Docs Home
Aquasec v0.8.29 published on Monday, Jul 22, 2024 by Pulumiverse
aquasec.FunctionAssurancePolicy
Explore with Pulumi AI
Aqua ensures function security for AWS Lambda, Microsoft Azure, and Google Cloud. This includes: Scanning functions for vulnerabilities and sensitive data. AWS and Azure functions are also checked for excessive permissions. Evaluating function risks based on scan results, according to Function Assurance Policies. Checking function compliance with these policies. For AWS and Azure, implementing security actions, such as blocking execution of risky functions or failing the CI/CD pipeline. Providing comprehensive audits of all security risks, viewable in Aqua Server or a SIEM system.
Create FunctionAssurancePolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new FunctionAssurancePolicy(name: string, args: FunctionAssurancePolicyArgs, opts?: CustomResourceOptions);@overload
def FunctionAssurancePolicy(resource_name: str,
args: FunctionAssurancePolicyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def FunctionAssurancePolicy(resource_name: str,
opts: Optional[ResourceOptions] = None,
application_scopes: Optional[Sequence[str]] = None,
aggregated_vulnerability: Optional[Mapping[str, str]] = None,
allowed_images: Optional[Sequence[str]] = None,
assurance_type: Optional[str] = None,
audit_on_failure: Optional[bool] = None,
author: Optional[str] = None,
auto_scan_configured: Optional[bool] = None,
auto_scan_enabled: Optional[bool] = None,
auto_scan_times: Optional[Sequence[FunctionAssurancePolicyAutoScanTimeArgs]] = None,
blacklist_permissions: Optional[Sequence[str]] = None,
blacklist_permissions_enabled: Optional[bool] = None,
blacklisted_licenses: Optional[Sequence[str]] = None,
blacklisted_licenses_enabled: Optional[bool] = None,
block_failed: Optional[bool] = None,
control_exclude_no_fix: Optional[bool] = None,
custom_checks: Optional[Sequence[FunctionAssurancePolicyCustomCheckArgs]] = None,
custom_checks_enabled: Optional[bool] = None,
custom_severity: Optional[str] = None,
custom_severity_enabled: Optional[bool] = None,
cves_black_list_enabled: Optional[bool] = None,
cves_black_lists: Optional[Sequence[str]] = None,
cves_white_list_enabled: Optional[bool] = None,
cves_white_lists: Optional[Sequence[str]] = None,
cvss_severity: Optional[str] = None,
cvss_severity_enabled: Optional[bool] = None,
cvss_severity_exclude_no_fix: Optional[bool] = None,
description: Optional[str] = None,
disallow_exploit_types: Optional[Sequence[str]] = None,
disallow_malware: Optional[bool] = None,
docker_cis_enabled: Optional[bool] = None,
domain: Optional[str] = None,
domain_name: Optional[str] = None,
dta_enabled: Optional[bool] = None,
dta_severity: Optional[str] = None,
enabled: Optional[bool] = None,
enforce: Optional[bool] = None,
enforce_after_days: Optional[int] = None,
enforce_excessive_permissions: Optional[bool] = None,
exceptional_monitored_malware_paths: Optional[Sequence[str]] = None,
exclude_application_scopes: Optional[Sequence[str]] = None,
fail_cicd: Optional[bool] = None,
forbidden_labels: Optional[Sequence[FunctionAssurancePolicyForbiddenLabelArgs]] = None,
forbidden_labels_enabled: Optional[bool] = None,
force_microenforcer: Optional[bool] = None,
function_integrity_enabled: Optional[bool] = None,
ignore_base_image_vln: Optional[bool] = None,
ignore_recently_published_vln: Optional[bool] = None,
ignore_recently_published_vln_period: Optional[int] = None,
ignore_risk_resources_enabled: Optional[bool] = None,
ignored_risk_resources: Optional[Sequence[str]] = None,
ignored_sensitive_resources: Optional[Sequence[str]] = None,
images: Optional[Sequence[str]] = None,
kube_cis_enabled: Optional[bool] = None,
kubernetes_controls: Optional[Sequence[FunctionAssurancePolicyKubernetesControlArgs]] = None,
kubernetes_controls_avd_ids: Optional[Sequence[str]] = None,
kubernetes_controls_names: Optional[Sequence[str]] = None,
labels: Optional[Sequence[str]] = None,
lastupdate: Optional[str] = None,
linux_cis_enabled: Optional[bool] = None,
malware_action: Optional[str] = None,
maximum_score: Optional[float] = None,
maximum_score_enabled: Optional[bool] = None,
maximum_score_exclude_no_fix: Optional[bool] = None,
monitored_malware_paths: Optional[Sequence[str]] = None,
name: Optional[str] = None,
only_none_root_users: Optional[bool] = None,
openshift_hardening_enabled: Optional[bool] = None,
packages_black_list_enabled: Optional[bool] = None,
packages_black_lists: Optional[Sequence[FunctionAssurancePolicyPackagesBlackListArgs]] = None,
packages_white_list_enabled: Optional[bool] = None,
packages_white_lists: Optional[Sequence[FunctionAssurancePolicyPackagesWhiteListArgs]] = None,
partial_results_image_fail: Optional[bool] = None,
permission: Optional[str] = None,
policy_settings: Optional[FunctionAssurancePolicyPolicySettingsArgs] = None,
read_only: Optional[bool] = None,
registries: Optional[Sequence[str]] = None,
registry: Optional[str] = None,
required_labels: Optional[Sequence[FunctionAssurancePolicyRequiredLabelArgs]] = None,
required_labels_enabled: Optional[bool] = None,
scan_malware_in_archives: Optional[bool] = None,
scan_nfs_mounts: Optional[bool] = None,
scan_process_memory: Optional[bool] = None,
scan_sensitive_data: Optional[bool] = None,
scan_windows_registry: Optional[bool] = None,
scap_enabled: Optional[bool] = None,
scap_files: Optional[Sequence[str]] = None,
scopes: Optional[Sequence[FunctionAssurancePolicyScopeArgs]] = None,
trusted_base_images: Optional[Sequence[FunctionAssurancePolicyTrustedBaseImageArgs]] = None,
trusted_base_images_enabled: Optional[bool] = None,
vulnerability_exploitability: Optional[bool] = None,
vulnerability_score_ranges: Optional[Sequence[int]] = None,
whitelisted_licenses: Optional[Sequence[str]] = None,
whitelisted_licenses_enabled: Optional[bool] = None)func NewFunctionAssurancePolicy(ctx *Context, name string, args FunctionAssurancePolicyArgs, opts ...ResourceOption) (*FunctionAssurancePolicy, error)public FunctionAssurancePolicy(string name, FunctionAssurancePolicyArgs args, CustomResourceOptions? opts = null)
public FunctionAssurancePolicy(String name, FunctionAssurancePolicyArgs args)
public FunctionAssurancePolicy(String name, FunctionAssurancePolicyArgs args, CustomResourceOptions options)
type: aquasec:FunctionAssurancePolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args FunctionAssurancePolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args FunctionAssurancePolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args FunctionAssurancePolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args FunctionAssurancePolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args FunctionAssurancePolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var functionAssurancePolicyResource = new Aquasec.FunctionAssurancePolicy("functionAssurancePolicyResource", new()
{
ApplicationScopes = new[]
{
"string",
},
AggregatedVulnerability =
{
{ "string", "string" },
},
AllowedImages = new[]
{
"string",
},
AssuranceType = "string",
AuditOnFailure = false,
Author = "string",
AutoScanConfigured = false,
AutoScanEnabled = false,
AutoScanTimes = new[]
{
new Aquasec.Inputs.FunctionAssurancePolicyAutoScanTimeArgs
{
Iteration = 0,
IterationType = "string",
Time = "string",
WeekDays = new[]
{
"string",
},
},
},
BlacklistPermissions = new[]
{
"string",
},
BlacklistPermissionsEnabled = false,
BlacklistedLicenses = new[]
{
"string",
},
BlacklistedLicensesEnabled = false,
BlockFailed = false,
ControlExcludeNoFix = false,
CustomChecks = new[]
{
new Aquasec.Inputs.FunctionAssurancePolicyCustomCheckArgs
{
Author = "string",
Description = "string",
Engine = "string",
LastModified = 0,
Name = "string",
Path = "string",
ReadOnly = false,
ScriptId = "string",
Severity = "string",
Snippet = "string",
},
},
CustomChecksEnabled = false,
CustomSeverity = "string",
CustomSeverityEnabled = false,
CvesBlackListEnabled = false,
CvesBlackLists = new[]
{
"string",
},
CvesWhiteListEnabled = false,
CvesWhiteLists = new[]
{
"string",
},
CvssSeverity = "string",
CvssSeverityEnabled = false,
CvssSeverityExcludeNoFix = false,
Description = "string",
DisallowExploitTypes = new[]
{
"string",
},
DisallowMalware = false,
DockerCisEnabled = false,
Domain = "string",
DomainName = "string",
DtaEnabled = false,
DtaSeverity = "string",
Enabled = false,
Enforce = false,
EnforceAfterDays = 0,
EnforceExcessivePermissions = false,
ExceptionalMonitoredMalwarePaths = new[]
{
"string",
},
ExcludeApplicationScopes = new[]
{
"string",
},
FailCicd = false,
ForbiddenLabels = new[]
{
new Aquasec.Inputs.FunctionAssurancePolicyForbiddenLabelArgs
{
Key = "string",
Value = "string",
},
},
ForbiddenLabelsEnabled = false,
ForceMicroenforcer = false,
FunctionIntegrityEnabled = false,
IgnoreBaseImageVln = false,
IgnoreRecentlyPublishedVln = false,
IgnoreRecentlyPublishedVlnPeriod = 0,
IgnoreRiskResourcesEnabled = false,
IgnoredRiskResources = new[]
{
"string",
},
IgnoredSensitiveResources = new[]
{
"string",
},
Images = new[]
{
"string",
},
KubeCisEnabled = false,
KubernetesControls = new[]
{
new Aquasec.Inputs.FunctionAssurancePolicyKubernetesControlArgs
{
AvdId = "string",
Description = "string",
Enabled = false,
Kind = "string",
Name = "string",
Ootb = false,
ScriptId = 0,
Severity = "string",
},
},
KubernetesControlsAvdIds = new[]
{
"string",
},
KubernetesControlsNames = new[]
{
"string",
},
Labels = new[]
{
"string",
},
Lastupdate = "string",
LinuxCisEnabled = false,
MalwareAction = "string",
MaximumScore = 0,
MaximumScoreEnabled = false,
MaximumScoreExcludeNoFix = false,
MonitoredMalwarePaths = new[]
{
"string",
},
Name = "string",
OnlyNoneRootUsers = false,
OpenshiftHardeningEnabled = false,
PackagesBlackListEnabled = false,
PackagesBlackLists = new[]
{
new Aquasec.Inputs.FunctionAssurancePolicyPackagesBlackListArgs
{
Arch = "string",
Display = "string",
Epoch = "string",
Format = "string",
License = "string",
Name = "string",
Release = "string",
Version = "string",
VersionRange = "string",
},
},
PackagesWhiteListEnabled = false,
PackagesWhiteLists = new[]
{
new Aquasec.Inputs.FunctionAssurancePolicyPackagesWhiteListArgs
{
Arch = "string",
Display = "string",
Epoch = "string",
Format = "string",
License = "string",
Name = "string",
Release = "string",
Version = "string",
VersionRange = "string",
},
},
PartialResultsImageFail = false,
Permission = "string",
PolicySettings = new Aquasec.Inputs.FunctionAssurancePolicyPolicySettingsArgs
{
Enforce = false,
IsAuditChecked = false,
Warn = false,
WarningMessage = "string",
},
ReadOnly = false,
Registries = new[]
{
"string",
},
Registry = "string",
RequiredLabels = new[]
{
new Aquasec.Inputs.FunctionAssurancePolicyRequiredLabelArgs
{
Key = "string",
Value = "string",
},
},
RequiredLabelsEnabled = false,
ScanMalwareInArchives = false,
ScanNfsMounts = false,
ScanProcessMemory = false,
ScanSensitiveData = false,
ScanWindowsRegistry = false,
ScapEnabled = false,
ScapFiles = new[]
{
"string",
},
Scopes = new[]
{
new Aquasec.Inputs.FunctionAssurancePolicyScopeArgs
{
Expression = "string",
Variables = new[]
{
new Aquasec.Inputs.FunctionAssurancePolicyScopeVariableArgs
{
Attribute = "string",
Name = "string",
Value = "string",
},
},
},
},
TrustedBaseImages = new[]
{
new Aquasec.Inputs.FunctionAssurancePolicyTrustedBaseImageArgs
{
Imagename = "string",
Registry = "string",
},
},
TrustedBaseImagesEnabled = false,
VulnerabilityExploitability = false,
VulnerabilityScoreRanges = new[]
{
0,
},
WhitelistedLicenses = new[]
{
"string",
},
WhitelistedLicensesEnabled = false,
});
example, err := aquasec.NewFunctionAssurancePolicy(ctx, "functionAssurancePolicyResource", &aquasec.FunctionAssurancePolicyArgs{
ApplicationScopes: pulumi.StringArray{
pulumi.String("string"),
},
AggregatedVulnerability: pulumi.StringMap{
"string": pulumi.String("string"),
},
AllowedImages: pulumi.StringArray{
pulumi.String("string"),
