Prisma Cloud Compute API

openapi: 3.1.0
info:
  title: Palo Alto Networks Prisma Cloud Compute API
  description: >-
    REST API for Prisma Cloud Compute (CWPP) providing programmatic access to
    container and workload security across hosts, images, containers, and
    serverless functions. The API enables vulnerability management, compliance
    monitoring, runtime defense, registry scanning, and Defender deployment
    management. Authentication uses either a bearer token obtained from the
    /api/v1/authenticate endpoint (valid for 30 minutes) or HTTP Basic
    authentication with Prisma Cloud Compute credentials. The console address
    varies per deployment and must be substituted in the server URL.
  version: '32.07'
  contact:
    name: Palo Alto Networks Developer Support
    url: https://pan.dev/
  license:
    name: Proprietary
    url: https://www.paloaltonetworks.com/legal
servers:
- url: https://{console}/api/v1
  description: Prisma Cloud Compute Console API.
  variables:
    console:
      default: console.example.com
      description: >-
        Address of the Prisma Cloud Compute Console. For SaaS deployments,
        use the address provided in Prisma Cloud under Compute > Manage >
        System > Utilities.
security:
- bearerAuth: []
- basicAuth: []
tags:
- name: Authentication
  description: Token-based authentication for API access.
- name: Containers
  description: Running container inventory and security posture.
- name: Defenders
  description: Defender agent deployment and management.
- name: Hosts
  description: Host machine security monitoring and vulnerability data.
- name: Images
  description: Container image vulnerability and compliance scan data.
- name: Policies
  description: Vulnerability and compliance policy management.
- name: Registry
  description: Registry image scanning configuration and results.
- name: Scans
  description: CI/CD pipeline scan results.
paths:
  /authenticate:
    post:
      operationId: authenticate
      summary: Palo Alto Networks Authenticate and Obtain Bearer Token
      description: >-
        Authenticates with Prisma Cloud Compute credentials and returns a JWT
        bearer token for subsequent API calls. The token is valid for 30
        minutes. For integrations requiring project-level access, include the
        project name in the request body.
      tags:
      - Authentication
      security: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
              - username
              - password
              properties:
                username:
                  type: string
                  description: Prisma Cloud Compute username or access key.
                password:
                  type: string
                  description: Prisma Cloud Compute password or secret key.
                project:
                  type: string
                  description: >-
                    Project name for project-scoped access. Omit for
                    Central Console access.
            examples:
              AuthenticateRequestExample:
                summary: Default authenticate request
                x-microcks-default: true
                value:
                  username: soc-analyst
                  password: example-password
                  project: example-project
      responses:
        '200':
          description: Authentication successful.
          content:
            application/json:
              schema:
                type: object
                properties:
                  token:
                    type: string
                    description: JWT bearer token valid for 30 minutes.
              examples:
                Authenticate200Example:
                  summary: Default authenticate 200 response
                  x-microcks-default: true
                  value:
                    token: 4149d308542fc31fb11607add5a3d9ef
        '401':
          description: Invalid credentials or unauthorized access.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /images:
    get:
      operationId: getImages
      summary: Palo Alto Networks List Image Scan Results
      description: >-
        Returns vulnerability and compliance scan results for all container
        images known to Prisma Cloud Compute. Results include images from
        deployed containers on hosts with Defenders and from registry scans.
        Supports filtering by search term, cluster, and collection.
      tags:
      - Images
      parameters:
      - name: offset
        in: query
        description: Number of records to skip for pagination.
        schema:
          type: integer
          default: 0
        example: 0
      - name: limit
        in: query
        description: Maximum number of records to return.
        schema:
          type: integer
          default: 50
        example: 50
      - name: search
        in: query
        description: Search term to filter images by repository name or tag.
        schema:
          type: string
        example: example-search
      - name: sort
        in: query
        description: Field to sort results by.
        schema:
          type: string
          enum:
          - vulnerabilities
          - compliance
          - scanTime
        example: compliance
      - name: reverse
        in: query
        description: Sort in reverse order.
