/*
 * Copyright 2025 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

syntax = "proto3";

package scalibr;

import "google/protobuf/timestamp.proto";
import "proto/vulnerability.proto";

option go_package = "github.com/google/osv-scalibr/binary/proto/scan_result_go_proto";
option java_multiple_files = true;

// Proto file describing the SCALIBR scan results. Whenever this proto is
// modified make sure to regenerate the go_proto file by running
// `make protos`
//
// Field numbers are the wire contract. Never renumber a field or reuse the
// number of a removed one; add removed numbers to the message's `reserved`
// list instead (several messages below already do this).
//
// Note for consumers: almost every string in this schema is copied from
// artifacts on the scanned target (package manifests, lockfiles, container
// configs, credential files). Treat those values as untrusted input when
// logging, rendering or building queries with them. Inventory.secrets in
// particular carries live credential material in plaintext.

// The results of a scan incl. scan status and artifacts found.
message ScanResult {
  // Removed field numbers; do not reuse.
  reserved 6, 7;
  // Version string of the scanner that produced this result (presumably the
  // SCALIBR release version - confirm against the Go side).
  string version = 1;
  google.protobuf.Timestamp start_time = 2;
  google.protobuf.Timestamp end_time = 3;
  // Status of the overall scan.
  ScanStatus status = 4;
  // Status and versions of the plugins that ran.
  repeated PluginStatus plugin_status = 5;
  // Everything the scan found. When `status` is PARTIALLY_SUCCEEDED or
  // FAILED this inventory may be incomplete (see ScanStatus.file_errors);
  // consumers should not treat it as a full picture of the target.
  Inventory inventory = 8;
}

// The artifacts (e.g. software inventory, security findings) that a scan found.
message Inventory {
  // Software packages found by extractors. PackageVuln.package_id refers to
  // entries in this list by their Package.id.
  repeated Package packages = 1;
  // Known vulnerabilities matched against `packages`.
  repeated PackageVuln package_vulns = 6;
  // Security findings that are not tied to a specific package.
  repeated GenericFinding generic_findings = 2;
  // Credentials found by secret scanning. Each entry may hold the raw secret
  // value (see SecretData), so this list is as sensitive as the credentials
  // themselves: redact or drop it before a result is stored, logged or shared
  // beyond the party that owns the scanned target.
  repeated Secret secrets = 3;
  // Metadata about scanned container images. Referenced by index from
  // Package.container_image_metadata_indexes.
  repeated ContainerImageMetadata container_image_metadata = 5;
}

message ScanStatus {
  ScanStatusEnum status = 1;
  // Human-readable reason; expected to be populated when `status` is FAILED
  // or PARTIALLY_SUCCEEDED.
  string failure_reason = 2;
  // Per-file errors encountered during the scan. Field number 3 is skipped
  // here but not listed as reserved - confirm it never shipped before
  // assigning it to a new field.
  repeated FileError file_errors = 4;

  enum ScanStatusEnum {
    UNSPECIFIED = 0;
    SUCCEEDED = 1;
    // Some files or plugins failed; see failure_reason and file_errors.
    PARTIALLY_SUCCEEDED = 2;
    FAILED = 3;
  }
}

// Outcome of a single plugin run (extractor, detector, annotator, ...).
message PluginStatus {
  string name = 1;
  int32 version = 2;
  ScanStatus status = 3;
}

// An error encountered while reading one file on the scanned target.
message FileError {
  // Path as seen by the scanner; copied from the target, so untrusted text.
  string file_path = 1;
  string error_message = 2;
}

// A software package or library found by an extractor.
// PURL or CPE needs to be set, maybe both.
// NOTE(review): this message has no CPE field. CPEs only appear inside
// SPDXPackageMetadata.cpes / CDXPackageMetadata.cpes, so in practice `purl`
// is the identifier consumers can rely on here.
message Package {
  // Removed field numbers; do not reuse.
  reserved 3, 4, 10, 28, 35;
  // Unique identifier for the package.
  // PackageVuln.package_id refers to this value.
  string id = 60;
  // Human-readable name of the software, to be used for things like logging.
  // For vuln matching, use the name from metadata.
  // The value is taken from the target's own files; escape it before
  // rendering or interpolating it anywhere.
  string name = 11;
  // Version of the package.
  string version = 12;
  // Source code level package identifiers.
  SourceCodeIdentifier source_code = 26;
  // Package URL of the software.
  Purl purl = 1;
  // Ecosystem - For software packages this corresponds to an OSV ecosystem
  // value, e.g. PyPI.
  string ecosystem = 27;
  // Paths or source of files related to the package.
  repeated string locations = 2;
  // The names of the plugins that found this software. Set by the
  // core library.
  repeated string plugins = 49;
  // The additional data found in the package.
  // Exactly one (or none) of these is set, depending on which extractor
  // produced the package.
  // LINT.IfChange
  oneof metadata {
    PythonPackageMetadata python_metadata = 5;
    JavascriptPackageJSONMetadata javascript_metadata = 6;
    APKPackageMetadata apk_metadata = 7;
    DPKGPackageMetadata dpkg_metadata = 8;
    RPMPackageMetadata rpm_metadata = 9;
    COSPackageMetadata cos_metadata = 13;
    DEPSJSONMetadata depsjson_metadata = 40;
    SPDXPackageMetadata spdx_metadata = 14;
    JavaArchiveMetadata java_archive_metadata = 15;
    JavaLockfileMetadata java_lockfile_metadata = 31;
    PACMANPackageMetadata pacman_metadata = 36;
    NixPackageMetadata nix_metadata = 37;
    KernelModuleMetadata kernel_module_metadata = 38;
    VmlinuzMetadata vmlinuz_metadata = 39;
    PortagePackageMetadata portage_metadata = 41;
    OSVPackageMetadata osv_metadata = 16;
    NetportsMetadata netports_metadata = 45;
    PythonRequirementsMetadata python_requirements_metadata = 21;
    PythonSetupMetadata python_setup_metadata = 44;
    ContainerdContainerMetadata containerd_container_metadata = 22;
    SNAPPackageMetadata snap_metadata = 23;
    FlatpakPackageMetadata flatpak_metadata = 24;
    MacAppsMetadata mac_apps_metadata = 34;
    ContainerdRuntimeContainerMetadata containerd_runtime_container_metadata =
        25;
    CDXPackageMetadata cdx_metadata = 30;
    WindowsOSVersion windows_os_version_metadata = 33;
    HomebrewPackageMetadata homebrew_metadata = 42;
    ChromeExtensionsMetadata chrome_extensions_metadata = 47;
    VSCodeExtensionsMetadata vscode_extensions_metadata = 46;
    PodmanMetadata podman_metadata = 50;
    DockerContainersMetadata docker_containers_metadata = 48;
    MacportsPackageMetadata macports_metadata = 53;
    WingetPackageMetadata winget_metadata = 54;
    AsdfMetadata asdf_metadata = 55;
    NvmMetadata nvm_metadata = 56;
    NodeVersionMetadata nodeversion_metadata = 58;
  }
  // LINT.ThenChange(/binary/proto/package_metadata.go)

