diff --git a/specification/DigitalOcean-public.v2.yaml b/specification/DigitalOcean-public.v2.yaml index da7dd470..fe0d054b 100644 --- a/specification/DigitalOcean-public.v2.yaml +++ b/specification/DigitalOcean-public.v2.yaml @@ -70,7 +70,7 @@ tags: - name: Billing description: |- - The billing endpoints allow you to retrieve your account balance, invoices, + The billing endpoints allow you to retrieve your account balance, invoices, billing history, and insights. **Balance:** By sending requests to the `/v2/customers/my/balance` endpoint, you can @@ -88,13 +88,13 @@ tags: issued, or credits granted. To interact with invoices, you will generally send requests to the invoices endpoint at `/v2/customers/my/billing_history`. - - **Billing Insights:** Day-over-day changes in billing resource usage based on nightly invoice items, - including total amount, region, SKU, and description for a specified date range. - It is important to note that the daily resource usage may not reflect month-end billing totals when totaled for + + **Billing Insights:** Day-over-day changes in billing resource usage based on nightly invoice items, + including total amount, region, SKU, and description for a specified date range. + It is important to note that the daily resource usage may not reflect month-end billing totals when totaled for a given month as nightly invoice items do not necessarily encompass all invoicing factors for the entire month. - `v2/billing/{account_urn}/insights/{start_date}/{end_date}` where account_urn is the URN of the customer - account, can be a team (do:team:uuid) or an organization (do:teamgroup:uuid). The date range specified by + `v2/billing/{account_urn}/insights/{start_date}/{end_date}` where account_urn is the URN of the customer + account, can be a team (do:team:uuid) or an organization (do:teamgroup:uuid). The date range specified by start_date and end_date must be in YYYY-MM-DD format. - name: Block Storage @@ -124,7 +124,7 @@ tags: - name: "BYOIP Prefixes" description: |- Bring your own IP (BYOIP) lets you provision your own IPv4 network prefixes - to your account, then assign those IPs to your DigitalOcean resources. + to your account, then assign those IPs to your DigitalOcean resources. BYOIP supports the following features: * IPv4 addresses * Network sizes of anywhere from `/24` (256 addresses) to `/18` (16,384 addresses) @@ -170,10 +170,10 @@ tags: - name: Container Registries description: |- - DigitalOcean now supports up to nine additional registries (for a total maximum of 10) per team - if your container registry uses the Professional subscription plan. The storage is shared among - the registries. This set of new APIs is backward compatible with `/v2/registry`. However, if you - create more than one registry under a Professional plan, some of the `/v2/registry` APIs would not work. + DigitalOcean now supports up to nine additional registries (for a total maximum of 10) per team + if your container registry uses the Professional subscription plan. The storage is shared among + the registries. This set of new APIs is backward compatible with `/v2/registry`. However, if you + create more than one registry under a Professional plan, some of the `/v2/registry` APIs would not work. Hence, it is recommended to use `/v2/registries` for multiple registries. - name: Databases @@ -400,7 +400,7 @@ tags: - name: NFS description: |- - NFS lets you create fully managed, POSIX-compliant network file storage that delivers secure, + NFS lets you create fully managed, POSIX-compliant network file storage that delivers secure, high-performance shared storage right inside your VPC. This enables seamless data sharing across Droplets in a VPC. - name: NFS Actions @@ -521,6 +521,10 @@ tags: An action object is returned. These objects hold the current status of the requested action. + - name: Security + description: |- + Security CSPM endpoints for scans, scan findings, and settings. + - name: Sizes description: |- The sizes objects represent different packages of hardware resources that @@ -636,17 +640,17 @@ paths: /v2/add-ons/apps: get: $ref: "resources/addons/addons_get_app.yml" - + /v2/add-ons/apps/{app_slug}/metadata: get: $ref: "resources/addons/addons_get_app_metadata.yml" - + /v2/add-ons/saas: get: $ref: "resources/addons/addons_list.yml" post: $ref: "resources/addons/addons_create.yml" - + /v2/add-ons/saas/{resource_uuid}: get: $ref: "resources/addons/addons_get.yml" @@ -721,7 +725,7 @@ paths: /v2/apps/{app_id}/job-invocations: get: - $ref: "resources/apps/apps_list_job_invocations.yml" + $ref: "resources/apps/apps_list_job_invocations.yml" /v2/apps/{app_id}/job-invocations/{job_invocation_id}: get: @@ -1795,13 +1799,13 @@ paths: /v2/nfs/{nfs_id}/actions: post: $ref: "resources/nfs/nfs_actions_create.yml" - + /v2/nfs/snapshots: get: $ref: "resources/nfs/nfs_snapshot_list.yml" /v2/nfs/snapshots/{nfs_snapshot_id}: - get: + get: $ref: "resources/nfs/nfs_snapshot_get.yml" delete: @@ -2088,6 +2092,45 @@ paths: get: $ref: "resources/byoip_prefixes/byoip_prefix_list_resources.yml" + /v2/security/scans: + get: + $ref: "resources/security/security_scans_list.yml" + + post: + $ref: "resources/security/security_scans_create.yml" + + /v2/security/scans/{scan_id}: + get: + $ref: "resources/security/security_scans_get.yml" + + /v2/security/scans/latest: + get: + $ref: "resources/security/security_scans_get_latest.yml" + + /v2/security/scans/rules: + post: + $ref: "resources/security/security_scan_rule_create.yml" + + /v2/security/scans/{scan_id}/findings/{finding_uuid}/affected_resources: + get: + $ref: "resources/security/security_scan_finding_list_affected_resources.yml" + + /v2/security/settings: + get: + $ref: "resources/security/security_settings_list.yml" + + /v2/security/settings/plan: + put: + $ref: "resources/security/security_settings_plan_update.yml" + + /v2/security/settings/suppressions: + post: + $ref: "resources/security/security_suppression_create.yml" + + /v2/security/settings/suppressions/{suppression_uuid}: + delete: + $ref: "resources/security/security_suppression_delete.yml" + /v2/sizes: get: $ref: "resources/sizes/sizes_list.yml" @@ -2527,7 +2570,7 @@ paths: /v2/gen-ai/knowledge_bases/{knowledge_base_uuid}/data_sources/{data_source_uuid}: put: $ref: 'resources/gen-ai/genai_update_knowledge_base_data_source.yml' - + delete: $ref: 'resources/gen-ai/genai_delete_knowledge_base_data_source.yml' diff --git a/specification/resources/security/examples/curl/security_scan_finding_list_affected_resources.yml b/specification/resources/security/examples/curl/security_scan_finding_list_affected_resources.yml new file mode 100644 index 00000000..347d6aff --- /dev/null +++ b/specification/resources/security/examples/curl/security_scan_finding_list_affected_resources.yml @@ -0,0 +1,6 @@ +lang: cURL +source: |- + curl -X GET \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \ + "https://api.digitalocean.com/v2/security/scans/497dcba3-ecbf-4587-a2dd-5eb0665e6880/findings/50e14f43-dd4e-412f-864d-78943ea28d91/affected_resources" diff --git a/specification/resources/security/examples/curl/security_scan_rule_create.yml b/specification/resources/security/examples/curl/security_scan_rule_create.yml new file mode 100644 index 00000000..a5d5b4ad --- /dev/null +++ b/specification/resources/security/examples/curl/security_scan_rule_create.yml @@ -0,0 +1,7 @@ +lang: cURL +source: |- + curl -X POST \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \ + -d '{"resource": "do:droplet:fe3a2fd7-903d-46e6-ada3-3e4f285fb89d"}' \ + "https://api.digitalocean.com/v2/security/scans/rules" diff --git a/specification/resources/security/examples/curl/security_scans_create.yml b/specification/resources/security/examples/curl/security_scans_create.yml new file mode 100644 index 00000000..b963b171 --- /dev/null +++ b/specification/resources/security/examples/curl/security_scans_create.yml @@ -0,0 +1,6 @@ +lang: cURL +source: |- + curl -X POST \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \ + "https://api.digitalocean.com/v2/security/scans" diff --git a/specification/resources/security/examples/curl/security_scans_get.yml b/specification/resources/security/examples/curl/security_scans_get.yml new file mode 100644 index 00000000..6459df3a --- /dev/null +++ b/specification/resources/security/examples/curl/security_scans_get.yml @@ -0,0 +1,6 @@ +lang: cURL +source: |- + curl -X GET \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \ + "https://api.digitalocean.com/v2/security/scans/497dcba3-ecbf-4587-a2dd-5eb0665e6880" diff --git a/specification/resources/security/examples/curl/security_scans_get_latest.yml b/specification/resources/security/examples/curl/security_scans_get_latest.yml new file mode 100644 index 00000000..ce3f1b95 --- /dev/null +++ b/specification/resources/security/examples/curl/security_scans_get_latest.yml @@ -0,0 +1,6 @@ +lang: cURL +source: |- + curl -X GET \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \ + "https://api.digitalocean.com/v2/security/scans/latest" diff --git