},
AssuranceType: pulumi.String("string"),
AuditOnFailure: pulumi.Bool(false),
Author: pulumi.String("string"),
AutoScanConfigured: pulumi.Bool(false),
AutoScanEnabled: pulumi.Bool(false),
AutoScanTimes: aquasec.FunctionAssurancePolicyAutoScanTimeArray{
&aquasec.FunctionAssurancePolicyAutoScanTimeArgs{
Iteration: pulumi.Int(0),
IterationType: pulumi.String("string"),
Time: pulumi.String("string"),
WeekDays: pulumi.StringArray{
pulumi.String("string"),
},
},
},
BlacklistPermissions: pulumi.StringArray{
pulumi.String("string"),
},
BlacklistPermissionsEnabled: pulumi.Bool(false),
BlacklistedLicenses: pulumi.StringArray{
pulumi.String("string"),
},
BlacklistedLicensesEnabled: pulumi.Bool(false),
BlockFailed: pulumi.Bool(false),
ControlExcludeNoFix: pulumi.Bool(false),
CustomChecks: aquasec.FunctionAssurancePolicyCustomCheckArray{
&aquasec.FunctionAssurancePolicyCustomCheckArgs{
Author: pulumi.String("string"),
Description: pulumi.String("string"),
Engine: pulumi.String("string"),
LastModified: pulumi.Int(0),
Name: pulumi.String("string"),
Path: pulumi.String("string"),
ReadOnly: pulumi.Bool(false),
ScriptId: pulumi.String("string"),
Severity: pulumi.String("string"),
Snippet: pulumi.String("string"),
},
},
CustomChecksEnabled: pulumi.Bool(false),
CustomSeverity: pulumi.String("string"),
CustomSeverityEnabled: pulumi.Bool(false),
CvesBlackListEnabled: pulumi.Bool(false),
CvesBlackLists: pulumi.StringArray{
pulumi.String("string"),
},
CvesWhiteListEnabled: pulumi.Bool(false),
CvesWhiteLists: pulumi.StringArray{
pulumi.String("string"),
},
CvssSeverity: pulumi.String("string"),
CvssSeverityEnabled: pulumi.Bool(false),
CvssSeverityExcludeNoFix: pulumi.Bool(false),
Description: pulumi.String("string"),
DisallowExploitTypes: pulumi.StringArray{
pulumi.String("string"),
},
DisallowMalware: pulumi.Bool(false),
DockerCisEnabled: pulumi.Bool(false),
Domain: pulumi.String("string"),
DomainName: pulumi.String("string"),
DtaEnabled: pulumi.Bool(false),
DtaSeverity: pulumi.String("string"),
Enabled: pulumi.Bool(false),
Enforce: pulumi.Bool(false),
EnforceAfterDays: pulumi.Int(0),
EnforceExcessivePermissions: pulumi.Bool(false),
ExceptionalMonitoredMalwarePaths: pulumi.StringArray{
pulumi.String("string"),
},
ExcludeApplicationScopes: pulumi.StringArray{
pulumi.String("string"),
},
FailCicd: pulumi.Bool(false),
ForbiddenLabels: aquasec.FunctionAssurancePolicyForbiddenLabelArray{
&aquasec.FunctionAssurancePolicyForbiddenLabelArgs{
Key: pulumi.String("string"),
Value: pulumi.String("string"),
},
},
ForbiddenLabelsEnabled: pulumi.Bool(false),
ForceMicroenforcer: pulumi.Bool(false),
FunctionIntegrityEnabled: pulumi.Bool(false),
IgnoreBaseImageVln: pulumi.Bool(false),
IgnoreRecentlyPublishedVln: pulumi.Bool(false),
IgnoreRecentlyPublishedVlnPeriod: pulumi.Int(0),
IgnoreRiskResourcesEnabled: pulumi.Bool(false),
IgnoredRiskResources: pulumi.StringArray{
pulumi.String("string"),
},
IgnoredSensitiveResources: pulumi.StringArray{
pulumi.String("string"),
},
Images: pulumi.StringArray{
pulumi.String("string"),
},
KubeCisEnabled: pulumi.Bool(false),
KubernetesControls: aquasec.FunctionAssurancePolicyKubernetesControlArray{
&aquasec.FunctionAssurancePolicyKubernetesControlArgs{
AvdId: pulumi.String("string"),
Description: pulumi.String("string"),
Enabled: pulumi.Bool(false),
Kind: pulumi.String("string"),
Name: pulumi.String("string"),
Ootb: pulumi.Bool(false),
ScriptId: pulumi.Int(0),
Severity: pulumi.String("string"),
},
},
KubernetesControlsAvdIds: pulumi.StringArray{
pulumi.String("string"),
},
KubernetesControlsNames: pulumi.StringArray{
pulumi.String("string"),
},
Labels: pulumi.StringArray{
pulumi.String("string"),
},
Lastupdate: pulumi.String("string"),
LinuxCisEnabled: pulumi.Bool(false),
MalwareAction: pulumi.String("string"),
MaximumScore: pulumi.Float64(0),
MaximumScoreEnabled: pulumi.Bool(false),
MaximumScoreExcludeNoFix: pulumi.Bool(false),
MonitoredMalwarePaths: pulumi.StringArray{
pulumi.String("string"),
},
Name: pulumi.String("string"),
OnlyNoneRootUsers: pulumi.Bool(false),
OpenshiftHardeningEnabled: pulumi.Bool(false),
PackagesBlackListEnabled: pulumi.Bool(false),
PackagesBlackLists: aquasec.FunctionAssurancePolicyPackagesBlackListArray{
&aquasec.FunctionAssurancePolicyPackagesBlackListArgs{
Arch: pulumi.String("string"),
Display: pulumi.String("string"),
Epoch: pulumi.String("string"),
Format: pulumi.String("string"),
License: pulumi.String("string"),
Name: pulumi.String("string"),
Release: pulumi.String("string"),
Version: pulumi.String("string"),
VersionRange: pulumi.String("string"),
},
},
PackagesWhiteListEnabled: pulumi.Bool(false),
PackagesWhiteLists: aquasec.FunctionAssurancePolicyPackagesWhiteListArray{
&aquasec.FunctionAssurancePolicyPackagesWhiteListArgs{
Arch: pulumi.String("string"),
Display: pulumi.String("string"),
Epoch: pulumi.String("string"),
Format: pulumi.String("string"),
License: pulumi.String("string"),
Name: pulumi.String("string"),
Release: pulumi.String("string"),
Version: pulumi.String("string"),
VersionRange: pulumi.String("string"),
},
},
PartialResultsImageFail: pulumi.Bool(false),
Permission: pulumi.String("string"),
PolicySettings: &aquasec.FunctionAssurancePolicyPolicySettingsArgs{
Enforce: pulumi.Bool(false),
IsAuditChecked: pulumi.Bool(false),
Warn: pulumi.Bool(false),
WarningMessage: pulumi.String("string"),
},
ReadOnly: pulumi.Bool(false),
Registries: pulumi.StringArray{
pulumi.String("string"),
},
Registry: pulumi.String("string"),
RequiredLabels: aquasec.FunctionAssurancePolicyRequiredLabelArray{
&aquasec.FunctionAssurancePolicyRequiredLabelArgs{
Key: pulumi.String("string"),
Value: pulumi.String("string"),
},
},
RequiredLabelsEnabled: pulumi.Bool(false),
ScanMalwareInArchives: pulumi.Bool(false),
ScanNfsMounts: pulumi.Bool(false),
ScanProcessMemory: pulumi.Bool(false),
ScanSensitiveData: pulumi.Bool(false),
ScanWindowsRegistry: pulumi.Bool(false),
ScapEnabled: pulumi.Bool(false),
ScapFiles: pulumi.StringArray{
pulumi.String("string"),
},
Scopes: aquasec.FunctionAssurancePolicyScopeArray{
&aquasec.FunctionAssurancePolicyScopeArgs{
Expression: pulumi.String("string"),
Variables: aquasec.FunctionAssurancePolicyScopeVariableArray{
&aquasec.FunctionAssurancePolicyScopeVariableArgs{
Attribute: pulumi.String("string"),
Name: pulumi.String("string"),
Value: pulumi.String("string"),
},
},
},
},
TrustedBaseImages: aquasec.FunctionAssurancePolicyTrustedBaseImageArray{
&aquasec.FunctionAssurancePolicyTrustedBaseImageArgs{
Imagename: pulumi.String("string"),
Registry: pulumi.String("string"),
},
},
TrustedBaseImagesEnabled: pulumi.Bool(false),
VulnerabilityExploitability: pulumi.Bool(false),
VulnerabilityScoreRanges: pulumi.IntArray{
pulumi.Int(0),
},
WhitelistedLicenses: pulumi.StringArray{
pulumi.String("string"),
},
WhitelistedLicensesEnabled: pulumi.Bool(false),
})
var functionAssurancePolicyResource = new FunctionAssurancePolicy("functionAssurancePolicyResource", FunctionAssurancePolicyArgs.builder()
.applicationScopes("string")
.aggregatedVulnerability(Map.of("string", "string"))
.allowedImages("string")
.assuranceType("string")
.auditOnFailure(false)
.author("string")
.autoScanConfigured(false)
.autoScanEnabled(false)
.autoScanTimes(FunctionAssurancePolicyAutoScanTimeArgs.builder()
.iteration(0)
.iterationType("string")
.time("string")
.weekDays("string")
.build())
.blacklistPermissions("string")
.blacklistPermissionsEnabled(false)
.blacklistedLicenses("string")
.blacklistedLicensesEnabled(false)
.blockFailed(false)
.controlExcludeNoFix(false)
.customChecks(FunctionAssurancePolicyCustomCheckArgs.builder()
.author("string")
.description("string")
.engine("string")
.lastModified(0)
.name("string")
.path("string")
.readOnly(false)
.scriptId("string")
.severity("string")
.snippet("string")
.build())
.customChecksEnabled(false)
.customSeverity("string")
.customSeverityEnabled(false)
.cvesBlackListEnabled(false)
.cvesBlackLists("string")
.cvesWhiteListEnabled(false)
.cvesWhiteLists("string")
.cvssSeverity("string")
.cvssSeverityEnabled(false)
.cvssSeverityExcludeNoFix(false)
.description("string")
.disallowExploitTypes("string")
.disallowMalware(false)
.dockerCisEnabled(false)
.domain("string")
.domainName("string")
.dtaEnabled(false)
.dtaSeverity("string")
.enabled(false)
.enforce(false)
.enforceAfterDays(0)
.enforceExcessivePermissions(false)
.exceptionalMonitoredMalwarePaths("string")
.excludeApplicationScopes("string")
.failCicd(false)
.forbiddenLabels(FunctionAssurancePolicyForbiddenLabelArgs.builder()
.key("string")
.value("string")
.build())
.forbiddenLabelsEnabled(false)
.forceMicroenforcer(false)
.functionIntegrityEnabled(false)
.ignoreBaseImageVln(false)
.ignoreRecentlyPublishedVln(false)
.ignoreRecentlyPublishedVlnPeriod(0)
.ignoreRiskResourcesEnabled(false)
.ignoredRiskResources("string")
.ignoredSensitiveResources("string")
.images("string")
.kubeCisEnabled(false)
.kubernetesControls(FunctionAssurancePolicyKubernetesControlArgs.builder()
.avdId("string")
.description("string")
.enabled(false)
.kind("string")
.name("string")
.ootb(false)
.scriptId(0)
.severity("string")
.build())
.kubernetesControlsAvdIds("string")
.kubernetesControlsNames("string")
.labels("string")
.lastupdate("string")
.linuxCisEnabled(false)
.malwareAction("string")
.maximumScore(0)
.maximumScoreEnabled(false)
.maximumScoreExcludeNoFix(false)
.monitoredMalwarePaths("string")
.name("string")
.onlyNoneRootUsers(false)
.openshiftHardeningEnabled(false)
.packagesBlackListEnabled(false)
.packagesBlackLists(FunctionAssurancePolicyPackagesBlackListArgs.builder()
.arch("string")
.display("string")
.epoch("string")
.format("string")
.license("string")
.name("string")
.release("string")
.version("string")
.versionRange("string")
.build())
.packagesWhiteListEnabled(false)
.packagesWhiteLists(FunctionAssurancePolicyPackagesWhiteListArgs.builder()
.arch("string")
.display("string")
.epoch("string")
.format("string")
.license("string")
.name("string")
.release("string")
.version("string")
.versionRange("string")
.build())
.partialResultsImageFail(false)
.permission("string")
.policySettings(FunctionAssurancePolicyPolicySettingsArgs.builder()
.enforce(false)
.isAuditChecked(false)
.warn(false)
.warningMessage("string")
.build())
.readOnly(false)
.registries("string")
.registry("string")
.requiredLabels(FunctionAssurancePolicyRequiredLabelArgs.builder()
.key("string")
.value("string")
.build())
.requiredLabelsEnabled(false)
.scanMalwareInArchives(false)
.scanNfsMounts(false)
.scanProcessMemory(false)
.scanSensitiveData(false)
.scanWindowsRegistry(false)
.scapEnabled(false)
.scapFiles("string")
.scopes(FunctionAssurancePolicyScopeArgs.builder()
.expression("string")
.variables(FunctionAssurancePolicyScopeVariableArgs.builder()
.attribute("string")
.name("string")
.value("string")
.build())
.build())
.trustedBaseImages(FunctionAssurancePolicyTrustedBaseImageArgs.builder()
.imagename("string")
.registry("string")
.build())
.trustedBaseImagesEnabled(false)
.vulnerabilityExploitability(false)
.vulnerabilityScoreRanges(0)
.whitelistedLicenses("string")
.whitelistedLicensesEnabled(false)
.build());
function_assurance_policy_resource = aquasec.FunctionAssurancePolicy("functionAssurancePolicyResource",
application_scopes=["string"],
aggregated_vulnerability={
"string": "string",
},
allowed_images=["string"],
assurance_type="string",
audit_on_failure=False,
author="string",
auto_scan_configured=False,
auto_scan_enabled=False,
auto_scan_times=[{
"iteration": 0,
"iteration_type": "string",
"time": "string",
"week_days": ["string"],
}],
blacklist_permissions=["string"],
blacklist_permissions_enabled=False,
blacklisted_licenses=["string"],
blacklisted_licenses_enabled=False,
block_failed=False,
control_exclude_no_fix=False,
custom_checks=[{
"author": "string",
"description": "string",
"engine": "string",
"last_modified": 0,
"name": "string",
"path": "string",
"read_only": False,
