_Ping

Check if Console is alive, responsive, and reachable.

get

Checks if Console is reachable over the network from the host where you call the endpoint. If you get a response code of 200, the request succeeded, and Console is both alive and reachable.

The following curl command pings Console and prints the HTTP response code.

$ curl -k \
-s \
-o /dev/null \
-w "%{http_code}\n" \
-X GET \
https://<CONSOLE>:8083/api/v1/_ping

Minimum role required to access this endpoint: anyone.

Alert profiles

Manage alert profiles, which let you surface critical policy breaches by sending alerts to channels, such as email, Slack, and JIRA.

Alert profiles define which events should be sent to which channel. Each profile declares:

  • One or more recipients.
  • One or more triggers, that raise alerts by sending messages on the configured channel.

get

Retrieve a list of all alert profiles created in the system.

The following example curl command uses basic auth to retrieve all alert profiles:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/alert-profiles

Minimum role required to access this endpoint: auditor.

post

Update an existing alert profile created in the system.

The following example curl command uses basic auth to add a Jira Alert profile:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/alert-profiles \
-d '{
  "name": "jira",
  "_id": "jira",
  "jira": {
    "enabled": true,
    "projectKey": "TWIS",
    "issueType": "Task",
    "priority": "High",
    "labels": [],
    "assignee": ""
  },
  "policy": {
    "cve": {
      "enabled": true,
      "allRules": true,
      "rules": [],
      "clients": [
        "jira"
      ]
    }
  }
}'

Minimum role required to access this endpoint: operator.

get

Retrieve a list of only the names of all alert profiles created in the system.

The following example curl command uses basic auth to retrieve all alert profiles' names:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/alert-profiles/names

Example Response:

[
  "jira",
  "aqsa vulns"
]

Minimum role required to access this endpoint: auditor.

post

Sends a test alert to verify successful configuration of the alert profile settings.

The following example curl command uses basic auth to send test alert for an email alert profile:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d <REQUEST-PAYLOAD> \
https://<CONSOLE>:8083/api/v1/alert-profiles/test

In this case, the REQUEST-PAYLOAD would be the full JSON-formatted alert profile from the base GET command.

Minimum role required to access this endpoint: operator.

delete

Deletes an alert profile entry by name. In the request payload, specify the alert profile name. This method has no response data.

The following example curl command uses basic auth to delete an existing alert profile entry, where aqsa is an alert profile name which is being deleted.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/alert-profiles/aqsa

Minimum role required to access this endpoint: operator.

Audits

Retrieve audits from the Twistlock database. Twistlock creates and stores audit event records (audits) for all controls. Endpoints support a wide range of filtering options.

get

Retrieves all access audits. Twistlock records access audits every time a Docker Engine or Kubernetes command is run on a host protected by Defender. You can also configure Twistlock to record audits for any sudo or SSH commands that are executed on hosts protected by Defender.

The following example command gives a list of ALL access audits.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/access

To get just the Docker audits, run it with the type=docker parameter.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/access?type=docker

Minimum role required to access this endpoint: devSecOps.

get

Download all docker access audits into a CSV format file.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/access/download?type=docker > aqsa_audits.csv

Minimum role required to access this endpoint: devSecOps.

get

AdmissionAudits returns all admission audits according to the query specification. Minimum role required to access this endpoint: devSecOps.

get

DownloadAdmissionAudits downloads the admission audits according to the specified query. Minimum role required to access this endpoint: devSecOps.

get

AppEmbeddedAppFirewallAudits returns all embedded defender firewall audits according to the query specification. Minimum role required to access this endpoint: devSecOps.

get

DownloadAppEmbeddedAppFirewallAudits downloads the embedded defender firewall audits according to the specified query. Minimum role required to access this endpoint: devSecOps.

get

Retrieves all Cloud Native Application Firewall (CNAF) audits. These are based on violations of CNAF policies defined under Defend > Firewalls > Cloud Native App Firewall.

The following example uses basic auth to retrieve all application firewall audits.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/firewall/app/container

Minimum role required to access this endpoint: devSecOps.

get

Downloads all Cloud Native Application Firewall (CNAF) audits into CSV format. These are based on violations of CNAF policies defined under Defend > Firewalls > Cloud Native App Firewall.

The following example uses basic auth to download all application firewall audits.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o cnaf-container-audits.csv \
https://console:8083/api/v1/audits/firewall/app/container/download

Minimum role required to access this endpoint: devSecOps.

get

Retrieves all Cloud Native Application Firewall (CNAF) audits. These are based on violations of CNAF policies defined under Defend > Firewalls > Cloud Native App Firewall.

The following example uses basic auth to retrieve all application firewall audits.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/firewall/app/host

Minimum role required to access this endpoint: devSecOps.

get

Downloads all Cloud Native Application Firewall (CNAF) audits into CSV format. These are based on violations of CNAF policies defined under Defend > Firewalls > Cloud Native App Firewall.

The following example uses basic auth to download all application firewall audits.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o cnaf-host-audits.csv \
https://console:8083/api/v1/audits/firewall/app/host/download

Minimum role required to access this endpoint: devSecOps.

get

ServerlessAppFirewallAudits returns all serverless firewall audits according to the query specification. Minimum role required to access this endpoint: devSecOps.

get

DownloadServerlessAppFirewallAudits downloads the serverless firewall audits according to the specified query. Minimum role required to access this endpoint: devSecOps.

get

Twistlock analyzes individual audits and correlates them together to surface unfolding attacks. These chains of related audits are called incidents. This api call retrieves a list of incidents that are not acknowledged (not in archived state).

The following example uses basic auth to list incidents.

$ curl -k \
-u <USER> \
https://console:8083/api/v1/audits/incidents

Minimum role required to access this endpoint: devSecOps.

patch

Use this call to acknowledge an incident and move it to the Archived state. The ID of the incident you want to archive is required. You can get the incident ID from the list of incidents returned by GET /api/v1/audits/incidents.

Note that you can undo this action by changing "true" to "false" in the following example.

The following example uses basic auth and the PATCH method to acknowledge an incident:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PATCH \
-d '{"acknowledged":true}' \
https://aqsa-console:8083/api/v1/audits/incidents/acknowledge/5c76e18784bf4b7278d9a820

Where 5c76e18784bf4b7278d9a820 is the incident ID.

Minimum role required to access this endpoint: auditor.

get

Twistlock analyzes individual audits and correlates them together to surface unfolding attacks. These chains of related audits are called incidents. This api call retrieves a list of incidents that are not acknowledged (not in archived state).

The following example uses basic auth to download the incidents in CSV format.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o incidents.csv \
https://console:8083/api/v1/audits/incidents/download

Minimum role required to access this endpoint: devSecOps.

get

Twistlock can provide events from Kubernetes if this integration is configured.

The following example uses basic auth to list all Kubernetes events that are configured.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/kubernetes

Minimum role required to access this endpoint: devSecOps.

get

Twistlock can provide events from Kubernetes if this integration is configured.

The following example uses basic auth to download all Kubernetes events that are configured.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o kubernetes-events.csv \
https://console:8083/api/v1/audits/kubernetes/download

Minimum role required to access this endpoint: devSecOps.

get

Changes to any settings (including previous and new values), changes to any rules (create, modify, or delete), and all logon activity (success and failure) are logged. These events are called management audits.

This call retrieves a list of all management audits that match the query.

The following example curl command uses basic auth to retrieve all management audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/mgmt

Minimum role required to access this endpoint: auditor.

get

Downloads a list of all management audits into CSV format.

The following example curl command uses basic auth to download all management audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/mgmt/download -o aqsa.csv

Minimum role required to access this endpoint: auditor.

get

Retrieves a list of management audit types found in your environment. These fields can be further used in your queries to get management audit data.

The following example curl command uses basic auth to retrieve all management audit filters:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/mgmt/filters

Minimum role required to access this endpoint: auditor.

delete

DeleteAppEmbeddedRuntimeAudits deletes all embedded defender runtime audits. Minimum role required to access this endpoint: operator.

get

AppEmbeddedRuntimeAudits returns all embedded defender audits according to the query specification. Minimum role required to access this endpoint: devSecOps.

get

DownloadAppEmbeddedRuntimeAudits downloads the embedded defender audits according to the specified query. Minimum role required to access this endpoint: devSecOps.

delete

Deletes all container runtime audits.

The following example curl command uses basic auth to delete all the audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/audits/runtime/container

Minimum role required to access this endpoint: operator.

get

Twistlock records an audit every time a runtime sensor (process, network, file system, and system call) detects activity that deviates from the predictive model. This endpoint retrieves all container audits from the console Monitor > Runtime > Container Audits.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/runtime/container

Minimum role required to access this endpoint: devSecOps.

get

Downloads the runtime container audit logs in csv format.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/runtime/container/download \
> container_audits.csv

Minimum role required to access this endpoint: devSecOps.

get

Twistlock can provide audits for file-integrity checks that are configured under host runtime rules.

The following example uses basic auth to list these audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/runtime/file-integrity

Minimum role required to access this endpoint: devSecOps.

get

Twistlock can provide audits for file-integrity checks that are configured under host runtime rules.

The following example uses basic auth to download these audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o file-integrity-events.csv \
https://console:8083/api/v1/audits/runtime/file-integrity/download

Minimum role required to access this endpoint: devSecOps.

delete

Deletes all host audits from the database.

The following example curl command uses basic auth to delete all host audits:

$ curl -k \
-u <USER> \
-X DELETE \
https://<CONSOLE>:8083/api/v1/audits/runtime/host

Minimum role required to access this endpoint: operator.

get

Retrieves a list of all host audits that match the query.

The following example curl command uses basic auth to retrieve all host audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/runtime/host

Minimum role required to access this endpoint: devSecOps.

get

Downloads the runtime host audit logs in csv format.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o host_audits.csv \
https://<CONSOLE>:8083/api/v1/audits/runtime/host/download

Minimum role required to access this endpoint: devSecOps.

get

Twistlock can provide audits for log inspection checks that are configured under host runtime rules.

The following example uses basic auth to list these audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/runtime/log-inspection

Minimum role required to access this endpoint: devSecOps.

get

Twistlock can provide audits for log inspection checks that are configured under host runtime rules.

The following example uses basic auth to download these audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o log-inspection.csv \
https://console:8083/api/v1/audits/incidents/runtime/log-inspection/download

Minimum role required to access this endpoint: devSecOps.

delete

This endpoint will delete all serverless runtime audits.

The following example curl command uses basic auth to delete the current audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/audits/runtime/serverless

Minimum role required to access this endpoint: operator.

get

Returns scan reports in JSON format for any serverless functions you've configured Twistlock to scan.

A curl command to access this endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://CONSOLE_ADDRESS:PORT/api/v1/audits/runtime/serverless 

Minimum role required to access this endpoint: devSecOps.

get

Returns scan reports in CSV format for any serverless functions you've configured Twistlock to scan.

A curl command to access this endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o serverless-audits.csv \
https://CONSOLE_ADDRESS:PORT/api/v1/audits/runtime/serverless/download

Minimum role required to access this endpoint: devSecOps.

get

Returns all serverless filters in JSON format. These filters can be used in the base GET request as query parameters.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://CONSOLE_ADDRESS:PORT/api/v1/audits/runtime/serverless/filters

Minimum role required to access this endpoint: devSecOps.

delete

Deletes all the trust audits from the events page in Console.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/audits/trust

Minimum role required to access this endpoint: operator.

get

Gets all the trust audits from the events page in Console.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/trust

Minimum role required to access this endpoint: vulnerabilityManager.

get

Downloads all the trust audits from the events page in Console.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/trust/download

Minimum role required to access this endpoint: vulnerabilityManager.

Authenticate

Retrieve an access token using your credentials. Valid tokens are required to access the rest of the Twistlock API. The Twistlock API can also be accessed using basic auth.

post

Retrieves an access token using your username and password. By default, access tokens are valid for 24 hours.

The following example curl command retrieves a token for user 'admin' with password 'admin':

$ curl -k \
-H "Content-Type: application/json" \
-X POST \
-d \
'{
 "username":"admin",
 "password":"admin"
}' \
https://<CONSOLE>:8083/api/v1/authenticate

Minimum role required to access this endpoint: anyone.

get

IdentityRedirectURL returns the redirect URL for OAuth/OpenID Connect/SAML providers. Minimum role required to access this endpoint: none.

get

Renews an old (unexpired) access token by returning a new one.

The following example curl command retrieves a new access token:

$ curl -k \
-H "Authorization: Bearer <OLD_ACCESS_TOKEN>" \
 https://<CONSOLE>:8083/api/v1/authenticate/renew

Minimum role required to access this endpoint: user.
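
The token flow described in this section, as an added shell example (not part of the original documentation): it logs in once, then uses and renews the bearer token, verifying Console's certificate with --cacert instead of -k and keeping the password and token out of the process list. CONSOLE and CA_FILE are placeholder values, and the "token" field name in the response is an assumption, since the page does not show the response body.

```shell
#!/bin/sh
# Added example, not Twistlock's own code.
CONSOLE="${CONSOLE:-console.example.internal}"   # placeholder Console host
CA_FILE="${CA_FILE:-/etc/ssl/console-ca.pem}"    # placeholder: CA that signed Console's certificate

# Escape backslashes and double quotes for use inside a JSON string.
# Control characters (newline, tab) are not handled.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the JSON body for POST /api/v1/authenticate.
auth_body() {
    printf '{"username":"%s","password":"%s"}' \
        "$(json_escape "$1")" "$(json_escape "$2")"
}

# Extract the token from an authenticate/renew response.
# Assumption: the response is a JSON object with a "token" string field.
# Prints nothing when the field is absent (for example on an error response).
extract_token() {
    printf '%s' "$1" |
        sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Log in as user $1. The password is read from stdin and sent as the request
# body with -d @-, so it never appears in argv or in shell history.
login() {
    user=$1
    IFS= read -r password
    auth_body "$user" "$password" |
        curl -sS --fail --cacert "$CA_FILE" \
            -H 'Content-Type: application/json' \
            -X POST -d @- \
            "https://$CONSOLE:8083/api/v1/authenticate"
}

# GET path $2 with bearer token $1. The header is fed on stdin with -H @-
# (curl 7.55.0 or later), which keeps the token out of the process list.
api_get() {
    token=$1 path=$2
    printf 'Authorization: Bearer %s\n' "$token" |
        curl -sS --fail --cacert "$CA_FILE" -H @- \
            "https://$CONSOLE:8083$path"
}

# Exchange an unexpired token for a new one.
renew() {
    extract_token "$(api_get "$1" /api/v1/authenticate/renew)"
}

# Usage (password file is a placeholder path):
#   TOKEN=$(extract_token "$(login admin < /path/to/password-file)")
#   api_get "$TOKEN" /api/v1/alert-profiles/names
#   TOKEN=$(renew "$TOKEN")
```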

Authenticate client

Retrieve an access token using a client certificate. Valid tokens are required to access the rest of the Twistlock API. Use this endpoint if your organization has rolled out multi-factor authentication built on X.509 certificates.

The Twistlock API can also be accessed using basic auth.

post

Retrieves an access token using a client certificate. This endpoint checks the supplied client certificate and authorizes the user based on the username in the certificate's CN or UPN field. By default, access tokens are valid for 24 hours.

The following example curl command retrieves a token using a client certificate:

$ curl -k \
-X POST \
--cert <CERT.PEM> \
https://<CONSOLE>:8083/api/v1/authenticate-client

The certificate must be in PEM format, and the certificate file must consist of a private key and client certificate concatenated together.

Minimum role required to access this endpoint: none.

Backups

Manage backup files.

get

List returns the available backups. Minimum role required to access this endpoint: operator.

post

Backup invokes a mongo backup (dump) process. Minimum role required to access this endpoint: operator.

delete

DeleteBackup deletes the given backup. Minimum role required to access this endpoint: admin.

get

DownloadBackup downloads the given backup file. Minimum role required to access this endpoint: operator.

patch

Renames the specified backup file. Minimum role required to access this endpoint: admin.

post

UploadBackup saves uploaded backup file. Minimum role required to access this endpoint: operator.

post

Restore invokes a mongo restore process. Minimum role required to access this endpoint: admin.

Certificates

Manage client certificates. Users need client certificates to authenticate commands sent from the Docker client through Twistlock.

get

Downloads a script that installs a client certificate, client private key, and certificate authority certificate for the authenticated user.

The following example curl command uses basic auth to download and run the install script for your client certs:

$ curl -k \
-u <USER> \
-X GET \
https://<CONSOLE>:8083/api/v1/certs/client-certs.sh | sh

Minimum role required to access this endpoint: user.

put

RotateCerts rotates the certificates if they are close to expiration. Minimum role required to access this endpoint: admin.

get

Returns the server certificate bundle from the console.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-X GET \
https://<CONSOLE>:8083/api/v1/certs/server-certs.sh | sh

Minimum role required to access this endpoint: operator.

Cloud

Find all the cloud-native services being used in your AWS, Azure, and Google Cloud accounts. Twistlock continuously monitors these accounts, detects when new services are added, and reports which services are unprotected.

get

Returns a list of all cloud compliance scan results.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cloud/compliance

Minimum role required to access this endpoint: vulnerabilityManager.

get

Download all cloud scan data in CSV format.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o cloud-compliance.csv \
https://<CONSOLE>:8083/api/v1/cloud/compliance/download

Minimum role required to access this endpoint: vulnerabilityManager.

get

Returns a JSON object of the scan progress.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cloud/compliance/progress

Minimum role required to access this endpoint: vulnerabilityManager.

post

Initiates a new cloud compliance scan.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/compliance/scan

Minimum role required to access this endpoint: operator.

post

Terminates a cloud compliance scan that's in progress.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/compliance/stop

Minimum role required to access this endpoint: operator.

get

Returns a list of all cloud discovery scan results.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cloud/discovery

Minimum role required to access this endpoint: vulnerabilityManager.

get

Download all cloud scan data in CSV format.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o cloud-discovery.csv \
https://<CONSOLE>:8083/api/v1/cloud/discovery/download

Minimum role required to access this endpoint: vulnerabilityManager.

get

Returns a JSON object of the scan progress.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cloud/discovery/progress

Minimum role required to access this endpoint: vulnerabilityManager.

post

Initiates a new cloud discovery scan.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/discovery/scan

Minimum role required to access this endpoint: operator.

post

Terminates a cloud discovery scan that's in progress.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/discovery/stop

Minimum role required to access this endpoint: operator.

get

DiscoveredVMs returns discovered cloud VM instances. Minimum role required to access this endpoint: vulnerabilityManager.

Code repo scan reports

Scan reports for your GitHub repositories.

get

CodeRepos returns code repositories scan results. Minimum role required to access this endpoint: vulnerabilityManager.

get

DiscoverCodeRepos discovers the available repositories for a credential according to the given credential ID. Minimum role required to access this endpoint: operator.

get

DownloadCodeRepos downloads code repository scan results. Minimum role required to access this endpoint: vulnerabilityManager.

get

CodeRepoScanProgress returns the code repositories scan progress. Minimum role required to access this endpoint: vulnerabilityManager.

post

ScanCodeRepos triggers a scan for all code repositories. Minimum role required to access this endpoint: operator.

post

StopCodeReposScan stops the current active scan. Minimum role required to access this endpoint: operator.

post

CodeReposWebhook handles events from code repositories. Minimum role required to access this endpoint: none.

Collections

Group related resources (containers, images, hosts) together. Collections are predefined filters that let you segment your views in the Console UI and the Twistlock API.

get

Retrieves the list of collections.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>:8083/api/v1/collections"

Minimum role required to access this endpoint: auditor.

post

Creates a new collection. Any field left unspecified is assigned the value of "" (i.e. an empty string).

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d \
'{
 "name": "my collection",
 "color": "#ff0000",
 "description": "A test collection",
 "images": [
   "docker.io/library/hello-world:latest",
   "docker.io/library/ian_app:1.0"
 ],
 "hosts": [
   "*"
 ]
}' \
https://<CONSOLE>:8083/api/v1/collections

Minimum role required to access this endpoint: operator.

delete

Deletes a collection from the system.

The following example curl command deletes a collection named my collection. Because spaces are considered unsafe characters in a URL, they must be encoded with the value %20.

$ curl -k \
-u <USER> \
-X DELETE \
"https://<CONSOLE>:8083/api/v1/collections/my%20collection"

Minimum role required to access this endpoint: operator.
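
The encoding rule above, as an added shell example (not part of the original documentation). It goes beyond spaces and percent-encodes every byte outside the RFC 3986 unreserved set, so a name containing "/" or "?" cannot change the request path. The same applies to deleting an alert profile by name, such as "aqsa vulns". CONSOLE is a placeholder host, and delete_url is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not Twistlock's own code.
CONSOLE="${CONSOLE:-console.example.internal}"   # placeholder Console host

# Percent-encode one URL path segment, byte by byte.
# Unreserved characters (A-Z a-z 0-9 - . _ ~) pass through unchanged;
# every other byte becomes %XX.
urlencode_segment() {
    printf '%s' "$1" | od -An -v -tx1 | tr -s ' ' '\n' |
    while IFS= read -r hex; do
        case $hex in
            '') ;;                                   # separator left by od
            2d|2e|5f|7e|3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a])
                # unreserved: turn the hex byte back into the character
                printf "\\$(printf '%o' "0x$hex")" ;;
            *)
                printf '%%%s' "$(printf '%s' "$hex" | tr 'a-f' 'A-F')" ;;
        esac
    done
}

# Build the DELETE URL for a named resource.
# $1 is the resource kind, limited to the two by-name endpoints on this page.
# $2 is the collection or alert profile name as shown in Console.
delete_url() {
    case $1 in
        collections|alert-profiles) ;;
        *) echo "unsupported resource kind: $1" >&2; return 1 ;;
    esac
    printf 'https://%s:8083/api/v1/%s/%s' \
        "$CONSOLE" "$1" "$(urlencode_segment "$2")"
}

# Usage:
#   curl -u <USER> -X DELETE "$(delete_url collections 'my collection')"
```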

put

Updates the parameters that define a given collection.

The following example curl command updates the parameters that define the collection named finance_group_app. In general, all parameters in your PUT request should be defined or redefined. Any field left unspecified is assigned the value of "" (i.e. an empty string).

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d \
'{
 "name": "finance_group_app",
 "color": "#ff0000",
 "description": "A super cool collection",
 "images": [
   "docker.io/library/hello-world:latest",
   "docker.io/library/ian_app:1.0"
 ],
 "hosts": [
   "*"
 ]
}' \
https://<CONSOLE>:8083/api/v1/collections/test_collection

Minimum role required to access this endpoint: operator.

Kubernetes auditing

get

GenerateAuditSinkConfig returns the audit sink configuration for integrating k8s audit sink with the Console, based upon https://kubernetes.io/docs/tasks/debug-application-cluster/audit/. Minimum role required to access this endpoint: auditor.

get

GenerateValidatingWebhookConfig returns a validating webhook configuration for integrating k8s admission control with a Defender. Minimum role required to access this endpoint: operator.

Container scan reports

Container scan reports.

get

Retrieves all container scan reports.

Note that the discovered field for each compliance finding (info > allCompliance > compliance > discovered) doesn't contain valid data and will be removed in a future release.

Example curl command:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/containers

Minimum role required to access this endpoint: vulnerabilityManager.

get

Returns an integer representing the number of containers in your environment.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/containers/count

Minimum role required to access this endpoint: devOps.

get

Downloads all container scan reports in CSV format.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-X GET \
https://<CONSOLE>:8083/api/v1/containers/download \
> container_report.csv

Minimum role required to access this endpoint: vulnerabilityManager.

get

Returns an array of strings containing all container names.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/containers/names

Minimum role required to access this endpoint: devOps.

post

Re-scan all containers immediately. This endpoint returns the time that the scans were initiated.

The following example command uses curl and basic auth to force Twistlock to re-scan all containers:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/containers/scan

Minimum role required to access this endpoint: operator.

Credentials

Management of Centrally Managed Credentials

get

Returns a JSON-formatted list of the credentials stored in Console under Manage > Authentication > Credential Store.

The following example curl command uses basic auth to retrieve them:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/credentials

Minimum role required to access this endpoint: auditor.

post

Updates the credentials stored in Console under Manage > Authentication > Credential Store.

Create a credentials.json file (example):

[
{
  "_id": "Sample",
  "type": "basic",
  "accountID": "username",
  "secret": {
    "plain": "password"
  }
}
]

The following example curl command uses basic auth to update the credentials:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
--data-binary @credentials.json \
https://<CONSOLE>:8083/api/v1/credentials

Minimum role required to access this endpoint: operator.

delete

Deletes a specific credential stored in Console under Manage > Authentication > Credential Store.

The following example curl command uses basic auth to delete the credential with id "Sample":

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/credentials/Sample

Below is an example of a credential that was added with the GET endpoint.

[
{
  "_id": "Sample",
  "type": "basic",
  "accountID": "username",
  "secret": {
    "plain": "password"
  }
}
]

Minimum role required to access this endpoint: operator.

get

Returns a JSON-formatted list of all the usages of credentials stored in Console under Manage > Authentication > Credential Store.

The following example curl command uses basic auth to retrieve the usages of the credential with id "Sample":

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/credentials/Sample/usages

Below is an example of a credential that was added with the GET endpoint.

[
{
  "_id": "Sample",
  "type": "basic",
  "accountID": "username",
  "secret": {
    "plain": "password"
  }
}
]

Minimum role required to access this endpoint: auditor.

Custom compliance checks

Custom image checks give you a way to write and run your own compliance checks to assess, measure, and enforce security baselines in your environment. Although Twistlock supports OpenSCAP and XCCDF, these frameworks are complicated, and they can be overkill when all you want to do is run a simple check. Twistlock lets you implement your own custom image checks with simple scripts.

A custom image check consists of a single script. The script’s exit code determines the result of the check, where 0 is pass and 1 is fail. Scripts are executed in the container’s default shell. For many Linux container images, the default shell is bash, but that’s not always the case. For Windows container images, the default shell is cmd.exe.
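
The exit-code contract described above, as an added shell example (not part of the original documentation): a check written with POSIX sh features only, plus a local harness that dry-runs it under several shells before it is uploaded. The check body, the TARGET variable and the "error" verdict for exit codes other than 0 and 1 are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Twistlock's own code.

# Hypothetical check body: fail when the target file is missing or
# world-writable. It avoids bash-only syntax because the image's default
# shell is not always bash. TARGET is a parameter of this harness only.
CHECK_SCRIPT='target="${TARGET:-/etc/passwd}"
if [ ! -e "$target" ]; then
    echo "missing: $target"; exit 1
fi
if [ -n "$(find "$target" -prune -perm -0002)" ]; then
    echo "world-writable: $target"; exit 1
fi
exit 0'

# Run script $1 against file $2 under shell $3 (default: sh) and print the
# verdict: exit 0 = pass, exit 1 = fail. Any other status is reported as
# error:<status>, which usually means the script is broken in that shell.
run_check() {
    script=$1 target=$2 shell=${3:-sh}
    status=0
    TARGET=$target "$shell" -c "$script" >/dev/null 2>&1 || status=$?
    case $status in
        0) echo pass ;;
        1) echo fail ;;
        *) echo "error:$status" ;;
    esac
}

# Run the same check under every shell installed locally and print the common
# verdict, or "inconsistent" when the shells disagree (a portability problem
# to fix before the check runs inside images with a different default shell).
portable_verdict() {
    script=$1 target=$2 verdict=
    for sh_name in sh dash bash; do
        command -v "$sh_name" >/dev/null 2>&1 || continue
        v=$(run_check "$script" "$target" "$sh_name")
        if [ -z "$verdict" ]; then
            verdict=$v
        elif [ "$verdict" != "$v" ]; then
            echo inconsistent
            return 0
        fi
    done
    echo "${verdict:-error:no-shell}"
}

# Usage:
#   portable_verdict "$CHECK_SCRIPT" /etc/passwd
```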

get

Returns a list, in JSON format, of all the custom compliance checks found in Console under Defend > Compliance > Custom.

The following example curl command uses basic auth to return the list:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/custom-compliance

An example returned json could be something similar to:

[
{
  "modified": "2019-03-07T17:01:12.355Z",
  "owner": "pierre",
  "name": "apitest",
  "previousName": "",
  "_id": 9000,
  "title": "apitest",
  "script": "if [ $(stat -c %a /bin/busybox) -eq 755 ]; then\n echo 'test permission failure' && exit 1;\nfi",
  "severity": "high"
}
]

Minimum role required to access this endpoint: ci.

put

Updates the custom compliance checks listed in Console under Defend > Compliance > Custom.

Create a custom_check.json file. For example:

[
{
  "modified": "2019-03-07T17:01:12.355Z",
  "owner": "pierre",
  "name": "apitest",
  "previousName": "",
  "_id": 9000,
  "title": "apitest",
  "script": "if [ $(stat -c %a /bin/busybox) -eq 755 ]; then\n echo 'test permission failure' && exit 1;\nfi",
  "severity": "high"
}
]

The following example curl command uses basic auth to update the checks:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
--data-binary @custom_check.json \
https://<CONSOLE>:8083/api/v1/custom-compliance

Minimum role required to access this endpoint: operator.
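A check written for portability and then packaged into the custom_check.json shape shown above. This is an added example, not Twistlock's own code: the check logic, the TARGET override and the helper names (run_check, json_string, build_payload) are assumptions made for illustration, while the field names and the sample values (9000, apitest, high, pierre) mirror the page's example.

```shell
#!/bin/sh
# Added example, not Twistlock's code. POSIX sh only: the check runs in the
# image's default shell, which is not always bash.

# Check body. Exit 0 = pass, exit 1 = fail, and nothing else.
# TARGET is a hypothetical override used here for local testing; inside a
# scanned image it is unset and the default path applies.
# A missing file passes; a missing find fails closed instead of passing.
CHECK_SCRIPT='target="${TARGET:-/etc/passwd}"
[ -e "$target" ] || exit 0
command -v find >/dev/null 2>&1 || { echo "FAIL: find not available"; exit 1; }
if [ -n "$(find -L "$target" -prune \( -perm -0020 -o -perm -0002 \))" ]; then
  echo "FAIL: $target is group- or world-writable"
  exit 1
fi
exit 0'

# run_check FILE: run the check body against FILE and return its exit code,
# which is the only thing that decides pass or fail.
run_check() {
  TARGET="$1" sh -c "$CHECK_SCRIPT" >/dev/null 2>&1
}

# json_string: read text on stdin, print it as one JSON string literal
# (backslash, double quote and tab escaped, lines joined with \n).
json_string() {
  tab=$(printf '\t')
  printf '"'
  sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e "s/$tab/\\\\t/g" |
    awk 'NR > 1 { printf "%s", "\\n" } { printf "%s", $0 }'
  printf '"\n'
}

# build_payload ID NAME SEVERITY OWNER: print a one-element array with the
# same fields as the page's custom_check.json.
build_payload() {
  name_json=$(printf '%s' "$2" | json_string)
  printf '[\n{\n'
  printf '  "modified": "%s",\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  printf '  "owner": %s,\n' "$(printf '%s' "$4" | json_string)"
  printf '  "name": %s,\n' "$name_json"
  printf '  "previousName": "",\n'
  printf '  "_id": %d,\n' "$1"
  printf '  "title": %s,\n' "$name_json"
  printf '  "script": %s,\n' "$(printf '%s\n' "$CHECK_SCRIPT" | json_string)"
  printf '  "severity": %s\n' "$(printf '%s' "$3" | json_string)"
  printf '}\n]\n'
}

# Print the payload; redirect it to custom_check.json to use it with the
# PUT command above.
build_payload 9000 apitest high pierre
```
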

delete

Deletes a specific custom compliance check from the list in Console under Defend > Compliance > Custom.

The following example curl command uses basic auth to delete the check with id 9000:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/custom-compliance/9000

Minimum role required to access this endpoint: operator.

CVEs

Browse Twistlock's vulnerability database.

get

Retrieves CVEs from Twistlock's vulnerability database. Query the database by CVE ID. Partial matches are supported. A null response indicates that the CVE is not in our database.

The following example curl command queries the Twistlock database for CVE-2018-1102.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cves?id=CVE-2018-1102

Minimum role required to access this endpoint: devOps.

get

Retrieves CVEs from the vulnerability database grouped by distribution, with a count of vulnerabilities per distribution.

The following example curl command uses basic auth to retrieve this data:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cves/distribution

Minimum role required to access this endpoint: auditor.

Defenders

Manage Defender. Defender is Twistlock's security agent. In general, one Defender is deployed per node.

get

Lists all deployed Defenders.

The following command uses basic authorization to retrieve a list of all deployed Defenders, along with their metadata:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders

Minimum role required to access this endpoint: vulnerabilityManager.

post

EmbedAppEmbeddedDefender returns an augmented Dockerfile + embedded defender dependencies as a ZIP file. Minimum role required to access this endpoint: operator.

post

GenerateDaemonSet generates the defender daemonset k8s yaml. Minimum role required to access this endpoint: operator.

get

Downloads information about deployed Defenders in CSV format. Use the query parameters to filter what data is returned.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/download

Minimum role required to access this endpoint: auditor.

post

Returns a protected Fargate task definition given an unprotected task definition.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

The unprotected task definition is read from unprotected.json:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
--data-binary "@unprotected.json" \
--output protected.json \
"https://<CONSOLE>:8083/api/v1/defenders/fargate.json?consoleaddr=<HOSTNAME>&defenderType=appEmbedded"

The new protected task definition is written to protected.json.

Minimum role required to access this endpoint: operator.

post

DefenderHelmChart generates a defender helm chart. Minimum role required to access this endpoint: operator.

get

Returns the full Docker image name for Defender.

Example: registry-auth.twistlock.com/tw_smbvukudjypnnrqmso0/twistlock/defender:defender_18_11_128

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/image-name

Minimum role required to access this endpoint: operator.

get

Returns the certsBundle that Defender needs to securely connect to Console.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/install-bundle?consoleaddr=<CONSOLEADDR>

Minimum role required to access this endpoint: defenderManager.

get

Retrieves a list of Defender hostnames that can be used as the {id} query parameter in other /api/v1/defenders endpoints.

Retrieve a list of all Defenders:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/names

Retrieve a list of connected Defenders:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/names?connected

Retrieve a list of Defenders by type:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/names?type=<linux|windows|docker|...>

Minimum role required to access this endpoint: vulnerabilityManager.

get

DownloadServerlessBundle returns a ZIP with serverless defender bundle. Minimum role required to access this endpoint: operator.

get

List the number of Defenders in each defender category.

The following command uses basic authorization to retrieve a summary of Defenders:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/summary

Minimum role required to access this endpoint: defenderManager.

post

Upgrades all connected single Linux Container Defenders.

This does not update cluster Container Defenders (such as Defender DaemonSets), Serverless Defenders, or Fargate Defenders. To upgrade cluster Container Defenders, redeploy them. To upgrade Serverless and Fargate Defenders, re-embed them.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/defenders/upgrade

Minimum role required to access this endpoint: operator.

delete

Deletes a Defender on a given host.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>

Minimum role required to access this endpoint: operator.

post

Updates a deployed Defender's configuration.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{"proxyListenerType": "tcp", "registryScanner":"<true|false>", "serverlessScanner":"<true|false>"}' \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>/features

Minimum role required to access this endpoint: operator.

post

Restarts Defender on a given host.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>/restart

Minimum role required to access this endpoint: operator.

post

Upgrades Defender on <HOSTNAME>.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>/upgrade

Minimum role required to access this endpoint: operator.

Cortex XSOAR alerts

get

DemistoAlerts returns all alerts saved in DB. REMARK: All alerts are removed from DB after calling this method. Minimum role required to access this endpoint: auditor.

Deployments

Manage Defender DaemonSet deployments.

get

Retrieves a list of deployed Defender DaemonSets. You must specify a credentialID, of type kubeconfig, which identifies your cluster and user. Credentials are managed in Console's credentials store (/api/v1/credentials).

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/deployment/daemonsets?credentialID=<CREDENTIAL NAME>

Minimum role required to access this endpoint: auditor.

post

Deploys a Defender DaemonSet to the cluster identified by credentialID. The credentialID, of type kubeconfig, must exist before calling this endpoint. It identifies the cluster's API server, user, and credentials.

Use the various request parameters to control the properties of the deployed DaemonSet.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{
    "credentialID": "",
    "consoleAddr": "",
    "namespace": "",
    "orchestration": "",
    "...":"..."
    }' \
https://<CONSOLE>:8083/api/v1/deployment/daemonsets/deploy

Minimum role required to access this endpoint: operator.

get

HostAutoDeployProgress returns the host auto-deploy progress. Minimum role required to access this endpoint: operator.

post

StartHostAutoDeploy starts a host auto-deploy. Minimum role required to access this endpoint: operator.

post

StopHostAutoDeploy stops the host auto-deploy scan. Minimum role required to access this endpoint: operator.

get

ServerlessAutoDeployProgress returns the serverless auto-deploy scan progress. Minimum role required to access this endpoint: operator.

post

StartServerlessAutoDeploy starts a serverless auto-deploy scan. Minimum role required to access this endpoint: operator.

post

StopServerlessAutoDeploy stops a serverless auto-deploy scan. Minimum role required to access this endpoint: operator.

Custom feeds

Augment the Twistlock Intelligence Stream with your own custom threat data.

get

Retrieves the list of vulnerabilities for internally developed packages.

These entries are used by the Twistlock scanner to detect vulnerable custom components (apps, libraries, etc) that were developed and packaged internally.

NOTE: When a vulnerable custom component is detected in an image, you must have a rule to tell Twistlock how to handle it. Vulnerability rules can be created in the Console UI or with the /api/v1/policies/cve endpoint. Create a vulnerability rule and set ID 412 (Image contains vulnerable custom components) to ignore, alert, or block.

The following example curl command retrieves the list of custom-defined vulnerabilities:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/feeds/custom/custom-vulnerabilities

Minimum role required to access this endpoint: auditor.

put

Updates all custom vulnerability rules in a single shot.

The following example curl command defines a vulnerability for a library named internal-lib, where it's known that versions 1.1 to 1.8 are vulnerable.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d \
'{
"rules": [
  {
    "_id": "",
    "package": "internal-lib",
    "type": "package",
    "minVersionInclusive": "1.1",
    "name": "internal-lib",
    "maxVersionInclusive": "1.8",
    "md5": ""
  }
]
}' \
https://<CONSOLE>:8083/api/v1/feeds/custom/custom-vulnerabilities

The procedure to maintain your custom vulnerabilities is:

  1. Get all custom vulnerability rules from the GET endpoint and save the results to a file.

    $ curl -k \
    -u <USER> \
    https://<CONSOLE>:8083/api/v1/feeds/custom/custom-vulnerabilities \
    | jq '.' > custom_vulnerability_rules.json

  2. Add, modify, and/or delete rules by directly editing the JSON output.

  3. Update your rules by pushing the new JSON payload. Do not forget to specify the @ symbol.

    $ curl -k \
    -u <USER> \
    -X PUT \
    -H "Content-Type:application/json" \
    https://<CONSOLE>:8083/api/v1/feeds/custom/custom-vulnerabilities \
    --data-binary "@custom_vulnerability_rules.json"

Any previously installed rules are overwritten with your new rules.

Minimum role required to access this endpoint: operator.

get

Returns the unique digests for all custom vulnerability feeds configured in the console.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/feeds/custom/custom-vulnerabilities/digest

Minimum role required to access this endpoint: auditor.

get

Retrieves the list of globally whitelisted CVEs.

The following example curl command retrieves a list of globally whitelisted CVEs:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/feeds/custom/cve-allow-list

Minimum role required to access this endpoint: auditor.

put

Specifies a list of CVEs to globally whitelist. Any previously installed list is overwritten.

The following example command uses curl and basic auth to install a list of globally whitelisted CVEs.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d \
'{
"rules": [
  {
    "cve": "CVE-2018-2222",
    "expiration": "2020-06-18T00:00:00Z"
  }
]
}' \
https://<CONSOLE>:8083/api/v1/feeds/custom/cve-allow-list

Minimum role required to access this endpoint: operator.

get

Returns the digest hash of the CVE allow lists you have configured in Console.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/feeds/custom/cve-allow-list/digest

Minimum role required to access this endpoint: auditor.

get

Retrieves the custom list of blacklisted IP addresses.

The following example curl command retrieves the custom list of blacklisted IP addresses:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/feeds/custom/ips

Minimum role required to access this endpoint: auditor.

put

Specifies a custom list of banned IP addresses.

Any previously installed list is overwritten.

The following example command uses curl and basic auth to install a custom list of banned IP addresses:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d '{"name":"banned-ips", "feed":["193.171.1.1","193.171.1.2"]}' \
https://<CONSOLE>:8083/api/v1/feeds/custom/ips

Minimum role required to access this endpoint: operator.

get

Retrieves the digest from the list of suspicious or high risk IP endpoints configured in the console.

The following example curl command retrieves the list of digests:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/feeds/custom/ips/digest

Minimum role required to access this endpoint: auditor.

get

Retrieves the custom list of malware signatures.

The following example curl command retrieves the custom list of malware signatures:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/feeds/custom/malware

Minimum role required to access this endpoint: auditor.

put

Specifies a custom list of malware signatures.

Any previously installed list is overwritten.

The following example command uses curl and basic auth to install a custom list of malware signatures.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d \
'{
"name": "malware-sigs",
"feed": [
  {
    "name": "dimaaa",
    "md5": "d4ba1008e7d97458fdd65deca2ba801b"
  },
  {
    "name": "emacs",
    "md5": "5ce9d1116755f827f5d1e06246dd30b9"
  }
]
}' \
https://<CONSOLE>:8083/api/v1/feeds/custom/malware

Minimum role required to access this endpoint: operator.

get

Retrieves the list of digests for all MD5 signatures of malicious executables under custom feeds.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/feeds/custom/malware/digest

Minimum role required to access this endpoint: auditor.

post

Triggers Console to refresh its data from the Intelligence Stream.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/feeds/offline/refresh

Minimum role required to access this endpoint: admin.

Forensics

The forensic endpoint will return data for host activities.

get

Retrieves all host activities that can be found on Monitor > Events > Host Activities.

Use the query parameters to filter what data is returned.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/forensic/activities

Minimum role required to access this endpoint: devSecOps.

get

Downloads all host activities that can be found on Monitor > Events > Host Activities.

Use the query parameters to filter what data is returned.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o host_activities.csv \
https://<CONSOLE>:8083/api/v1/forensic/activities/download

Minimum role required to access this endpoint: devSecOps.

Groups

Manage (create, modify, delete) groups in the system. If you integrated OpenLDAP, AD, or SAML, you can re-use groups from there, and assign roles to them as appropriate. Otherwise, create Twistlock local groups to manage privileges for groups of users.

get

Retrieves a list of all groups.

A curl command to access this endpoint may resemble the following code snippet:

$ curl -k \
-X GET \
-u <USER> \
-H 'Content-Type: application/json' \
https://<CONSOLE>:8083/api/v1/groups

Minimum role required to access this endpoint: auditor.

post

Adds a group to the system, or updates an existing one.

The following example command uses curl and basic auth to create a new group with two users. Note that the values for lastModified, owner, and _id do not need to be specified. They are automatically filled in by the system.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{"groupName": "wonks", "user": [{"username": "ian"},{"username": "toad"}],"ldapGroup": false,"samlGroup": false,"role": "admin"}' \
https://<CONSOLE>:8083/api/v1/groups

Minimum role required to access this endpoint: admin.

get

Returns the names of all groups as strings in an array.

A curl command to access this endpoint may resemble the following code snippet:

$ curl -X GET \
https://<CONSOLE>:8083/api/v1/groups/names \
-u <USER> \
-H 'Content-Type: application/json'

Sample output:

[
  "admins",
  "secops",
  "devops",
  ""
]

Minimum role required to access this endpoint: auditor.

delete

Deletes a group from the system. The IDs can be retrieved with a GET from the /groups API endpoint.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-X DELETE \
https://<CONSOLE>:8083/api/v1/groups

Minimum role required to access this endpoint: admin.

put

Adds or modifies a group in the system. The IDs can be retrieved with a GET from the /groups API endpoint.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{"groupName": "wonks", "user": [{"username": "ian"},{"username": "toad"}],"ldapGroup": false,"samlGroup": false,"role": "admin"}' \
https://<CONSOLE>:8083/api/v1/groups

Minimum role required to access this endpoint: admin.

Host scan reports

Host scan reports.

Twistlock scans the host machines in your container environment for CVEs and compliance issues. Scan reports are generated for any host running Defender.

get

Retrieves all host scan reports. A curl command to access this endpoint may resemble the following code snippet.

Note that the discovered field for each compliance finding (info > allCompliance > compliance > discovered) doesn't contain valid data and will be removed in a future release.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/hosts

Minimum role required to access this endpoint: vulnerabilityManager.

get

Downloads all host scan reports in CSV format.

A curl command to access this endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/hosts/download \
> hosts_scan.csv

Minimum role required to access this endpoint: vulnerabilityManager.

get

Returns information about all deployed hosts.

A curl command to access this endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/hosts/info

Minimum role required to access this endpoint: vulnerabilityManager.

post

Re-scan all hosts immediately.

The following example command uses curl and basic auth to force Twistlock to re-scan all hosts:

$ curl -k \
-u <USER> \
-X POST \
https://<CONSOLE>:8083/api/v1/hosts/scan

Minimum role required to access this endpoint: operator.

Image scan reports

Image scan reports.

Note that the compliance issues in an image might be different (fewer) than those in a running instance of the image (i.e. a container).

get

Retrieves all image scan reports.

Note that the discovered field for each compliance finding (info > allCompliance > compliance > discovered) doesn't contain valid data and will be removed in a future release.

The following example curl command uses basic auth to retrieve the compact scan report for all images:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>:8083/api/v1/images"

The following example curl command uses basic auth to retrieve the compact scan report for the ubuntu image. The name query is synonymous with the "Search Images" field in the Console UI.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>:8083/api/v1/images?name=https://<REPO-URL>/ubuntu:latest&compact=true"

The following example curl command uses basic auth to retrieve the scan report for image with the matching sha256 hash:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>:8083/api/v1/images?id=sha256:d461f1845c43105d7d686a9cfca9d73b0272b1dcd0381bf105276c978cb02832"

Minimum role required to access this endpoint: vulnerabilityManager.

get

Downloads all image scan reports in CSV format.

The following command is particularly useful for developers. It takes an image ID as the input parameter, and generates a CSV file that lists all vulnerable packages in a given image, organized by layer, with both the affected and fixed versions.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>:8083/api/v1/images/download?id=<IMAGE_ID>&layers=true" \
> images.csv

Where an example <IMAGE_ID> would be sha256:abd4f451ddb707c8e68a36d695456a515cdd6f9581b7a8348a380030a6fd7689.

Minimum role required to access this endpoint: vulnerabilityManager.

get

Returns an array of strings containing image names.

A curl command to access this endpoint may resemble the following code snippet:

$ curl -k \
-X GET \
-u <USER> \
-H 'Content-Type: application/json' \
https://<CONSOLE>:8083/api/v1/images/names

Minimum role required to access this endpoint: devOps.

get

Returns the status of image scanning at Monitor > Vulnerabilities > Images

A curl command to access this endpoint may resemble the following code snippet:

$ curl -k \
-X GET \
-u <USER> \
-H 'Content-Type: application/json' \
https://<CONSOLE>:8083/api/v1/images/progress

Minimum role required to access this endpoint: vulnerabilityManager.

post

Re-scan all images immediately. This endpoint returns the time that the scans were initiated.

The following example command uses curl and basic auth to force Twistlock to re-scan all images:

$ curl -k \
-u <USER> \
-X POST \
https://<CONSOLE>:8083/api/v1/images/scan

Minimum role required to access this endpoint: operator.

get

Download the Container Defender image for Linux platforms.

$ curl -k \
-u <USER> \
-H "Content-Type: application/octet-stream" \
-o twistlock_defender.tar.gz \
https://<CONSOLE>:8083/api/v1/images/twistlock_defender.tar.gz

Minimum role required to access this endpoint: defenderManager.

get

DownloadAppEmbeddedDefender generates the embedded defender bundle and serves it to the user. Minimum role required to access this endpoint: operator.

get

Returns the Twistlock Defender as a layer that can be used in an AWS Lambda implementation.

A curl command to access this endpoint may resemble the following code snippet:

$ curl -k \
-X GET \
-u <USER> \
-H "Content-Type: application/octet-stream" \
-o twistlock_defender_layer.zip \
https://<CONSOLE>:8083/api/v1/images/twistlock_defender_layer.zip

Minimum role required to access this endpoint: operator.

Kubernetes

Kubernetes

post

This endpoint will trigger a Kubernetes scan.

The following example curl command uses basic auth to initiate this scan:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/kubernetes/scan

Minimum role required to access this endpoint: admin.

Logs

Retrieve log messages from Console and Defender.

get

Retrieves the latest Console log messages.

The following example curl command retrieves the 10 latest Console log messages:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/logs/console?lines=10

Minimum role required to access this endpoint: auditor.

get

Retrieves the latest log messages for a given Defender. The Defender is specified by the host where it runs. You can retrieve the hostname for each Defender from the GET /api/v1/defenders endpoint.

The following example curl command retrieves the 10 log messages for the Defender that runs on worker.sandbox.internal. Note that you must quote the URL when running the following command. Otherwise the shell misinterprets the ampersand (&) as the end of the command, and puts the curl command in the background.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>:8083/api/v1/logs/defender?lines=10&hostname=worker.sandbox.internal"

Minimum role required to access this endpoint: operator.

get

Returns the Defender logs as a tar.gz file, given the hostname of the Defender.

The hostname can be retrieved from the /defenders/names endpoint.

The following example curl command uses basic auth to download the logs:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
-o defender_logs.tar.gz \
https://<CONSOLE>:8083/api/v1/logs/defender/download?hostname={hostname}

Minimum role required to access this endpoint: operator.

get

This endpoint will return the system debug