a/specification/resources/security/examples/curl/security_scans_list.yml b/specification/resources/security/examples/curl/security_scans_list.yml new file mode 100644 index 00000000..c5230e0e --- /dev/null +++ b/specification/resources/security/examples/curl/security_scans_list.yml @@ -0,0 +1,6 @@ +lang: cURL +source: |- + curl -X GET \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \ + "https://api.digitalocean.com/v2/security/scans" diff --git a/specification/resources/security/examples/curl/security_settings_list.yml b/specification/resources/security/examples/curl/security_settings_list.yml new file mode 100644 index 00000000..910ebad9 --- /dev/null +++ b/specification/resources/security/examples/curl/security_settings_list.yml @@ -0,0 +1,6 @@ +lang: cURL +source: |- + curl -X GET \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \ + "https://api.digitalocean.com/v2/security/settings" diff --git a/specification/resources/security/examples/curl/security_settings_plan_update.yml b/specification/resources/security/examples/curl/security_settings_plan_update.yml new file mode 100644 index 00000000..db914f7e --- /dev/null +++ b/specification/resources/security/examples/curl/security_settings_plan_update.yml @@ -0,0 +1,7 @@ +lang: cURL +source: |- + curl -X PUT \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \ + -d '{"tier_coverage":{"basic":{"resources":["do:droplet:fe3a2fd7-903d-46e6-ada3-3e4f285fb89d"],"tags":["production"]}}}' \ + "https://api.digitalocean.com/v2/security/settings/plan" diff --git a/specification/resources/security/examples/curl/security_suppression_create.yml b/specification/resources/security/examples/curl/security_suppression_create.yml new file mode 100644 index 00000000..a017c12b --- /dev/null +++ b/specification/resources/security/examples/curl/security_suppression_create.yml @@ -0,0 +1,7 @@ +lang: cURL +source: |- + curl -X POST \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \ + -d '{"rule_uuid":"497dcba3-ecbf-4587-a2dd-5eb0665e6880","resources":["do:droplet:fe3a2fd7-903d-46e6-ada3-3e4f285fb89d"]}' \ + "https://api.digitalocean.com/v2/security/settings/suppressions" diff --git a/specification/resources/security/examples/curl/security_suppression_delete.yml b/specification/resources/security/examples/curl/security_suppression_delete.yml new file mode 100644 index 00000000..1b83fd79 --- /dev/null +++ b/specification/resources/security/examples/curl/security_suppression_delete.yml @@ -0,0 +1,6 @@ +lang: cURL +source: |- + curl -X DELETE \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \ + "https://api.digitalocean.com/v2/security/settings/suppressions/5b3b2b2d-5c9c-4a61-9e2f-4d8f80f30a12" diff --git a/specification/resources/security/models/scan.yml b/specification/resources/security/models/scan.yml new file mode 100644 index 00000000..2fefd8ae --- /dev/null +++ b/specification/resources/security/models/scan.yml @@ -0,0 +1,242 @@ +scan: + type: object + properties: + id: + title: id + type: string + example: 760e09ef-dc84-11e8-981e-3cfdfeaae000 + description: The unique identifier for the scan. + status: + title: status + type: string + enum: + - IN_PROGRESS + - COMPLETED + - FAILED + - CSPM_NOT_ENABLED + - SCAN_NOT_RUN + example: COMPLETED + description: The status of the scan. + created_at: + title: created_at + type: string + format: date-time + example: "2025-12-04T00:00:00Z" + description: When scan was created. + findings: + title: findings + type: array + items: + type: object + description: The results of the scan. + properties: + rule_uuid: + title: rule_uuid + type: string + example: 760e09ef-dc84-11e8-981e-3cfdfeaae000 + description: The unique identifier for the rule that triggered the finding. + name: + title: name + type: string + example: All Firewall Ports Exposed to a Source + description: The name of the rule that triggered the finding. + details: + title: details + type: string + example: |- + The Cloud Firewall protecting this Droplet includes a rule that allows traffic on all + ports for one or more protocols. Even if sources are restricted, this overly + permissive configuration can expose sensitive internal or administrative services. + description: A description of the risk associated with the finding. + found_at: + title: found_at + type: string + format: date-time + example: "2025-12-04T00:00:00Z" + description: When the finding was discovered. + severity: + title: severity + type: string + enum: + - CRITICAL + - HIGH + - MEDIUM + - LOW + example: CRITICAL + description: The severity