulnerability using Severity",
"type": "IMAGESCAN_VULN_SEVERITYCOUNT",
"action": "FAIL",
"isEnabled": false,
"stopProcessing": false,
"sortOrder": 0,
"metaData": "{\"operator\":\"GREATER_THAN\",\"severityLevel\":1,\"threshold\":1}",
"kind": "IMAGE_SECURITY"
},
{
"name": "Block Images with Malware",
"type": "IMAGESCAN_VULN_RESTRICTED_MALWARE_IMAGES",
"action": "FAIL",
"isEnabled": true,
"stopProcessing": false,
"sortOrder": 0,
"metaData": "{}",
"kind": "IMAGE_SECURITY"
}
],
"exclusionPolicyRules": [],
"version": 22,
"isDefault": false,
"tagIds": null,
"k8sFilters": [
{
"cluster": {
"clusterUid": "957e3031-c6d1-4a00-9c7e-6406e1bc3bcb",
"clusterName": "uk_zone1"
},
"namespace": null
}
]
}
Updated API: Create a Centralized Policy
| New or Updated APIs | Updated |
|---|---|
| API Endpoint (New version) | /csapi/v1.3/centralizedPolicy |
| Method | POST |
| DTD XSD Changes | No |
Input ParametersInput Parameters
The Input Parameters below show the updated parameters used for creating a Centralized Admission Controller Policy.
|
Parameter |
Mandatory/Optional |
Data Type |
Description |
|---|---|---|---|
| name | Mandatory | array | Indicates array for the centralized policy rules to be included. New rule sub-type: - Block Images with Malware |
| type | Mandatory | string | A part of 'centralized PolicyRules' array. Indicates policy rule type. Is available only if the particular rule is set and enabled for the policy. New value: - IMAGESCAN_VULN_RESTRICTED_MALWARE_IMAGES |
Sample: Create a Centralized PolicySample: Create a Centralized Policy
API Request for a Centralized Admission Controller Policy
curl -X 'POST' \
'<qualys_base_url>/csapi/v1.3/centralizedPolicy' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <token>' \
-H 'Content-Type: application/json' \
-d '{
"policyName": "APITest",
"description": "",
"centralizedPolicyRules": [
{
"name": "Block Images with Malware",
"type": "IMAGESCAN_VULN_RESTRICTED_MALWARE_IMAGES",
"isEnabled": true,
"kind": "IMAGE_SECURITY",
"metaData": {}
}
],
"exclusionPolicyRules": [],
"policyMode": "ACTIVE",
"policyType": "K8S_ADMISSION_CONTROLLER",
"isDefault": false,
"tagIds": [],
"k8sFilters": [
{
"cluster": null,
"namespace": {
"clusterUid": "957e3031-c6d1-4a00-9c7e-6406e1bc3bcb",
"namespaceValue": "check-test"
}
}
]
}'
API Response
{
"uuid": "9b5f6954-3bf5-4819-b96c-4fffb1d28b9f"
}
Updated API: Update a Centralized Policy
| New or Updated APIs | Updated |
|---|---|
| API Endpoint (New version) | /csapi/v1.3/centralizedPolicy/{policyId} |
| Method | PUT |
| DTD XSD Changes | No |
Input ParametersInput Parameters
The Input Parameters below show the updated parameters used for updating a Centralized Admission Controller Policy.
|
Parameter |
Mandatory/Optional |
Data Type |
Description |
|---|---|---|---|
| name | Mandatory | array | Indicates array for the centralized policy rules to be included. New rule sub-type: - Block Images with Malware |
| type | Mandatory | string
|
A part of 'centralized PolicyRules' array. Indicates policy rule type. Is available only if the particular rule is set and enabled for the policy. New value: - IMAGESCAN_VULN_RESTRICTED_malware_IMAGES |
Sample: Update a Centralized PolicySample: Update a Centralized Policy
API Request for a Centralized Admission Controller Policy
curl -X 'PUT' \
'<qualys_base_url>/csapi/v1.3/centralizedPolicy/9b5f6954-3bf5-4819-b96c-4fffb1d28b9f' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <token>' \
-H 'Content-Type: application/json' \
-d '{
"policyName": "API-sample",
"description": "",
"policyType": "K8S_ADMISSION_CONTROLLER",
"isDefault": false,
"centralizedPolicyRules": [
{
"name": "Block Images with Malware",
"type": "IMAGESCAN_VULN_RESTRICTED_MALWARE_IMAGES",
"isEnabled": true,
"kind": "IMAGE_SECURITY",
"metaData": {}
}
],
"exclusionPolicyRules": [],
"k8sFilters": [
{
"cluster": null,
"namespace": {
"clusterUid": "957e3031-c6d1-4a00-9c7e-6406e1bc3bcb",
"namespaceValue": "check-test"
}
},
{
"cluster": null,
"namespace": {
"clusterUid": "957e3031-c6d1-4a00-9c7e-6406e1bc3bcb",
"namespaceValue": "kube-public"
}
}
]
}'
API Response
{
"policyUUID ": "9b5f6954-3bf5-4819-b96c-4fffb1d28b9f"
}
Ability to Block Images having Secrets
With this release, Container Security blocks images having secrets in them with the help of Centralized CICD policies. To support this feature, the following APIs are updated.