  // Signals to indicate that specific vulnerabilities are not applicable to
  // this package.
  // These are VEX-style suppressions asserted by a plugin, not ground truth.
  // A consumer that hides findings based on them should keep the signal's
  // `plugin` and `justification` in its audit trail so the suppression can be
  // reviewed later.
  repeated PackageExploitabilitySignal exploitability_signals = 51;

  // Software licenses information
  repeated string licenses = 52;

  message ContainerImageMetadataIndexes {
    // The index of ContainerImageMetadata in Inventory.ContainerImageMetadata
    // list.
    // Nothing in the schema guarantees the index is in range (it is a plain
    // int32); bounds-check before dereferencing.
    int32 container_image_index = 1;
    // The index of LayerMetadata in ContainerImageMetadata.LayerMetadata list.
    // Same caveat: bounds-check before use.
    int32 layer_index = 2;
  }

  // Presumably only set for packages found inside a scanned container image;
  // absent otherwise (explicit presence via `optional`).
  optional ContainerImageMetadataIndexes container_image_metadata_indexes = 57;
}

// Additional identifiers for source code software packages (e.g. NPM).
message SourceCodeIdentifier {
  string repo = 1;
  string commit = 2;
}

// Details about the layer a package was found in.
message LayerDetails {
  // The index of the layer in the container image.
  int32 index = 1;
  // The diff ID (typically a sha256 hash) of the layer in the container image.
  string diff_id = 2;
  // The layer chain ID (sha256 hash) of the layer in the container image.
  // https://github.com/opencontainers/image-spec/blob/main/config.md#layer-chainid
  string chain_id = 5;
  // The layer build command that was used to build the layer. This may not be
  // found in all layers depending on how the container image is built.
  // Build commands can embed credentials (e.g. ARG/ENV values); treat this
  // string as potentially sensitive.
  string command = 3;
  // Denotes whether the layer is in the base image.
  // Useful for attributing a finding to the base image vs. the application
  // layers when deciding who has to remediate.
  bool in_base_image = 4;
}

// PackageExploitabilitySignal is used to indicate that specific vulnerabilities
// are not applicable to a given package.
message PackageExploitabilitySignal {
  // The name of the plugin (e.g. Annotator) that added this signal.
  string plugin = 1;
  // Reason for exclusion.
  VexJustification justification = 2;
  oneof vuln_filter {
    // Advisory Identifier (CVE, GHSA, ...) and aliases of the vulns that are
    // not applicable to this package.
    VulnIdentifiers vuln_identifiers = 3;
    // Indicates that all vulnerabilities associated with the package are
    // irrelevant.
    // This is the broadest possible suppression (it also covers advisories
    // published after the signal was produced), so consumers should surface
    // it rather than apply it silently.
    bool matches_all_vulns = 4;
  }
}

message VulnIdentifiers {
  repeated string identifiers = 1;
}

// FindingExploitabilitySignal is used to indicate that a finding is not
// exploitable.
message FindingExploitabilitySignal {
  // The name of the plugin (e.g. Annotator) that added this signal.
  string plugin = 1;
  // Reason for exclusion.
  VexJustification justification = 2;
}