of the finding. + business_impact: + title: business_impact + type: string + example: |- + Without at least one completed backup, any critical event such as hardware failure, + ransomware, or accidental deletion could result in permanent data loss. This can lead + to downtime, expensive recovery efforts, and loss of customer trust. Until a backup + successfully completes, your environment remains unprotected. + description: A description of the business impact of the finding. + technical_details: + title: technical_details + type: string + example: |- + DigitalOcean's backup service automatically runs on a weekly schedule. This condition + can occur for two main reasons:\n- The Droplet is newly created and its first scheduled + backup window hasn't run yet, or\n- A previous backup attempt failed. In both cases, + no backup image currently exists in your account, leaving the Droplet without a + restorable recovery point managed by the platform. + description: A description of the technical details related to the finding. + mitigation_steps: + title: mitigation_steps + type: array + items: + type: object + properties: + step: + title: step + type: integer + example: 1 + title: + title: title + type: string + example: Enable backups + description: + title: description + type: string + example: Turn on automated backups for this Droplet. + description: The mitigation steps to resolve the finding. + affected_resources_count: + title: affected_resources_count + type: integer + example: 12 + description: The number of affected resources for the finding. + +affected_resource: + type: object + properties: + urn: + title: urn + type: string + example: do:droplet:760e09ef-dc84-11e8-981e-3cfdfeaae000 + description: The URN for the affected resource. + name: + title: name + type: string + example: Test Droplet + description: The name of the affected resource. + type: + title: type + type: string + example: Droplet + description: The type of the affected resource. + +suppressed_resource: + type: object + properties: + id: + title: id + type: string + example: 760e09ef-dc84-11e8-981e-3cfdfeaae000 + description: Unique identifier for the suppressed resource. + rule_uuid: + title: rule_uuid + type: string + example: 460e09ef-dc84-11e8-981e-3cfdfeaae000 + description: Unique identifier for the suppressed rule. + rule_name: + title: rule_name + type: string + example: Droplet Backups Not Enabled + description: Human-readable rule name for the suppressed rule. + resource_id: + title: resource_id + type: string + example: "123" + description: Unique identifier for the resource suppressed. + resource_type: + title: resource_type + type: string + example: Droplet + description: Resource type for the resource suppressed. + +suppressed_resource_root: + type: object + properties: + resources: + type: array + items: + $ref: '#/suppressed_resource' + meta: + type: object + properties: + page: + type: integer + example: 1 + pages: + type: integer + example: 3 + total: + type: integer + example: 25 + links: + type: object + properties: + pages: + type: object + properties: + first: + type: string + example: https://api.digitalocean.com/v2/security/settings/suppressions?page=1 + prev: + type: string + example: https://api.digitalocean.com/v2/security/settings/suppressions?page=1 + next: + type: string + example: https://api.digitalocean.com/v2/security/settings/suppressions?page=2 + last: + type: string + example: https://api.digitalocean.com/v2/security/settings/suppressions?page=3 + +plan_downgrades: + type: object + description: Resources moving to a tier at a given effective time. + properties: + resources: + type: array + items: + type: string + description: URNs of resources that will be downgraded. + example: + - do:droplet:fe3a2fd7-903d-46e6-ada3-3e4f285fb89d + effective_at: + type: string + format: date-time + description: When the coverage downgrade takes effect. + example: "2025-12-01T00:00:00Z" + +settings: + type: object + properties: + settings: + type: object + properties: + suppressions: + $ref: '#/suppressed_resource_root' + tier_coverage: + type: object + additionalProperties: + type: object + properties: + resources: + type: array + items: + type: string + example: + - do:droplet:fe3a2fd7-903d-46e6-ada3-3e4f285fb89d + tags: + type: array + items: + type: string + example: + - production + plan_downgrades: + type: object + additionalProperties: + $ref: '#/plan_downgrades' diff --git a/specification/resources/security/parameters.yml b/specification/resources/security/parameters.yml