mirror of
https://github.com/prowler-cloud/prowler.git
synced 2026-07-19 02:21:52 +00:00
288 lines
9.7 KiB
Plaintext
288 lines
9.7 KiB
Plaintext
---
|
|
title: "List Findings"
|
|
api: "GET /api/v1/findings"
|
|
description: "Retrieve a list of all findings with options for filtering by various criteria."
|
|
---
|
|
|
|
Retrieve security findings (vulnerabilities, misconfigurations, compliance violations) across your cloud infrastructure. This is one of the most frequently used endpoints for analyzing your security posture.
|
|
|
|
## Use Cases
|
|
|
|
- **Security Dashboard**: Display current security findings and trends
|
|
- **Compliance Reporting**: Filter findings by compliance framework
|
|
- **Vulnerability Management**: Track and remediate security issues
|
|
- **Alerting & Notifications**: Query new or critical findings for alerts
|
|
- **Risk Assessment**: Analyze findings by severity and service
|
|
- **Audit Trails**: Export findings for compliance audits
|
|
|
|
## Query Parameters
|
|
|
|
### Required Filters
|
|
|
|
- `filter[inserted_at]` - At least one variation of this filter is required
|
|
- `filter[inserted_at__gte]` - Filter by creation date (greater than or equal). Maximum date range is 7 days
|
|
- `filter[inserted_at__lte]` - Filter by creation date (less than or equal). Maximum date range is 7 days
|
|
|
|
### Filtering Options
|
|
|
|
**By Check:**
|
|
- `filter[check_id]`, `filter[check_id__icontains]`, `filter[check_id__in]` - Filter by check ID
|
|
|
|
**By Status:**
|
|
- `filter[status]` - Filter by status: `FAIL`, `PASS`, `MANUAL`
|
|
- `filter[severity]` - Filter by severity: `critical`, `high`, `medium`, `low`, `informational`
|
|
- `filter[delta]` - Filter by change status: `new`, `changed`
|
|
- `filter[muted]` - Filter by mute status (boolean)
|
|
|
|
**By Provider:**
|
|
- `filter[provider]`, `filter[provider__in]` - Filter by provider UUID
|
|
- `filter[provider_type]`, `filter[provider_type__in]` - Filter by provider type: `aws`, `azure`, `gcp`, `kubernetes`, `m365`, `github`, `oci`
|
|
- `filter[provider_alias]`, `filter[provider_alias__icontains]` - Filter by provider alias
|
|
- `filter[provider_uid]`, `filter[provider_uid__icontains]` - Filter by provider UID
|
|
|
|
**By Resource:**
|
|
- `filter[resource_name]`, `filter[resource_name__icontains]` - Filter by resource name
|
|
- `filter[resource_type]`, `filter[resource_type__icontains]` - Filter by resource type
|
|
- `filter[resource_uid]`, `filter[resource_uid__icontains]` - Filter by resource UID
|
|
- `filter[region]`, `filter[region__icontains]`, `filter[region__in]` - Filter by region
|
|
- `filter[service]`, `filter[service__icontains]` - Filter by cloud service
|
|
|
|
**By Scan:**
|
|
- `filter[scan]`, `filter[scan__in]` - Filter by scan UUID
|
|
|
|
### Pagination
|
|
|
|
- `page[number]` - Page number to retrieve
|
|
- `page[size]` - Number of results per page
|
|
|
|
### Sorting
|
|
|
|
- `sort` - Field to sort by: `status`, `-status`, `severity`, `-severity`, `check_id`, `-check_id`, `inserted_at`, `-inserted_at`, `updated_at`, `-updated_at`
|
|
|
|
### Field Selection
|
|
|
|
- `fields[findings]` - Specify which fields to return
|
|
|
|
### Include Related Resources
|
|
|
|
- `include` - Include related resources: `scan`, `resources`
|
|
|
|
## Example Request
|
|
|
|
```bash
|
|
curl -X GET "https://api.prowler.com/api/v1/findings?filter[inserted_at__gte]=2024-01-01&filter[status]=FAIL&filter[severity]=high&page[size]=20" \
|
|
-H "Authorization: Bearer YOUR_API_KEY" \
|
|
-H "Content-Type: application/vnd.api+json"
|
|
```
|
|
|
|
## Response
|
|
|
|
### Success Response (200 OK)
|
|
|
|
Returns a paginated list of findings with full details:
|
|
|
|
```json
|
|
{
|
|
"data": [
|
|
{
|
|
"type": "findings",
|
|
"id": "finding-uuid",
|
|
"attributes": {
|
|
"uid": "prowler-aws-s3-bucket-unencrypted-123456",
|
|
"check_id": "s3_bucket_default_encryption",
|
|
"status": "FAIL",