        schema:
          type: boolean
          default: false
        example: false
      - name: collections
        in: query
        description: Filter by collection name.
        schema:
          type: string
        example: example-collections
      - name: clusters
        in: query
        description: Filter by cluster name.
        schema:
          type: string
        example: example-clusters
      - name: compact
        in: query
        description: Return compact results without full vulnerability details.
        schema:
          type: boolean
          default: false
        example: false
      responses:
        '200':
          description: Image scan results returned successfully.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Image'
              examples:
                GetImages200Example:
                  summary: Default getImages 200 response
                  x-microcks-default: true
                  value:
                  - _id: '856694'
                    hostname: host-9c7b
                    scanTime: '2024-03-20T05:38:38Z'
                    repoTag: &id002
                      registry: example-registry
                      repo: example-repo
                      tag: critical-asset
                    repoDigests: &id003
                    - example-repoDigests_item
                    - example-repoDigests_item
                    osDistro: example-osDistro
                    osDistroVersion: 10.9.7
                    vulnerabilities: &id004
                    - id: example-id
                      status: deferred
                      cvss: 12.51
                      severity: high
                      packageName: Corporate Firewall 45
                      packageVersion: 5.1.8
                      fixedVersion: 5.4.9
                      link: https://portal.test-corp.net/0da215
                      description: Configured applied endpoint threat network Security.
                      publishedDate: '2026-05-18T00:03:03Z'
                    - id: example-id
                      status: fixed in
                      cvss: 68.07
                      severity: low
                      packageName: Primary Policy 76
                      packageVersion: 8.5.1
                      fixedVersion: 6.7.4
                      link: https://vpn.example.com/3f4797
                      description: Incident network violation rule incident blocked activity applied endpoint policy incident.
                      publishedDate: '2024-05-26T07:45:57Z'
                    vulnerabilitiesCount: 554
                    vulnerabilityDistribution: &id005
                      critical: 813
                      high: 64
                      medium: 396
                      low: 795
                    complianceIssues: &id006
                    - id: 915
                      title: Branch Policy 90
                      severity: medium
                      cause: example-cause
                      description: Network applied activity rule applied suspicious activity suspicious firewall.
                    - id: 165
                      title: Primary Gateway 48
                      severity: medium
                      cause: example-cause
                      description: Malware malware configured suspicious threat suspicious network violation.
                    complianceIssuesCount: 705
                    clusters: &id007
                    - example-clusters_item
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /images/download:
    get:
      operationId: downloadImageScanResults
      summary: Palo Alto Networks Download Image Scan Results
      description: >-
        Downloads image scan results as a CSV file. Supports the same
        filtering parameters as the GET /images endpoint. Useful for
        bulk export and integration with external vulnerability management
        systems.
      tags:
      - Images
      parameters:
      - name: search
        in: query
        description: Search term to filter images by repository name or tag.
        schema:
          type: string
        example: example-search
      - name: collections
        in: query
        description: Filter by collection name.
        schema:
          type: string
        example: example-collections
      - name: clusters
        in: query
        description: Filter by cluster name.
        schema:
          type: string
        example: example-clusters
      responses:
        '200':
          description: Image scan results CSV file returned.
          content:
            text/csv:
              schema:
                type: string
                format: binary
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /containers:
    get:
      operationId: getContainers
      summary: Palo Alto Networks List Running Containers
      description: >-
        Returns information about all running containers monitored by Prisma
        Cloud Compute Defenders. Includes container metadata, associated image
        scan results, network information, and runtime profile status.
      tags:
      - Containers
      parameters:
      - name: offset
        in: query
        description: Number of records to skip for pagination.
        schema:
          type: integer
          default: 0
        example: 0
      - name: limit
        in: query
        description: Maximum number of records to return.
        schema:
          type: integer
          default: 50
        example: 50
      - name: search
        in: query
        description: Search term to filter containers by name or image.
        schema:
          type: string
        example: example-search
      - name: collections
        in: query
        description: Filter by collection name.