// Vuln exclusion reasons - Mirrors the format from the official VEX
// documentation
// (https://www.cisa.gov/sites/default/files/publications/VEX_Status_Justification_Jun22.pdf)
// Consumers should treat VEX_JUSTIFICATION_UNSPECIFIED as "no justification
// given" rather than as a valid reason to drop a finding.
enum VexJustification {
  VEX_JUSTIFICATION_UNSPECIFIED = 0;
  // The vulnerable component is not used in the affected artifact.
  COMPONENT_NOT_PRESENT = 1;
  // The component is used but vulnerable code was removed or not included.
  VULNERABLE_CODE_NOT_PRESENT = 2;
  // Vulnerable code is included but is not executed.
  VULNERABLE_CODE_NOT_IN_EXECUTE_PATH = 3;
  // Vulnerable code is executed but can't be exploited due to program logic.
  VULNERABLE_CODE_CANNOT_BE_CONTROLLED_BY_ADVERSARY = 4;
  // Code can be executed but additional mitigations prevent exploitation.
  INLINE_MITIGATION_ALREADY_EXISTS = 5;
}

// Package URL, see https://github.com/package-url/purl-spec
message Purl {
  // String representation.
  // The structured fields below are expected to describe the same package;
  // when handing the identifier to tools that accept PURLs, prefer this
  // string form.
  string purl = 1;
  // Package type, e.g. "maven, npm, pypi".
  string type = 2;
  // Package name.
  string name = 3;
  // Package version.
  string version = 4;
  // Name prefix such as a Maven groupid, or Docker image owner.
  string namespace = 5;
  // Extra qualifying data for a package such as an OS, architecture, etc.
  repeated Qualifier qualifiers = 6;
  // Extra subpath within a package, relative to the package root.
  string subpath = 7;
}

message Qualifier {
  string key = 1;
  string value = 2;
}

// Describes a vulnerability (e.g. a CVE) related to a package.
message PackageVuln {
  osv.Vulnerability vuln = 1;
  // The ID of the associated package in Inventory.Packages.
  // Used for mapping between proto and struct.
  // If no package with this id exists in the inventory the vuln cannot be
  // attributed; report that rather than dropping the entry silently.
  string package_id = 2;
  // The plugins (e.g. Detectors, Enrichers) that found this vuln.
  repeated string plugins = 3;
  // Signals that indicate this finding is not exploitable.
  repeated FindingExploitabilitySignal exploitability_signals = 4;
}

// Describes generic security findings not associated with any
// specific package, e.g. weak credentials.
message GenericFinding {
  // Removed field number; do not reuse.
  reserved 3;
  // Info specific to the finding. Should always be the same for the same type
  // of finding.
  GenericFindingAdvisory adv = 1;
  // Instance-specific info such as location of the vulnerable files.
  GenericFindingTargetDetails target = 2;
  // The plugins (e.g. Detectors, Enrichers) that found this vuln.
  repeated string plugins = 4;
  // Signals that indicate this finding is not exploitable.
  repeated FindingExploitabilitySignal exploitability_signals = 5;
}

// Describes a security finding and how to remediate it. It should not
// contain any information specific to the target (e.g. which files were
// found vulnerable).
// Keeping this target-independent is what makes `adv.id` usable as a
// deduplication key across scans; target-specific data belongs in
// GenericFindingTargetDetails.
message GenericFindingAdvisory {
  // Removed field numbers; do not reuse.
  reserved 2, 6;
  // A unique ID for the finding.
  AdvisoryId id = 1;
  string title = 3;
  string description = 4;
  // Remediation instructions, e.g. "update to latest version".
  string recommendation = 5;
  SeverityEnum sev = 7;
}

// A unique identifier per advisory.
message AdvisoryId {
  string publisher = 1;  // e.g. "CVE".
  string reference = 2;  // e.g. "CVE-2023-1234".
}

enum SeverityEnum {
  SEVERITY_UNSPECIFIED = 0;
  MINIMAL = 1;
  LOW = 2;
  MEDIUM = 3;
  HIGH = 4;
  CRITICAL = 5;
}

// Instance-specific details about the generic security finding.
message GenericFindingTargetDetails {
  // Removed field numbers; do not reuse.
  reserved 1, 2, 3;
  // Free-text info.
  // Produced by the detector from target data; may contain file paths or
  // other details that should be treated as untrusted text.
  string extra = 4;
}

// The additional data found in python packages.
message PythonPackageMetadata {
  string author = 1;
  string author_email = 2;
}

// The additional data found in npm packages.
message JavascriptPackageJSONMetadata {
  // Removed field number; do not reuse.
  reserved 4;

  string author = 1;
  repeated string maintainers = 2;
  repeated string contributors = 3;
  // Where the package was resolved from; see PackageSource.
  PackageSource source = 5;
}

// The source of the package.
// NOTE(review): the values are not prefixed with the enum name, so UNKNOWN /
// OTHER / LOCAL live directly in the `scalibr` scope and would collide with
// any other top-level enum that uses the same names. Renaming them now would
// break generated code and JSON, so keep the names unique instead.
enum PackageSource {
  UNKNOWN = 0;
  // PUBLIC_REGISTRY is the public NPM registry.
  PUBLIC_REGISTRY = 1;
  // OTHER is any other remote or private source (e.g. Github).
  // This is used for packages that are not found in the public NPM registry.
  OTHER = 2;
  // LOCAL is the local filesystem that stores the package versions.
  // This is used for when the package is locally-developed or -installed.
  LOCAL = 3;
}