|
|
"status_extended": "S3 Bucket 'my-bucket' does not have default encryption enabled",
|
|
"severity": "high",
|
|
"muted": false,
|
|
"muted_reason": null,
|
|
"delta": "new",
|
|
"inserted_at": "2024-01-15T10:30:00Z",
|
|
"updated_at": "2024-01-15T10:30:00Z",
|
|
"first_seen_at": "2024-01-15T10:30:00Z",
|
|
"check_metadata": {
|
|
"Provider": "aws",
|
|
"CheckID": "s3_bucket_default_encryption",
|
|
"CheckTitle": "Check if S3 buckets have default encryption enabled",
|
|
"CheckType": "Software and Configuration Checks",
|
|
"ServiceName": "s3",
|
|
"SubServiceName": "",
|
|
"ResourceIdTemplate": "arn:partition:s3:::bucket_name",
|
|
"Severity": "high",
|
|
"ResourceType": "AwsS3Bucket",
|
|
"Description": "S3 buckets should have encryption at rest enabled...",
|
|
"Risk": "Unencrypted S3 buckets can expose sensitive data...",
|
|
"RelatedUrl": "https://docs.aws.amazon.com/...",
|
|
"Remediation": {
|
|
"Code": {
|
|
"CLI": "aws s3api put-bucket-encryption...",
|
|
"NativeIaC": "...",
|
|
"Other": "...",
|
|
"Terraform": "..."
|
|
},
|
|
"Recommendation": {
|
|
"Text": "Enable default encryption on S3 bucket",
|
|
"Url": "https://docs.aws.amazon.com/..."
|
|
}
|
|
},
|
|
"Categories": ["encryption"],
|
|
"DependsOn": [],
|
|
"RelatedTo": [],
|
|
"Notes": ""
|
|
},
|
|
"raw_result": {
|
|
"finding_unique_id": "...",
|
|
"finding_uid": "...",
|
|
"status": "FAIL",
|
|
"status_extended": "...",
|
|
"raw": {...}
|
|
}
|
|
},
|
|
"relationships": {
|
|
"scan": {
|
|
"data": {
|
|
"type": "scans",
|
|
"id": "scan-uuid"
|
|
}
|
|
},
|
|
"resources": {
|
|
"data": [
|
|
{
|
|
"type": "resources",
|
|
"id": "resource-uuid"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
}
|
|
],
|
|
"meta": {
|
|
"page": {
|
|
"number": 1,
|
|
"size": 20,
|
|
"total": 156,
|
|
"total_pages": 8
|
|
}
|
|
},
|
|
"links": {
|
|
"self": "https://api.prowler.com/api/v1/findings?page[number]=1&page[size]=20",
|
|
"first": "https://api.prowler.com/api/v1/findings?page[number]=1&page[size]=20",
|
|
"next": "https://api.prowler.com/api/v1/findings?page[number]=2&page[size]=20",
|
|
"last": "https://api.prowler.com/api/v1/findings?page[number]=8&page[size]=20"
|
|
}
|
|
}
|
|
```
|
|
|
|
### Response Fields
|
|
|
|
**Core Finding Information:**
|
|
- `uid` (string, required) - Unique identifier for the finding (max 300 characters)
|
|
- `check_id` (string, required) - ID of the security check that generated this finding (max 100 characters)
|
|
- `status` (enum, required) - Finding status: `FAIL`, `PASS`, or `MANUAL`
|
|
- `status_extended` (string, nullable) - Detailed human-readable status message
|
|
- `severity` (enum, required) - Severity level: `critical`, `high`, `medium`, `low`, `informational`
|
|
- `delta` (enum, nullable) - Change status: `new`, `changed`, or `null`
|
|
|
|
**Mute Management:**
|
|
- `muted` (boolean) - Whether finding is muted (suppressed)
|
|
- `muted_reason` (string, nullable) - Reason for muting (3-500 characters)
|
|
|
|
**Timestamps:**
|
|
- `inserted_at` (datetime, read-only) - When finding was first created
|
|
- `updated_at` (datetime, read-only) - Last time finding was modified
|
|
- `first_seen_at` (datetime, nullable, read-only) - First time this finding was detected
|
|
|
|
**Check Details:**
|
|
- `check_metadata` (object) - Complete metadata about the security check including:
|
|
- Title, description, risk assessment
|
|
- Remediation steps and code examples
|
|
- Related documentation URLs
|
|
- Compliance frameworks and categories
|
|
- `raw_result` (object) - Complete raw output from the security check
|
|
|
|
**Relationships:**
|
|
- `scan` - Reference to the scan that generated this finding
|
|
- `resources` - References to affected cloud resources (read-only)
|
|
|
|
<Note>
|
|
Resource information (service, region, resource name, etc.) is available through the `resources` relationship. Use `include=resources` to fetch resource details along with findings.