"script_id": "string",
"severity": "string",
"snippet": "string",
}],
custom_checks_enabled=False,
custom_severity="string",
custom_severity_enabled=False,
cves_black_list_enabled=False,
cves_black_lists=["string"],
cves_white_list_enabled=False,
cves_white_lists=["string"],
cvss_severity="string",
cvss_severity_enabled=False,
cvss_severity_exclude_no_fix=False,
description="string",
disallow_exploit_types=["string"],
disallow_malware=False,
docker_cis_enabled=False,
domain="string",
domain_name="string",
dta_enabled=False,
dta_severity="string",
enabled=False,
enforce=False,
enforce_after_days=0,
enforce_excessive_permissions=False,
exceptional_monitored_malware_paths=["string"],
exclude_application_scopes=["string"],
fail_cicd=False,
forbidden_labels=[{
"key": "string",
"value": "string",
}],
forbidden_labels_enabled=False,
force_microenforcer=False,
function_integrity_enabled=False,
ignore_base_image_vln=False,
ignore_recently_published_vln=False,
ignore_recently_published_vln_period=0,
ignore_risk_resources_enabled=False,
ignored_risk_resources=["string"],
ignored_sensitive_resources=["string"],
images=["string"],
kube_cis_enabled=False,
kubernetes_controls=[{
"avd_id": "string",
"description": "string",
"enabled": False,
"kind": "string",
"name": "string",
"ootb": False,
"script_id": 0,
"severity": "string",
}],
kubernetes_controls_avd_ids=["string"],
kubernetes_controls_names=["string"],
labels=["string"],
lastupdate="string",
linux_cis_enabled=False,
malware_action="string",
maximum_score=0,
maximum_score_enabled=False,
maximum_score_exclude_no_fix=False,
monitored_malware_paths=["string"],
name="string",
only_none_root_users=False,
openshift_hardening_enabled=False,
packages_black_list_enabled=False,
packages_black_lists=[{
"arch": "string",
"display": "string",
"epoch": "string",
"format": "string",
"license": "string",
"name": "string",
"release": "string",
"version": "string",
"version_range": "string",
}],
packages_white_list_enabled=False,
packages_white_lists=[{
"arch": "string",
"display": "string",
"epoch": "string",
"format": "string",
"license": "string",
"name": "string",
"release": "string",
"version": "string",
"version_range": "string",
}],
partial_results_image_fail=False,
permission="string",
policy_settings={
"enforce": False,
"is_audit_checked": False,
"warn": False,
"warning_message": "string",
},
read_only=False,
registries=["string"],
registry="string",
required_labels=[{
"key": "string",
"value": "string",
}],
required_labels_enabled=False,
scan_malware_in_archives=False,
scan_nfs_mounts=False,
scan_process_memory=False,
scan_sensitive_data=False,
scan_windows_registry=False,
scap_enabled=False,
scap_files=["string"],
scopes=[{
"expression": "string",
"variables": [{
"attribute": "string",
"name": "string",
"value": "string",
}],
}],
trusted_base_images=[{
"imagename": "string",
"registry": "string",
}],
trusted_base_images_enabled=False,
vulnerability_exploitability=False,
vulnerability_score_ranges=[0],
whitelisted_licenses=["string"],
whitelisted_licenses_enabled=False)
const functionAssurancePolicyResource = new aquasec.FunctionAssurancePolicy("functionAssurancePolicyResource", {
applicationScopes: ["string"],
aggregatedVulnerability: {
string: "string",
},
allowedImages: ["string"],
assuranceType: "string",
auditOnFailure: false,
author: "string",
autoScanConfigured: false,
autoScanEnabled: false,
autoScanTimes: [{
iteration: 0,
iterationType: "string",
time: "string",
weekDays: ["string"],
}],
blacklistPermissions: ["string"],
blacklistPermissionsEnabled: false,
blacklistedLicenses: ["string"],
blacklistedLicensesEnabled: false,
blockFailed: false,
controlExcludeNoFix: false,
customChecks: [{
author: "string",
description: "string",
engine: "string",
lastModified: 0,
name: "string",
path: "string",
readOnly: false,
scriptId: "string",
severity: "string",
snippet: "string",
}],
customChecksEnabled: false,
customSeverity: "string",
customSeverityEnabled: false,
cvesBlackListEnabled: false,
cvesBlackLists: ["string"],
cvesWhiteListEnabled: false,
cvesWhiteLists: ["string"],
cvssSeverity: "string",
cvssSeverityEnabled: false,
cvssSeverityExcludeNoFix: false,
description: "string",
disallowExploitTypes: ["string"],
disallowMalware: false,
dockerCisEnabled: false,
domain: "string",
domainName: "string",
dtaEnabled: false,
dtaSeverity: "string",
enabled: false,
enforce: false,
enforceAfterDays: 0,
enforceExcessivePermissions: false,
exceptionalMonitoredMalwarePaths: ["string"],
excludeApplicationScopes: ["string"],
failCicd: false,
forbiddenLabels: [{
key: "string",
value: "string",
}],
forbiddenLabelsEnabled: false,
forceMicroenforcer: false,
functionIntegrityEnabled: false,
ignoreBaseImageVln: false,
ignoreRecentlyPublishedVln: false,
ignoreRecentlyPublishedVlnPeriod: 0,
ignoreRiskResourcesEnabled: false,
ignoredRiskResources: ["string"],
ignoredSensitiveResources: ["string"],
images: ["string"],
kubeCisEnabled: false,
kubernetesControls: [{
avdId: "string",
description: "string",
enabled: false,
kind: "string",
name: "string",
ootb: false,
scriptId: 0,
severity: "string",
}],
kubernetesControlsAvdIds: ["string"],
kubernetesControlsNames: ["string"],
labels: ["string"],
lastupdate: "string",
linuxCisEnabled: false,
malwareAction: "string",
maximumScore: 0,
maximumScoreEnabled: false,
maximumScoreExcludeNoFix: false,
monitoredMalwarePaths: ["string"],
name: "string",
onlyNoneRootUsers: false,
openshiftHardeningEnabled: false,
packagesBlackListEnabled: false,
packagesBlackLists: [{
arch: "string",
display: "string",
epoch: "string",
format: "string",
license: "string",
name: "string",
release: "string",
version: "string",
versionRange: "string",
}],
packagesWhiteListEnabled: false,
packagesWhiteLists: [{
arch: "string",
display: "string",
epoch: "string",
format: "string",
license: "string",
name: "string",
release: "string",
version: "string",
versionRange: "string",
}],
partialResultsImageFail: false,
permission: "string",
policySettings: {
enforce: false,
isAuditChecked: false,
warn: false,
warningMessage: "string",
},
readOnly: false,
registries: ["string"],
registry: "string",
requiredLabels: [{
key: "string",
value: "string",
}],
requiredLabelsEnabled: false,
scanMalwareInArchives: false,
scanNfsMounts: false,
scanProcessMemory: false,
scanSensitiveData: false,
scanWindowsRegistry: false,
scapEnabled: false,
scapFiles: ["string"],
scopes: [{
expression: "string",
variables: [{
attribute: "string",
name: "string",
value: "string",
}],
}],
trustedBaseImages: [{
imagename: "string",
registry: "string",
}],
trustedBaseImagesEnabled: false,
vulnerabilityExploitability: false,
vulnerabilityScoreRanges: [0],
whitelistedLicenses: ["string"],
whitelistedLicensesEnabled: false,
});
type: aquasec:FunctionAssurancePolicy
properties:
aggregatedVulnerability:
string: string
allowedImages:
- string
applicationScopes:
- string
assuranceType: string
auditOnFailure: false
author: string
autoScanConfigured: false
autoScanEnabled: false
autoScanTimes:
- iteration: 0
iterationType: string
time: string
weekDays:
- string
blacklistPermissions:
- string
blacklistPermissionsEnabled: false
blacklistedLicenses:
- string
blacklistedLicensesEnabled: false
blockFailed: false
controlExcludeNoFix: false
customChecks:
- author: string
description: string
engine: string
lastModified: 0
name: string
path: string
readOnly: false
scriptId: string
severity: string
snippet: string
customChecksEnabled: false
customSeverity: string
customSeverityEnabled: false
cvesBlackListEnabled: false
cvesBlackLists:
- string
cvesWhiteListEnabled: false
cvesWhiteLists:
- string
cvssSeverity: string
cvssSeverityEnabled: false
cvssSeverityExcludeNoFix: false
description: string
disallowExploitTypes:
- string
disallowMalware: false
dockerCisEnabled: false
domain: string
domainName: string
dtaEnabled: false
dtaSeverity: string
enabled: false
enforce: false
enforceAfterDays: 0
enforceExcessivePermissions: false
exceptionalMonitoredMalwarePaths:
- string
excludeApplicationScopes:
- string
failCicd: false
forbiddenLabels:
- key: string
value: string
forbiddenLabelsEnabled: false
forceMicroenforcer: false
functionIntegrityEnabled: false
ignoreBaseImageVln: false
ignoreRecentlyPublishedVln: false
ignoreRecentlyPublishedVlnPeriod: 0
ignoreRiskResourcesEnabled: false
ignoredRiskResources:
- string
ignoredSensitiveResources:
- string
images:
- string
kubeCisEnabled: false
kubernetesControls:
- avdId: string
description: string
enabled: false
kind: string
name: string
ootb: false
scriptId: 0
severity: string
kubernetesControlsAvdIds:
- string
kubernetesControlsNames:
- string
labels:
- string
lastupdate: string
linuxCisEnabled: false
malwareAction: string
maximumScore: 0
maximumScoreEnabled: false
maximumScoreExcludeNoFix: false
monitoredMalwarePaths:
- string
name: string
onlyNoneRootUsers: false
openshiftHardeningEnabled: false
packagesBlackListEnabled: false
packagesBlackLists:
- arch: string
display: string
epoch: string
format: string
license: string
name: string
release: string
version: string
versionRange: string
packagesWhiteListEnabled: false
packagesWhiteLists:
- arch: string
display: string
epoch: string
format: string
license: string
name: string
release: string
version: string
versionRange: string
partialResultsImageFail: false
permission: string
policySettings:
enforce: false
isAuditChecked: false
warn: false
warningMessage: string
readOnly: false
registries:
- string
registry: string
requiredLabels:
- key: string
value: string
requiredLabelsEnabled: false
scanMalwareInArchives: false
scanNfsMounts: false
scanProcessMemory: false
scanSensitiveData: false
scanWindowsRegistry: false
scapEnabled: false
scapFiles:
- string
scopes:
- expression: string
variables:
- attribute: string
name: string
value: string
trustedBaseImages:
- imagename: string
registry: string
trustedBaseImagesEnabled: false
vulnerabilityExploitability: false
vulnerabilityScoreRanges:
- 0
whitelistedLicenses:
- string
whitelistedLicensesEnabled: false
FunctionAssurancePolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The FunctionAssurancePolicy resource accepts the following input properties:
- Application
Scopes List<string> - Aggregated
Vulnerability Dictionary<string, string> - Aggregated vulnerability information.
- Allowed
Images List<string> - List of explicitly allowed images.
- Assurance
Type string - What type of assurance policy is described.
- Audit
On boolFailure - Indicates if auditing for failures.
- string
- Name of user account that created the policy.
- Auto
Scan boolConfigured - Auto
Scan boolEnabled - Auto
Scan List<Pulumiverse.Times Aquasec. Inputs. Function Assurance Policy Auto Scan Time> - Blacklist
Permissions List<string> - List of function's forbidden permissions.
- Blacklist
Permissions boolEnabled - Indicates if blacklist permissions is relevant.
- Blacklisted
Licenses List<string> - List of blacklisted licenses.
- Blacklisted
Licenses boolEnabled - Indicates if license blacklist is relevant.
- Block
Failed bool - Indicates if failed images are blocked.
- Control
Exclude boolNo Fix - Custom
Checks List<Pulumiverse.Aquasec. Inputs. Function Assurance Policy Custom Check> - List of Custom user scripts for checks.
- Custom
Checks boolEnabled - Indicates if scanning should include custom checks.
- Custom
Severity string - Custom
Severity boolEnabled - Cves
Black boolList Enabled - Indicates if CVEs blacklist is relevant.
- Cves
Black List<string>Lists - List of CVEs blacklisted items.
- Cves
White boolList Enabled - Indicates if CVEs whitelist is relevant.
- Cves
White List<string>Lists - List of cves whitelisted licenses
- Cvss
Severity string - Identifier of the cvss severity.
- Cvss
Severity boolEnabled - Indicates if the cvss severity is scanned.
- Cvss
Severity boolExclude No Fix - Indicates that policy should ignore cvss cases that do not have a known fix.