        schema:
          type: string
        example: example-collections
      - name: clusters
        in: query
        description: Filter by cluster name.
        schema:
          type: string
        example: example-clusters
      - name: hostname
        in: query
        description: Filter by host where the container is running.
        schema:
          type: string
        example: host-b981
      responses:
        '200':
          description: Container list returned successfully.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Container'
              examples:
                GetContainers200Example:
                  summary: Default getContainers 200 response
                  x-microcks-default: true
                  value:
                  - _id: '441805'
                    name: Staging Sensor 73
                    hostname: host-ec79
                    imageId: '178488'
                    imageName: Staging Sensor 95
                    state: exited
                    created: '2026-06-08T07:42:55Z'
                    cluster: example-cluster
                    namespace: Branch Firewall 92
                    vulnerabilitiesCount: 280
                    complianceIssuesCount: 855
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /hosts:
    get:
      operationId: getHosts
      summary: Palo Alto Networks List Host Scan Results
      description: >-
        Returns vulnerability and compliance scan results for all hosts
        protected by Prisma Cloud Compute Defenders. Includes OS-level
        vulnerabilities, installed packages, and compliance check results.
      tags:
      - Hosts
      parameters:
      - name: offset
        in: query
        description: Number of records to skip for pagination.
        schema:
          type: integer
          default: 0
        example: 0
      - name: limit
        in: query
        description: Maximum number of records to return.
        schema:
          type: integer
          default: 50
        example: 50
      - name: search
        in: query
        description: Search term to filter hosts by hostname.
        schema:
          type: string
        example: example-search
      - name: sort
        in: query
        description: Field to sort results by.
        schema:
          type: string
          enum:
          - vulnerabilities
          - compliance
          - scanTime
        example: compliance
      - name: reverse
        in: query
        description: Sort in reverse order.
        schema:
          type: boolean
          default: false
        example: false
      - name: collections
        in: query
        description: Filter by collection name.
        schema:
          type: string
        example: example-collections
      - name: clusters
        in: query
        description: Filter by cluster name.
        schema:
          type: string
        example: example-clusters
      responses:
        '200':
          description: Host scan results returned successfully.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Host'
              examples:
                GetHosts200Example:
                  summary: Default getHosts 200 response
                  x-microcks-default: true
                  value:
                  - _id: '404955'
                    hostname: host-4848
                    scanTime: '2024-04-25T22:09:59Z'
                    osDistro: example-osDistro
                    osDistroVersion: 6.6.2
                    kernelVersion: 8.6.6
                    cloudMetadata: &id008
                      provider: aws
                      accountId: '566631'
                      region: us-east-1
                      instanceId: '700233'
                    vulnerabilities: &id009
                    - id: example-id
                      status: deferred
                      cvss: 13.89
                      severity: critical
                      packageName: Branch Policy 65
                      packageVersion: 2.9.1
                      fixedVersion: 9.6.0
                      link: https://api.example.com/9c88b4
                      description: Monitoring blocked suspicious activity malware traffic Security policy rule configured.
                      publishedDate: '2026-07-04T20:08:13Z'
                    vulnerabilitiesCount: 315
                    vulnerabilityDistribution: &id010
                      critical: 842
                      high: 259
                      medium: 307
                      low: 195
                    complianceIssues: &id011
                    - id: 799
                      title: Staging Gateway 66
                      severity: low
                      cause: example-cause
                      description: Endpoint endpoint blocked monitoring policy alert network traffic network monitoring applied investigation.
                    complianceIssuesCount: 960
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /policies/vulnerability/images:
    get:
      operationId: getImageVulnerabilityPolicy
      summary: Palo Alto Networks Get Image Vulnerability Policy
      description: >-
        Returns the currently configured image vulnerability policy.