// The additional data found in APK packages.
message APKPackageMetadata {
  // Removed field number (formerly "license"); do not reuse.
  reserved 7;

  string package_name = 1;
  string origin_name = 2;
  string os_id = 3;
  string os_version_id = 4;
  string maintainer = 5;
  string architecture = 6;

  reserved "license";
}

// The additional data found in DPKG packages.
// Next ID: 12
message DPKGPackageMetadata {
  string package_name = 1;
  // Source package name and version; these are what Debian advisories are
  // keyed on, so prefer them over package_name for vuln matching when set.
  string source_name = 2;
  string source_version = 3;
  string package_version = 4;
  string os_id = 5;
  string os_version_codename = 6;
  string os_version_id = 7;
  string maintainer = 8;
  string architecture = 9;
  // dpkg status string as recorded in the status file (format not defined
  // here - confirm against the extractor).
  string status = 10;
  string package_source = 11;
}

// The additional data found in RPM packages.
message RPMPackageMetadata {
  // Removed field number (formerly "license"); do not reuse.
  reserved 10;

  string package_name = 1;
  string source_rpm = 2;
  // RPM epoch; part of the version ordering (epoch:version-release).
  int32 epoch = 3;
  string os_id = 4;
  string os_version_id = 5;
  string os_build_id = 6;
  string os_name = 7;
  string vendor = 8;
  string architecture = 9;
  string os_pretty_name = 11;
  string os_cpe_name = 12;

  reserved "license";
}

// The additional data found in COS packages.
message COSPackageMetadata {
  string name = 1;
  string version = 2;
  string category = 3;
  string os_version = 4;
  string os_version_id = 5;
  string ebuild_version = 6;
}

// The additional data found in PACMAN packages.
message PACMANPackageMetadata {
  string package_name = 1;
  string package_version = 2;
  string os_id = 3;
  string os_version_id = 4;
  string package_description = 5;
  // Single string rather than a repeated field; the separator/format is not
  // defined here - confirm with the extractor before parsing it.
  string package_dependencies = 6;
}

// The additional data found in Nix packages.
message NixPackageMetadata {
  string package_name = 1;
  string package_version = 2;
  // Presumably the store-path hash from /nix/store/<hash>-<name> - confirm.
  string package_hash = 3;
  string package_output = 4;
  string os_id = 5;
  string os_version_codename = 6;
  string os_version_id = 7;
}

// The additional data found in .NET deps json packages.
message DEPSJSONMetadata {
  string package_name = 1;
  string package_version = 2;
  // Library type as recorded in the deps.json file (e.g. package vs project).
  string type = 3;
}

// The additional data found in SNAP packages.
message SNAPPackageMetadata {
  string name = 1;
  string version = 2;
  // Snap grade (e.g. stable/devel) as declared by the snap - confirm format
  // with the extractor.
  string grade = 3;
  string type = 4;
  repeated string architectures = 5;
  string os_id = 6;
  string os_version_codename = 7;
  string os_version_id = 8;
}

// The additional data found in portage packages.
message PortagePackageMetadata {
  string package_name = 1;
  string package_version = 2;
  string os_id = 3;
  string os_version_id = 4;
}

// The additional data found in Flatpak packages.
message FlatpakPackageMetadata {
  string package_name = 1;
  string package_id = 2;
  string package_version = 3;
  string release_date = 4;
  string os_name = 5;
  string os_id = 6;
  string os_version_id = 7;
  string os_build_id = 8;
  string developer = 9;
}

// The additional data found in MODULE packages.
// Describes a Linux kernel module (.ko) found on the target.
message KernelModuleMetadata {
  string package_name = 1;
  string package_version = 2;
  // The module's vermagic string; ties the module to a specific kernel build.
  string package_vermagic = 3;
  string package_source_version_identifier = 4;
  string os_id = 5;
  string os_version_codename = 6;
  string os_version_id = 7;
  string package_author = 8;
}

// The additional data found in Vmlinuz packages.
// Describes a compressed Linux kernel image found on the target.
message VmlinuzMetadata {
  string name = 1;
  string version = 2;
  string architecture = 3;
  string extended_version = 4;
  string format = 5;
  // Legacy boot-header device numbers; plain int32 as read from the image.
  int32 swap_device = 6;
  int32 root_device = 7;
  string video_mode = 8;
  string os_id = 9;
  string os_version_codename = 10;
  string os_version_id = 11;
  // Whether the root filesystem is mounted read-write at boot.
  bool rw_root_fs = 12;
}

// The additional data found in Mac Applications.
message MacAppsMetadata {
  // Values are read from the app bundle's Info.plist (presumably; confirm
  // with the extractor). They are attacker-controlled if the app is.
  string bundle_display_name = 1;
  string bundle_identifier = 2;
  string bundle_short_version_string = 3;
  string bundle_executable = 4;
  string bundle_name = 5;
  string bundle_package_type = 6;
  string bundle_signature = 7;
  string bundle_version = 8;
  string product_id = 9;
  // Self-declared update endpoint; untrusted URL, do not fetch it blindly.
  string update_url = 10;
}

// The additional data found in Macports packages.
message MacportsPackageMetadata {
  string package_name = 1;
  string package_version = 2;
  string package_revision = 3;
}

// The additional data for packages extracted from SPDX files.
// SBOM-derived packages: identifiers are whatever the SBOM author declared,
// not something the scanner verified on disk.
message SPDXPackageMetadata {
  Purl purl = 1;
  repeated string cpes = 2;
}

// The additional data for packages extracted from CDX files.
// Same caveat as SPDXPackageMetadata: declared, not verified.
message CDXPackageMetadata {
  Purl purl = 1;
  repeated string cpes = 2;
}

