© 2023 Yandex.Cloud LLC

Container Registry API, gRPC: ScannerService

Written by
Yandex Cloud

A set of methods for scanning Docker images.

Call                 Description
Scan                 Executes scanning of the specified image.
Get                  Returns the specified ScanResult resource.
GetLast              Returns the last finished ScanResult for the specified Image.
List                 Retrieves the list of ScanResults for the specified Image.
ListVulnerabilities  Retrieves the list of vulnerabilities found in a particular scan.

Calls ScannerService

Scan

Executes scanning of the specified image.

rpc Scan (ScanRequest) returns (operation.Operation)

Metadata and response of Operation:

    Operation.metadata:ScanMetadata

    Operation.response:ScanResult

ScanRequest

Field Description
image_id string
Required. ID of the Image to be scanned for vulnerabilities. The maximum string length in characters is 50.

Operation

Field Description
id string
ID of the operation.
description string
Description of the operation. 0-256 characters long.
created_at google.protobuf.Timestamp
Creation timestamp.
created_by string
ID of the user or service account who initiated the operation.
modified_at google.protobuf.Timestamp
The time when the Operation resource was last modified.
done bool
If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.
metadata google.protobuf.Any<ScanMetadata>
Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result oneof: error or response
The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set.
  error google.rpc.Status
The error result of the operation in case of failure or cancellation.
  response google.protobuf.Any<ScanResult>
The response of the operation, if it finished successfully.

ScanMetadata

Field Description
scan_result_id string
ID of the ScanResult that is being created.

ScanResult

Field Description
id string
Output only. ID of the ScanResult.
image_id string
Output only. ID of the Image that the ScanResult belongs to.
scanned_at google.protobuf.Timestamp
Output only. The timestamp in RFC3339 text format when the scan was finished.
status enum Status
Output only. The status of the ScanResult.
  • RUNNING: Image scan is in progress.
  • READY: Image has been scanned and result is ready.
  • ERROR: Image scan has failed.
vulnerabilities VulnerabilityStats
Output only. Summary information about vulnerabilities found.

VulnerabilityStats

Field Description
critical int64
Count of CRITICAL vulnerabilities.
high int64
Count of HIGH vulnerabilities.
medium int64
Count of MEDIUM vulnerabilities.
low int64
Count of LOW vulnerabilities.
negligible int64
Count of NEGLIGIBLE vulnerabilities.
undefined int64
Count of other vulnerabilities.
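
The Operation result rules and the ScanResult status values above decide whether a scan can be trusted as a deployment gate. The following is an added example, not part of the Yandex Cloud documentation or SDK: it assumes the Operation has already been converted to a plain dict with the field names shown in the tables, and the sample operations and their IDs are constructed placeholders.

```python
# Added example: fail-closed CI gate over a Scan Operation held as a dict.
# Assumptions: field names are those in the tables above; int64 counters may
# arrive as strings (proto3 JSON mapping), so they are coerced with int().

SEVERITIES = ("critical", "high", "medium", "low", "negligible", "undefined")


def evaluate_scan(operation, limits):
    """Return (verdict, reason); verdict is 'pass', 'fail' or 'pending'.

    limits maps a VulnerabilityStats field to the highest count tolerated;
    severities absent from limits are not limited.
    """
    error = operation.get("error")
    response = operation.get("response")
    if not operation.get("done", False):
        # done == false: error may already be set, response never is.
        if error is not None:
            return "fail", "operation error: " + error.get("message", "")
        return "pending", "operation still in progress"
    # done == true: exactly one of error or response must be set.
    if (error is None) == (response is None):
        return "fail", "malformed operation: need exactly one of error/response"
    if error is not None:
        return "fail", "operation error: " + error.get("message", "")
    status = response.get("status")
    if status != "READY":
        # RUNNING or ERROR carries no trustworthy counters: do not pass.
        return "fail", "scan result status is %s" % status
    stats = response.get("vulnerabilities") or {}
    for name in SEVERITIES:
        count = int(stats.get(name, 0))
        if name in limits and count > limits[name]:
            return "fail", "%d %s > limit %d" % (count, name.upper(), limits[name])
    return "pass", "within limits"


# Constructed sample operations; every ID is a placeholder.
SAMPLE_READY = {
    "id": "op-placeholder", "done": True,
    "metadata": {"scan_result_id": "scan-placeholder"},
    "response": {"id": "scan-placeholder", "image_id": "image-placeholder",
                 "status": "READY",
                 "vulnerabilities": {"critical": "0", "high": "3", "medium": "12"}},
}
SAMPLE_RUNNING = {"id": "op-placeholder", "done": False}
SAMPLE_FAILED = {"id": "op-placeholder", "done": False,
                 "error": {"code": 13, "message": "scanner unavailable"}}

if __name__ == "__main__":
    for op in (SAMPLE_READY, SAMPLE_RUNNING, SAMPLE_FAILED):
        print(evaluate_scan(op, {"critical": 0, "high": 0}))
```

A result that is not READY is treated as a failure rather than as "no findings", so an errored or unfinished scan cannot pass the gate.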

Get

Returns the specified ScanResult resource.
To get the list of ScanResults for the specified Image, make a List request.

rpc Get (GetScanResultRequest) returns (ScanResult)

GetScanResultRequest

Field Description
scan_result_id string
Required. ID of the ScanResult to return. The maximum string length in characters is 50.

ScanResult

Field Description
id string
Output only. ID of the ScanResult.
image_id string
Output only. ID of the Image that the ScanResult belongs to.
scanned_at google.protobuf.Timestamp
Output only. The timestamp in RFC3339 text format when the scan was finished.
status enum Status
Output only. The status of the ScanResult.
  • RUNNING: Image scan is in progress.
  • READY: Image has been scanned and result is ready.
  • ERROR: Image scan has failed.
vulnerabilities VulnerabilityStats
Output only. Summary information about vulnerabilities found.

VulnerabilityStats

Field Description
critical int64
Count of CRITICAL vulnerabilities.
high int64
Count of HIGH vulnerabilities.
medium int64
Count of MEDIUM vulnerabilities.
low int64
Count of LOW vulnerabilities.
negligible int64
Count of NEGLIGIBLE vulnerabilities.
undefined int64
Count of other vulnerabilities.

GetLast

Returns the last finished ScanResult for the specified Image.

rpc GetLast (GetLastScanResultRequest) returns (ScanResult)

GetLastScanResultRequest

Field Description
image_id string
ID of the Image to get the last finished ScanResult for. The maximum string length in characters is 50.

ScanResult

Field Description
id string
Output only. ID of the ScanResult.
image_id string
Output only. ID of the Image that the ScanResult belongs to.
scanned_at google.protobuf.Timestamp
Output only. The timestamp in RFC3339 text format when the scan was finished.
status enum Status
Output only. The status of the ScanResult.
  • RUNNING: Image scan is in progress.
  • READY: Image has been scanned and result is ready.
  • ERROR: Image scan has failed.
vulnerabilities VulnerabilityStats
Output only. Summary information about vulnerabilities found.

VulnerabilityStats

Field Description
critical int64
Count of CRITICAL vulnerabilities.
high int64
Count of HIGH vulnerabilities.
medium int64
Count of MEDIUM vulnerabilities.
low int64
Count of LOW vulnerabilities.
negligible int64
Count of NEGLIGIBLE vulnerabilities.
undefined int64
Count of other vulnerabilities.

List

Retrieves the list of ScanResults for the specified Image.

rpc List (ListScanResultsRequest) returns (ListScanResultsResponse)

ListScanResultsRequest

Field Description
id oneof: image_id or repository_id
ID of the Image or Repository to list ScanResults for.
To get the image ID use a yandex.cloud.containerregistry.v1.ImageService.List request. To get the repository ID use a yandex.cloud.containerregistry.v1.RepositoryService.List request.
  image_id string
ID of the Image or Repository to list ScanResults for.
To get the image ID use a yandex.cloud.containerregistry.v1.ImageService.List request. To get the repository ID use a yandex.cloud.containerregistry.v1.RepositoryService.List request. The maximum string length in characters is 50.
  repository_id string
ID of the Image or Repository to list ScanResults for.
To get the image ID use a yandex.cloud.containerregistry.v1.ImageService.List request. To get the repository ID use a yandex.cloud.containerregistry.v1.RepositoryService.List request. The maximum string length in characters is 50.
page_size int64
The maximum number of results per page to return. If the number of available results is larger than page_size, the service returns a ListRegistriesResponse.next_page_token that can be used to get the next page of results in subsequent list requests. Default value: 100. Acceptable values are 0 to 1000, inclusive.
page_token string
Page token. To get the next page of results, set page_token to the ListRegistriesResponse.next_page_token returned by a previous list request. The maximum string length in characters is 100.
filter string
A filter expression that filters resources listed in the response. The expression must specify:
  1. The field name. Currently you can use filtering only on ScanResult.status field.
  2. An = operator.
  3. The value in double quotes (").
The maximum string length in characters is 1000.
order_by string
An order expression that orders resources listed in the response. The expression must specify:
  1. The field name. Currently you can use filtering only on ScanResult.status field.
  2. Order selector. Currently you can use ordering only on ScanResult.status field (critical first).
The maximum string length in characters is 100.

ListScanResultsResponse

Field Description
scan_results[] ScanResult
List of ScanResult resources.
next_page_token string
This token allows you to get the next page of results for list requests. If the number of results is larger than ListImagesRequest.page_size, use the next_page_token as the value for the ListImagesRequest.page_token query parameter in the next list request. Each subsequent list request will have its own next_page_token to continue paging through the results.

ScanResult

Field Description
id string
Output only. ID of the ScanResult.
image_id string
Output only. ID of the Image that the ScanResult belongs to.
scanned_at google.protobuf.Timestamp
Output only. The timestamp in RFC3339 text format when the scan was finished.
status enum Status
Output only. The status of the ScanResult.
  • RUNNING: Image scan is in progress.
  • READY: Image has been scanned and result is ready.
  • ERROR: Image scan has failed.
vulnerabilities VulnerabilityStats
Output only. Summary information about vulnerabilities found.

VulnerabilityStats

Field Description
critical int64
Count of CRITICAL vulnerabilities.
high int64
Count of HIGH vulnerabilities.
medium int64
Count of MEDIUM vulnerabilities.
low int64
Count of LOW vulnerabilities.
negligible int64
Count of NEGLIGIBLE vulnerabilities.
undefined int64
Count of other vulnerabilities.

ListVulnerabilities

Retrieves the list of vulnerabilities found in a particular scan.

rpc ListVulnerabilities (ListVulnerabilitiesRequest) returns (ListVulnerabilitiesResponse)

ListVulnerabilitiesRequest

Field Description
scan_result_id string
Required. ID of the ScanResult to get the list of vulnerabilities for. The maximum string length in characters is 50.
page_size int64
The maximum number of results per page to return. If the number of available results is larger than page_size, the service returns a ListRegistriesResponse.next_page_token that can be used to get the next page of results in subsequent list requests. Default value: 100. Acceptable values are 0 to 1000, inclusive.
page_token string
Page token. To get the next page of results, set page_token to the ListRegistriesResponse.next_page_token returned by a previous list request. The maximum string length in characters is 100.
filter string
A filter expression that filters resources listed in the response. The expression must specify:
  1. The field name. Currently you can use filtering only on Vulnerability.severity and PackageVulnerability.name fields.
  2. An = operator.
  3. The value in double quotes (").
The maximum string length in characters is 1000.
order_by string
An order expression that orders resources listed in the response. The expression must specify:
  1. The field name. Currently you can use filtering only on Vulnerability.severity and PackageVulnerability.name fields.
  2. Order selector. Currently you can use ordering only on Vulnerability.severity field (recent first).
The maximum string length in characters is 100.

ListVulnerabilitiesResponse

Field Description
vulnerabilities[] Vulnerability
List of Vulnerability resources.
next_page_token string
This token allows you to get the next page of results for list requests. If the number of results is larger than ListImagesRequest.page_size, use the next_page_token as the value for the ListImagesRequest.page_token query parameter in the next list request. Each subsequent list request will have its own next_page_token to continue paging through the results.

Vulnerability

Field Description
severity enum Severity
Output only. Severity of the Vulnerability.
  • CRITICAL: Critical severity is a world-burning problem, exploitable for nearly all users. Includes remote root privilege escalations, or massive data loss.
  • HIGH: High severity is a real problem, exploitable for many users in a default installation. Includes serious remote denial of service, local root privilege escalations, or data loss.
  • MEDIUM: Medium severity is a real security problem, and is exploitable for many users. Includes network daemon denial of service attacks, cross-site scripting, and gaining user privileges. Updates should be made soon for this priority of issue.
  • LOW: Low severity is a security problem, but is hard to exploit due to environment, requires a user-assisted attack, a small install base, or does very little damage. These tend to be included in security updates only when higher priority issues require an update, or if many low priority issues have built up.
  • NEGLIGIBLE: Negligible severity is technically a security problem, but is only theoretical in nature, requires a very special situation, has almost no install base, or does no real damage. These tend not to get backported from upstream, and will likely not be included in security updates unless there is an easy fix and some other issue causes an update.
  • UNDEFINED: Unknown severity is either a security problem that has not been assigned to a priority yet or a priority that our system did not recognize.
vulnerability oneof: package
Details of vulnerability depending on type. Only package vulnerability is supported at the moment.
  package PackageVulnerability
Details of vulnerability depending on type. Only package vulnerability is supported at the moment.

PackageVulnerability

Field Description
name string
Name of the vulnerability in the CVE database.
link string
URL of the page with the description of the vulnerability.
package string
The name of the package where the vulnerability has been found.
source string
The package manager name. Ex.: yum, rpm, dpkg.
version string
The version of the package where the vulnerability has been found.
fixed_by string
The version of the package where the vulnerability has been fixed.
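
The ListVulnerabilities paging and filter fields can be exercised as follows. This is an added example, not code from the Yandex Cloud documentation or SDK: `call` is a hypothetical wrapper that sends a request dict and returns a response dict, the filter field spelling `severity` is an assumption, and the findings and the `fake_call` stand-in are constructed so the block runs offline.

```python
# Added example: page through ListVulnerabilities with the documented filter.
# Assumptions: `call` is a hypothetical wrapper that sends a request dict and
# returns a response dict; the filter field is spelled "severity".

def build_filter(field, value):
    """Build field="value" and enforce the documented 1000-character limit."""
    if '"' in value or "\\" in value:
        raise ValueError("quote or backslash in filter value")
    expr = '%s="%s"' % (field, value)
    if len(expr) > 1000:
        raise ValueError("filter longer than 1000 characters")
    return expr

def list_all_vulnerabilities(call, scan_result_id, severity=None, page_size=100):
    """Collect every Vulnerability of one scan by following next_page_token."""
    if not 0 <= page_size <= 1000:
        raise ValueError("page_size must be 0..1000")
    request = {"scan_result_id": scan_result_id, "page_size": page_size}
    if severity is not None:
        request["filter"] = build_filter("severity", severity)
    found, seen = [], set()
    while True:
        response = call(dict(request))
        found.extend(response.get("vulnerabilities", []))
        token = response.get("next_page_token", "")
        if not token:
            return found
        if token in seen:  # a repeated token would loop forever
            raise RuntimeError("page token repeated: " + token)
        seen.add(token)
        request["page_token"] = token

def fixable(vulnerabilities):
    """Keep findings whose package entry names a fixed_by version."""
    return [v for v in vulnerabilities if v.get("package", {}).get("fixed_by")]

# Constructed findings and an in-memory stand-in for the service.
FINDINGS = [
    {"severity": sev, "package": {"name": "CVE-PLACEHOLDER-%d" % i,
                                  "package": "libexample%d" % i, "source": "dpkg",
                                  "version": "1.0", "fixed_by": fix}}
    for i, (sev, fix) in enumerate([("CRITICAL", "1.1"), ("HIGH", ""),
                                    ("CRITICAL", "2.4"), ("LOW", ""), ("MEDIUM", "0.9")])
]

def fake_call(request):
    rows = FINDINGS
    if "filter" in request:
        wanted = request["filter"].split("=", 1)[1].strip('"')
        rows = [r for r in rows if r["severity"] == wanted]
    start = int(request.get("page_token") or 0)
    end = start + (request["page_size"] or 100)  # 0 means the default of 100
    token = str(end) if end < len(rows) else ""
    return {"vulnerabilities": rows[start:end], "next_page_token": token}
```

Findings with an empty `fixed_by` have no patched package version to upgrade to, so `fixable` separates what a rebuild can remediate from what needs another mitigation.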
