Aqua API Endpoint Class

The Aqua class can be found in the aqua module: aqua.aqua.Aqua. This class will be your main interaction with the aqua-py SDK. Most of Aqua’s CSP REST calls are/will be abstracted through this class.

Please see below for auto documentation generated for this class.


class aqua.aqua.Aqua
__init__(id: str = None, password: str = None, host: str = None, port: str = '443', api_version: str = 'v1', using_tls=True, verify_tls: bool = False, cacert_file: str = None, proxy=None, remember: bool = False, token: str = None)

Currently both v1 and v2 calls are abstracted in this client. You currently do not need to specify API version to make v2 calls.

Parameters
  • id – username

  • password – password

  • host – CSP console/API server IP address

  • port – CSP console/API server port

  • api_version – optional. currently at v1

  • using_tls – optional. used to hit https urls

  • verify_tls – optional. Whether to validate the server certificate; the signature above defaults it to False, so validation is off unless you enable it. Set to false for self-signed certs.

  • cacert_file – optional CA certificates to trust for certificate verification

  • proxy – optional http/https proxy dictionary

  • remember – whether to create an extended 30 day session; if false session token will be valid for 9 hours

Returns

an Aqua object that represents the API endpoint and is used for all subsequent calls.
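
An added example, not part of the SDK or its documentation: building the constructor arguments listed above so that certificate validation is on (the signature defaults verify_tls to False) and credentials come from the environment rather than source code. The AQUA_* variable names and the helpers aqua_kwargs and connect are assumptions of this example.

```python
import os

# Environment variable names are assumptions made for this example.
REQUIRED = ("AQUA_HOST", "AQUA_USER", "AQUA_PASSWORD")


def aqua_kwargs(env=None):
    """Build keyword arguments for aqua.aqua.Aqua with TLS verification on."""
    env = os.environ if env is None else env
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        raise ValueError("missing settings: " + ", ".join(missing))

    kwargs = {
        "id": env["AQUA_USER"],
        "password": env["AQUA_PASSWORD"],
        "host": env["AQUA_HOST"],
        "port": env.get("AQUA_PORT", "443"),
        "using_tls": True,
        # The signature defaults verify_tls to False; turn it on explicitly.
        "verify_tls": True,
        # Keep the shorter 9-hour session instead of the 30-day one.
        "remember": False,
    }

    # For a console with a private or self-signed CA, trust that CA via
    # cacert_file instead of switching verification off.
    ca_path = env.get("AQUA_CACERT")
    if ca_path:
        if not os.path.isfile(ca_path):
            raise FileNotFoundError("CA bundle not found: " + ca_path)
        kwargs["cacert_file"] = ca_path
    return kwargs


def connect(env=None):
    """Return an Aqua client; imports the SDK only when actually called."""
    from aqua.aqua import Aqua
    return Aqua(**aqua_kwargs(env))


if __name__ == "__main__":
    # Constructed sample values, not a real console.
    sample = {"AQUA_HOST": "aqua.example.internal",
              "AQUA_USER": "api-reader", "AQUA_PASSWORD": "example-only"}
    shown = dict(aqua_kwargs(sample), password="***")
    print(shown)
```
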

attach_profile(registry_name: str, repository: str, policy_name: str)

Attach an image runtime profile to a repository

Parameters
  • registry_name

  • repository

  • policy_name

Returns

Upon success, this route will return a 204 No Content response.

consoles()

Retrieve the configured consoles information

Returns

Produces a JSON array of all consoles configured in the system

create_enforcer_group(type, id, logicalname, host_os, service_account, namespace, runtime, token, enforcer_image, enforce, gateways, orchestrator, runtime_options)

Create an enforcer group.

Parameters
  • type – which enforcer (agent, micro-enforcer, nano-enforcer, vm-enforcer)

  • id – name of the enforcer group

  • logicalname – prefix for the enforcer names

  • host_os – Linux or Windows

  • service_account – Kubernetes service account

  • namespace – namespace Aqua is deployed to

  • runtime – docker, crio, containerd

  • token – Installation token to identify group

  • enforcer_image – image to pull and deploy

  • enforce – bool - audit = False, enforce = True

  • gateways – string array of gateways

  • orchestrator – type of orchestrator (docker, kubernetes, openshift, pas)

  • runtime_options – map of policy options

Returns

A successful creation of the new enforcer group will result in a json response with the profile

create_image_registry(reg_type: str, name: str, description: str, username: str, password: str, url: str = None, prefixes: str = None, auto_pull: bool = False)

Create a new image registry

Parameters
  • reg_type – the type of the registry, e.g. HUB (Docker Hub), AWS, GCR, ENGINE (direct connect to docker engine), V1/V2 (General Docker registries)

  • name – the name of the registry; string, required - this will be treated as the registry’s ID, so choose a simple alphanumeric name without special characters or spaces

  • description

  • username – the username for registry authentication; string, optional

  • password – the password for registry authentication; string, optional

  • url – the URL, address or region of the registry; string, optional

  • prefixes – See https://docs.aquasec.com/reference#section-image-registry-prefixes

  • auto_pull – whether to automatically pull images from the registry on creation and daily; boolean, defaults to false

Returns

If successful, a 204 No Content response will be returned. Note that if auto_pull is enabled, the server will immediately begin pulling images from the registry.

create_profile(profile: str)

Create a new image runtime profile

Parameters

profile – JSON object, e.g. as returned from get_suggested_profile

Returns

A successful creation of the new profile will result in a 204 No Content response.

create_secret_keystore(name: str, url: str, token: str, user: str, type: str = 'vault', enabled: bool = True)

This method expects the request structure described at https://docs.aquasec.com/reference#section-secret-key-store-structure

Parameters
  • name – reference name of the secret key store to create; string, required

  • url – for vault type this is the URL of the vault service, for KMS this is the access ID; string; required only for vault type

  • token – the vault token, and for KMS, this is the secret key; string, required only for vault type

  • user – for vault this is the secret back-end, for KMS this is the region; string, required

  • type – the type of the secret key store; string, required [vault, kms]

  • enabled – true when the secret key store is enabled; boolean

Returns

If successful, a {} will be returned

delete_registry(name: str)

Remove an existing image registry

Parameters

name – registry friendly name within Aqua

Returns

Upon successful removal, a 204 No Content response will be returned

delete_secret_keystore(name: str)

Deletes a secret key store

Parameters

name – the reference name of the secret key store.

Returns

If successful, a {} will be returned.

end_profiling_session(registry_name: str, repository: str)

End a profiling session.

There are two ways to end the profiling session: stopping the containers that were started in the previous stage, or issuing an API call. Using the API call will cause the server to cease monitoring the containers’ activity, but the containers will continue to live, so only use it if you still need them.

Parameters
  • registry_name

  • repository

Returns

If the session is successfully terminated, an empty successful response is returned.

enforcer_details(id: str)

Get Enforcer details

Parameters

id – host/enforcer id

Returns

The return structure is described in Enforcer Structure. https://docs.aquasec.com/reference#section-enforcer-structure

export_settings(settings: List = None, key: str = None)

Export settings and policies

Parameters
  • settings – list of strings representing settings to export. default is all settings

  • key – 32-character key if default key not to be used

Returns

settings dict

get_asset_details_by_id(id: str = 1)

Retrieve details of identified host or cluster in system by id.

Parameters

id – host or cluster id

Returns

details of asset

get_image_assurance(policy_name: str, policy_type: str)

Return the structure of an assurance policy

Parameters
  • policy_name – name of policy to retrieve

  • policy_type – the type of assurance policy (image | host | function | cf_application)

Returns

the structure of the assurance policy

get_profile(profile_name: str)

Return the structure of an image runtime profile

Parameters

profile_name – name of profile to retrieve

Returns

the structure of an image runtime profile

get_runtime_policies(policy_name: str)

Return the structure of a runtime policy

Parameters

policy_name – name of policy to retrieve

Returns

the structure of a runtime policy

get_suggested_profile(registry_name: str, repository: str)

Get suggested profile generated in a profiling session

Parameters
  • registry_name

  • repository

Returns

the suggested image runtime profile in the standard image runtime profile structure.

hosts()

Get list of all Enforcers (hosts) on the Aqua Server

Returns

The response format will be a JSON array of enforcer structures. See enforcer structure for description. https://docs.aquasec.com/reference#section-enforcer-structure

import_settings(settings: Dict, key: str = None)

Import settings and policies

Parameters
  • settings – dict representing aqua settings

  • key – 32-character key if default key not to be used

Returns

{} if successful

list_assets(page: str = 1, page_size: str = 50, type: str = None, search: str = None)

Retrieve details of hosts and clusters configured in system.

Parameters
  • page – list from provided page of results

  • page_size – list at most the provided number

  • type – node or cluster

Returns

list of nodes and clusters

list_batch_install_tokens()

List batch install tokens

Returns

Successful response will include a JSON array of objects. https://docs.aquasec.com/reference#section–list-batch-install-tokens-

list_image_assurance()

Lists all image assurance policies in the system

Returns

a JSON list of all assurance policies

list_profiles()

Lists all image runtime profiles in the system

Returns

a list of all image runtime profiles in the system

list_runtime_policies()

Lists all runtime policies in the system

Returns

a JSON list of all runtime policies

list_secret_keystores()

List all existing secret key stores

Returns

If successful, a 200 OK response status is returned, along with a JSON list of all existing secret key stores.

list_services()

Returns a list of all Aqua services in the system

Returns

Return structure is a JSON array of service objects

modify_image_assurance(policy_name: str, policy_file: str, policy_type: str)

Update an existing image assurance policy

Parameters
  • policy_name – name of policy to update

  • policy_file – JSON object, e.g. as returned from list_image_assurance or get_image_assurance

  • policy_type – the type of assurance policy (image | host | function | cf_application)

Returns

A successful update of the policy will result in a 204 No Content response.

modify_profile(profile_name: str, profile: str)

Update an existing image runtime profile

Parameters
  • profile_name – name of profile to update

  • profile – JSON object, e.g. as returned from get_suggested_profile

Returns

A successful update of the profile will result in a 204 No Content response.

modify_runtime_policies(policy_name: str, policy_file: str)

Update an existing runtime policy

Parameters
  • policy_name – name of policy to update

  • policy_file – JSON object, e.g. as returned from list_runtime_policies or get_runtime_policies

Returns

A successful update of the policy will result in a 204 No Content response.

notifications()

Get information of the last notification sent by the environment

Returns

notifications as dict

scan_history(registry: str, repo: str, tag: str = 'latest', order_by: str = '-date')

Retrieve scan history for a container image

Parameters
  • registry – name of the registry

  • repo – name of the repo

  • tag – image tag

  • order_by – date (ASC) or -date (DESC)

Returns

scan history object

scan_status(registry_name: str, image_name: str, image_tag: str = 'latest') → Dict

Get status of an image vulnerability scan.

Parameters
  • registry_name – name of the registry

  • image_name – name of container image

  • image_tag – optional. image tag. defaults to latest

Returns

scan status results as Dict

start_image_scan(registry_name: str, image_name: str, image_tag: str = 'latest') → Dict

Start an image vulnerability scan.

Parameters
  • registry_name – name of the registry

  • image_name – name of container image

  • image_tag – optional. image tag. defaults to latest

Returns

scan status as Dict