@datafire/google_websecurityscanner

v3.0.0

DataFire integration for Web Security Scanner API

Downloads

2

Client library for Web Security Scanner API

Installation and Usage

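npm install --save @datafire/google_websecurityscanner

// Fill these from your OAuth client and token store; avoid committing real values.
let google_websecurityscanner = require('@datafire/google_websecurityscanner').create({
  access_token: "",
  refresh_token: "",
  client_id: "",
  client_secret: "",
  redirect_uri: ""
});

// Call one of the actions listed below, for example listing a project's ScanConfigs.
google_websecurityscanner.websecurityscanner.projects.scanConfigs.list({
  "parent": "projects/{projectId}"
}).then(data => {
  console.log(data);
});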

Description

Scans your Compute and App Engine apps for common web vulnerabilities.

Actions

oauthCallback

Exchange the code passed to your redirect URI for an access_token

google_websecurityscanner.oauthCallback({
  "code": ""
}, context)

Input

  • input object
    • code required string

Output

  • output object
    • access_token string
    • refresh_token string
    • token_type string
    • scope string
    • expiration string

oauthRefresh

Exchange a refresh_token for an access_token

google_websecurityscanner.oauthRefresh(null, context)

Input

This action has no parameters

Output

  • output object
    • access_token string
    • refresh_token string
    • token_type string
    • scope string
    • expiration string

websecurityscanner.projects.scanConfigs.delete

Deletes an existing ScanConfig and its child resources.

google_websecurityscanner.websecurityscanner.projects.scanConfigs.delete({
  "name": ""
}, context)

Input

  • input object
    • name required string: Required. The resource name of the ScanConfig to be deleted. The name follows the format of 'projects/{projectId}/scanConfigs/{scanConfigId}'.
    • $.xgafv string (values: 1, 2): V1 error format.
    • access_token string: OAuth access token.
    • alt string (values: json, media, proto): Data format for response.
    • callback string: JSONP
    • fields string: Selector specifying which fields to include in a partial response.
    • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
    • oauth_token string: OAuth 2.0 token for the current user.
    • prettyPrint boolean: Returns response with indentations and line breaks.
    • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
    • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
    • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

websecurityscanner.projects.scanConfigs.scanRuns.findings.get

Gets a Finding.

google_websecurityscanner.websecurityscanner.projects.scanConfigs.scanRuns.findings.get({
  "name": ""
}, context)

Input

  • input object
    • name required string: Required. The resource name of the Finding to be returned. The name follows the format of 'projects/{projectId}/scanConfigs/{scanConfigId}/scanRuns/{scanRunId}/findings/{findingId}'.
    • $.xgafv string (values: 1, 2): V1 error format.
    • access_token string: OAuth access token.
    • alt string (values: json, media, proto): Data format for response.
    • callback string: JSONP
    • fields string: Selector specifying which fields to include in a partial response.
    • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
    • oauth_token string: OAuth 2.0 token for the current user.
    • prettyPrint boolean: Returns response with indentations and line breaks.
    • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
    • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
    • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

websecurityscanner.projects.scanConfigs.patch

Updates a ScanConfig. This method supports partial updates of a ScanConfig.

google_websecurityscanner.websecurityscanner.projects.scanConfigs.patch({
  "name": ""
}, context)

Input

  • input object
    • name required string: The resource name of the ScanConfig. The name follows the format of 'projects/{projectId}/scanConfigs/{scanConfigId}'. The ScanConfig IDs are generated by the system.
    • updateMask string: Required. The update mask applies to the resource. For the FieldMask definition, see https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask
    • body ScanConfig
    • $.xgafv string (values: 1, 2): V1 error format.
    • access_token string: OAuth access token.
    • alt string (values: json, media, proto): Data format for response.
    • callback string: JSONP
    • fields string: Selector specifying which fields to include in a partial response.
    • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
    • oauth_token string: OAuth 2.0 token for the current user.
    • prettyPrint boolean: Returns response with indentations and line breaks.
    • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
    • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
    • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

websecurityscanner.projects.scanConfigs.start

Start a ScanRun according to the given ScanConfig.

google_websecurityscanner.websecurityscanner.projects.scanConfigs.start({
  "name": ""
}, context)

Input

  • input object
    • name required string: Required. The resource name of the ScanConfig to be used. The name follows the format of 'projects/{projectId}/scanConfigs/{scanConfigId}'.
    • body StartScanRunRequest
    • $.xgafv string (values: 1, 2): V1 error format.
    • access_token string: OAuth access token.
    • alt string (values: json, media, proto): Data format for response.
    • callback string: JSONP
    • fields string: Selector specifying which fields to include in a partial response.
    • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
    • oauth_token string: OAuth 2.0 token for the current user.
    • prettyPrint boolean: Returns response with indentations and line breaks.
    • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
    • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
    • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

websecurityscanner.projects.scanConfigs.scanRuns.stop

Stops a ScanRun. The stopped ScanRun is returned.

google_websecurityscanner.websecurityscanner.projects.scanConfigs.scanRuns.stop({
  "name": ""
}, context)

Input

  • input object
    • name required string: Required. The resource name of the ScanRun to be stopped. The name follows the format of 'projects/{projectId}/scanConfigs/{scanConfigId}/scanRuns/{scanRunId}'.
    • body StopScanRunRequest
    • $.xgafv string (values: 1, 2): V1 error format.
    • access_token string: OAuth access token.
    • alt string (values: json, media, proto): Data format for response.
    • callback string: JSONP
    • fields string: Selector specifying which fields to include in a partial response.
    • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
    • oauth_token string: OAuth 2.0 token for the current user.
    • prettyPrint boolean: Returns response with indentations and line breaks.
    • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
    • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
    • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

websecurityscanner.projects.scanConfigs.scanRuns.crawledUrls.list

List CrawledUrls under a given ScanRun.

google_websecurityscanner.websecurityscanner.projects.scanConfigs.scanRuns.crawledUrls.list({
  "parent": ""
}, context)

Input

  • input object
    • parent required string: Required. The parent resource name, which should be a scan run resource name in the format 'projects/{projectId}/scanConfigs/{scanConfigId}/scanRuns/{scanRunId}'.
    • pageSize integer: The maximum number of CrawledUrls to return, can be limited by server. If not specified or not positive, the implementation will select a reasonable value.
    • pageToken string: A token identifying a page of results to be returned. This should be a next_page_token value returned from a previous List request. If unspecified, the first page of results is returned.
    • $.xgafv string (values: 1, 2): V1 error format.
    • access_token string: OAuth access token.
    • alt string (values: json, media, proto): Data format for response.
    • callback string: JSONP
    • fields string: Selector specifying which fields to include in a partial response.
    • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
    • oauth_token string: OAuth 2.0 token for the current user.
    • prettyPrint boolean: Returns response with indentations and line breaks.
    • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
    • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
    • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

websecurityscanner.projects.scanConfigs.scanRuns.findingTypeStats.list

List all FindingTypeStats under a given ScanRun.

google_websecurityscanner.websecurityscanner.projects.scanConfigs.scanRuns.findingTypeStats.list({
  "parent": ""
}, context)

Input

  • input object
    • parent required string: Required. The parent resource name, which should be a scan run resource name in the format 'projects/{projectId}/scanConfigs/{scanConfigId}/scanRuns/{scanRunId}'.
    • $.xgafv string (values: 1, 2): V1 error format.
    • access_token string: OAuth access token.
    • alt string (values: json, media, proto): Data format for response.
    • callback string: JSONP
    • fields string: Selector specifying which fields to include in a partial response.
    • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
    • oauth_token string: OAuth 2.0 token for the current user.
    • prettyPrint boolean: Returns response with indentations and line breaks.
    • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
    • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
    • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

websecurityscanner.projects.scanConfigs.scanRuns.findings.list

List Findings under a given ScanRun.

google_websecurityscanner.websecurityscanner.projects.scanConfigs.scanRuns.findings.list({
  "parent": ""
}, context)

Input

  • input object
    • parent required string: Required. The parent resource name, which should be a scan run resource name in the format 'projects/{projectId}/scanConfigs/{scanConfigId}/scanRuns/{scanRunId}'.
    • filter string: Required. The filter expression. The expression must be in the format: . Supported field: 'finding_type'. Supported operator: '='.
    • pageSize integer: The maximum number of Findings to return, can be limited by server. If not specified or not positive, the implementation will select a reasonable value.
    • pageToken string: A token identifying a page of results to be returned. This should be a next_page_token value returned from a previous List request. If unspecified, the first page of results is returned.
    • $.xgafv string (values: 1, 2): V1 error format.
    • access_token string: OAuth access token.
    • alt string (values: json, media, proto): Data format for response.
    • callback string: JSONP
    • fields string: Selector specifying which fields to include in a partial response.
    • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
    • oauth_token string: OAuth 2.0 token for the current user.
    • prettyPrint boolean: Returns response with indentations and line breaks.
    • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
    • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
    • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

websecurityscanner.projects.scanConfigs.list

Lists ScanConfigs under a given project.

google_websecurityscanner.websecurityscanner.projects.scanConfigs.list({
  "parent": ""
}, context)

Input

  • input object
    • parent required string: Required. The parent resource name, which should be a project resource name in the format 'projects/{projectId}'.
    • pageSize integer: The maximum number of ScanConfigs to return, can be limited by server. If not specified or not positive, the implementation will select a reasonable value.
    • pageToken string: A token identifying a page of results to be returned. This should be a next_page_token value returned from a previous List request. If unspecified, the first page of results is returned.
    • $.xgafv string (values: 1, 2): V1 error format.
    • access_token string: OAuth access token.
    • alt string (values: json, media, proto): Data format for response.
    • callback string: JSONP
    • fields string: Selector specifying which fields to include in a partial response.
    • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
    • oauth_token string: OAuth 2.0 token for the current user.
    • prettyPrint boolean: Returns response with indentations and line breaks.
    • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
    • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
    • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

websecurityscanner.projects.scanConfigs.create

Creates a new ScanConfig.

google_websecurityscanner.websecurityscanner.projects.scanConfigs.create({
  "parent": ""
}, context)

Input

  • input object
    • parent required string: Required. The parent resource name where the scan is created, which should be a project resource name in the format 'projects/{projectId}'.
    • body ScanConfig
    • $.xgafv string (values: 1, 2): V1 error format.
    • access_token string: OAuth access token.
    • alt string (values: json, media, proto): Data format for response.
    • callback string: JSONP
    • fields string: Selector specifying which fields to include in a partial response.
    • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
    • oauth_token string: OAuth 2.0 token for the current user.
    • prettyPrint boolean: Returns response with indentations and line breaks.
    • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
    • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
    • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

websecurityscanner.projects.scanConfigs.scanRuns.list

Lists ScanRuns under a given ScanConfig, in descending order of ScanRun stop time.

google_websecurityscanner.websecurityscanner.projects.scanConfigs.scanRuns.list({
  "parent": ""
}, context)

Input

  • input object
    • parent required string: Required. The parent resource name, which should be a scan resource name in the format 'projects/{projectId}/scanConfigs/{scanConfigId}'.
    • pageSize integer: The maximum number of ScanRuns to return, can be limited by server. If not specified or not positive, the implementation will select a reasonable value.
    • pageToken string: A token identifying a page of results to be returned. This should be a next_page_token value returned from a previous List request. If unspecified, the first page of results is returned.
    • $.xgafv string (values: 1, 2): V1 error format.
    • access_token string: OAuth access token.
    • alt string (values: json, media, proto): Data format for response.
    • callback string: JSONP
    • fields string: Selector specifying which fields to include in a partial response.
    • key string: API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.
    • oauth_token string: OAuth 2.0 token for the current user.
    • prettyPrint boolean: Returns response with indentations and line breaks.
    • quotaUser string: Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.
    • upload_protocol string: Upload protocol for media (e.g. "raw", "multipart").
    • uploadType string: Legacy upload protocol for media (e.g. "media", "multipart").

Output

Definitions

Authentication

CrawledUrl

  • CrawledUrl object: A CrawledUrl resource represents a URL that was crawled during a ScanRun. Web Security Scanner Service crawls the web applications, following all links within the scope of sites, to find the URLs to test against.
    • body string: The body of the request that was used to visit the URL.
    • httpMethod string: The http method of the request that was used to visit the URL, in uppercase.
    • url string: The URL that was crawled.

CustomAccount

  • CustomAccount object: Describes authentication configuration that uses a custom account.
    • loginUrl string: Required. The login form URL of the website.
    • password string: Required. Input only. The password of the custom account. The credential is stored encrypted and not returned in any response nor included in audit logs.
    • username string: Required. The user name of the custom account.

Empty

  • Empty object: A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } The JSON representation for Empty is empty JSON object {}.

Finding

  • Finding object: A Finding resource represents a vulnerability instance identified during a ScanRun.
    • body string: The body of the request that triggered the vulnerability.
    • description string: The description of the vulnerability.
    • finalUrl string: The URL where the browser lands when the vulnerability is detected.
    • findingType string: The type of the Finding. Detailed and up-to-date information on findings can be found here: https://cloud.google.com/security-command-center/docs/how-to-remediate-web-security-scanner
    • form Form
    • frameUrl string: If the vulnerability originated from a nested IFrame, the immediate parent IFrame is reported.
    • fuzzedUrl string: The URL produced by the server-side fuzzer and used in the request that triggered the vulnerability.
    • httpMethod string: The http method of the request that triggered the vulnerability, in uppercase.
    • name string: The resource name of the Finding. The name follows the format of 'projects/{projectId}/scanConfigs/{scanConfigId}/scanruns/{scanRunId}/findings/{findingId}'. The finding IDs are generated by the system.
    • outdatedLibrary OutdatedLibrary
    • reproductionUrl string: The URL containing human-readable payload that user can leverage to reproduce the vulnerability.
    • severity string (values: SEVERITY_UNSPECIFIED, CRITICAL, HIGH, MEDIUM, LOW): The severity level of the reported vulnerability.
    • trackingId string: The tracking ID uniquely identifies a vulnerability instance across multiple ScanRuns.
    • violatingResource ViolatingResource
    • vulnerableHeaders VulnerableHeaders
    • vulnerableParameters VulnerableParameters
    • xss Xss

FindingTypeStats

  • FindingTypeStats object: A FindingTypeStats resource represents stats regarding a specific FindingType of Findings under a given ScanRun.
    • findingCount integer: The count of findings belonging to this finding type.
    • findingType string: The finding type associated with the stats.

Form

  • Form object: Information about a vulnerability with an HTML.
    • actionUri string: The URI where to send the form when it's submitted.
    • fields array: The names of form fields related to the vulnerability.
      • items string

GoogleAccount

  • GoogleAccount object: Describes authentication configuration that uses a Google account.
    • password string: Required. Input only. The password of the Google account. The credential is stored encrypted and not returned in any response nor included in audit logs.
    • username string: Required. The user name of the Google account.

Header

  • Header object: Describes an HTTP header.
    • name string: Header name.
    • value string: Header value.

IapCredential

  • IapCredential object: Describes authentication configuration for Identity-Aware-Proxy (IAP).

IapTestServiceAccountInfo

  • IapTestServiceAccountInfo object: Describes authentication configuration when Web-Security-Scanner service account is added in Identity-Aware-Proxy (IAP) access policies.
    • targetAudienceClientId string: Required. Describes OAuth2 Client ID of resources protected by Identity-Aware-Proxy(IAP).

ListCrawledUrlsResponse

  • ListCrawledUrlsResponse object: Response for the ListCrawledUrls method.
    • crawledUrls array: The list of CrawledUrls returned.
    • nextPageToken string: Token to retrieve the next page of results, or empty if there are no more results in the list.

ListFindingTypeStatsResponse

  • ListFindingTypeStatsResponse object: Response for the ListFindingTypeStats method.
    • findingTypeStats array: The list of FindingTypeStats returned.

ListFindingsResponse

  • ListFindingsResponse object: Response for the ListFindings method.
    • findings array: The list of Findings returned.
    • nextPageToken string: Token to retrieve the next page of results, or empty if there are no more results in the list.

ListScanConfigsResponse

  • ListScanConfigsResponse object: Response for the ListScanConfigs method.
    • nextPageToken string: Token to retrieve the next page of results, or empty if there are no more results in the list.
    • scanConfigs array: The list of ScanConfigs returned.

ListScanRunsResponse

  • ListScanRunsResponse object: Response for the ListScanRuns method.
    • nextPageToken string: Token to retrieve the next page of results, or empty if there are no more results in the list.
    • scanRuns array: The list of ScanRuns returned.
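
The four paginated list responses above share the nextPageToken convention. The following is an added example, not code from DataFire or this README: it follows the token to the end for any of those actions, then ranks Findings by the severity values listed under Finding. The stub client, resource name, finding data and filter placeholder are constructed, and the action's context argument is assumed to be optional.

```javascript
// Added example: paginate a list action and rank Findings by severity.
// Order taken from the Finding.severity enum on this page, most severe first.
const SEVERITY_ORDER = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'SEVERITY_UNSPECIFIED'];

// listAction: (input) => Promise<response>; itemsKey: 'findings', 'scanRuns',
// 'scanConfigs' or 'crawledUrls', matching the List*Response definitions.
async function listAll(listAction, input, itemsKey, maxPages = 50) {
  const items = [];
  const seenTokens = new Set();
  let pageToken;
  for (let page = 0; page < maxPages; page++) {
    const request = pageToken ? { ...input, pageToken } : { ...input };
    const response = (await listAction(request)) || {};
    items.push(...(response[itemsKey] || []));
    pageToken = response.nextPageToken;
    if (!pageToken) return items; // empty or absent token means last page
    // A token that comes back twice would loop forever; fail loudly instead.
    if (seenTokens.has(pageToken)) {
      throw new Error(`repeated page token after ${page + 1} pages`);
    }
    seenTokens.add(pageToken);
  }
  throw new Error(`stopped after ${maxPages} pages; results are incomplete`);
}

// trackingId identifies one vulnerability instance across ScanRuns, so it is
// used to collapse repeats before sorting (falls back to the resource name).
function rankFindings(findings) {
  const rank = (severity) => {
    const i = SEVERITY_ORDER.indexOf(severity);
    return i === -1 ? SEVERITY_ORDER.length : i;
  };
  const unique = new Map();
  for (const finding of findings) {
    const key = finding.trackingId || finding.name;
    if (!unique.has(key)) unique.set(key, finding);
  }
  return [...unique.values()].sort((a, b) => rank(a.severity) - rank(b.severity));
}

// The filter is passed through untouched: this page marks it required but
// does not show the expression format.
async function triageRun(client, parent, filter) {
  const findings = await listAll(
    (input) => client.websecurityscanner.projects.scanConfigs.scanRuns.findings.list(input),
    { parent, filter },
    'findings'
  );
  return rankFindings(findings);
}

// Constructed stand-in for the client: two pages of made-up Findings.
function makeStubClient() {
  const run = 'projects/example-project/scanConfigs/1/scanRuns/2';
  const pages = {
    '': {
      findings: [
        { name: `${run}/findings/a`, trackingId: 't-1', severity: 'LOW' },
        { name: `${run}/findings/b`, trackingId: 't-2', severity: 'HIGH' },
      ],
      nextPageToken: 'p2',
    },
    p2: {
      findings: [
        { name: `${run}/findings/c`, trackingId: 't-3', severity: 'CRITICAL' },
        { name: `${run}/findings/d`, trackingId: 't-2', severity: 'HIGH' },
      ],
    },
  };
  const calls = [];
  const list = (input) => {
    calls.push(input);
    return Promise.resolve(pages[input.pageToken || '']);
  };
  return {
    calls,
    websecurityscanner: { projects: { scanConfigs: { scanRuns: { findings: { list } } } } },
  };
}

// Demo run against the stub; prints trackingId and severity, most severe first.
triageRun(
  makeStubClient(),
  'projects/example-project/scanConfigs/1/scanRuns/2',
  '<filter expression>' // constructed placeholder
).then((ranked) => {
  for (const f of ranked) console.log(f.severity, f.trackingId);
});
```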

OutdatedLibrary

  • OutdatedLibrary object: Information reported for an outdated library.
    • learnMoreUrls array: URLs to learn more information about the vulnerabilities in the library.
      • items string
    • libraryName string: The name of the outdated library.
    • version string: The version number.

ScanConfig

  • ScanConfig object: A ScanConfig resource contains the configurations to launch a scan.
    • authentication Authentication
    • blacklistPatterns array: The excluded URL patterns as described in https://cloud.google.com/security-command-center/docs/how-to-use-web-security-scanner#excluding_urls
      • items string
    • displayName string: Required. The user provided display name of the ScanConfig.
    • exportToSecurityCommandCenter string (values: EXPORT_TO_SECURITY_COMMAND_CENTER_UNSPECIFIED, ENABLED, DISABLED): Controls export of scan configurations and results to Security Command Center.
    • latestRun ScanRun
    • managedScan boolean: Whether the scan config is managed by Web Security Scanner, output only.
    • maxQps integer: The maximum QPS during scanning. A valid value ranges from 5 to 20 inclusive. If the field is unspecified or its value is set to 0, the server will default to 15. Other values outside of the [5, 20] range will be rejected with an INVALID_ARGUMENT error.
    • name string: The resource name of the ScanConfig. The name follows the format of 'projects/{projectId}/scanConfigs/{scanConfigId}'. The ScanConfig IDs are generated by the system.
    • riskLevel string (values: RISK_LEVEL_UNSPECIFIED, NORMAL, LOW): The risk level selected for the scan
    • schedule Schedule
    • startingUrls array: Required. The starting URLs from which the scanner finds site pages.
      • items string
    • staticIpScan boolean: Whether the scan configuration has enabled static IP address scan feature. If enabled, the scanner will access applications from static IP addresses.
    • targetPlatforms array: Set of Google Cloud platforms targeted by the scan. If empty, APP_ENGINE will be used as a default.
      • items string (values: TARGET_PLATFORM_UNSPECIFIED, APP_ENGINE, COMPUTE)
    • userAgent string (values: USER_AGENT_UNSPECIFIED, CHROME_LINUX, CHROME_ANDROID, SAFARI_IPHONE): The user agent used during scanning.
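
A ScanConfig body can be checked locally before it is sent to scanConfigs.create or scanConfigs.patch. The following is an added example, not part of the DataFire client: the limits and enum values are copied from the ScanConfig and Schedule definitions on this page, while the function names, the shape of the problem list and the sample configs are constructed.

```javascript
// Added example: pre-flight validation of a ScanConfig body.
const SCAN_CONFIG_ENUMS = {
  riskLevel: ['RISK_LEVEL_UNSPECIFIED', 'NORMAL', 'LOW'],
  userAgent: ['USER_AGENT_UNSPECIFIED', 'CHROME_LINUX', 'CHROME_ANDROID', 'SAFARI_IPHONE'],
  exportToSecurityCommandCenter: [
    'EXPORT_TO_SECURITY_COMMAND_CENTER_UNSPECIFIED', 'ENABLED', 'DISABLED',
  ],
};
const TARGET_PLATFORMS = ['TARGET_PLATFORM_UNSPECIFIED', 'APP_ENGINE', 'COMPUTE'];

// Returns a list of { field, reason }; an empty list means no problem found.
function validateScanConfig(cfg) {
  const problems = [];
  const add = (field, reason) => problems.push({ field, reason });

  // displayName and startingUrls are marked "Required" on this page.
  if (typeof cfg.displayName !== 'string' || cfg.displayName.trim() === '') {
    add('displayName', 'required');
  }
  if (!Array.isArray(cfg.startingUrls) || cfg.startingUrls.length === 0) {
    add('startingUrls', 'required, at least one URL');
  } else {
    cfg.startingUrls.forEach((url, i) => {
      try {
        new URL(url); // throws on anything that is not an absolute URL
      } catch {
        add(`startingUrls[${i}]`, 'not a parseable absolute URL');
      }
    });
  }

  // maxQps: unset or 0 selects the server default; otherwise 5..20 inclusive.
  if (cfg.maxQps !== undefined && cfg.maxQps !== 0) {
    if (!Number.isInteger(cfg.maxQps) || cfg.maxQps < 5 || cfg.maxQps > 20) {
      add('maxQps', 'must be an integer in [5, 20], or 0/unset for the default');
    }
  }

  for (const [field, allowed] of Object.entries(SCAN_CONFIG_ENUMS)) {
    if (cfg[field] !== undefined && !allowed.includes(cfg[field])) {
      add(field, `must be one of ${allowed.join(', ')}`);
    }
  }
  (cfg.targetPlatforms || []).forEach((platform, i) => {
    if (!TARGET_PLATFORMS.includes(platform)) {
      add(`targetPlatforms[${i}]`, `must be one of ${TARGET_PLATFORMS.join(', ')}`);
    }
  });

  // managedScan is output only, so a caller should not be setting it.
  if ('managedScan' in cfg) add('managedScan', 'output only');

  // Schedule.intervalDurationDays is required when a schedule is given.
  if (cfg.schedule !== undefined && !Number.isInteger(cfg.schedule.intervalDurationDays)) {
    add('schedule.intervalDurationDays', 'required integer');
  }
  return problems;
}

// The request rate the scan will actually use, per the maxQps description.
function effectiveMaxQps(cfg) {
  return cfg.maxQps === undefined || cfg.maxQps === 0 ? 15 : cfg.maxQps;
}

// Constructed sample bodies.
const goodConfig = {
  displayName: 'staging weekly',
  startingUrls: ['https://staging.example.com/'],
  maxQps: 10,
  riskLevel: 'LOW',
  targetPlatforms: ['APP_ENGINE'],
  schedule: { intervalDurationDays: 7 },
};
const badConfig = {
  displayName: ' ',
  startingUrls: ['not a url'],
  maxQps: 50,
  userAgent: 'FIREFOX',
  targetPlatforms: ['GKE'],
  managedScan: true,
  schedule: {},
};

console.log(validateScanConfig(goodConfig));
console.log(validateScanConfig(badConfig).map((p) => `${p.field}: ${p.reason}`));
```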

ScanConfigError

  • ScanConfigError object: Defines a custom error message used by CreateScanConfig and UpdateScanConfig APIs when scan configuration validation fails. It is also reported as part of a ScanRunErrorTrace message if scan validation fails due to a scan configuration error.
    • code string (values: CODE_UNSPECIFIED, OK, INTERNAL_ERROR, APPENGINE_API_BACKEND_ERROR, APPENGINE_API_NOT_ACCESSIBLE, APPENGINE_DEFAULT_HOST_MISSING, CANNOT_USE_GOOGLE_COM_ACCOUNT, CANNOT_USE_OWNER_ACCOUNT, COMPUTE_API_BACKEND_ERROR, COMPUTE_API_NOT_ACCESSIBLE, CUSTOM_LOGIN_URL_DOES_NOT_BELONG_TO_CURRENT_PROJECT, CUSTOM_LOGIN_URL_MALFORMED, CUSTOM_LOGIN_URL_MAPPED_TO_NON_ROUTABLE_ADDRESS, CUSTOM_LOGIN_URL_MAPPED_TO_UNRESERVED_ADDRESS, CUSTOM_LOGIN_URL_HAS_NON_ROUTABLE_IP_ADDRESS, CUSTOM_LOGIN_URL_HAS_UNRESERVED_IP_ADDRESS, DUPLICATE_SCAN_NAME, INVALID_FIELD_VALUE, FAILED_TO_AUTHENTICATE_TO_TARGET, FINDING_TYPE_UNSPECIFIED, FORBIDDEN_TO_SCAN_COMPUTE, FORBIDDEN_UPDATE_TO_MANAGED_SCAN, MALFORMED_FILTER, MALFORMED_RESOURCE_NAME, PROJECT_INACTIVE, REQUIRED_FIELD, RESOURCE_NAME_INCONSISTENT, SCAN_ALREADY_RUNNING, SCAN_NOT_RUNNING, SEED_URL_DOES_NOT_BELONG_TO_CURRENT_PROJECT, SEED_URL_MALFORMED, SEED_URL_MAPPED_TO_NON_ROUTABLE_ADDRESS, SEED_URL_MAPPED_TO_UNRESERVED_ADDRESS, SEED_URL_HAS_NON_ROUTABLE_IP_ADDRESS, SEED_URL_HAS_UNRESERVED_IP_ADDRESS, SERVICE_ACCOUNT_NOT_CONFIGURED, TOO_MANY_SCANS, UNABLE_TO_RESOLVE_PROJECT_INFO, UNSUPPORTED_BLACKLIST_PATTERN_FORMAT, UNSUPPORTED_FILTER, UNSUPPORTED_FINDING_TYPE, UNSUPPORTED_URL_SCHEME): Indicates the reason code for a configuration failure.
    • fieldName string: Indicates the full name of the ScanConfig field that triggers this error, for example "scan_config.max_qps". This field is provided for troubleshooting purposes only and its actual value can change in the future.

ScanRun

  • ScanRun object: A ScanRun is an output-only resource representing an actual run of the scan. Next id: 12
    • endTime string: The time at which the ScanRun reached a termination state, that is, the ScanRun is either finished or stopped by the user.
    • errorTrace ScanRunErrorTrace
    • executionState string (values: EXECUTION_STATE_UNSPECIFIED, QUEUED, SCANNING, FINISHED): The execution state of the ScanRun.
    • hasVulnerabilities boolean: Whether the scan run has found any vulnerabilities.
    • name string: The resource name of the ScanRun. The name follows the format of 'projects/{projectId}/scanConfigs/{scanConfigId}/scanRuns/{scanRunId}'. The ScanRun IDs are generated by the system.
    • progressPercent integer: The percentage of total completion ranging from 0 to 100. If the scan is in queue, the value is 0. If the scan is running, the value ranges from 0 to 100. If the scan is finished, the value is 100.
    • resultState string (values: RESULT_STATE_UNSPECIFIED, SUCCESS, ERROR, KILLED): The result state of the ScanRun. This field is only available after the execution state reaches "FINISHED".
    • startTime string: The time at which the ScanRun started.
    • urlsCrawledCount string: The number of URLs crawled during this ScanRun. If the scan is in progress, the value represents the number of URLs crawled up to now.
    • urlsTestedCount string: The number of URLs tested during this ScanRun. If the scan is in progress, the value represents the number of URLs tested up to now. The number of URLs tested is usually larger than the number of URLs crawled because typically a crawled URL is tested with multiple test payloads.
    • warningTraces array: A list of warnings, if such are encountered during this scan run.

ScanRunErrorTrace

  • ScanRunErrorTrace object: Output only. Defines an error trace message for a ScanRun.
    • code string (values: CODE_UNSPECIFIED, INTERNAL_ERROR, SCAN_CONFIG_ISSUE, AUTHENTICATION_CONFIG_ISSUE, TIMED_OUT_WHILE_SCANNING, TOO_MANY_REDIRECTS, TOO_MANY_HTTP_ERRORS): Indicates the error reason code.
    • mostCommonHttpErrorCode integer: If the scan encounters TOO_MANY_HTTP_ERRORS, this field indicates the most common HTTP error code, if such is available. For example, if this code is 404, the scan has encountered too many NOT_FOUND responses.
    • scanConfigError ScanConfigError

ScanRunWarningTrace

  • ScanRunWarningTrace object: Output only. Defines a warning trace message for ScanRun. Warning traces provide customers with useful information that helps make the scanning process more effective.
    • code string (values: CODE_UNSPECIFIED, INSUFFICIENT_CRAWL_RESULTS, TOO_MANY_CRAWL_RESULTS, TOO_MANY_FUZZ_TASKS, BLOCKED_BY_IAP, NO_STARTING_URL_FOUND_FOR_MANAGED_SCAN): Indicates the warning code.

Schedule

  • Schedule object: Scan schedule configuration.
    • intervalDurationDays integer: Required. The duration of time between executions in days.
    • scheduleTime string: A timestamp that indicates when the next run will be scheduled. The value is refreshed by the server after each run. If unspecified, it will default to the current server time, which means the scan will be scheduled to start immediately.

StartScanRunRequest

  • StartScanRunRequest object: Request for the StartScanRun method.

StopScanRunRequest

  • StopScanRunRequest object: Request for the StopScanRun method.

ViolatingResource

  • ViolatingResource object: Information regarding any resource causing the vulnerability such as JavaScript sources, image, audio files, etc.
    • contentType string: The MIME type of this resource.
    • resourceUrl string: URL of this violating resource.

VulnerableHeaders

  • VulnerableHeaders object: Information about vulnerable or missing HTTP Headers.
    • headers array: List of vulnerable headers.
    • missingHeaders array: List of missing headers.

VulnerableParameters

  • VulnerableParameters object: Information about vulnerable request parameters.
    • parameterNames array: The vulnerable parameter names.
      • items string

Xss

  • Xss object: Information reported for an XSS.
    • errorMessage string: An error message generated by a javascript breakage.
    • stackTraces array: Stack traces leading to the point where the XSS occurred.
      • items string