// The additional data found in Java JAR packages.
// NOTE(review): field number 1 is unused but not reserved; confirm it never
// shipped before assigning it.
message JavaArchiveMetadata {
  string artifact_id = 2;
  string group_id = 3;
  // SHA-1 of the archive, presumably used to look the artifact up in a
  // registry (e.g. Maven Central). SHA-1 is not collision-resistant, so do
  // not treat this as an integrity check.
  string sha1 = 4;
}

// The additional data found in Java lockfiles.
message JavaLockfileMetadata {
  string artifact_id = 1;
  string group_id = 2;
  repeated string dep_group_vals = 3;
  // True when the dependency is pulled in indirectly rather than declared
  // by the project.
  bool is_transitive = 4;
}

// The additional data for packages extracted by an OSV extractor wrapper.
message OSVPackageMetadata {
  string purl_type = 1;
  string commit = 2;
  string ecosystem = 3;
  string compare_as = 4;
}

// Metadata for a requirement parsed from a requirements.txt-style file.
message PythonRequirementsMetadata {
  // The --hash values attached to the requirement. A non-empty list means
  // pip's hash-checking mode pins the exact artifact, which is a useful
  // supply-chain signal.
  repeated string hash_checking_mode_values = 1;
  // The version operator used in the requirement (e.g. "==", ">=").
  string version_comparator = 2;
  // The raw requirement line as written in the file.
  string requirement = 3;
}

// Metadata for a dependency parsed from setup.py.
// NOTE(review): field number 1 is unused but not reserved; confirm it never
// shipped before assigning it.
message PythonSetupMetadata {
  string version_comparator = 2;
}

// Used to report open ports on a system.
message NetportsMetadata {
  uint32 port = 1;
  string protocol = 2;
  // Command line of the process listening on the port. Command lines often
  // carry credentials as arguments, so treat this field with the same care
  // as Inventory.secrets when sharing results.
  string command_line = 3;
}

// Metadata for a container known to containerd.
message ContainerdContainerMetadata {
  string namespace_name = 1;
  string image_name = 2;
  string image_digest = 3;
  string runtime = 4;
  int32 pid = 5;
  string snapshotter = 6;
  string snapshot_key = 7;
  // Host-side overlay directories for the container's filesystem.
  string lower_dir = 8;
  string upper_dir = 9;
  string work_dir = 10;
  string id = 11;
  string pod_name = 12;
  string pod_namespace = 13;
}

// Metadata for a running container as seen through the containerd runtime.
message ContainerdRuntimeContainerMetadata {
  string namespace_name = 1;
  string image_name = 2;
  string image_digest = 3;
  string runtime = 4;
  string id = 5;
  int32 pid = 6;
  // Host path of the container's root filesystem.
  string rootfs_path = 7;
}

message WindowsOSVersion {
  string product = 1;
  string full_version = 2;
}

// The additional data found in Homebrew packages.
// Intentionally empty: all identifying data lives on the Package itself.
message HomebrewPackageMetadata {}

// The additional data found in Chrome extensions.
message ChromeExtensionsMetadata {
  string name = 1;
  string description = 2;
  string author_email = 3;
  // Declared host and API permissions from the manifest. These are the main
  // review signal for an extension's blast radius.
  repeated string host_permissions = 4;
  int32 manifest_version = 5;
  string minimum_chrome_version = 6;
  repeated string permissions = 7;
  // Self-declared update endpoint; a non-default value usually means the
  // extension is side-loaded or enterprise-distributed.
  string update_url = 8;
}

// The additional data found in VSCode extensions.
message VSCodeExtensionsMetadata {
  string id = 1;
  string publisher_id = 2;
  string publisher_display_name = 3;
  string target_platform = 4;
  bool updated = 5;
  bool is_pre_release_version = 6;
  // Install time as a raw integer; the unit (seconds vs. milliseconds) is
  // not stated here - confirm with the extractor before interpreting.
  int64 installed_timestamp = 7;
}

// The additional data found in Podman containers.
message PodmanMetadata {
  // Exposed port number -> protocols it is exposed on. Map iteration order is
  // undefined; sort before producing stable output.
  map<uint32, Protocol> exposed_ports = 1;
  int32 pid = 2;
  string namespace_name = 3;
  google.protobuf.Timestamp started_time = 4;
  google.protobuf.Timestamp finished_time = 5;
  string status = 6;
  int32 exit_code = 7;
  bool exited = 8;
}

// Protocol names for a single exposed port (e.g. tcp, udp).
message Protocol {
  repeated string names = 1;
}

message DockerContainersMetadata {
  string image_name = 1;
  string image_digest = 2;
  string id = 3;
  repeated DockerPort ports = 4;
}

// A tool version managed by asdf.
message AsdfMetadata {
  string tool_name = 1;
  string tool_version = 2;
}

// A Node.js version managed by nvm.
// NOTE(review): field number 1 is unused but not reserved; confirm it never
// shipped before assigning it.
message NvmMetadata {
  string nodejs_version = 2;
}

// A Node.js version found from a node binary.
// Same note as NvmMetadata regarding field number 1.
message NodeVersionMetadata {
  string nodejs_version = 2;
}

// A port mapping of a Docker container.
message DockerPort {
  // Host IP the port is bound to.
  string ip = 1;
  uint32 private_port = 2;
  uint32 public_port = 3;
  string type = 4;
}