new file mode 100644 index 00000000..cd5b7db8 --- /dev/null +++ b/specification/resources/security/parameters.yml @@ -0,0 +1,43 @@ +severity: + in: query + name: severity + required: false + description: The finding severity level to include. + schema: + type: string + enum: + - LOW + - MEDIUM + - HIGH + - CRITICAL + example: CRITICAL + +scan_id: + in: path + name: scan_id + description: The scan UUID. + required: true + schema: + type: string + format: uuid + example: 497dcba3-ecbf-4587-a2dd-5eb0665e6880 + +finding_uuid: + in: path + name: finding_uuid + description: The finding UUID. + required: true + schema: + type: string + format: uuid + example: 50e14f43-dd4e-412f-864d-78943ea28d91 + +suppression_uuid: + in: path + name: suppression_uuid + description: The suppression UUID to remove. + required: true + schema: + type: string + format: uuid + example: 5b3b2b2d-5c9c-4a61-9e2f-4d8f80f30a12 diff --git a/specification/resources/security/responses/affected_resources.yml b/specification/resources/security/responses/affected_resources.yml new file mode 100644 index 00000000..9c389886 --- /dev/null +++ b/specification/resources/security/responses/affected_resources.yml @@ -0,0 +1,19 @@ +description: The response will be a JSON object with a key called `affected_resources`. + +headers: + ratelimit-limit: + $ref: '../../../shared/headers.yml#/ratelimit-limit' + ratelimit-remaining: + $ref: '../../../shared/headers.yml#/ratelimit-remaining' + ratelimit-reset: + $ref: '../../../shared/headers.yml#/ratelimit-reset' + +content: + application/json: + schema: + type: object + properties: + affected_resources: + type: array + items: + $ref: '../models/scan.yml#/affected_resource' diff --git a/specification/resources/security/responses/scan.yml b/specification/resources/security/responses/scan.yml new file mode 100644 index 00000000..c8fe565a --- /dev/null +++ b/specification/resources/security/responses/scan.yml @@ -0,0 +1,17 @@ +description: The response will be a JSON object with a key called `scan`. + +headers: + ratelimit-limit: + $ref: '../../../shared/headers.yml#/ratelimit-limit' + ratelimit-remaining: + $ref: '../../../shared/headers.yml#/ratelimit-remaining' + ratelimit-reset: + $ref: '../../../shared/headers.yml#/ratelimit-reset' + +content: + application/json: + schema: + type: object + properties: + scan: + $ref: '../models/scan.yml#/scan' diff --git a/specification/resources/security/responses/scans.yml b/specification/resources/security/responses/scans.yml new file mode 100644 index 00000000..c912c4bd --- /dev/null +++ b/specification/resources/security/responses/scans.yml @@ -0,0 +1,23 @@ +description: The response will be a JSON object with a key called `scans`. This will be set to + an array of objects, each of which will contain the standard attributes associated with a scan. + +headers: + ratelimit-limit: + $ref: '../../../shared/headers.yml#/ratelimit-limit' + ratelimit-remaining: + $ref: '../../../shared/headers.yml#/ratelimit-remaining' + ratelimit-reset: + $ref: '../../../shared/headers.yml#/ratelimit-reset' + +content: + application/json: + schema: + allOf: + - type: object + properties: + scans: + type: array + items: + $ref: '../models/scan.yml#/scan' + - $ref: '../../../shared/pages.yml#/pagination' + - $ref: '../../../shared/meta.yml' diff --git a/specification/resources/security/responses/settings.yml b/specification/resources/security/responses/settings.yml new file mode 100644 index 00000000..22e861c3 --- /dev/null +++ b/specification/resources/security/responses/settings.yml @@ -0,0 +1,14 @@ +description: The response will be a JSON object with scan settings. + +headers: + ratelimit-limit: + $ref: '../../../shared/headers.yml#/ratelimit-limit' + ratelimit-remaining: + $ref: '../../../shared/headers.yml#/ratelimit-remaining' + ratelimit-reset: + $ref: '../../../shared/headers.yml#/ratelimit-reset' + +content: + application/json: + schema: + $ref: '../models/scan.yml#/settings' diff --git a/specification/resources/security/responses/suppressed_resources.yml b/specification/resources/security/responses/suppressed_resources.yml new file mode 100644 index 00000000..92125b69 --- /dev/null +++ b/specification/resources/security/responses/suppressed_resources.yml @@ -0,0 +1,14 @@ +description: The response will be a JSON object containing suppressed resources. + +headers: + ratelimit-limit: + $ref: '../../../shared/headers.yml#/ratelimit-limit' + ratelimit-remaining: + $ref: '../../../shared/headers.yml#/ratelimit-remaining' + ratelimit-reset: + $ref: '../../../shared/headers.yml#/ratelimit-reset' + +content: + application/json: + schema: + $ref: '../models/scan.yml#/suppressed_resource_root' diff --git a/specification/resources/security/responses/tier_coverage.yml b/specification/resources/security/responses/tier_coverage.yml new file mode 100644 index 00000000..9525fb9c --- /dev/null +++ b/specification/resources/security/responses/tier_coverage.yml @@ -0,0 +1,32 @@ +description: The response will be a JSON object with updated tier coverage. + +headers: + ratelimit-limit: + $ref: '../../../shared/headers.yml#/ratelimit-limit' + ratelimit-remaining: + $ref: '../../../shared/headers.yml#/ratelimit-remaining' + ratelimit-reset: + $ref: '../../../shared/headers.yml#/ratelimit-reset' + +content: + application/json: + schema: + type: object + properties: + tier_coverage: + type: object + additionalProperties: + type: object + properties: + resources: + type: array + items: + type: string + example: + - do:droplet:fe3a2fd7-903d-46e6-ada3-3e4f285fb89d + tags: + type: array + items: + type: string + example: + - production diff --git a/specification/resources/security/security_scan_finding_list_affected_resources.yml b/specification/resources/security/security_scan_finding_list_affected_resources.yml new file mode 100644 index 00000000..6b0441ac --- /dev/null +++ b/specification/resources/security/security_scan_finding_list_affected_resources.yml @@ -0,0 +1,40 @@ +operationId: security_list_scan_finding_affected_resources + +summary: List Finding Affected Resources + +description: To get affected resources for a scan finding, send a GET request to `/v2/security/scans/{scan_id}/findings/{finding_uuid}/affected_resources`. + +tags: + - Security + +parameters: + - $ref: 'parameters.yml#/scan_id' + - $ref: 'parameters.yml#/finding_uuid' + - $ref: '../../shared/parameters.yml#/per_page' + - $ref: '../../shared/parameters.yml#/page' + +responses: + '200': + $ref: 'responses/affected_resources.yml' + + '401': + $ref: '../../shared/responses/unauthorized.yml' + + '404': + $ref: '../../shared/responses/not_found.yml' + + '429': + $ref: '../../shared/responses/too_many_requests.yml' + + '500': + $ref: '../../shared/responses/server_error.yml' + + default: + $ref: '../../shared/responses/unexpected_error.yml' + +x-codeSamples: + - $ref: 'examples/curl/security_scan_finding_list_affected_resources.yml' + +security: + - bearer_auth: + - 'security:read' diff --git a/specification/resources/security/security_scan_rule_create.yml b/specification/resources/security/security_scan_rule_create.yml new file mode 100644 index 00000000..9e83b28b --- /dev/null +++ b/specification/resources/security/security_scan_rule_create.yml @@ -0,0 +1,51 @@ +operationId: security_create_scan_rule + +summary: Create Scan Rule + +description: |- + To mark a scan finding as a false positive, send a POST request to + `/v2/security/scans/rules` to create a new scan rule. + +tags: + - Security + +requestBody: + required: true + content: + application/json: + schema: + type: object + properties: + resource: + type: string + example: do:droplet:fe3a2fd7-903d-46e6-ada3-3e4f285fb89d + description: The URN of a resource to exclude from future scans. + +responses: + '201': + $ref: '../../shared/responses/no_content.yml' + + '400': + $ref: '../../shared/responses/bad_request.yml' + + '401': + $ref: '../../shared/responses/unauthorized.yml' + + '404': + $ref: '../../shared/responses/not_found.yml' + + '429': + $ref: '../../shared/responses/too_many_requests.yml' + + '500': + $ref: '../../shared/responses/server_error.yml' + + default: + $ref: '../../shared/responses/unexpected_error.yml' + +x-codeSamples: + - $ref: 'examples/curl/security_scan_rule_create.yml' + +security: + - bearer_auth: + - 'security:create' diff --git a/specification/resources/security/security_scans_create.yml b/specification/resources/security/security_scans_create.yml new file mode 100644 index 00000000..e8c20073 --- /dev/null +++ b/specification/resources/security/security_scans_create.yml @@ -0,0 +1,37 @@ +operationId: security_create_scan + +summary: Create Scan + +description: To create a CSPM scan, send a POST request to `/v2/security/scans`. + +tags: + - Security + +responses: + '201': + $ref: 'responses/scan.yml' + + '400': + $ref: '../../shared/responses/bad_request.yml' + + '401': + $ref: '../../shared/responses/unauthorized.yml' + + '404': + $ref: '../../shared/responses/not_found.yml' + + '429': + $ref: '../../shared/responses/too_many_requests.yml' + + '500': + $ref: '../../shared/responses/server_error.yml' + + default: + $ref: '../../shared/responses/unexpected_error.yml' + +x-codeSamples: + - $ref: 'examples/curl/security_scans_create.yml' + +security: + - bearer_auth: + - 'security:create' diff --git a/specification/resources/security/security_scans_get.yml b/specification/resources/security/security_scans_get.yml new file mode 100644 index 00000000..cae8360a --- /dev/null +++ b/specification/resources/security/security_scans_get.yml @@ -0,0 +1,47 @@ +operationId: security_get_scan + +summary: Get Scan + +description: To get a CSPM scan by ID, send a GET request to `/v2/security/scans/{scan_id}`. + +tags: + - Security + +parameters: + - $ref: 'parameters.yml#/scan_id' + - $ref: 'parameters.yml#/severity' + - $ref: '../../shared/parameters.yml#/per_page' + - $ref: '../../shared/parameters.yml#/page' + - in: query + name: type + required: false + description: The finding type to include. + schema: + type: string + example: CSPM + +responses: + '200': + $ref: 'responses/scan.yml' + + '401': + $ref: '../../shared/responses/unauthorized.yml' + + '404': + $ref: '../../shared/responses/not_found.yml' + + '429': + $ref: '../../shared/responses/too_many_requests.yml' + + '500': + $ref: '../../shared/responses/server_error.yml' + + default: + $ref: '../../shared/responses/unexpected_error.yml' + +x-codeSamples: + - $ref: 'examples/curl/security_scans_get.yml' + +security: + - bearer_auth: + - 'security:read' diff --git a/specification/resources/security/security_scans_get_latest.yml b/specification/resources/security/security_scans_get_latest.yml new file mode 100644 index 00000000..2ab11ec8 --- /dev/null +++ b/specification/resources/security/security_scans_get_latest.yml @@ -0,0 +1,46 @@ +operationId: security_get_latest_scan + +summary: Get Latest Scan + +description: To get the latest CSPM scan, send a GET request to `/v2/security/scans/latest`. + +tags: + - Security + +parameters: + - $ref: '../../shared/parameters.yml#/per_page' + - $ref: '../../shared/parameters.yml#/page' + - $ref: 'parameters.yml#/severity' + - in: query + name: type + required: false + description: The finding type to include. + schema: + type: string + example: CSPM + +responses: + '200': + $ref: 'responses/scan.yml' + + '401': + $ref: '../../shared/responses/unauthorized.yml' + + '404': + $ref: '../../shared/responses/not_found.yml' + + '429': + $ref: '../../shared/responses/too_many_requests.yml' + + '500': + $ref: '../../shared/responses/server_error.yml' + + default: + $ref: '../../shared/responses/unexpected_error.yml' + +x-codeSamples: + - $ref: 'examples/curl/security_scans_get_latest.yml' + +security: + - bearer_auth: + - 'security:read' diff --git a/specification/resources/security/security_scans_list.yml b/specification/resources/security/security_scans_list.yml new file mode 100644 index 00000000..0233a090 --- /dev/null +++ b/specification/resources/security/security_scans_list.yml @@ -0,0 +1,38 @@ +operationId: security_list_scans + +summary: List Scans + +description: To list all CSPM scans, send a GET request to `/v2/security/scans`. + +tags: + - Security + +parameters: + - $ref: '../../shared/parameters.yml#/per_page' + - $ref: '../../shared/parameters.yml#/page' + +responses: + '200': + $ref: 'responses/scans.yml' + + '401': + $ref: '../../shared/responses/unauthorized.yml' + + '404': + $ref: '../../shared/responses/not_found.yml' + + '429': + $ref: '../../shared/responses/too_many_requests.yml' + + '500': + $ref: '../../shared/responses/server_error.yml' + + default: + $ref: '../../shared/responses/unexpected_error.yml' + +x-codeSamples: + - $ref: 'examples/curl/security_scans_list.yml' + +security: + - bearer_auth: + - 'security:read' diff --git a/specification/resources/security/security_settings_list.yml b/specification/resources/security/security_settings_list.yml new file mode 100644 index 00000000..1e9a19ec --- /dev/null +++ b/specification/resources/security/security_settings_list.yml @@ -0,0 +1,38 @@ +operationId: security_list_settings + +summary: List Settings + +description: To list CSPM scan settings, send a GET request to `/v2/security/settings`. + +tags: + - Security + +parameters: + - $ref: '../../shared/parameters.yml#/per_page' + - $ref: '../../shared/parameters.yml#/page' + +responses: + '200': + $ref: 'responses/settings.yml' + + '401': + $ref: '../../shared/responses/unauthorized.yml' + + '404': + $ref: '../../shared/responses/not_found.yml' + + '429': + $ref: '../../shared/responses/too_many_requests.yml' + + '500': + $ref: '../../shared/responses/server_error.yml' + + default: + $ref: '../../shared/responses/unexpected_error.yml' + +x-codeSamples: + - $ref: 'examples/curl/security_settings_list.yml' + +security: + - bearer_auth: + - 'security:read' diff --git a/specification/resources/security/security_settings_plan_update.yml b/specification/resources/security/security_settings_plan_update.yml new file mode 100644 index 00000000..42459d18 --- /dev/null +++ b/specification/resources/security/security_settings_plan_update.yml @@ -0,0 +1,73 @@ +operationId: security_update_settings_plan + +summary: Update Plan + +description: To update CSPM plan coverage, send a PUT request to `/v2/security/settings/plan`. + +tags: + - Security + +requestBody: + required: true + content: + application/json: + schema: + type: object + properties: + tier_coverage: + type: object + description: Scan coverage for each available plan tier. + additionalProperties: + type: object + properties: + resources: + type: array + items: + type: string + description: The URNs of resources to scan for the tier. + default: [] + example: + - do:droplet:fe3a2fd7-903d-46e6-ada3-3e4f285fb89d + tags: + type: array + items: + type: string + description: Resource tags to scan for the tier. + default: [] + example: + - production + example: + basic: + resources: + - do:droplet:fe3a2fd7-903d-46e6-ada3-3e4f285fb89d + tags: + - production + +responses: + '200': + $ref: 'responses/tier_coverage.yml' + + '400': + $ref: '../../shared/responses/bad_request.yml' + + '401': + $ref: '../../shared/responses/unauthorized.yml' + + '404': + $ref: '../../shared/responses/not_found.yml' + + '429': + $ref: '../../shared/responses/too_many_requests.yml' + + '500': + $ref: '../../shared/responses/server_error.yml' + + default: + $ref: '../../shared/responses/unexpected_error.yml' + +x-codeSamples: + - $ref: 'examples/curl/security_settings_plan_update.yml' + +security: + - bearer_auth: + - 'security:update' diff --git a/specification/resources/security/security_suppression_create.yml b/specification/resources/security/security_suppression_create.yml new file mode 100644 index 00000000..3e9c105e --- /dev/null +++ b/specification/resources/security/security_suppression_create.yml @@ -0,0 +1,55 @@ +operationId: security_create_suppression + +summary: Create Suppression + +description: To suppress scan findings, send a POST request to `/v2/security/settings/suppressions`. + +tags: + - Security + +requestBody: + required: true + content: + application/json: + schema: + type: object + properties: + rule_uuid: + type: string + description: The rule UUID to suppress for the listed resources. + resources: + type: array + items: + type: string + example: + - do:droplet:fe3a2fd7-903d-46e6-ada3-3e4f285fb89d + description: The URNs of resources to suppress for the rule. + +responses: + '201': + $ref: 'responses/suppressed_resources.yml' + + '400': + $ref: '../../shared/responses/bad_request.yml' + + '401': + $ref: '../../shared/responses/unauthorized.yml' + + '404': + $ref: '../../shared/responses/not_found.yml' + + '429': + $ref: '../../shared/responses/too_many_requests.yml' + + '500': + $ref: '../../shared/responses/server_error.yml' + + default: + $ref: '../../shared/responses/unexpected_error.yml' + +x-codeSamples: + - $ref: 'examples/curl/security_suppression_create.yml' + +security: + - bearer_auth: + - 'security:create' diff --git a/specification/resources/security/security_suppression_delete.yml b/specification/resources/security/security_suppression_delete.yml new file mode 100644 index 00000000..435bc195 --- /dev/null +++ b/specification/resources/security/security_suppression_delete.yml @@ -0,0 +1,37 @@ +operationId: security_delete_suppression + +summary: Delete Suppression + +description: To remove a suppression, send a DELETE request to `/v2/security/settings/suppressions/{suppression_uuid}`. + +tags: + - Security + +parameters: + - $ref: 'parameters.yml#/suppression_uuid' + +responses: + '204': + $ref: '../../shared/responses/no_content.yml' + + '401': + $ref: '../../shared/responses/unauthorized.yml' + + '404': + $ref: '../../shared/responses/not_found.yml' + + '429': + $ref: '../../shared/responses/too_many_requests.yml' + + '500': + $ref: '../../shared/responses/server_error.yml' + + default: + $ref: '../../shared/responses/unexpected_error.yml' + +x-codeSamples: + - $ref: 'examples/curl/security_suppression_delete.yml' + +security: + - bearer_auth: + - 'security:delete'