|
|
</Note>
|
|
|
|
### Common Query Patterns
|
|
|
|
**Get all critical findings:**
|
|
```bash
|
|
curl "https://api.prowler.com/api/v1/findings?filter[severity]=critical&filter[status]=FAIL&filter[inserted_at__gte]=2024-01-01"
|
|
```
|
|
|
|
**Get new findings from last scan:**
|
|
```bash
|
|
curl "https://api.prowler.com/api/v1/findings/latest?filter[delta]=new&filter[status]=FAIL"
|
|
```
|
|
|
|
**Get findings for specific service:**
|
|
```bash
|
|
curl "https://api.prowler.com/api/v1/findings?filter[service]=s3&filter[inserted_at__gte]=2024-01-01"
|
|
```
|
|
|
|
**Get findings for specific region:**
|
|
```bash
|
|
curl "https://api.prowler.com/api/v1/findings?filter[region]=us-east-1&filter[inserted_at__gte]=2024-01-01"
|
|
```
|
|
|
|
**Get unmuted high/critical findings:**
|
|
```bash
|
|
curl "https://api.prowler.com/api/v1/findings?filter[severity__in]=critical,high&filter[muted]=false&filter[inserted_at__gte]=2024-01-01"
|
|
```
|
|
|
|
### Pagination
|
|
|
|
Use pagination parameters to navigate large result sets:
|
|
|
|
```bash
|
|
# First page, 50 results
|
|
curl "https://api.prowler.com/api/v1/findings?page[size]=50&page[number]=1&filter[inserted_at__gte]=2024-01-01"
|
|
|
|
# Next page
|
|
curl "https://api.prowler.com/api/v1/findings?page[size]=50&page[number]=2&filter[inserted_at__gte]=2024-01-01"
|
|
```
|
|
|
|
### Error Responses
|
|
|
|
**400 Bad Request** - Invalid filter or parameter
|
|
```json
|
|
{
|
|
"errors": [
|
|
{
|
|
"status": "400",
|
|
"title": "Invalid Filter",
|
|
"detail": "Date range cannot exceed 7 days for inserted_at filters"
|
|
}
|
|
]
|
|
}
|
|
```
|
|
|
|
**422 Unprocessable Entity** - Missing required filter
|
|
```json
|
|
{
|
|
"errors": [
|
|
{
|
|
"status": "422",
|
|
"title": "Validation Error",
|
|
"detail": "At least one variation of filter[inserted_at] is required"
|
|
}
|
|
]
|
|
}
|
|
```
|
|
|
|
<Note>
|
|
**Performance Tip:** Maximum date range for `inserted_at` filters is 7 days. For historical analysis, use multiple requests or export data to external storage.
|
|
</Note>
|
|
|
|
<Warning>
|
|
**Rate Limiting:** This endpoint is rate-limited to 100 requests per minute. For real-time monitoring, consider using webhooks or the `/findings/latest` endpoint.
|
|
</Warning>
|
|
|
|
<Tip>
|
|
Use `filter[delta]=new` to only retrieve findings discovered in the most recent scan, perfect for alerting on new security issues.
|
|
</Tip>
|