// The additional data found in Windows Package Manager (Winget) packages.
message WingetPackageMetadata {
  string name = 1;
  string id = 2;
  string version = 3;
  string moniker = 4;
  string channel = 5;
  repeated string tags = 6;
  repeated string commands = 7;
}

// A secret (i.e. credential) found by Veles secret scanning.
// The whole message is sensitive: `secret` usually carries the credential
// value itself and `locations` can repeat it (see ContainerCommand).
message Secret {
  SecretData secret = 1;
  // Result of validating the secret against its provider, if attempted.
  SecretStatus status = 2;
  // Where the secret was found.
  repeated Location locations = 3;
}

// One concrete secret type. Most variants store the raw credential value in
// a string field; GCPSAK is the exception and stores a derived signature by
// default. When adding a new type, prefer the GCPSAK approach (identifying
// data plus a derived value) over storing the raw secret where the use case
// allows it.
message SecretData {
  // NOTE(review): field number 32 is unused but not reserved; confirm it never
  // shipped before assigning it.
  oneof secret {
    GCPSAK gcpsak = 1;
    AnthropicWorkspaceAPIKey anthropic_workspace_api_key = 2;
    AnthropicModelAPIKey anthropic_model_api_key = 3;
    PerplexityAPIKey perplexity = 4;
    PrivateKey private_key = 5;
    GrokXAIAPIKey grok_xai_api_key = 6;
    GrokXAIManagementAPIKey grok_xai_management_api_key = 7;
    DockerHubPat docker_hub_pat = 8;
    DigitalOceanAPIToken digitalocean = 9;
    OpenAIAPIKey openai_api_key = 10;
    PostmanAPIKey postman_api_key = 11;
    PostmanCollectionAccessToken postman_collection_access_token = 12;
    AzureAccessToken azure_access_token = 13;
    AzureIdentityToken azure_identity_token = 14;
    TinkKeyset tink_keyset = 15;
    GitlabPat gitlab_pat = 16;
    HashiCorpVaultToken hashicorp_vault_token = 17;
    HashiCorpVaultAppRoleCredentials hashicorp_vault_app_role_credentials = 18;
    GCPAPIKey gcp_api_key = 19;
    // NOTE(review): the field name is misspelled ("hugginface"). Renaming it
    // would change the JSON key and generated accessors, so it is left as is.
    HuggingfaceAPIKey hugginface = 20;
    GithubAppRefreshToken github_app_refresh_token = 21;
    StripeSecretKey stripe_secret_key = 22;
    StripeRestrictedKey stripe_restricted_key = 23;
    StripeWebhookSecret stripe_webhook_secret = 24;
    GCPOAuth2ClientCredentials gcp_oauth2_client_credentials = 25;
    GCPOAuth2AccessToken gcp_oauth2_access_token = 26;
    GithubAppServerToServerToken github_app_server_to_server_token = 27;
    GithubClassicPersonalAccessToken github_classic_personal_access_token = 28;
    GithubFineGrainedPersonalAccessToken
        github_fine_grained_personal_access_token = 29;
    GithubAppUserToServerToken github_app_user_to_server_token = 30;
    GithubOAuthToken github_oauth_token = 31;
    SlackAppConfigRefreshToken slack_app_config_refresh_token = 33;
    SlackAppLevelToken slack_app_level_token = 34;
    SlackAppConfigAccessToken slack_app_config_access_token = 35;
    AzureStorageAccountAccessKey azure_storage_account_access_key = 36;
    HashiCorpCloudPlatformCredentials hashicorp_cloud_platform_credentials = 37;
    HashiCorpCloudPlatformToken hashicorp_cloud_platform_token = 38;
    OnePasswordSecretKey onepassword_secret_key = 39;
    OnePasswordServiceToken onepassword_service_token = 40;
    OnePasswordRecoveryCode onepassword_recovery_code = 41;
    OnePasswordConnectToken onepassword_connect_token = 42;
    Pgpass pgpass = 43;
    PyPIAPIToken pypi = 44;
    CratesIOAPIToken crates_io_api_token = 45;
    MariaDBCredentials maria_db_credentials = 46;
    GCSHmacKey gcs_hmac_key = 47;
    MysqlMyloginSection mysql_mylogin_section = 48;
    VapidKey vapid_key = 49;
    AwsAccessKeyCredentials aws_access_key_credentials = 50;
    ReCaptchaKey re_captcha_key = 51;
    PyxKeyV1 pyx_key_v1 = 52;
    PyxKeyV2 pyx_key_v2 = 53;
    CodeCatalystCredentials code_catalyst_credentials = 54;
    JWTToken jwt_token = 55;
  }

  // A GCP service account key (JSON key file).
  message GCPSAK {
    // Always filled.
    string private_key_id = 1;
    string client_email = 2;
    // Derived from the private_key so the key can be validated without the
    // key itself being stored; how it is derived is defined by the detector,
    // not here.
    bytes signature = 3;  // derived from the private_key for validation

    // Filled only when explicitly requested.
    string type = 4;
    string project_id = 5;
    string client_id = 6;
    string auth_uri = 7;
    string token_uri = 8;
    string auth_provider_x509_cert_url = 9;
    string client_x509_cert_url = 10;
    string universe_domain = 11;