- Description string
- Disallow
Exploit List<string>Types - Disallow
Malware bool - Indicates if malware should block the image.
- Docker
Cis boolEnabled - Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
- Domain string
- Name of the container image.
- Domain
Name string - Dta
Enabled bool - Dta
Severity string - Enabled bool
- Enforce bool
- Enforce
After intDays - Enforce
Excessive boolPermissions - Exceptional
Monitored List<string>Malware Paths - Exclude
Application List<string>Scopes - Fail
Cicd bool - Indicates if cicd failures will fail the image.
- Forbidden
Labels List<Pulumiverse.Aquasec. Inputs. Function Assurance Policy Forbidden Label> - Forbidden
Labels boolEnabled - Force
Microenforcer bool - Function
Integrity boolEnabled - Ignore
Base boolImage Vln - Ignore
Recently boolPublished Vln - Ignore
Recently intPublished Vln Period - Ignore
Risk boolResources Enabled - Indicates if risk resources are ignored.
- Ignored
Risk List<string>Resources - List of ignored risk resources.
- Ignored
Sensitive List<string>Resources - Images List<string>
- List of images.
- Kube
Cis boolEnabled - Performs a Kubernetes CIS benchmark check for the host.
- Kubernetes
Controls List<Pulumiverse.Aquasec. Inputs. Function Assurance Policy Kubernetes Control> - List of Kubernetes controls.
- Kubernetes
Controls List<string>Avd Ids - Kubernetes
Controls List<string>Names - Labels List<string>
- List of labels.
- Lastupdate string
- Linux
Cis boolEnabled - Malware
Action string - Maximum
Score double - Value of allowed maximum score.
- Maximum
Score boolEnabled - Indicates if exceeding the maximum score is scanned.
- Maximum
Score boolExclude No Fix - Monitored
Malware List<string>Paths - Name string
- Only
None boolRoot Users - Indicates if raise a warning for images that should only be run as root.
- Openshift
Hardening boolEnabled - Packages
Black boolList Enabled - Indicates if packages blacklist is relevant.
- Packages
Black List<Pulumiverse.Lists Aquasec. Inputs. Function Assurance Policy Packages Black List> - List of blacklisted images.
- Packages
White boolList Enabled - Indicates if packages whitelist is relevant.
- Packages
White List<Pulumiverse.Lists Aquasec. Inputs. Function Assurance Policy Packages White List> - List of whitelisted images.
- Partial
Results boolImage Fail - Permission string
- Policy
Settings Pulumiverse.Aquasec. Inputs. Function Assurance Policy Policy Settings - Read
Only bool - Registries List<string>
- List of registries.
- Registry string
- Required
Labels List<Pulumiverse.Aquasec. Inputs. Function Assurance Policy Required Label> - Required
Labels boolEnabled - Scan
Malware boolIn Archives - Scan
Nfs boolMounts - Scan
Process boolMemory - Scan
Sensitive boolData - Indicates if scan should include sensitive data in the image.
- Scan
Windows boolRegistry - Scap
Enabled bool - Indicates if scanning should include scap.
- Scap
Files List<string> - List of SCAP user scripts for checks.
- Scopes
List<Pulumiverse.
Aquasec. Inputs. Function Assurance Policy Scope> - Trusted
Base List<Pulumiverse.Images Aquasec. Inputs. Function Assurance Policy Trusted Base Image> - List of trusted images.
- Trusted
Base boolImages Enabled - Indicates if list of trusted base images is relevant.
- Vulnerability
Exploitability bool - Vulnerability
Score List<int>Ranges - Whitelisted
Licenses List<string> - List of whitelisted licenses.
- Whitelisted
Licenses boolEnabled - Indicates if license blacklist is relevant.
- Application
Scopes []string - Aggregated
Vulnerability map[string]string - Aggregated vulnerability information.
- Allowed
Images []string - List of explicitly allowed images.
- Assurance
Type string - What type of assurance policy is described.
- Audit
On boolFailure - Indicates if auditing for failures.
- string
- Name of user account that created the policy.
- Auto
Scan boolConfigured - Auto
Scan boolEnabled - Auto
Scan []FunctionTimes Assurance Policy Auto Scan Time Args - Blacklist
Permissions []string - List of function's forbidden permissions.
- Blacklist
Permissions boolEnabled - Indicates if blacklist permissions is relevant.
- Blacklisted
Licenses []string - List of blacklisted licenses.
- Blacklisted
Licenses boolEnabled - Indicates if license blacklist is relevant.
- Block
Failed bool - Indicates if failed images are blocked.
- Control
Exclude boolNo Fix - Custom
Checks []FunctionAssurance Policy Custom Check Args - List of Custom user scripts for checks.
- Custom
Checks boolEnabled - Indicates if scanning should include custom checks.
- Custom
Severity string - Custom
Severity boolEnabled - Cves
Black boolList Enabled - Indicates if CVEs blacklist is relevant.
- Cves
Black []stringLists - List of CVEs blacklisted items.
- Cves
White boolList Enabled - Indicates if CVEs whitelist is relevant.
- Cves
White []stringLists - List of cves whitelisted licenses
- Cvss
Severity string - Identifier of the cvss severity.
- Cvss
Severity boolEnabled - Indicates if the cvss severity is scanned.
- Cvss
Severity boolExclude No Fix - Indicates that policy should ignore cvss cases that do not have a known fix.
- Description string
- Disallow
Exploit []stringTypes - Disallow
Malware bool - Indicates if malware should block the image.
- Docker
Cis boolEnabled - Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
- Domain string
- Name of the container image.
- Domain
Name string - Dta
Enabled bool - Dta
Severity string - Enabled bool
- Enforce bool
- Enforce
After intDays - Enforce
Excessive boolPermissions - Exceptional
Monitored []stringMalware Paths - Exclude
Application []stringScopes - Fail
Cicd bool - Indicates if cicd failures will fail the image.
- Forbidden
Labels []FunctionAssurance Policy Forbidden Label Args - Forbidden
Labels boolEnabled - Force
Microenforcer bool - Function
Integrity boolEnabled - Ignore
Base boolImage Vln - Ignore
Recently boolPublished Vln - Ignore
Recently intPublished Vln Period - Ignore
Risk boolResources Enabled - Indicates if risk resources are ignored.
- Ignored
Risk []stringResources - List of ignored risk resources.
- Ignored
Sensitive []stringResources - Images []string
- List of images.
- Kube
Cis boolEnabled - Performs a Kubernetes CIS benchmark check for the host.
- Kubernetes
Controls []FunctionAssurance Policy Kubernetes Control Args - List of Kubernetes controls.
- Kubernetes
Controls []stringAvd Ids - Kubernetes
Controls []stringNames - Labels []string
- List of labels.
- Lastupdate string
- Linux
Cis boolEnabled - Malware
Action string - Maximum
Score float64 - Value of allowed maximum score.
- Maximum
Score boolEnabled - Indicates if exceeding the maximum score is scanned.
- Maximum
Score boolExclude No Fix - Monitored
Malware []stringPaths - Name string
- Only
None boolRoot Users - Indicates if raise a warning for images that should only be run as root.
- Openshift
Hardening boolEnabled - Packages
Black boolList Enabled - Indicates if packages blacklist is relevant.
- Packages
Black []FunctionLists Assurance Policy Packages Black List Args - List of blacklisted images.
- Packages
White boolList Enabled - Indicates if packages whitelist is relevant.
- Packages
White []FunctionLists Assurance Policy Packages White List Args - List of whitelisted images.
- Partial
Results boolImage Fail - Permission string
- Policy
Settings FunctionAssurance Policy Policy Settings Args - Read
Only bool - Registries []string
- List of registries.
- Registry string
- Required
Labels []FunctionAssurance Policy Required Label Args - Required
Labels boolEnabled - Scan
Malware boolIn Archives - Scan
Nfs boolMounts - Scan
Process boolMemory - Scan
Sensitive boolData - Indicates if scan should include sensitive data in the image.
- Scan
Windows boolRegistry - Scap
Enabled bool - Indicates if scanning should include scap.
- Scap
Files []string - List of SCAP user scripts for checks.
- Scopes
[]Function
Assurance Policy Scope Args - Trusted
Base []FunctionImages Assurance Policy Trusted Base Image Args - List of trusted images.
- Trusted
Base boolImages Enabled - Indicates if list of trusted base images is relevant.
- Vulnerability
Exploitability bool - Vulnerability
Score []intRanges - Whitelisted
Licenses []string - List of whitelisted licenses.
- Whitelisted
Licenses boolEnabled - Indicates if license blacklist is relevant.
- application
Scopes List<String> - aggregated
Vulnerability Map<String,String> - Aggregated vulnerability information.
- allowed
Images List<String> - List of explicitly allowed images.
- assurance
Type String - What type of assurance policy is described.
- audit
On BooleanFailure - Indicates if auditing for failures.
- String
- Name of user account that created the policy.
- auto
Scan BooleanConfigured - auto
Scan BooleanEnabled - auto
Scan List<FunctionTimes Assurance Policy Auto Scan Time> - blacklist
Permissions List<String> - List of function's forbidden permissions.
- blacklist
Permissions BooleanEnabled - Indicates if blacklist permissions is relevant.
- blacklisted
Licenses List<String> - List of blacklisted licenses.
- blacklisted
Licenses BooleanEnabled - Indicates if license blacklist is relevant.
- block
Failed Boolean - Indicates if failed images are blocked.
- control
Exclude BooleanNo Fix - custom
Checks List<FunctionAssurance Policy Custom Check> - List of Custom user scripts for checks.
- custom
Checks BooleanEnabled - Indicates if scanning should include custom checks.
- custom
Severity String - custom
Severity BooleanEnabled - cves
Black BooleanList Enabled - Indicates if CVEs blacklist is relevant.
- cves
Black List<String>Lists - List of CVEs blacklisted items.
- cves
White BooleanList Enabled - Indicates if CVEs whitelist is relevant.
- cves
White List<String>Lists - List of cves whitelisted licenses
- cvss
Severity String - Identifier of the cvss severity.
- cvss
Severity BooleanEnabled - Indicates if the cvss severity is scanned.
- cvss
Severity BooleanExclude No Fix - Indicates that policy should ignore cvss cases that do not have a known fix.
- description String
- disallow
Exploit List<String>Types - disallow
Malware Boolean - Indicates if malware should block the image.
- docker
Cis BooleanEnabled - Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
- domain String
- Name of the container image.
- domain
Name String - dta
Enabled Boolean - dta
Severity String - enabled Boolean
- enforce Boolean
- enforce
After IntegerDays - enforce
Excessive BooleanPermissions - exceptional
Monitored List<String>Malware Paths - exclude
Application List<String>Scopes - fail
Cicd Boolean - Indicates if cicd failures will fail the image.
- forbidden
Labels List<FunctionAssurance Policy Forbidden Label> - forbidden
Labels BooleanEnabled - force
Microenforcer Boolean - function
Integrity BooleanEnabled - ignore
Base BooleanImage Vln - ignore
Recently BooleanPublished Vln - ignore
Recently IntegerPublished Vln Period - ignore
Risk BooleanResources Enabled - Indicates if risk resources are ignored.
- ignored
Risk List<String>Resources - List of ignored risk resources.
- ignored
Sensitive List<String>Resources - images List<String>
- List of images.
- kube
Cis BooleanEnabled - Performs a Kubernetes CIS benchmark check for the host.
- kubernetes
Controls List<FunctionAssurance Policy Kubernetes Control> - List of Kubernetes controls.
- kubernetes
Controls List<String>Avd Ids - kubernetes
Controls List<String>Names - labels List<String>
- List of labels.
- lastupdate String
- linux
Cis BooleanEnabled - malware
Action String - maximum
Score Double - Value of allowed maximum score.
- maximum
Score BooleanEnabled - Indicates if exceeding the maximum score is scanned.
- maximum
Score BooleanExclude No Fix - monitored
Malware List<String>Paths - name String
- only
None BooleanRoot Users - Indicates if raise a warning for images that should only be run as root.
- openshift
Hardening BooleanEnabled - packages
Black BooleanList Enabled - Indicates if packages blacklist is relevant.
- packages
Black List<FunctionLists Assurance Policy Packages Black List> - List of blacklisted images.
- packages
White BooleanList Enabled - Indicates if packages whitelist is relevant.
- packages
White List<FunctionLists Assurance Policy Packages White List> - List of whitelisted images.
- partial
Results BooleanImage Fail - permission String
- policy
Settings FunctionAssurance Policy Policy Settings - read
Only Boolean - registries List<String>
- List of registries.
- registry String
- required
Labels List<FunctionAssurance Policy Required Label> - required
Labels BooleanEnabled - scan
Malware BooleanIn Archives - scan
Nfs BooleanMounts - scan
Process BooleanMemory - scan
Sensitive BooleanData - Indicates if scan should include sensitive data in the image.
- scan
Windows BooleanRegistry - scap
Enabled Boolean - Indicates if scanning should include scap.
- scap
Files List<String> - List of SCAP user scripts for checks.
- scopes
List<Function
Assurance Policy Scope> - trusted
Base List<FunctionImages Assurance Policy Trusted Base Image> - List of trusted images.
- trusted
Base BooleanImages Enabled - Indicates if list of trusted base images is relevant.
- vulnerability
Exploitability Boolean - vulnerability
Score List<Integer>Ranges - whitelisted
Licenses List<String> - List of whitelisted licenses.
- whitelisted
Licenses BooleanEnabled - Indicates if license blacklist is relevant.