        The policy defines the rules for blocking, alerting, and ignoring
        vulnerabilities found in container images based on severity,
        CVE, package, and other criteria.
      tags:
      - Policies
      responses:
        '200':
          description: Image vulnerability policy returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/VulnerabilityPolicy'
              examples:
                GetImageVulnerabilityPolicy200Example:
                  summary: Default getImageVulnerabilityPolicy 200 response
                  x-microcks-default: true
                  value:
                    rules: &id001
                    - name: Production Agent 10
                      collections:
                      - example-collections_item
                      - example-collections_item
                      effect: alert
                      condition:
                        cves:
                          ids:
                          - example-ids_item
                          - example-ids_item
                          effect: example-effect
                        severities:
                        - critical
                    - name: Production Agent 26
                      collections:
                      - example-collections_item
                      - example-collections_item
                      effect: ignore
                      condition:
                        cves:
                          ids:
                          - example-ids_item
                          - example-ids_item
                          effect: example-effect
                        severities:
                        - critical
                        - high
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
    put:
      operationId: updateImageVulnerabilityPolicy
      summary: Palo Alto Networks Update Image Vulnerability Policy
      description: >-
        Replaces the image vulnerability policy with the provided
        configuration. The policy is applied to all image scans and
        enforced at container admission.
      tags:
      - Policies
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/VulnerabilityPolicy'
            examples:
              UpdateImageVulnerabilityPolicyRequestExample:
                summary: Default updateImageVulnerabilityPolicy request
                x-microcks-default: true
                value:
                  rules: *id001
      responses:
        '200':
          description: Image vulnerability policy updated successfully.
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /policies/compliance/images:
    get:
      operationId: getImageCompliancePolicy
      summary: Palo Alto Networks Get Image Compliance Policy
      description: >-
        Returns the currently configured image compliance policy.
        The compliance policy defines the checks applied to container
        images based on CIS benchmarks and custom rules.
      tags:
      - Policies
      responses:
        '200':
          description: Image compliance policy returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CompliancePolicy'
              examples:
                GetImageCompliancePolicy200Example:
                  summary: Default getImageCompliancePolicy 200 response
                  x-microcks-default: true
                  value:
                    rules: &id012
                    - name: Primary Agent 83
                      collections:
                      - example-collections_item
                      effect: block
                      condition:
                        checks:
                        - {}
                        - {}
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /policies/runtime/container:
    get:
      operationId: getContainerRuntimePolicy
      summary: Palo Alto Networks Get Container Runtime Policy
      description: >-
        Returns the currently configured container runtime defense policy.
        Runtime policies define allowed process, network, and file system
        activities for running containers, enabling detection and prevention
        of anomalous runtime behavior.
      tags:
      - Policies
      responses:
        '200':
          description: Container runtime policy returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RuntimePolicy'
              examples:
                GetContainerRuntimePolicy200Example:
                  summary: Default getContainerRuntimePolicy 200 response
                  x-microcks-default: true
                  value:
                    rules: &id013
                    - name: Primary Policy 20
                      collections:
                      - example-collections_item
                      - example-collections_item
                      processes:
                        effect: ignore
                        whitelist:
                        - example-whitelist_item
                        - example-whitelist_item
                        blacklist:
                        - example-blacklist_item
                      network:
                        effect: block
                      filesystem:
                        effect: block
                    - name: Primary Policy 29
                      collections:
                      - example-collections_item
                      - example-collections_item
                      processes:
                        effect: alert
                        whitelist:
                        - example-whitelist_item
                        blacklist:
                        - example-blacklist_item
                      network:
                        effect: alert
                      filesystem:
                        effect: alert
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /registry:
    get:
      operationId: getRegistries
      summary: Palo Alto Networks List Configured Registries
      description: >-
        Returns a list of container registries configured for scanning in
        Prisma Cloud Compute. Each entry includes the registry URL,
        credential references, scanning scope, and schedule.
      tags:
      - Registry
      responses:
        '200':
          description: Registry configurations returned successfully.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/RegistryConfig'
              examples:
                GetRegistries200Example:
                  summary: Default getRegistries 200 response
                  x-microcks-default: true
                  value:
                  - version: jfrog
                    registry: example-registry
                    namespace: Corporate Gateway 63
                    credentialID: '865122'
                    os: linux
                    cap: 304
                    scanners: 112
                    tag: critical-asset
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
    post:
      operationId: addRegistry
      summary: Palo Alto Networks Add a Registry
      description: >-
        Adds a new container registry to the scanning configuration.