    // Should not be filled out unless very explicitly requested accepting the
    // risk that this might accidentally leak the key.
    string private_key = 12;
  }

  message JWTToken {
    // a generic JWT token
    // Stored verbatim; a signed JWT is a bearer credential until it expires.
    string token = 1;
  }

  message AnthropicWorkspaceAPIKey {
    // The Anthropic Workspace API key (contains "admin01").
    string key = 1;
  }

  message AnthropicModelAPIKey {
    // The Anthropic Model API key (regular API key for model access).
    string key = 1;
  }

  message PerplexityAPIKey {
    string key = 1;
  }

  message GrokXAIAPIKey {
    string key = 1;
  }

  message GrokXAIManagementAPIKey {
    string key = 1;
  }

  message AzureStorageAccountAccessKey {
    string key = 1;
  }

  // A private key found on disk. Both fields hold the complete key material
  // - unlike GCPSAK there is no derived-only mode - so a result containing
  // this message is as sensitive as the key file itself.
  message PrivateKey {
    string block = 1;  // PEM/OpenSSH private key block
    bytes der = 2;  // DER-encoded key material
  }

  message AzureAccessToken {
    string token = 1;
  }

  // One entry of a PostgreSQL ~/.pgpass file.
  message Pgpass {
    string hostname = 1;
    string port = 2;
    string database = 3;
    string username = 4;
    // Plaintext password as written in the file.
    string password = 5;
  }

  // Credentials from a MariaDB/MySQL client config section.
  // NOTE(review): field number 3 is unused but not reserved; confirm it never
  // shipped before assigning it.
  message MariaDBCredentials {
    string host = 1;
    string port = 2;
    string user = 4;
    // Plaintext password as written in the file.
    string password = 5;
    string section = 6;
  }

  message AzureIdentityToken {
    string token = 1;
  }

  message OpenAIAPIKey {
    string key = 1;
  }

  // A Docker Hub personal access token together with the account it belongs
  // to.
  message DockerHubPat {
    string pat = 1;
    string username = 2;
  }

  message GitlabPat {
    string pat = 1;
  }

  message SlackAppLevelToken {
    string token = 1;
  }

  message SlackAppConfigAccessToken {
    string token = 1;
  }

  message SlackAppConfigRefreshToken {
    string token = 1;
  }

  message PostmanAPIKey {
    string key = 1;
  }

  message PostmanCollectionAccessToken {
    string key = 1;
  }

  message DigitalOceanAPIToken {
    string key = 1;
  }

  message CratesIOAPIToken {
    string token = 1;
  }

  message GithubAppRefreshToken {
    string token = 1;
  }

  message GithubAppServerToServerToken {
    string token = 1;
  }

  message GithubClassicPersonalAccessToken {
    string token = 1;
  }

  message GithubFineGrainedPersonalAccessToken {
    string token = 1;
  }

  message GithubOAuthToken {
    string token = 1;
  }

  message GithubAppUserToServerToken {
    string token = 1;
  }

  message PyPIAPIToken {
    string token = 1;
  }

  // A Tink keyset. A cleartext keyset JSON contains the raw key bytes, so
  // this is key material, not just a handle.
  message TinkKeyset {
    string content = 1;  // JSON encoded Tink keyset
  }

  message HashiCorpVaultToken {
    string token = 1;
  }

  // Vault AppRole login material. role_id alone is not secret; secret_id is.
  message HashiCorpVaultAppRoleCredentials {
    string role_id = 1;
    string secret_id = 2;
    string id = 3;  // General ID field for uncertain UUID types when context is unclear
  }

  message GCPAPIKey {
    string key = 1;
  }

  message HuggingfaceAPIKey {
    string key = 1;
    // Token role and fine-grained scopes, when the detector could determine
    // them; useful for judging the blast radius of a leaked key.
    string role = 2;
    repeated string fine_grained_scope = 3;
  }

  message HashiCorpCloudPlatformCredentials {
    string client_id = 1;
    string client_secret = 2;
  }

  message HashiCorpCloudPlatformToken {
    string token = 1;
    // Optional identity enrichment fields populated when available
    string organization_id = 2;
    string project_id = 3;
    string principal_id = 4;
    string principal_type = 5;
    string service_name = 6;
    string user_id = 7;
    string user_email = 8;
    repeated string group_ids = 9;
  }

  message StripeSecretKey {
    string key = 1;
  }

  message StripeRestrictedKey {
    string key = 1;
  }

  message StripeWebhookSecret {
    string key = 1;
  }

  message GCPOAuth2ClientCredentials {
    // GCP OAuth2 client ID in format:
    // `12345678901-abcdefghijklmnopqrstuvwxyz.apps.googleusercontent.com`
    string id = 1;
    // GCP OAuth2 client secret, typically 24+ character alphanumeric string
    // prefixed with `GOCSPX-`
    string secret = 2;
  }

  message GCPOAuth2AccessToken {
    // GCP OAuth2 access token, typically in format:
    // "ya29.[alphanumeric_string]"
    string token = 1;
  }

  // A GCS HMAC key pair. access_id identifies the key; secret is the
  // credential.
  message GCSHmacKey {
    string access_id = 1;
    string secret = 2;
  }

  // One section of a MySQL .mylogin.cnf file (stored obfuscated on disk, but
  // held here in the clear).
  message MysqlMyloginSection {
    string section_name = 1;
    string user = 2;
    string password = 3;
    string host = 4;
    string port = 5;
    string socket = 6;
  }

  // A VAPID (Web Push) key pair. private_b64 is the secret half.
  message VapidKey {
    string private_b64 = 1;
    string public_b64 = 2;
  }