- Show Details of a Centralized Policy -
GET /csapi/v1.3/centralizedPolicy/{policyId} - Create a Centralized Policy -
POST /csapi/v1.3/centralizedPolicy - Update a Centralized Policy -
PUT /csapi/v1.3/centralizedPolicy/{policyId}
Updated API: Show Details of a Centralized Policy
| New or Updated APIs | Updated |
|---|---|
| API Endpoint (New version) | /csapi/v1.3/centralizedPolicy/{policyId} |
| Method | GET |
| DTD XSD Changes | No |
Output ParametersOutput Parameters
The table below shows the updated response parameters.
|
Parameter |
Data Type |
Description |
|---|---|---|
| name | array | Indicates array for the centralized policy rules to be included. New rule sub-type: - Block Images with Secrets |
| type | string | A part of 'centralized PolicyRules' array. Indicates policy rule type. Is available only if the particular rule is set and enabled for the policy. New value: - IMAGESCAN_VULN_SECRETS_SEVERITYCOUNT |
Sample: Show Details of a Centralized PolicySample: Show Details of a Centralized Policy
API Request
curl -X 'GET' \
'<qualys_base_url>/csapi/v1.3/centralizedPolicy/253ebf27-d2f2-4810-b0e6-22d3b97201d0'\
-H 'accept: application/json' \
-H 'Authorization: Bearer <token>'
API Response for Showing a Centralized CI/CD Policy
{
"uuid": "253ebf27-d2f2-4810-b0e6-22d3b97201d0",
"policyName": "Demo test",
"policyType": "CICD",
"policyMode": "ACTIVE",
"description": "",
"createdBy": "john_doe",
"created": "1746687441028",
"updatedBy": "john_doe",
"updated": "1746687441028",
"centralizedPolicyRules": [
{
"name": "secret_rule_cicd",
"type": "IMAGESCAN_VULN_SECRETS_SEVERITYCOUNT",
"action": "FAIL",
"isEnabled": true,
"stopProcessing": false,
"sortOrder": 0,
"metaData": "{\"operator\":\"GREATER_THAN\",\"threshold\":1,\"value\":\"CRITICAL\"}",
"kind": "IMAGE_SECURITY"
}
],
"exclusionPolicyRules": [],
"version": 1,
"isDefault": false,
"tagIds": [
{
"uuid": "445a9519-a850-413f-848e-207ce409b81b",
"id": 47734725,
"name": "apitag",
"backgroundColor": "#000000",
"foregroundColor": "#000000",
"icon": null,
"criticalityScore": 0,
"tagType": null
}
],
Updated API: Create a Centralized Policy
| New or Updated APIs | Updated |
|---|---|
| API Endpoint (New version) | /csapi/v1.3/centralizedPolicy |
| Method | POST |
| DTD XSD Changes | No |
Input ParametersInput Parameters
The Input Parameters below show the updated parameters used for creating a Centralized CICD Policy.
|
Parameter |
Mandatory/Optional |
Data Type |
Description |
|---|---|---|---|
| name | Mandatory | array | Indicates array for the centralized policy rules to be included. New rule sub-type: - Block Images with sECRETS |
| type | Mandatory | string | A part of 'centralized PolicyRules' array. Indicates policy rule type. Is available only if the particular rule is set and enabled for the policy. New value: - IMAGESCAN_VULN_SECRETS_SEVERITYCOUNT |
Sample: Create a Centralized PolicySample: Create a Centralized Policy
API Request for Creating a Centralized CI/CD Policy
curl -X 'POST' \
'<qualys_base_url>/csapi/v1.3/centralizedPolicy' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <token>' \
-H 'Content-Type: application/json' \
-d '{
"policyName": "Demo test",
"description": "",
"policyType": "CICD",
"centralizedPolicyRules": [
{
"name": "secret_rule_cicd",
"isEnabled": true,
"type": "IMAGESCAN_VULN_SECRETS_SEVERITYCOUNT",
"kind": "IMAGE_SECURITY",
"metaData": {
"operator": "GREATER_THAN",
"threshold": 1,
"value": "CRITICAL"
}
}
],
"exclusionPolicyRules": [],
"policyMode": "ACTIVE",
"isDefault": false,
"tagIds": [
"445a9519-a850-413f-848e-207ce409b81b"
],
"k8sFilters": []
}'
API Response
{
"uuid": "253ebf27-d2f2-4810-b0e6-22d3b97201d0"
}
Updated API: Update a Centralized Policy
| New or Updated APIs | Updated |
|---|---|
| API Endpoint (New version) | /csapi/v1.3/centralizedPolicy/{policyId} |
| Method | PUT |
| DTD XSD Changes | No |
Input ParametersInput Parameters
The Input Parameters below show the updated parameters used for updating a Centralized CICD Policy.
|
Parameter |
Mandatory/Optional |
Data Type |
Description |
|---|---|---|---|
| name | Mandatory | array | Indicates array for the centralized policy rules to be included. New rule sub-type: - Block Images with Secrets |
| type | Mandatory | string
|
A part of 'centralized PolicyRules' array. Indicates policy rule type. Is available only if the particular rule is set and enabled for the policy. New value: - IMAGESCAN_VULN_SECRETS_SEVERITYCOUNT |
Sample: Update a Centralized PolicySample: Update a Centralized Policy
API Request for Updating a Centralized CI/CD Policy
curl -X 'PUT' \
'<qualys_base_url>/csapi/v1.3/centralizedPolicy/9b5f6954-3bf5-4819-b96c-4fffb1d28b9f' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <token>' \
-H 'Content-Type: application/json' \
-d '{
"policyName": "Demo-API",
"description": "",
"policyType": "CICD",
"isDefault": true,
"centralizedPolicyRules": [
{
"name": "secret_rule_cicd_update",
"isEnabled": true,
"type": "IMAGESCAN_VULN_SECRETS_SEVERITYCOUNT",
"kind": "IMAGE_SECURITY",
"metaData": {
"operator": "GREATER_THAN",
"threshold": 10,
"value": "LOW"
}
}
],
"exclusionPolicyRules": [],
"k8sFilters": []
}'
API Response
{
"policyUUID ": "253ebf27-d2f2-4810-b0e6-22d3b97201d0"
}