- application
Scopes string[] - aggregated
Vulnerability {[key: string]: string} - Aggregated vulnerability information.
- allowed
Images string[] - List of explicitly allowed images.
- assurance
Type string - What type of assurance policy is described.
- audit
On booleanFailure - Indicates if auditing for failures.
- string
- Name of user account that created the policy.
- auto
Scan booleanConfigured - auto
Scan booleanEnabled - auto
Scan FunctionTimes Assurance Policy Auto Scan Time[] - blacklist
Permissions string[] - List of function's forbidden permissions.
- blacklist
Permissions booleanEnabled - Indicates if blacklist permissions is relevant.
- blacklisted
Licenses string[] - List of blacklisted licenses.
- blacklisted
Licenses booleanEnabled - Indicates if license blacklist is relevant.
- block
Failed boolean - Indicates if failed images are blocked.
- control
Exclude booleanNo Fix - custom
Checks FunctionAssurance Policy Custom Check[] - List of Custom user scripts for checks.
- custom
Checks booleanEnabled - Indicates if scanning should include custom checks.
- custom
Severity string - custom
Severity booleanEnabled - cves
Black booleanList Enabled - Indicates if CVEs blacklist is relevant.
- cves
Black string[]Lists - List of CVEs blacklisted items.
- cves
White booleanList Enabled - Indicates if CVEs whitelist is relevant.
- cves
White string[]Lists - List of cves whitelisted licenses
- cvss
Severity string - Identifier of the cvss severity.
- cvss
Severity booleanEnabled - Indicates if the cvss severity is scanned.
- cvss
Severity booleanExclude No Fix - Indicates that policy should ignore cvss cases that do not have a known fix.
- description string
- disallow
Exploit string[]Types - disallow
Malware boolean - Indicates if malware should block the image.
- docker
Cis booleanEnabled - Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
- domain string
- Name of the container image.
- domain
Name string - dta
Enabled boolean - dta
Severity string - enabled boolean
- enforce boolean
- enforce
After numberDays - enforce
Excessive booleanPermissions - exceptional
Monitored string[]Malware Paths - exclude
Application string[]Scopes - fail
Cicd boolean - Indicates if cicd failures will fail the image.
- forbidden
Labels FunctionAssurance Policy Forbidden Label[] - forbidden
Labels booleanEnabled - force
Microenforcer boolean - function
Integrity booleanEnabled - ignore
Base booleanImage Vln - ignore
Recently booleanPublished Vln - ignore
Recently numberPublished Vln Period - ignore
Risk booleanResources Enabled - Indicates if risk resources are ignored.
- ignored
Risk string[]Resources - List of ignored risk resources.
- ignored
Sensitive string[]Resources - images string[]
- List of images.
- kube
Cis booleanEnabled - Performs a Kubernetes CIS benchmark check for the host.
- kubernetes
Controls FunctionAssurance Policy Kubernetes Control[] - List of Kubernetes controls.
- kubernetes
Controls string[]Avd Ids - kubernetes
Controls string[]Names - labels string[]
- List of labels.
- lastupdate string
- linux
Cis booleanEnabled - malware
Action string - maximum
Score number - Value of allowed maximum score.
- maximum
Score booleanEnabled - Indicates if exceeding the maximum score is scanned.
- maximum
Score booleanExclude No Fix - monitored
Malware string[]Paths - name string
- only
None booleanRoot Users - Indicates if raise a warning for images that should only be run as root.
- openshift
Hardening booleanEnabled - packages
Black booleanList Enabled - Indicates if packages blacklist is relevant.
- packages
Black FunctionLists Assurance Policy Packages Black List[] - List of blacklisted images.
- packages
White booleanList Enabled - Indicates if packages whitelist is relevant.
- packages
White FunctionLists Assurance Policy Packages White List[] - List of whitelisted images.
- partial
Results booleanImage Fail - permission string
- policy
Settings FunctionAssurance Policy Policy Settings - read
Only boolean - registries string[]
- List of registries.
- registry string
- required
Labels FunctionAssurance Policy Required Label[] - required
Labels booleanEnabled - scan
Malware booleanIn Archives - scan
Nfs booleanMounts - scan
Process booleanMemory - scan
Sensitive booleanData - Indicates if scan should include sensitive data in the image.
- scan
Windows booleanRegistry - scap
Enabled boolean - Indicates if scanning should include scap.
- scap
Files string[] - List of SCAP user scripts for checks.
- scopes
Function
Assurance Policy Scope[] - trusted
Base FunctionImages Assurance Policy Trusted Base Image[] - List of trusted images.
- trusted
Base booleanImages Enabled - Indicates if list of trusted base images is relevant.
- vulnerability
Exploitability boolean - vulnerability
Score number[]Ranges - whitelisted
Licenses string[] - List of whitelisted licenses.
- whitelisted
Licenses booleanEnabled - Indicates if license blacklist is relevant.
- application_
scopes Sequence[str] - aggregated_
vulnerability Mapping[str, str] - Aggregated vulnerability information.
- allowed_
images Sequence[str] - List of explicitly allowed images.
- assurance_
type str - What type of assurance policy is described.
- audit_
on_ boolfailure - Indicates if auditing for failures.
- str
- Name of user account that created the policy.
- auto_
scan_ boolconfigured - auto_
scan_ boolenabled - auto_
scan_ Sequence[Functiontimes Assurance Policy Auto Scan Time Args] - blacklist_
permissions Sequence[str] - List of function's forbidden permissions.
- blacklist_
permissions_ boolenabled - Indicates if blacklist permissions is relevant.
- blacklisted_
licenses Sequence[str] - List of blacklisted licenses.
- blacklisted_
licenses_ boolenabled - Indicates if license blacklist is relevant.
- block_
failed bool - Indicates if failed images are blocked.
- control_
exclude_ boolno_ fix - custom_
checks Sequence[FunctionAssurance Policy Custom Check Args] - List of Custom user scripts for checks.
- custom_
checks_ boolenabled - Indicates if scanning should include custom checks.
- custom_
severity str - custom_
severity_ boolenabled - cves_
black_ boollist_ enabled - Indicates if CVEs blacklist is relevant.
- cves_
black_ Sequence[str]lists - List of CVEs blacklisted items.
- cves_
white_ boollist_ enabled - Indicates if CVEs whitelist is relevant.
- cves_
white_ Sequence[str]lists - List of cves whitelisted licenses
- cvss_
severity str - Identifier of the cvss severity.
- cvss_
severity_ boolenabled - Indicates if the cvss severity is scanned.
- cvss_
severity_ boolexclude_ no_ fix - Indicates that policy should ignore cvss cases that do not have a known fix.
- description str
- disallow_
exploit_ Sequence[str]types - disallow_
malware bool - Indicates if malware should block the image.
- docker_
cis_ boolenabled - Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
- domain str
- Name of the container image.
- domain_
name str - dta_
enabled bool - dta_
severity str - enabled bool
- enforce bool
- enforce_
after_ intdays - enforce_
excessive_ boolpermissions - exceptional_
monitored_ Sequence[str]malware_ paths - exclude_
application_ Sequence[str]scopes - fail_
cicd bool - Indicates if cicd failures will fail the image.
- forbidden_
labels Sequence[FunctionAssurance Policy Forbidden Label Args] - forbidden_
labels_ boolenabled - force_
microenforcer bool - function_
integrity_ boolenabled - ignore_
base_ boolimage_ vln - ignore_
recently_ boolpublished_ vln - ignore_
recently_ intpublished_ vln_ period - ignore_
risk_ boolresources_ enabled - Indicates if risk resources are ignored.
- ignored_
risk_ Sequence[str]resources - List of ignored risk resources.
- ignored_
sensitive_ Sequence[str]resources - images Sequence[str]
- List of images.
- kube_
cis_ boolenabled - Performs a Kubernetes CIS benchmark check for the host.
- kubernetes_
controls Sequence[FunctionAssurance Policy Kubernetes Control Args] - List of Kubernetes controls.
- kubernetes_
controls_ Sequence[str]avd_ ids - kubernetes_
controls_ Sequence[str]names - labels Sequence[str]
- List of labels.
- lastupdate str
- linux_
cis_ boolenabled - malware_
action str - maximum_
score float - Value of allowed maximum score.
- maximum_
score_ boolenabled - Indicates if exceeding the maximum score is scanned.
- maximum_
score_ boolexclude_ no_ fix - monitored_
malware_ Sequence[str]paths - name str
- only_
none_ boolroot_ users - Indicates if raise a warning for images that should only be run as root.
- openshift_
hardening_ boolenabled - packages_
black_ boollist_ enabled - Indicates if packages blacklist is relevant.
- packages_
black_ Sequence[Functionlists Assurance Policy Packages Black List Args] - List of blacklisted images.
- packages_
white_ boollist_ enabled - Indicates if packages whitelist is relevant.
- packages_
white_ Sequence[Functionlists Assurance Policy Packages White List Args] - List of whitelisted images.
- partial_
results_ boolimage_ fail - permission str
- policy_
settings FunctionAssurance Policy Policy Settings Args - read_
only bool - registries Sequence[str]
- List of registries.
- registry str
- required_
labels Sequence[FunctionAssurance Policy Required Label Args] - required_
labels_ boolenabled - scan_
malware_ boolin_ archives - scan_
nfs_ boolmounts - scan_
process_ boolmemory - scan_
sensitive_ booldata - Indicates if scan should include sensitive data in the image.
- scan_
windows_ boolregistry - scap_
enabled bool - Indicates if scanning should include scap.
- scap_
files Sequence[str] - List of SCAP user scripts for checks.
- scopes
Sequence[Function
Assurance Policy Scope Args] - trusted_
base_ Sequence[Functionimages Assurance Policy Trusted Base Image Args] - List of trusted images.
- trusted_
base_ boolimages_ enabled - Indicates if list of trusted base images is relevant.
- vulnerability_
exploitability bool - vulnerability_
score_ Sequence[int]ranges - whitelisted_
licenses Sequence[str] - List of whitelisted licenses.
- whitelisted_
licenses_ boolenabled - Indicates if license blacklist is relevant.
- application
Scopes List<String> - aggregated
Vulnerability Map<String> - Aggregated vulnerability information.
- allowed
Images List<String> - List of explicitly allowed images.
- assurance
Type String - What type of assurance policy is described.
- audit
On BooleanFailure - Indicates if auditing for failures.
- String
- Name of user account that created the policy.
- auto
Scan BooleanConfigured - auto
Scan BooleanEnabled - auto
Scan List<Property Map>Times - blacklist
Permissions List<String> - List of function's forbidden permissions.
- blacklist
Permissions BooleanEnabled - Indicates if blacklist permissions is relevant.
- blacklisted
Licenses List<String> - List of blacklisted licenses.
- blacklisted
Licenses BooleanEnabled - Indicates if license blacklist is relevant.
- block
Failed Boolean - Indicates if failed images are blocked.
- control
Exclude BooleanNo Fix - custom
Checks List<Property Map> - List of Custom user scripts for checks.
- custom
Checks BooleanEnabled - Indicates if scanning should include custom checks.
- custom
Severity String - custom
Severity BooleanEnabled - cves
Black BooleanList Enabled - Indicates if CVEs blacklist is relevant.
- cves
Black List<String>Lists - List of CVEs blacklisted items.
- cves
White BooleanList Enabled - Indicates if CVEs whitelist is relevant.
- cves
White List<String>Lists - List of cves whitelisted licenses
- cvss
Severity String - Identifier of the cvss severity.
- cvss
Severity BooleanEnabled - Indicates if the cvss severity is scanned.
- cvss
Severity BooleanExclude No Fix - Indicates that policy should ignore cvss cases that do not have a known fix.
- description String
- disallow
Exploit List<String>Types - disallow
Malware Boolean - Indicates if malware should block the image.
- docker
Cis BooleanEnabled - Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
- domain String
- Name of the container image.
- domain
Name String - dta
Enabled Boolean - dta
Severity String - enabled Boolean
- enforce Boolean
- enforce
After NumberDays - enforce
Excessive BooleanPermissions - exceptional
Monitored List<String>Malware Paths - exclude
Application List<String>Scopes - fail
Cicd Boolean - Indicates if cicd failures will fail the image.
- forbidden
Labels List<Property Map> - forbidden
Labels BooleanEnabled - force
Microenforcer Boolean - function
Integrity BooleanEnabled - ignore
Base BooleanImage Vln - ignore
Recently BooleanPublished Vln - ignore
Recently NumberPublished Vln Period - ignore
Risk BooleanResources Enabled - Indicates if risk resources are ignored.
- ignored
Risk List<String>Resources - List of ignored risk resources.
- ignored
Sensitive List<String>Resources - images List<String>
- List of images.
- kube
Cis BooleanEnabled - Performs a Kubernetes CIS benchmark check for the host.
- kubernetes
Controls List<Property Map> - List of Kubernetes controls.
- kubernetes
Controls List<String>Avd Ids - kubernetes
Controls List<String>Names - labels List<String>
- List of labels.
- lastupdate String
- linux
Cis BooleanEnabled - malware
Action String - maximum
Score Number - Value of allowed maximum score.
- maximum
Score BooleanEnabled - Indicates if exceeding the maximum score is scanned.
- maximum
Score BooleanExclude No Fix - monitored
Malware List<String>Paths - name String
- only
None BooleanRoot Users - Indicates if raise a warning for images that should only be run as root.
- openshift
Hardening BooleanEnabled - packages
Black BooleanList Enabled - Indicates if packages blacklist is relevant.
- packages
Black List<Property Map>Lists - List of blacklisted images.