  // The fields of a 1Password Connect server token. The credential payload is
  // stored encrypted in the token, but the token as a whole is still what a
  // Connect server authenticates with, so treat every field as sensitive.
  message OnePasswordConnectToken {
    // Device UUID from the token JSON.
    string device_uuid = 1;
    // Version field from the token JSON.
    string version = 2;
    // Encrypted payload data (from encCredentials.data).
    string encrypted_data = 3;
    // Key ID used to encrypt the credentials (encCredentials.kid).
    string encryption_key_id = 4;
    // Initialization vector (encCredentials.iv).
    string iv = 5;
    // Unique key kid (uniqueKey.kid).
    string unique_key_id = 6;
    // Verifier salt (verifier.salt).
    string verifier_salt = 7;
    // Verifier local hash (verifier.localHash).
    string verifier_local_hash = 8;
  }

  message OnePasswordSecretKey {
    string key = 1;
  }
  message OnePasswordServiceToken {
    string key = 1;
  }

  message OnePasswordRecoveryCode {
    string key = 1;
  }

  // An AWS access key pair. access_id identifies the key; secret is the
  // credential.
  message AwsAccessKeyCredentials {
    string access_id = 1;
    string secret = 2;
  }

  message ReCaptchaKey {
    string secret = 1;
  }
  message PyxKeyV1 {
    string key = 1;
  }

  message PyxKeyV2 {
    string key = 1;
  }

  // Only the URL is recorded here; presumably it is what identifies the
  // credential (e.g. a clone URL carrying a token) - confirm with the
  // detector.
  message CodeCatalystCredentials{
    string url = 1;
  }
}

// Result of checking a found secret against its provider.
message SecretStatus {
  SecretStatusEnum status = 1;
  google.protobuf.Timestamp last_updated = 2;

  enum SecretStatusEnum {
    // The default value for SecretStatusEnum. Set when no validation was
    // attempted.
    UNSPECIFIED = 0;
    // Deprecated. Use UNSPECIFIED instead.
    UNKNOWN = 1 [deprecated = true];
    // The secret is confirmed to be invalid.
    INVALID = 2;
    // The secret is confirmed to be valid.
    // A VALID secret is a live credential and should be rotated; how
    // validation is performed is not defined in this schema, but a check
    // that exercises the credential is presumably visible to the provider.
    VALID = 3;
    // Validating the secret is not supported by the scanner.
    UNSUPPORTED = 4;
    // Validation is supported but the validation failed.
    // Distinct from INVALID: the check itself could not complete (e.g. a
    // network error), so the secret may still be live.
    FAILED = 5;
  }
}

// Where a secret was found.
message Location {
  oneof location {
    Filepath filepath = 1;
    FilepathWithLayerDetails filepath_with_layer_details = 2;
    EnvironmentVariable environment_variable = 3;
    ContainerCommand container_command = 4;
  }
}

message Filepath {
  string path = 1;
}

// A file path inside a container image, together with the layer it came
// from (useful for deciding whether a secret was baked into a base image).
message FilepathWithLayerDetails {
  string path = 1;
  LayerDetails layer_details = 2;
}

// Only the variable name is recorded, not its value.
message EnvironmentVariable {
  string name = 1;
}

// The container command a secret was found in. The command string likely
// contains the secret literal itself, so redact it together with the secret.
message ContainerCommand {
  string command = 1;
}

message ContainerImageMetadata {
  // Presumably the index of this entry in Inventory.container_image_metadata
  // (what Package.ContainerImageMetadataIndexes.container_image_index refers
  // to) - confirm.
  int32 index = 1;
  // Layers are ordered from the earliest to the latest.
  repeated LayerMetadata layer_metadata = 2;
  // The base images that make up the chain.
  // The first base image is always empty, acting as a placeholder for the
  // scanned image itself. If the scanned image is a base image, there will be
  // no layers pointing to the first base image.
  //
  // The base images are ordered from the biggest base image containing all base
  // images to the smallest. e.g. [empty, postgresql, alpine]
  repeated BaseImageChain base_image_chains = 3;

  // Key value map of OS info from /etc/os-release.
  // Read from the image, so values are untrusted text.
  map<string, string> os_info = 4;
}

message BaseImageChain {
  // List of potential base images (repositories that have a matching ChainID).
  // A ChainID match identifies layer content, not provenance: several
  // repositories can share identical layers, hence "potential".
  repeated BaseImageDetails base_images = 1;
  // Chain ID of the last layer in the image.
  string chain_id = 2;
}

message BaseImageDetails {
  // Name of the image. (e.g. `debian`, `circleci/node`)
  string repository = 1;
  // Name of the registry. (e.g. `docker.io`, `ghcr.io`)
  string registry = 2;
  // Name of the plugin used to extract the base image.
  string plugin = 3;
}

message LayerMetadata {
  // The index of the layer within the ContainerImageMetadata.layer_metadata
  // field.
  int32 index = 1;
  string diff_id = 2;
  string chain_id = 3;
  // The command that was used to build the layer.
  // May embed build-time secrets (ARG/ENV values); treat as sensitive.
  string command = 4;
  // Whether the layer is empty (currently always false).
  bool is_empty = 5;
  // The index of the base image match within the
  // ContainerImageMetadata.base_image_chains field.
  // Plain int32 with no range guarantee; bounds-check before dereferencing.
  int32 base_image_index = 6;
}