        Supports Docker Hub, AWS ECR, Azure Container Registry, Google
        Container Registry, and other OCI-compatible registries.
      tags:
      - Registry
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RegistryConfig'
            examples:
              AddRegistryRequestExample:
                summary: Default addRegistry request
                x-microcks-default: true
                value:
                  version: jfrog
                  registry: example-registry
                  namespace: Corporate Gateway 63
                  credentialID: '865122'
                  os: linux
                  cap: 304
                  scanners: 112
                  tag: critical-asset
      responses:
        '200':
          description: Registry added successfully.
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /defenders:
    get:
      operationId: getDefenders
      summary: Palo Alto Networks List Defenders
      description: >-
        Returns information about all deployed Defenders including their
        connection status, version, type, and the host they are running on.
        Defenders are the runtime agents that enforce security policies and
        report vulnerability and compliance data to the Console.
      tags:
      - Defenders
      parameters:
      - name: offset
        in: query
        description: Number of records to skip for pagination.
        schema:
          type: integer
          default: 0
        example: 0
      - name: limit
        in: query
        description: Maximum number of records to return.
        schema:
          type: integer
          default: 50
        example: 50
      - name: search
        in: query
        description: Search term to filter Defenders by hostname.
        schema:
          type: string
        example: example-search
      - name: connected
        in: query
        description: Filter by connection status.
        schema:
          type: boolean
        example: true
      - name: type
        in: query
        description: Filter by Defender type.
        schema:
          type: string
          enum:
          - docker
          - dockerWindows
          - cri
          - fargate
          - appEmbedded
          - serverless
        example: serverless
      - name: cluster
        in: query
        description: Filter by cluster name.
        schema:
          type: string
        example: example-cluster
      responses:
        '200':
          description: Defender list returned successfully.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Defender'
              examples:
                GetDefenders200Example:
                  summary: Default getDefenders 200 response
                  x-microcks-default: true
                  value:
                  - hostname: host-7a08
                    version: 9.6.1
                    type: cri
                    connected: true
                    lastModified: '2024-10-15T05:34:16Z'
                    cluster: example-cluster
                    cloudMetadata: &id014
                      provider: example-provider
                      accountId: '210791'
                      region: us-west-2
                    category: appEmbedded
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /defenders/summary:
    get:
      operationId: getDefendersSummary
      summary: Palo Alto Networks Get Defender Summary Statistics
      description: >-
        Returns summary statistics about deployed Defenders including
        total count, connected count, version distribution, and
        deployment type breakdown.
      tags:
      - Defenders
      responses:
        '200':
          description: Defender summary statistics returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DefenderSummary'
              examples:
                GetDefendersSummary200Example:
                  summary: Default getDefendersSummary 200 response
                  x-microcks-default: true
                  value:
                    total: 699
                    connected: 599
                    disconnected: 938
                    by_type: &id015
                      docker: 291
                      dockerWindows: 218
                      cri: 483
                      fargate: 38
                      appEmbedded: 555
                      serverless: 454
                    version_distribution: &id016
                    - version: 1.1.4
                      count: 916
                    - version: 9.6.3
                      count: 298
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          $ref: '#/components/responses/InternalServerError'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /scans:
    get:
      operationId: getCIScans
      summary: Palo Alto Networks Get CI Scan Results
      description: >-
        Returns vulnerability and compliance scan results from CI/CD
        pipeline scans run using the twistcli tool or CI/CD integrations.
        Results include the scan target, policy outcome, and detailed
        findings for each scan run.
      tags:
      - Scans
      parameters:
      - name: offset
        in: query
  

# --- truncated at 32 KB (55 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/openapi/palo-alto-prisma-cloud-compute-api-openapi-original.yml