- packages
White BooleanList Enabled - Indicates if packages whitelist is relevant.
- packages
White List<Property Map>Lists - List of whitelisted images.
- partial
Results BooleanImage Fail - permission String
- policy
Settings Property Map - read
Only Boolean - registries List<String>
- List of registries.
- registry String
- required
Labels List<Property Map> - required
Labels BooleanEnabled - scan
Malware BooleanIn Archives - scan
Nfs BooleanMounts - scan
Process BooleanMemory - scan
Sensitive BooleanData - Indicates if scan should include sensitive data in the image.
- scan
Windows BooleanRegistry - scap
Enabled Boolean - Indicates if scanning should include scap.
- scap
Files List<String> - List of SCAP user scripts for checks.
- scopes List<Property Map>
- trusted
Base List<Property Map>Images - List of trusted images.
- trusted
Base BooleanImages Enabled - Indicates if list of trusted base images is relevant.
- vulnerability
Exploitability Boolean - vulnerability
Score List<Number>Ranges - whitelisted
Licenses List<String> - List of whitelisted licenses.
- whitelisted
Licenses BooleanEnabled - Indicates if license blacklist is relevant.
Outputs
All input properties are implicitly available as output properties. Additionally, the FunctionAssurancePolicy resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing FunctionAssurancePolicy Resource
Get an existing FunctionAssurancePolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: FunctionAssurancePolicyState, opts?: CustomResourceOptions): FunctionAssurancePolicy@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
aggregated_vulnerability: Optional[Mapping[str, str]] = None,
allowed_images: Optional[Sequence[str]] = None,
application_scopes: Optional[Sequence[str]] = None,
assurance_type: Optional[str] = None,
audit_on_failure: Optional[bool] = None,
author: Optional[str] = None,
auto_scan_configured: Optional[bool] = None,
auto_scan_enabled: Optional[bool] = None,
auto_scan_times: Optional[Sequence[FunctionAssurancePolicyAutoScanTimeArgs]] = None,
blacklist_permissions: Optional[Sequence[str]] = None,
blacklist_permissions_enabled: Optional[bool] = None,
blacklisted_licenses: Optional[Sequence[str]] = None,
blacklisted_licenses_enabled: Optional[bool] = None,
block_failed: Optional[bool] = None,
control_exclude_no_fix: Optional[bool] = None,
custom_checks: Optional[Sequence[FunctionAssurancePolicyCustomCheckArgs]] = None,
custom_checks_enabled: Optional[bool] = None,
custom_severity: Optional[str] = None,
custom_severity_enabled: Optional[bool] = None,
cves_black_list_enabled: Optional[bool] = None,
cves_black_lists: Optional[Sequence[str]] = None,
cves_white_list_enabled: Optional[bool] = None,
cves_white_lists: Optional[Sequence[str]] = None,
cvss_severity: Optional[str] = None,
cvss_severity_enabled: Optional[bool] = None,
cvss_severity_exclude_no_fix: Optional[bool] = None,
description: Optional[str] = None,
disallow_exploit_types: Optional[Sequence[str]] = None,
disallow_malware: Optional[bool] = None,
docker_cis_enabled: Optional[bool] = None,
domain: Optional[str] = None,
domain_name: Optional[str] = None,
dta_enabled: Optional[bool] = None,
dta_severity: Optional[str] = None,
enabled: Optional[bool] = None,
enforce: Optional[bool] = None,
enforce_after_days: Optional[int] = None,
enforce_excessive_permissions: Optional[bool] = None,
exceptional_monitored_malware_paths: Optional[Sequence[str]] = None,
exclude_application_scopes: Optional[Sequence[str]] = None,
fail_cicd: Optional[bool] = None,
forbidden_labels: Optional[Sequence[FunctionAssurancePolicyForbiddenLabelArgs]] = None,
forbidden_labels_enabled: Optional[bool] = None,
force_microenforcer: Optional[bool] = None,
function_integrity_enabled: Optional[bool] = None,
ignore_base_image_vln: Optional[bool] = None,
ignore_recently_published_vln: Optional[bool] = None,
ignore_recently_published_vln_period: Optional[int] = None,
ignore_risk_resources_enabled: Optional[bool] = None,
ignored_risk_resources: Optional[Sequence[str]] = None,
ignored_sensitive_resources: Optional[Sequence[str]] = None,
images: Optional[Sequence[str]] = None,
kube_cis_enabled: Optional[bool] = None,
kubernetes_controls: Optional[Sequence[FunctionAssurancePolicyKubernetesControlArgs]] = None,
kubernetes_controls_avd_ids: Optional[Sequence[str]] = None,
kubernetes_controls_names: Optional[Sequence[str]] = None,
labels: Optional[Sequence[str]] = None,
lastupdate: Optional[str] = None,
linux_cis_enabled: Optional[bool] = None,
malware_action: Optional[str] = None,
maximum_score: Optional[float] = None,
maximum_score_enabled: Optional[bool] = None,
maximum_score_exclude_no_fix: Optional[bool] = None,
monitored_malware_paths: Optional[Sequence[str]] = None,
name: Optional[str] = None,
only_none_root_users: Optional[bool] = None,
openshift_hardening_enabled: Optional[bool] = None,
packages_black_list_enabled: Optional[bool] = None,
packages_black_lists: Optional[Sequence[FunctionAssurancePolicyPackagesBlackListArgs]] = None,
packages_white_list_enabled: Optional[bool] = None,
packages_white_lists: Optional[Sequence[FunctionAssurancePolicyPackagesWhiteListArgs]] = None,
partial_results_image_fail: Optional[bool] = None,
permission: Optional[str] = None,
policy_settings: Optional[FunctionAssurancePolicyPolicySettingsArgs] = None,
read_only: Optional[bool] = None,
registries: Optional[Sequence[str]] = None,
registry: Optional[str] = None,
required_labels: Optional[Sequence[FunctionAssurancePolicyRequiredLabelArgs]] = None,
required_labels_enabled: Optional[bool] = None,
scan_malware_in_archives: Optional[bool] = None,
scan_nfs_mounts: Optional[bool] = None,
scan_process_memory: Optional[bool] = None,
scan_sensitive_data: Optional[bool] = None,
scan_windows_registry: Optional[bool] = None,
scap_enabled: Optional[bool] = None,
scap_files: Optional[Sequence[str]] = None,
scopes: Optional[Sequence[FunctionAssurancePolicyScopeArgs]] = None,
trusted_base_images: Optional[Sequence[FunctionAssurancePolicyTrustedBaseImageArgs]] = None,
trusted_base_images_enabled: Optional[bool] = None,
vulnerability_exploitability: Optional[bool] = None,
vulnerability_score_ranges: Optional[Sequence[int]] = None,
whitelisted_licenses: Optional[Sequence[str]] = None,
whitelisted_licenses_enabled: Optional[bool] = None) -> FunctionAssurancePolicyfunc GetFunctionAssurancePolicy(ctx *Context, name string, id IDInput, state *FunctionAssurancePolicyState, opts ...ResourceOption) (*FunctionAssurancePolicy, error)public static FunctionAssurancePolicy Get(string name, Input<string> id, FunctionAssurancePolicyState? state, CustomResourceOptions? opts = null)public static FunctionAssurancePolicy get(String name, Output<String> id, FunctionAssurancePolicyState state, CustomResourceOptions options)resources: _: type: aquasec:FunctionAssurancePolicy get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Aggregated
Vulnerability Dictionary<string, string> - Aggregated vulnerability information.
- Allowed
Images List<string> - List of explicitly allowed images.
- Application
Scopes List<string> - Assurance
Type string - What type of assurance policy is described.
- Audit
On boolFailure - Indicates if auditing for failures.
- string
- Name of user account that created the policy.
- Auto
Scan boolConfigured - Auto
Scan boolEnabled - Auto
Scan List<Pulumiverse.Times Aquasec. Inputs. Function Assurance Policy Auto Scan Time> - Blacklist
Permissions List<string> - List of function's forbidden permissions.
- Blacklist
Permissions boolEnabled - Indicates if blacklist permissions is relevant.
- Blacklisted
Licenses List<string> - List of blacklisted licenses.
- Blacklisted
Licenses boolEnabled - Indicates if license blacklist is relevant.
- Block
Failed bool - Indicates if failed images are blocked.
- Control
Exclude boolNo Fix - Custom
Checks List<Pulumiverse.Aquasec. Inputs. Function Assurance Policy Custom Check> - List of Custom user scripts for checks.
- Custom
Checks boolEnabled - Indicates if scanning should include custom checks.
- Custom
Severity string - Custom
Severity boolEnabled - Cves
Black boolList Enabled - Indicates if CVEs blacklist is relevant.
- Cves
Black List<string>Lists - List of CVEs blacklisted items.
- Cves
White boolList Enabled - Indicates if CVEs whitelist is relevant.
- Cves
White List<string>Lists - List of cves whitelisted licenses
- Cvss
Severity string - Identifier of the cvss severity.
- Cvss
Severity boolEnabled - Indicates if the cvss severity is scanned.
- Cvss
Severity boolExclude No Fix - Indicates that policy should ignore cvss cases that do not have a known fix.
- Description string
- Disallow
Exploit List<string>Types - Disallow
Malware bool - Indicates if malware should block the image.
- Docker
Cis boolEnabled - Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
- Domain string
- Name of the container image.
- Domain
Name string - Dta
Enabled bool - Dta
Severity string - Enabled bool
- Enforce bool
- Enforce
After intDays - Enforce
Excessive boolPermissions - Exceptional
Monitored List<string>Malware Paths - Exclude
Application List<string>Scopes - Fail
Cicd bool - Indicates if cicd failures will fail the image.
- Forbidden
Labels List<Pulumiverse.Aquasec. Inputs. Function Assurance Policy Forbidden Label> - Forbidden
Labels boolEnabled - Force
Microenforcer bool - Function
Integrity boolEnabled - Ignore
Base boolImage Vln - Ignore
Recently boolPublished Vln - Ignore
Recently intPublished Vln Period - Ignore
Risk boolResources Enabled - Indicates if risk resources are ignored.
- Ignored
Risk List<string>Resources - List of ignored risk resources.
- Ignored
Sensitive List<string>Resources - Images List<string>
- List of images.
- Kube
Cis boolEnabled - Performs a Kubernetes CIS benchmark check for the host.
- Kubernetes
Controls List<Pulumiverse.Aquasec. Inputs. Function Assurance Policy Kubernetes Control> - List of Kubernetes controls.
- Kubernetes
Controls List<string>Avd Ids - Kubernetes
Controls List<string>Names - Labels List<string>
- List of labels.
- Lastupdate string
- Linux
Cis boolEnabled - Malware
Action string - Maximum
Score double - Value of allowed maximum score.
- Maximum
Score boolEnabled - Indicates if exceeding the maximum score is scanned.
- Maximum
Score boolExclude No Fix - Monitored
Malware List<string>Paths - Name string
- Only
None boolRoot Users - Indicates if raise a warning for images that should only be run as root.
- Openshift
Hardening boolEnabled - Packages
Black boolList Enabled - Indicates if packages blacklist is relevant.
- Packages
Black List<Pulumiverse.Lists Aquasec. Inputs. Function Assurance Policy Packages Black List> - List of blacklisted images.
- Packages
White boolList Enabled - Indicates if packages whitelist is relevant.
- Packages
White List<Pulumiverse.Lists Aquasec. Inputs. Function Assurance Policy Packages White List> - List of whitelisted images.
- Partial
Results boolImage Fail - Permission string
- Policy
Settings Pulumiverse.Aquasec. Inputs. Function Assurance Policy Policy Settings - Read
Only bool - Registries List<string>
- List of registries.
- Registry string
- Required
Labels List<Pulumiverse.Aquasec. Inputs. Function Assurance Policy Required Label> - Required
Labels boolEnabled - Scan
Malware boolIn Archives - Scan
Nfs boolMounts - Scan
Process boolMemory - Scan
Sensitive boolData - Indicates if scan should include sensitive data in the image.
- Scan
Windows boolRegistry - Scap
Enabled bool - Indicates if scanning should include scap.
- Scap
Files List<string> - List of SCAP user scripts for checks.
- Scopes
List<Pulumiverse.
Aquasec. Inputs. Function Assurance Policy Scope> - Trusted
Base List<Pulumiverse.Images Aquasec. Inputs. Function Assurance Policy Trusted Base Image> - List of trusted images.
- Trusted
Base boolImages Enabled - Indicates if list of trusted base images is relevant.
- Vulnerability
Exploitability bool - Vulnerability
Score List<int>Ranges - Whitelisted
Licenses List<string> - List of whitelisted licenses.
- Whitelisted
Licenses boolEnabled - Indicates if license blacklist is relevant.
- Aggregated
Vulnerability map[string]string - Aggregated vulnerability information.
- Allowed
Images []string - List of explicitly allowed images.
- Application
Scopes []string - Assurance
Type string - What type of assurance policy is described.
- Audit
On boolFailure - Indicates if auditing for failures.
- string
- Name of user account that created the policy.
- Auto
Scan boolConfigured - Auto
Scan boolEnabled - Auto
Scan []FunctionTimes Assurance Policy Auto Scan Time Args - Blacklist
Permissions []string - List of function's forbidden permissions.
- Blacklist
Permissions boolEnabled - Indicates if blacklist permissions is relevant.
- Blacklisted
Licenses []string - List of blacklisted licenses.
- Blacklisted
Licenses boolEnabled - Indicates if license blacklist is relevant.
- Block
Failed bool - Indicates if failed images are blocked.
- Control
Exclude boolNo Fix - Custom
Checks []FunctionAssurance Policy Custom Check Args - List of Custom user scripts for checks.
- Custom
Checks boolEnabled - Indicates if scanning should include custom checks.
- Custom
Severity string - Custom
Severity boolEnabled - Cves
Black boolList Enabled - Indicates if CVEs blacklist is relevant.
- Cves
Black []stringLists - List of CVEs blacklisted items.
- Cves
White boolList Enabled - Indicates if CVEs whitelist is relevant.
- Cves
White []stringLists - List of cves whitelisted licenses
- Cvss
Severity string - Identifier of the cvss severity.
- Cvss
Severity boolEnabled - Indicates if the cvss severity is scanned.
- Cvss
Severity boolExclude No Fix - Indicates that policy should ignore cvss cases that do not have a known fix.
- Description string
- Disallow
Exploit []stringTypes - Disallow
Malware bool - Indicates if malware should block the image.
- Docker
Cis boolEnabled - Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
- Domain string
- Name of the container image.
- Domain
Name string - Dta
Enabled bool - Dta
Severity string - Enabled bool
- Enforce bool
- Enforce
After intDays - Enforce
Excessive boolPermissions - Exceptional
Monitored []stringMalware Paths - Exclude
Application []stringScopes - Fail
Cicd bool - Indicates if cicd failures will fail the image.
- Forbidden
Labels []FunctionAssurance Policy Forbidden Label Args - Forbidden
Labels boolEnabled - Force
Microenforcer bool - Function
Integrity boolEnabled - Ignore
Base boolImage Vln - Ignore
Recently boolPublished Vln - Ignore
Recently intPublished Vln Period - Ignore
Risk boolResources Enabled - Indicates if risk resources are ignored.
- Ignored
Risk []stringResources - List of ignored risk resources.
- Ignored
Sensitive []stringResources - Images []string
- List of images.
- Kube
Cis boolEnabled - Performs a Kubernetes CIS benchmark check for the host.
- Kubernetes
Controls []FunctionAssurance Policy Kubernetes Control Args - List of Kubernetes controls.
- Kubernetes
Controls []stringAvd Ids - Kubernetes
Controls []stringNames - Labels []string
- List of labels.
- Lastupdate string
- Linux
Cis boolEnabled - Malware
Action string - Maximum
Score float64 - Value of allowed maximum score.
- Maximum
Score boolEnabled - Indicates if exceeding the maximum score is scanned.
- Maximum
Score boolExclude No Fix - Monitored
Malware []stringPaths - Name string
- Only
None boolRoot Users - Indicates if raise a warning for images that should only be run as root.
- Openshift
Hardening boolEnabled - Packages
Black boolList Enabled - Indicates if packages blacklist is relevant.
- Packages
Black []FunctionLists Assurance Policy Packages Black List Args - List of blacklisted images.
- Packages
White boolList Enabled - Indicates if packages whitelist is relevant.
- Packages
White []FunctionLists Assurance Policy Packages White List Args - List of whitelisted images.
- Partial
Results boolImage Fail - Permission string
- Policy
Settings FunctionAssurance Policy Policy Settings Args - Read
Only bool - Registries []string
- List of registries.
- Registry string
- Required
Labels []FunctionAssurance Policy Required Label Args - Required
Labels boolEnabled - Scan
Malware boolIn Archives - Scan
Nfs boolMounts - Scan
Process boolMemory - Scan
Sensitive boolData - Indicates if scan should include sensitive data in the image.
- Scan
Windows boolRegistry - Scap
Enabled bool - Indicates if scanning should include scap.
- Scap
Files []string - List of SCAP user scripts for checks.
- Scopes
[]Function
Assurance Policy Scope Args - Trusted
Base []FunctionImages Assurance Policy Trusted Base Image Args - List of trusted images.
- Trusted
Base boolImages Enabled - Indicates if list of trusted base images is relevant.
- Vulnerability
Exploitability bool - Vulnerability
Score []intRanges - Whitelisted
Licenses []string - List of whitelisted licenses.
- Whitelisted
Licenses boolEnabled - Indicates if license blacklist is relevant.
- aggregated
Vulnerability Map<String,String> - Aggregated vulnerability information.
- allowed
Images List<String> - List of explicitly allowed images.
- application
Scopes List<String> - assurance
Type String - What type of assurance policy is described.
- audit
On BooleanFailure - Indicates if auditing for failures.
- String
- Name of user account that created the policy.
- auto
Scan BooleanConfigured - auto
Scan BooleanEnabled - auto
Scan List<FunctionTimes Assurance Policy Auto Scan Time> - blacklist
Permissions List<String> - List of function's forbidden permissions.
- blacklist
Permissions BooleanEnabled - Indicates if blacklist permissions is relevant.
- blacklisted
Licenses List<String> - List of blacklisted licenses.
- blacklisted
Licenses BooleanEnabled - Indicates if license blacklist is relevant.
- block
Failed Boolean - Indicates if failed images are blocked.
- control
Exclude BooleanNo Fix - custom
Checks List<FunctionAssurance Policy Custom Check> - List of Custom user scripts for checks.
- custom
Checks BooleanEnabled - Indicates if scanning should include custom checks.
- custom
Severity String - custom
Severity BooleanEnabled - cves
Black BooleanList Enabled - Indicates if CVEs blacklist is relevant.
- cves
Black List<String>Lists - List of CVEs blacklisted items.
- cves
White BooleanList Enabled - Indicates if CVEs whitelist is relevant.
- cves
White List<String>Lists - List of cves whitelisted licenses
- cvss
Severity String - Identifier of the cvss severity.
- cvss
Severity BooleanEnabled - Indicates if the cvss severity is scanned.
- cvss
Severity BooleanExclude No Fix - Indicates that policy should ignore cvss cases that do not have a known fix.
- description String
- disallow
Exploit List<String>Types - disallow
Malware Boolean - Indicates if malware should block the image.
- docker
Cis BooleanEnabled - Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
- domain String
- Name of the container image.
- domain
Name String - dta
Enabled Boolean - dta
Severity String - enabled Boolean
- enforce Boolean
- enforce
After IntegerDays - enforce
Excessive BooleanPermissions - exceptional
Monitored List<String>Malware Paths - exclude
Application List<String>Scopes - fail
Cicd Boolean - Indicates if cicd failures will fail the image.
- forbidden
Labels List<FunctionAssurance Policy Forbidden Label> - forbidden
Labels BooleanEnabled - force
Microenforcer Boolean - function
Integrity BooleanEnabled - ignore
Base BooleanImage Vln - ignore
Recently BooleanPublished Vln - ignore
Recently IntegerPublished Vln Period - ignore
Risk BooleanResources Enabled - Indicates if risk resources are ignored.
- ignored
Risk List<String>Resources - List of ignored risk resources.
- ignored
Sensitive List<String>Resources - images List<String>
- List of images.
- kube
Cis BooleanEnabled - Performs a Kubernetes CIS benchmark check for the host.
- kubernetes
Controls List<FunctionAssurance Policy Kubernetes Control> - List of Kubernetes controls.
- kubernetes
Controls List<String>Avd Ids - kubernetes
Controls List<String>Names - labels List<String>
- List of labels.
- lastupdate String
- linux
Cis BooleanEnabled - malware
Action String - maximum
Score Double - Value of allowed maximum score.
- maximum
Score BooleanEnabled - Indicates if exceeding the maximum score is scanned.
- maximum
Score BooleanExclude No Fix - monitored
Malware List<String>Paths - name String
- only
None BooleanRoot Users - Indicates if raise a warning for images that should only be run as root.
- openshift
Hardening BooleanEnabled - packages
Black BooleanList Enabled - Indicates if packages blacklist is relevant.
- packages
Black List<FunctionLists Assurance Policy Packages Black List> - List of blacklisted images.
- packages
White BooleanList Enabled - Indicates if packages whitelist is relevant.
- packages
White List<FunctionLists Assurance Policy Packages White List> - List of whitelisted images.
- partial
Results BooleanImage Fail - permission String
- policy
Settings FunctionAssurance Policy Policy Settings - read
Only Boolean - registries List<String>
- List of registries.
- registry String
- required
Labels List<FunctionAssurance Policy Required Label> - required
Labels BooleanEnabled - scan
Malware BooleanIn Archives - scan
Nfs BooleanMounts - scan
Process BooleanMemory - scan
Sensitive BooleanData - Indicates if scan should include sensitive data in the image.
- scan
Windows BooleanRegistry - scap
Enabled Boolean - Indicates if scanning should include scap.
- scap
Files List<String> - List of SCAP user scripts for checks.
- scopes
List<Function
Assurance Policy Scope> - trusted
Base List<FunctionImages Assurance Policy Trusted Base Image> - List of trusted images.
- trusted
Base BooleanImages Enabled - Indicates if list of trusted base images is relevant.
- vulnerability
Exploitability Boolean - vulnerability
Score List<Integer>Ranges - whitelisted
Licenses List<String> - List of whitelisted licenses.
- whitelisted
Licenses BooleanEnabled - Indicates if license blacklist is relevant.
- aggregated
Vulnerability {[key: string]: string} - Aggregated vulnerability information.
- allowed
Images string[] - List of explicitly allowed images.
- application
Scopes string[] - assurance
Type string - What type of assurance policy is described.
- audit
On booleanFailure - Indicates if auditing for failures.
- string
- Name of user account that created the policy.
- auto
Scan booleanConfigured - auto
Scan booleanEnabled - auto
Scan FunctionTimes Assurance Policy Auto Scan Time[] - blacklist
Permissions string[] - List of function's forbidden permissions.
- blacklist
Permissions booleanEnabled - Indicates if blacklist permissions is relevant.
- blacklisted
Licenses string[] - List of blacklisted licenses.
- blacklisted
Licenses booleanEnabled - Indicates if license blacklist is relevant.
- block
Failed boolean - Indicates if failed images are blocked.
- control
Exclude booleanNo Fix - custom
Checks FunctionAssurance Policy Custom Check[] - List of Custom user scripts for checks.
- custom
Checks booleanEnabled - Indicates if scanning should include custom checks.
- custom
Severity string - custom
Severity booleanEnabled - cves
Black booleanList Enabled - Indicates if CVEs blacklist is relevant.
- cves
Black string[]Lists - List of CVEs blacklisted items.
- cves
White booleanList Enabled - Indicates if CVEs whitelist is relevant.
- cves
White string[]Lists - List of cves whitelisted licenses
- cvss
Severity string - Identifier of the cvss severity.
- cvss
Severity booleanEnabled - Indicates if the cvss severity is scanned.
- cvss
Severity booleanExclude No Fix - Indicates that policy should ignore cvss cases that do not have a known fix.
- description string
- disallow
Exploit string[]Types - disallow
Malware boolean - Indicates if malware should block the image.
- docker
Cis booleanEnabled - Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
- domain string
- Name of the container image.
- domain
Name string - dta
Enabled boolean - dta
Severity string - enabled boolean
- enforce boolean
- enforce
After numberDays - enforce
Excessive booleanPermissions - exceptional
Monitored string[]Malware Paths - exclude
Application string[]Scopes - fail
Cicd boolean - Indicates if cicd failures will fail the image.
- forbidden
Labels FunctionAssurance Policy Forbidden Label[] - forbidden
Labels booleanEnabled - force
Microenforcer boolean - function
Integrity booleanEnabled - ignore
Base booleanImage Vln - ignore
Recently booleanPublished Vln - ignore
Recently numberPublished Vln Period - ignore
Risk booleanResources Enabled - Indicates if risk resources are ignored.
- ignored
Risk string[]Resources - List of ignored risk resources.
- ignored
Sensitive string[]Resources - images string[]
- List of images.
- kube
Cis booleanEnabled - Performs a Kubernetes CIS benchmark check for the host.
- kubernetes
Controls FunctionAssurance Policy Kubernetes Control[] - List of Kubernetes controls.
- kubernetes
Controls string[]Avd Ids - kubernetes
Controls string[]Names - labels string[]
- List of labels.
- lastupdate string
- linux
Cis booleanEnabled - malware
Action string - maximum
Score number - Value of allowed maximum score.
- maximum
Score booleanEnabled - Indicates if exceeding the maximum score is scanned.
- maximum
Score booleanExclude No Fix - monitored
Malware string[]Paths - name string
- only
None booleanRoot Users - Indicates if raise a warning for images that should only be run as root.
- openshift
Hardening booleanEnabled - packages
Black booleanList Enabled - Indicates if packages blacklist is relevant.
- packages
Black FunctionLists Assurance Policy Packages Black List[] - List of blacklisted images.
- packages
White booleanList Enabled - Indicates if packages whitelist is relevant.
- packages
White FunctionLists Assurance Policy Packages White List[] - List of whitelisted images.
- partial
Results booleanImage Fail - permission string
- policy
Settings FunctionAssurance Policy Policy Settings - read
Only boolean - registries string[]
- List of registries.
- registry string
- required
Labels FunctionAssurance Policy Required Label[] - required
Labels booleanEnabled - scan
Malware booleanIn Archives - scan
Nfs booleanMounts - scan
Process booleanMemory - scan
Sensitive booleanData - Indicates if scan should include sensitive data in the image.
- scan
Windows booleanRegistry - scap
Enabled boolean - Indicates if scanning should include scap.
- scap
Files string[] - List of SCAP user scripts for checks.
- scopes
Function
Assurance Policy Scope[] - trusted
Base FunctionImages Assurance Policy Trusted Base Image[] - List of trusted images.
- trusted
Base booleanImages Enabled - Indicates if list of trusted base images is relevant.
- vulnerability
Exploitability boolean - vulnerability
Score number[]Ranges - whitelisted
Licenses string[] - List of whitelisted licenses.
- whitelisted
Licenses booleanEnabled - Indicates if license blacklist is relevant.
- aggregated_
vulnerability Mapping[str, str] - Aggregated vulnerability information.
- allowed_
images Sequence[str] - List of explicitly allowed images.
- application_
scopes Sequence[str] - assurance_
type str - What type of assurance policy is described.
- audit_
on_ boolfailure - Indicates if auditing for failures.
- str
- Name of user account that created the policy.
- auto_
scan_ boolconfigured - auto_
scan_ boolenabled - auto_
scan_ Sequence[Functiontimes Assurance Policy Auto Scan Time Args] - blacklist_
permissions Sequence[str] - List of function's forbidden permissions.
- blacklist_
permissions_ boolenabled - Indicates if blacklist permissions is relevant.
- blacklisted_
licenses Sequence[str] - List of blacklisted licenses.
- blacklisted_
licenses_ boolenabled - Indicates if license blacklist is relevant.
- block_
failed bool - Indicates if failed images are blocked.
- control_
exclude_ boolno_ fix - custom_
checks Sequence[FunctionAssurance Policy Custom Check Args] - List of Custom user scripts for checks.
- custom_
checks_ boolenabled - Indicates if scanning should include custom checks.
- custom_
severity str - custom_
severity_ boolenabled - cves_
black_ boollist_ enabled - Indicates if CVEs blacklist is relevant.
- cves_
black_ Sequence[str]lists - List of CVEs blacklisted items.
- cves_
white_ boollist_ enabled - Indicates if CVEs whitelist is relevant.
- cves_
white_ Sequence[str]lists - List of cves whitelisted licenses
- cvss_
severity str - Identifier of the cvss severity.
- cvss_
severity_ boolenabled - Indicates if the cvss severity is scanned.
- cvss_
severity_ boolexclude_ no_ fix - Indicates that policy should ignore cvss cases that do not have a known fix.
- description str
- disallow_
exploit_ Sequence[str]types - disallow_
malware bool - Indicates if malware should block the image.
- docker_
cis_ boolenabled - Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
- domain str
- Name of the container image.
- domain_
name str - dta_
enabled bool - dta_
severity str - enabled bool
- enforce bool
- enforce_
after_ intdays - enforce_
excessive_ boolpermissions - exceptional_
monitored_ Sequence[str]malware_ paths - exclude_
application_ Sequence[str]scopes - fail_
cicd bool - Indicates if cicd failures will fail the image.
- forbidden_
labels Sequence[FunctionAssurance Policy Forbidden Label Args] - forbidden_
labels_ boolenabled - force_
microenforcer bool - function_
integrity_ boolenabled - ignore_
base_ boolimage_ vln - ignore_
recently_ boolpublished_ vln - ignore_
recently_ intpublished_ vln_ period - ignore_
risk_ boolresources_ enabled - Indicates if risk resources are ignored.
- ignored_
risk_ Sequence[str]resources - List of ignored risk resources.
- ignored_
sensitive_ Sequence[str]resources - images Sequence[str]
- List of images.
- kube_
cis_ boolenabled - Performs a Kubernetes CIS benchmark check for the host.
- kubernetes_
controls Sequence[FunctionAssurance Policy Kubernetes Control Args] - List of Kubernetes controls.
- kubernetes_
controls_ Sequence[str]avd_ ids - kubernetes_
controls_ Sequence[str]names - labels Sequence[str]
- List of labels.
- lastupdate str
- linux_
cis_ boolenabled - malware_
action str - maximum_
score float - Value of allowed maximum score.
- maximum_
score_ boolenabled - Indicates if exceeding the maximum score is scanned.
- maximum_
score_ boolexclude_ no_ fix - monitored_
malware_ Sequence[str]paths - name str
- only_
none_ boolroot_ users - Indicates if raise a warning for images that should only be run as root.
- openshift_
hardening_ boolenabled - packages_
black_ boollist_ enabled - Indicates if packages blacklist is relevant.
- packages_
black_ Sequence[Functionlists Assurance Policy Packages Black List Args] - List of blacklisted images.
- packages_
white_ boollist_ enabled - Indicates if packages whitelist is relevant.
- packages_
white_ Sequence[Functionlists Assurance Policy Packages White List Args] - List of whitelisted images.
- partial_
results_ boolimage_ fail - permission str
- policy_
settings FunctionAssurance Policy Policy Settings Args - read_
only bool - registries Sequence[str]
- List of registries.
- registry str
- required_
labels Sequence[FunctionAssurance Policy Required Label Args] - required_
labels_ boolenabled - scan_
malware_ boolin_ archives - scan_
nfs_ boolmounts - scan_
process_ boolmemory - scan_
sensitive_ booldata - Indicates if scan should include sensitive data in the image.
- scan_
windows_ boolregistry - scap_
enabled bool - Indicates if scanning should include scap.
- scap_
files Sequence[str] - List of SCAP user scripts for checks.
- scopes
Sequence[Function
Assurance Policy Scope Args] - trusted_
base_ Sequence[Functionimages Assurance Policy Trusted Base Image Args] - List of trusted images.
- trusted_
base_ boolimages_ enabled - Indicates if list of trusted base images is relevant.
- vulnerability_
exploitability bool - vulnerability_
score_ Sequence[int]ranges - whitelisted_
licenses Sequence[str] - List of whitelisted licenses.
- whitelisted_
licenses_ boolenabled - Indicates if license blacklist is relevant.
- aggregated
Vulnerability Map<String> - Aggregated vulnerability information.
- allowed
Images List<String> - List of explicitly allowed images.
- application
Scopes List<String> - assurance
Type String - What type of assurance policy is described.
- audit
On BooleanFailure - Indicates if auditing for failures.
- String
- Name of user account that created the policy.
- auto
Scan BooleanConfigured - auto
Scan BooleanEnabled - auto
Scan List<Property Map>Times - blacklist
Permissions List<String> - List of function's forbidden permissions.
- blacklist
Permissions BooleanEnabled - Indicates if blacklist permissions is relevant.
- blacklisted
Licenses List<String> - List of blacklisted licenses.
- blacklisted
Licenses BooleanEnabled - Indicates if license blacklist is relevant.
- block
Failed Boolean - Indicates if failed images are blocked.
- control
Exclude BooleanNo Fix - custom
Checks List<Property Map> - List of Custom user scripts for checks.
- custom
Checks BooleanEnabled - Indicates if scanning should include custom checks.
- custom
Severity String - custom
Severity BooleanEnabled - cves
Black BooleanList Enabled - Indicates if CVEs blacklist is relevant.
- cves
Black List<String>Lists - List of CVEs blacklisted items.
- cves
White BooleanList Enabled - Indicates if CVEs whitelist is relevant.
- cves
White List<String>Lists - List of cves whitelisted licenses
- cvss
Severity String - Identifier of the cvss severity.
- cvss
Severity BooleanEnabled - Indicates if the cvss severity is scanned.
- cvss
Severity BooleanExclude No Fix - Indicates that policy should ignore cvss cases that do not have a known fix.
- description String
- disallow
Exploit List<String>Types - disallow
Malware Boolean - Indicates if malware should block the image.
- docker
Cis BooleanEnabled - Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
- domain String
- Name of the container image.
- domain
Name String - dta
Enabled Boolean - dta
Severity String - enabled Boolean
- enforce Boolean
- enforce
After NumberDays - enforce
Excessive BooleanPermissions - exceptional
Monitored List<String>Malware Paths - exclude
Application List<String>Scopes - fail
Cicd Boolean - Indicates if cicd failures will fail the image.
- forbidden
Labels List<Property Map> - forbidden
Labels BooleanEnabled - force
Microenforcer Boolean - function
Integrity BooleanEnabled - ignore
Base BooleanImage Vln - ignore
Recently BooleanPublished Vln - ignore
Recently NumberPublished Vln Period - ignore
Risk BooleanResources Enabled - Indicates if risk resources are ignored.
- ignored
Risk List<String>Resources - List of ignored risk resources.
- ignored
Sensitive List<String>Resources - images List<String>
- List of images.
- kube
Cis BooleanEnabled - Performs a Kubernetes CIS benchmark check for the host.
- kubernetes
Controls List<Property Map> - List of Kubernetes controls.
- kubernetes
Controls List<String>Avd Ids - kubernetes
Controls List<String>Names - labels List<String>
- List of labels.
- lastupdate String
- linux
Cis BooleanEnabled - malware
Action String - maximum
Score Number - Value of allowed maximum score.
- maximum
Score BooleanEnabled - Indicates if exceeding the maximum score is scanned.
- maximum
Score BooleanExclude No Fix - monitored
Malware List<String>Paths - name String
- only
None BooleanRoot Users - Indicates if raise a warning for images that should only be run as root.
- openshift
Hardening BooleanEnabled - packages
Black BooleanList Enabled - Indicates if packages blacklist is relevant.
- packages
Black List<Property Map>Lists - List of blacklisted images.
- packages
White BooleanList Enabled - Indicates if packages whitelist is relevant.
- packages
White List<Property Map>Lists - List of whitelisted images.
- partial
Results BooleanImage Fail - permission String
- policy
Settings Property Map - read
Only Boolean - registries List<String>
- List of registries.
- registry String
- required
Labels List<Property Map> - required
Labels BooleanEnabled - scan
Malware BooleanIn Archives - scan
Nfs BooleanMounts - scan
Process BooleanMemory - scan
Sensitive BooleanData - Indicates if scan should include sensitive data in the image.
- scan
Windows BooleanRegistry - scap
Enabled Boolean - Indicates if scanning should include scap.
- scap
Files List<String> - List of SCAP user scripts for checks.
- scopes List<Property Map>
- trusted
Base List<Property Map>Images - List of trusted images.
- trusted
Base BooleanImages Enabled - Indicates if list of trusted base images is relevant.
- vulnerability
Exploitability Boolean - vulnerability
Score List<Number>Ranges - whitelisted
Licenses List<String> - List of whitelisted licenses.
- whitelisted
Licenses BooleanEnabled - Indicates if license blacklist is relevant.
Supporting Types
FunctionAssurancePolicyAutoScanTime, FunctionAssurancePolicyAutoScanTimeArgs
- Iteration int
- Iteration
Type string - Time string
- Week
Days List<string>
- Iteration int
- Iteration
Type string - Time string
- Week
Days []string
- iteration Integer
- iteration
Type String - time String
- week
Days List<String>
- iteration number
- iteration
Type string - time string
- week
Days string[]
- iteration int
- iteration_
type str - time str
- week_
days Sequence[str]
- iteration Number
- iteration
Type String - time String
- week
Days List<String>
FunctionAssurancePolicyCustomCheck, FunctionAssurancePolicyCustomCheckArgs
- string
- Name of user account that created the policy.
- Description string
- Engine string
- Last
Modified int - Name string
- Path string
- Read
Only bool - Script
Id string - Severity string
- Snippet string
- string
- Name of user account that created the policy.
- Description string
- Engine string
- Last
Modified int - Name string
- Path string
- Read
Only bool - Script
Id string - Severity string
- Snippet string
- String
- Name of user account that created the policy.
- description String
- engine String
- last
Modified Integer - name String
- path String
- read
Only Boolean - script
Id String - severity String
- snippet String
- string
- Name of user account that created the policy.
- description string
- engine string
- last
Modified number - name string
- path string
- read
Only boolean - script
Id string - severity string
- snippet string
- str
- Name of user account that created the policy.
- description str
- engine str
- last_
modified int - name str
- path str
- read_
only bool - script_
id str - severity str
- snippet str
- String
- Name of user account that created the policy.
- description String
- engine String
- last
Modified Number - name String
- path String
- read
Only Boolean - script
Id String - severity String
- snippet String
FunctionAssurancePolicyForbiddenLabel, FunctionAssurancePolicyForbiddenLabelArgs
FunctionAssurancePolicyKubernetesControl, FunctionAssurancePolicyKubernetesControlArgs
FunctionAssurancePolicyPackagesBlackList, FunctionAssurancePolicyPackagesBlackListArgs
FunctionAssurancePolicyPackagesWhiteList, FunctionAssurancePolicyPackagesWhiteListArgs
FunctionAssurancePolicyPolicySettings, FunctionAssurancePolicyPolicySettingsArgs
- Enforce bool
- Is
Audit boolChecked - Warn bool
- Warning
Message string
- Enforce bool
- Is
Audit boolChecked - Warn bool
- Warning
Message string
- enforce Boolean
- is
Audit BooleanChecked - warn Boolean
- warning
Message String
- enforce boolean
- is
Audit booleanChecked - warn boolean
- warning
Message string
- enforce bool
- is_
audit_ boolchecked - warn bool
- warning_
message str
- enforce Boolean
- is
Audit BooleanChecked - warn Boolean
- warning
Message String
FunctionAssurancePolicyRequiredLabel, FunctionAssurancePolicyRequiredLabelArgs
FunctionAssurancePolicyScope, FunctionAssurancePolicyScopeArgs
FunctionAssurancePolicyScopeVariable, FunctionAssurancePolicyScopeVariableArgs
FunctionAssurancePolicyTrustedBaseImage, FunctionAssurancePolicyTrustedBaseImageArgs
Package Details
- Repository
- aquasec pulumiverse/pulumi-aquasec
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
aquasecTerraform Provider.