Protocol documentation

minder/v1/minder.proto

Services

ArtifactService

| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| ListArtifacts | ListArtifactsRequest | ListArtifactsResponse | |
| GetArtifactById | GetArtifactByIdRequest | GetArtifactByIdResponse | |
| GetArtifactByName | GetArtifactByNameRequest | GetArtifactByNameResponse | |

DataSourceService

| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| CreateDataSource | CreateDataSourceRequest | CreateDataSourceResponse | |
| GetDataSourceById | GetDataSourceByIdRequest | GetDataSourceByIdResponse | |
| GetDataSourceByName | GetDataSourceByNameRequest | GetDataSourceByNameResponse | |
| ListDataSources | ListDataSourcesRequest | ListDataSourcesResponse | |
| UpdateDataSource | UpdateDataSourceRequest | UpdateDataSourceResponse | |
| DeleteDataSourceById | DeleteDataSourceByIdRequest | DeleteDataSourceByIdResponse | |
| DeleteDataSourceByName | DeleteDataSourceByNameRequest | DeleteDataSourceByNameResponse | |

EvalResultsService

| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| ListEvaluationResults | ListEvaluationResultsRequest | ListEvaluationResultsResponse | |
| ListEvaluationHistory | ListEvaluationHistoryRequest | ListEvaluationHistoryResponse | |
| GetEvaluationHistory | GetEvaluationHistoryRequest | GetEvaluationHistoryResponse | |

HealthService

Simple Health Check Service replies with OK

| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| CheckHealth | CheckHealthRequest | CheckHealthResponse | |

InviteService

| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| GetInviteDetails | GetInviteDetailsRequest | GetInviteDetailsResponse | |

OAuthService

| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| GetAuthorizationURL | GetAuthorizationURLRequest | GetAuthorizationURLResponse | |
| StoreProviderToken | StoreProviderTokenRequest | StoreProviderTokenResponse | |
| VerifyProviderTokenFrom | VerifyProviderTokenFromRequest | VerifyProviderTokenFromResponse | VerifyProviderTokenFrom verifies that a token has been created for a provider since given timestamp |
| VerifyProviderCredential | VerifyProviderCredentialRequest | VerifyProviderCredentialResponse | VerifyProviderCredential verifies that a credential has been created matching the enrollment nonce |

PermissionsService

| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| ListRoles | ListRolesRequest | ListRolesResponse | |
| ListRoleAssignments | ListRoleAssignmentsRequest | ListRoleAssignmentsResponse | |
| AssignRole | AssignRoleRequest | AssignRoleResponse | |
| UpdateRole | UpdateRoleRequest | UpdateRoleResponse | |
| RemoveRole | RemoveRoleRequest | RemoveRoleResponse | |

ProfileService

| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| CreateProfile | CreateProfileRequest | CreateProfileResponse | |
| UpdateProfile | UpdateProfileRequest | UpdateProfileResponse | |
| PatchProfile | PatchProfileRequest | PatchProfileResponse | |
| DeleteProfile | DeleteProfileRequest | DeleteProfileResponse | |
| ListProfiles | ListProfilesRequest | ListProfilesResponse | |
| GetProfileById | GetProfileByIdRequest | GetProfileByIdResponse | |
| GetProfileByName | GetProfileByNameRequest | GetProfileByNameResponse | |
| GetProfileStatusByName | GetProfileStatusByNameRequest | GetProfileStatusByNameResponse | |
| GetProfileStatusByProject | GetProfileStatusByProjectRequest | GetProfileStatusByProjectResponse | |

ProjectsService

| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| ListProjects | ListProjectsRequest | ListProjectsResponse | |
| CreateProject | CreateProjectRequest | CreateProjectResponse | |
| ListChildProjects | ListChildProjectsRequest | ListChildProjectsResponse | |
| DeleteProject | DeleteProjectRequest | DeleteProjectResponse | |
| UpdateProject | UpdateProjectRequest | UpdateProjectResponse | |
| PatchProject | PatchProjectRequest | PatchProjectResponse | |
| CreateEntityReconciliationTask | CreateEntityReconciliationTaskRequest | CreateEntityReconciliationTaskResponse | |

ProvidersService

| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| PatchProvider | PatchProviderRequest | PatchProviderResponse | |
| GetProvider | GetProviderRequest | GetProviderResponse | |
| ListProviders | ListProvidersRequest | ListProvidersResponse | |
| CreateProvider | CreateProviderRequest | CreateProviderResponse | |
| DeleteProvider | DeleteProviderRequest | DeleteProviderResponse | |
| DeleteProviderByID | DeleteProviderByIDRequest | DeleteProviderByIDResponse | |
| ListProviderClasses | ListProviderClassesRequest | ListProviderClassesResponse | |
| ReconcileEntityRegistration | ReconcileEntityRegistrationRequest | ReconcileEntityRegistrationResponse | |

RepositoryService

| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| RegisterRepository | RegisterRepositoryRequest | RegisterRepositoryResponse | |
| ListRemoteRepositoriesFromProvider | ListRemoteRepositoriesFromProviderRequest | ListRemoteRepositoriesFromProviderResponse | |
| ListRepositories | ListRepositoriesRequest | ListRepositoriesResponse | |
| GetRepositoryById | GetRepositoryByIdRequest | GetRepositoryByIdResponse | |
| GetRepositoryByName | GetRepositoryByNameRequest | GetRepositoryByNameResponse | |
| DeleteRepositoryById | DeleteRepositoryByIdRequest | DeleteRepositoryByIdResponse | |
| DeleteRepositoryByName | DeleteRepositoryByNameRequest | DeleteRepositoryByNameResponse | |

RuleTypeService

| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| ListRuleTypes | ListRuleTypesRequest | ListRuleTypesResponse | |
| GetRuleTypeByName | GetRuleTypeByNameRequest | GetRuleTypeByNameResponse | |
| GetRuleTypeById | GetRuleTypeByIdRequest | GetRuleTypeByIdResponse | |
| CreateRuleType | CreateRuleTypeRequest | CreateRuleTypeResponse | |
| UpdateRuleType | UpdateRuleTypeRequest | UpdateRuleTypeResponse | |
| DeleteRuleType | DeleteRuleTypeRequest | DeleteRuleTypeResponse | |

UserService

manage Users CRUD

| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| CreateUser | CreateUserRequest | CreateUserResponse | |
| DeleteUser | DeleteUserRequest | DeleteUserResponse | |
| GetUser | GetUserRequest | GetUserResponse | |
| ListInvitations | ListInvitationsRequest | ListInvitationsResponse | ListInvitations returns a list of invitations for the user based on the user's registered email address. Note that a user who receives an invitation code may still accept the invitation even if the code was directed to a different email address. This is because understanding the routing of email messages is beyond the scope of Minder. This API endpoint may be called without the logged-in user previously having called CreateUser. |
| ResolveInvitation | ResolveInvitationRequest | ResolveInvitationResponse | ResolveInvitation allows a user to accept or decline an invitation to a project given the code for the invitation. A user may call ResolveInvitation to accept or decline an invitation even if they have not called CreateUser. If a user accepts an invitation via this call before calling CreateUser, a Minder user record will be created, but no additional projects will be created (unlike CreateUser, which will also create a default project). |

Messages

Artifact

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| artifact_pk | string | | |
| owner | string | | owner is the artifact owner. This is optional. |
| name | string | | |
| type | string | | |
| visibility | string | | |
| repository | string | | repository is the repository the artifact originated from. This is optional. |
| versions | ArtifactVersion | repeated | |
| created_at | google.protobuf.Timestamp | | |
| context | Context | | |

ArtifactType

ArtifactType defines the artifact data evaluation.

ArtifactVersion

ArtifactVersion is a version of an artifact. This is currently not populated in any requests or responses.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| version_id | int64 | | |
| tags | string | repeated | |
| sha | string | | |
| created_at | google.protobuf.Timestamp | | |

AssignRoleRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the role assignment is evaluated. |
| role_assignment | RoleAssignment | | role_assignment is the role assignment to be created. |

AssignRoleResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| role_assignment | RoleAssignment | | role_assignment is the role assignment that was created. This is optional. |
| invitation | Invitation | | invitation contains the details of the invitation for the assigned user to join the project if the user is not already a member. This is optional. |

AuthorizationParams

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| authorization_url | string | | authorization_url is an external URL to use to authorize the provider. |

AutoRegistration

AutoRegistration is the configuration for auto-registering entities. When nothing is set, auto-registration is disabled. There is no difference between disabled and undefined, so for the "let's not auto-register anything" case we'd just leave the repeated string empty.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| entities | AutoRegistration.EntitiesEntry | repeated | enabled is the list of entities that are enabled for auto-registration. |

AutoRegistration.EntitiesEntry

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| key | string | | |
| value | EntityAutoRegistrationConfig | | |

Build

BuiltinType

BuiltinType defines the builtin data evaluation.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| method | string | | |

CheckHealthRequest

CheckHealthResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| status | string | | |

Context

Context defines the context in which a rule is evaluated. This normally refers to a combination of the provider, organization and project.

Removing the 'optional' keyword from the two fields below will break buf compatibility checks.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| provider | string | optional | name of the provider |
| project | string | optional | ID of the project. If empty or unset, will select the user's default project if they only have one project. |
| retired_organization | string | optional | |

ContextV2

ContextV2 defines the context in which a rule is evaluated.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| project_id | string | | project is the project ID. If empty or unset, will select the user's default project if they only have one project. |
| provider | string | | name of the provider. Set to empty string when not applicable. |

CreateDataSourceRequest

DataSource service

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| data_source | DataSource | | |

CreateDataSourceResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| data_source | DataSource | | |

CreateEntityReconciliationTaskRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| entity | EntityTypedId | | entity is the entity to be reconciled. |
| context | Context | | context is the context in which the entity reconciliation task is created. |

CreateEntityReconciliationTaskResponse

CreateProfileRequest

Profile service

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| profile | Profile | | |

CreateProfileResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| profile | Profile | | |

CreateProjectRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the project is created. |
| name | string | | name is the name of the project to create. |

CreateProjectResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| project | Project | | project is the project that was created. |

CreateProviderRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the provider is created. |
| provider | Provider | | provider is the provider to be created. |

CreateProviderResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| provider | Provider | | provider is the provider that was created. |
| authorization | AuthorizationParams | | authorization provides additional authorization information needed to complete the initialization of the provider. |

CreateRuleTypeRequest

CreateRuleTypeRequest is the request to create a rule type.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| rule_type | RuleType | | rule_type is the rule type to be created. |

CreateRuleTypeResponse

CreateRuleTypeResponse is the response to create a rule type.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| rule_type | RuleType | | rule_type is the rule type that was created. |

CreateUserRequest

User service

CreateUserResponse

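| Field | Type | Label | Description |
| --- | --- | --- | --- |
| id | int32 | | |
| organization_id | string | | Deprecated. |
| organizatio_name | string | | Deprecated. |
| project_id | string | | |
| project_name | string | | |
| identity_subject | string | | |
| created_at | google.protobuf.Timestamp | | |
| context | Context | | Deprecated. |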

Cursor

Cursor message to be used in request messages. Its purpose is to allow clients to specify the subset of records to retrieve by means of index within a collection, along with the number of items to retrieve.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| cursor | string | | cursor is the index to start from within the collection being retrieved. It's an opaque payload specified and interpreted on a per-rpc basis. An empty string is used to indicate the first item in the collection. |
| size | uint32 | | size is the number of items to retrieve from the collection. 0 uses a server-defined default. |

CursorPage

CursorPage message used in response messages. Its purpose is to send to clients links pointing to next and/or previous collection subsets with respect to the one containing this struct.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| total_records | uint32 | | Total number of records matching the request. This is optional. |
| next | Cursor | | Cursor pointing to retrieve results logically placed after the ones shipped with the message containing this struct. This is optional. |
| prev | Cursor | | Cursor pointing to retrieve results logically placed before the ones shipped with the message containing this struct. This is optional. |

DataSource

DataSource is a Data source instance. Data sources represent external integrations that enrich the data in Minder, but do not have explicit lifecycle objects (entities). Integrations which create entities are called Providers.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| version | string | | version is the version of the data source API. |
| type | string | | type is the data source type |
| context | ContextV2 | | context is the context in which the data source is evaluated. Note that in this case we only need the project in the context, since data sources are not provider-specific. |
| name | string | | name is the name of the data source. Note that this is unique within a project hierarchy. Names must be lowercase and can only contain letters, numbers, hyphens, and underscores. |
| id | string | | id is the unique identifier of the data source. |
| structured | StructDataSource | | structured is the structured data - data source. |
| rest | RestDataSource | | rest is the REST data source driver. |

DataSourceReference

DataSourceReference is a reference to a data source. Note that for a resource to refer to a data source the data source must be available in the same project hierarchy.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| name | string | | refer to a data source by name. |

DeleteDataSourceByIdRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | ContextV2 | | |
| id | string | | |

DeleteDataSourceByIdResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| id | string | | |

DeleteDataSourceByNameRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | ContextV2 | | |
| name | string | | |

DeleteDataSourceByNameResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| name | string | | |

DeleteProfileRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the rule type is evaluated. |
| id | string | | id is the id of the profile to delete |

DeleteProfileResponse

DeleteProjectRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the project is deleted. |

DeleteProjectResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| project_id | string | | project_id is the id of the project that was deleted. |

DeleteProviderByIDRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the provider is deleted. Only the project is required in this context. |
| id | string | | id is the id of the provider to delete |

DeleteProviderByIDResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| id | string | | id is the id of the provider that was deleted |

DeleteProviderRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the provider is deleted. Both project and provider are required in this context. |

DeleteProviderResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| name | string | | name is the name of the provider that was deleted |

DeleteRepositoryByIdRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| repository_id | string | | |
| context | Context | | |

DeleteRepositoryByIdResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| repository_id | string | | |

DeleteRepositoryByNameRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| provider | string | | Deprecated. |
| name | string | | |
| context | Context | | |

DeleteRepositoryByNameResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| name | string | | |

DeleteRuleTypeRequest

DeleteRuleTypeRequest is the request to delete a rule type.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the rule type is evaluated. |
| id | string | | id is the id of the rule type to be deleted. |

DeleteRuleTypeResponse

DeleteRuleTypeResponse is the response to delete a rule type.

DeleteUserRequest

DeleteUserResponse

DepsType

DepsType defines the "deps" ingester, which can extract dependencies in protobom format for rule evaluation.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| repo | DepsType.RepoConfigs | | |
| pr | DepsType.PullRequestConfigs | | |

DepsType.PullRequestConfigs

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| filter | string | | filter is the filter to apply to the PRs. The default value is "NEW_AND_UPDATED". |

DepsType.RepoConfigs

branch is the branch of the git repository, when applied to repository entities. Has no meaning or effect on other entity types.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| branch | string | | |

DiffType

DiffType defines the diff data ingester.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| ecosystems | DiffType.Ecosystem | repeated | ecosystems is the list of ecosystems to be used for the "dep" diff type. |
| type | string | | type is the type of diff ingestor to use. The default is "dep" which will leverage the ecosystems array. |

DiffType.Ecosystem

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| name | string | | name is the name of the ecosystem. |
| depfile | string | | depfile is the file that contains the dependencies for this ecosystem |

DockerHubProviderConfig

DockerHubProviderConfig contains the configuration for the DockerHub provider.

Namespace is the namespace for the DockerHub provider.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| namespace | string | optional | namespace is the namespace for the DockerHub provider. |

EntityAutoRegistrationConfig

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| enabled | bool | optional | |

EntityInstance

used for parsing resources in ruletypes

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| id | string | | id is the unique identifier of the entity. |
| context | ContextV2 | | context is the context in which the entity is evaluated. |
| name | string | | name is the name of the entity. |
| type | Entity | | type is the type of the entity. DISCUSSION: If we're aiming for a BYO entity type, we should probably have this be a string, and have the user provide the type. |
| properties | google.protobuf.Struct | | properties is a map of properties of the entity. |

EntityTypedId

EntityTypedId is a message that carries an ID together with a type to uniquely identify an entity such as (repo, 1), (artifact, 2), ...

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| type | Entity | | entity is the entity to get status for. Incompatible with all |
| id | string | | id is the ID of the entity to get status for. Incompatible with all |

EvalResultAlert

EvalResultAlert holds the alert details for a given rule evaluation

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| status | string | | status is the status of the alert |
| last_updated | google.protobuf.Timestamp | | last_updated is the last time the alert was performed or attempted |
| details | string | | details is the description of the alert attempt if any |
| url | string | | url is the URL to the alert |

EvaluationHistory

EvaluationHistory represents the history of an entity evaluation. This is only used in responses.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| entity | EvaluationHistoryEntity | | entity contains details of the entity which was evaluated. |
| rule | EvaluationHistoryRule | | rule contains details of the rule which the entity was evaluated against. |
| status | EvaluationHistoryStatus | | status contains the evaluation status. |
| alert | EvaluationHistoryAlert | | alert contains details of the alerts for this evaluation. This is optional. |
| remediation | EvaluationHistoryRemediation | | remediation contains details of the remediation for this evaluation. This is optional. |
| evaluated_at | google.protobuf.Timestamp | | created_at is the timestamp of creation of this evaluation |
| id | string | | id is the unique identifier of the evaluation. |

EvaluationHistoryAlert

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| status | string | | status is one of (on, off, error, skipped, not available); not using enums to mirror the behaviour of the existing API contracts. |
| details | string | | details contains optional details about the alert. The structure and contents are alert specific, and are subject to change. |

EvaluationHistoryEntity

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| id | string | | id is the unique identifier of the entity. |
| type | Entity | | type is the entity type. |
| name | string | | name is the entity name. |

EvaluationHistoryRemediation

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| status | string | | status is one of (success, error, failure, skipped, not available); not using enums to mirror the behaviour of the existing API contracts. |
| details | string | | details contains optional details about the remediation. The structure and contents are remediation specific, and are subject to change. |

EvaluationHistoryRule

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| name | string | | name is the name of the rule instance. |
| rule_type | string | | type is the name of the rule type. |
| profile | string | | profile is the name of the profile which contains the rule. |
| severity | Severity | | severity is the severity of the rule type. |

EvaluationHistoryStatus

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| status | string | | status is one of (success, error, failure, skipped); not using enums to mirror the behaviour of the existing API contracts. |
| details | string | | details contains optional details about the evaluation. The structure and contents are rule type specific, and are subject to change. |

GHCRProviderConfig

GHCRProviderConfig contains the configuration for the GHCR provider.

Namespace is the namespace for the GHCR provider.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| namespace | string | optional | namespace is the namespace for the GHCR provider. |

GetArtifactByIdRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| id | string | | |
| context | Context | | |

GetArtifactByIdResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| artifact | Artifact | | |
| versions | ArtifactVersion | repeated | This is optional and currently always nil. |

GetArtifactByNameRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| name | string | | |
| context | Context | | |

GetArtifactByNameResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| artifact | Artifact | | |
| versions | ArtifactVersion | repeated | This is optional and currently always nil. |

GetAuthorizationURLRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| cli | bool | | cli is true if the request is being made from a CLI. |
| owner | string | optional | owner is the owner (e.g. GitHub org) that the provider is associated with. This is optional. |
| context | Context | | |
| redirect_url | string | optional | redirect_url is the URL to redirect to after the authorization is complete. |
| config | google.protobuf.Struct | | config is a JSON object that can be used to pass additional configuration |
| provider_class | string | | |

GetAuthorizationURLResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| url | string | | |
| state | string | | |

GetDataSourceByIdRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | ContextV2 | | |
| id | string | | |

GetDataSourceByIdResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| data_source | DataSource | | |

GetDataSourceByNameRequest

GetDataSourceByNameRequest is the request message for the GetDataSourceByName RPC.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | ContextV2 | | |
| name | string | | |

GetDataSourceByNameResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| data_source | DataSource | | |

GetEvaluationHistoryRequest

GetEvaluationHistoryRequest represents a request for the GetEvaluationHistory endpoint

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| id | string | | |
| context | Context | | |

GetEvaluationHistoryResponse

GetEvaluationHistoryResponse represents a response message for the GetEvaluationHistory RPC.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| evaluation | EvaluationHistory | | The requested record |

GetInviteDetailsRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| code | string | | Invite nonce/code to retrieve details for |

GetInviteDetailsResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| project_display | string | | Project associated with the invite |
| sponsor_display | string | | Sponsor of the invite |
| expires_at | google.protobuf.Timestamp | | expires_at is the time at which the invitation expires. |
| expired | bool | | expired is true if the invitation has expired |

GetProfileByIdRequest

get profile by id

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context which contains the profiles |
| id | string | | id is the id of the profile to get |

GetProfileByIdResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| profile | Profile | | |

GetProfileByNameRequest

get profile by name

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the rule type is evaluated. |
| name | string | | name is the name of the profile to get |

GetProfileByNameResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| profile | Profile | | |

GetProfileStatusByNameRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the rule type is evaluated. |
| name | string | | name is the name of the profile to get |
| entity | EntityTypedId | | entity is the entity to get status for. Incompatible with all. This is optional. |
| all | bool | | all is true if the status of all entities should be returned. Incompatible with entity. This is optional. |
| rule | string | | Deprecated. rule is the type of the rule. Deprecated in favor of rule_type |
| rule_type | string | | rule_type is the type of the rule to filter on. This is optional. |
| rule_name | string | | rule_name is the name of the rule to filter on. This is optional. |

GetProfileStatusByNameResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| profile_status | ProfileStatus | | profile_status is the status of the profile |
| rule_evaluation_status | RuleEvaluationStatus | repeated | rule_evaluation_status is the status of the rules |

GetProfileStatusByProjectRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the rule type is evaluated. |

GetProfileStatusByProjectResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| profile_status | ProfileStatus | repeated | profile_status is the status of the profile |

GetProviderRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the provider is evaluated. |
| name | string | | name is the name of the provider to get. |

GetProviderResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| provider | Provider | | provider is the provider that was retrieved. |

GetRepositoryByIdRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| repository_id | string | | |
| context | Context | | |

GetRepositoryByIdResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| repository | Repository | | |

GetRepositoryByNameRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| provider | string | | Deprecated. |
| name | string | | |
| context | Context | | |

GetRepositoryByNameResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| repository | Repository | | |

GetRuleTypeByIdRequest

GetRuleTypeByIdRequest is the request to get a rule type by id.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the rule type is evaluated. |
| id | string | | id is the id of the rule type. |

GetRuleTypeByIdResponse

GetRuleTypeByIdResponse is the response to get a rule type by id.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| rule_type | RuleType | | rule_type is the rule type. |

GetRuleTypeByNameRequest

GetRuleTypeByNameRequest is the request to get a rule type by name.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the rule type is evaluated. |
| name | string | | name is the name of the rule type. |

GetRuleTypeByNameResponse

GetRuleTypeByNameResponse is the response to get a rule type by name.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| rule_type | RuleType | | rule_type is the rule type. |

GetUserRequest

get user

GetUserResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| user | UserRecord | optional | |
| projects | Project | repeated | Deprecated. This will be deprecated in favor of the project_roles field |
| project_roles | ProjectRole | repeated | |

GitHubAppParams

GitHubAppParams is the parameters for a GitHub App provider.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| installation_id | int64 | | The GitHub installation ID for the app. On create, this is the only parameter used; the organization parameters are ignored. |
| organization | string | | The GitHub organization slug where the app is installed. This is an output-only parameter, and is validated on input if set (i.e. the value must be either empty or match the org of the installation_id). |
| organization_id | int64 | | The GitHub organization ID where the app is installed. This is an output-only parameter, and is validated on input if set (i.e. the value must be either empty or match the org of the installation_id). |

GitHubAppProviderConfig

GitHubAppProviderConfig contains the configuration for the GitHub App provider

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| endpoint | string | optional | Endpoint is the GitHub API endpoint. If using the public GitHub API, Endpoint can be left blank. |

GitHubProviderConfig

GitHubProviderConfig contains the configuration for the GitHub client

Endpoint is the GitHub API endpoint.

If using the public GitHub API, Endpoint can be left blank. Revive linting is disabled for this struct, as there is nothing wrong with the naming convention.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| endpoint | string | optional | Endpoint is the GitHub API endpoint. If using the public GitHub API, Endpoint can be left blank. |

GitLabProviderConfig

GitLabProviderConfig contains the configuration for the GitLab provider.

Endpoint is the GitLab API endpoint.

If using the public GitLab API, Endpoint can be left blank.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| endpoint | string | | Endpoint is the GitLab API endpoint. If using the public GitLab API, Endpoint can be left blank. |
| group | string | | group is the GitLab group to use for the provider |

GitType

GitType defines the git data ingester.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| clone_url | string | | clone_url is the url of the git repository. |
| branch | string | | branch is the branch of the git repository. |

Invitation

Invitation is an invitation to join a project. This is only used in responses.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| role | string | | role is the role that would be assigned if the user accepts the invitation. |
| email | string | | email is the email address of the invited user. This is presented as a convenience for display purposes, and does not affect who can accept the invitation using the code. |
| project | string | | project is the project to which the user is invited. |
| code | string | | code is a unique identifier for the invitation, which can be used by the recipient to accept or reject the invitation. The code is only transmitted in response to AssignRole or ListInvitations RPCs, and not transmitted in ListRoleAssignments or other calls. |
| created_at | google.protobuf.Timestamp | | created_at is the time at which the invitation was created. |
| expires_at | google.protobuf.Timestamp | | expires_at is the time at which the invitation expires. |
| expired | bool | | expired is true if the invitation has expired. |
| sponsor | string | | sponsor is the account (ID) of the user who created the invitation. |
| sponsor_display | string | | sponsor_display is the display name of the user who created the invitation. |
| project_display | string | | project_display is the display name of the project to which the user is invited. |
| invite_url | string | | inviteURL is the URL that can be used to accept the invitation. |
| email_skipped | bool | | emailSkipped is true if the email was not sent to the invitee. |

ListArtifactsRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| provider | string | | Deprecated. |
| context | Context | | |
| from | string | | from is the filter to apply to the list of artifacts. An example is "repository=org1/repo1,org2/repo2" to filter by repository names. This is optional. |

ListArtifactsResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| results | Artifact | repeated | |

ListChildProjectsRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | ContextV2 | | context is the context in which the child projects are listed. |
| recursive | bool | | recursive is true if child projects should be listed recursively. |

ListChildProjectsResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| projects | Project | repeated | |

ListDataSourcesRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | ContextV2 | | |

ListDataSourcesResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| data_sources | DataSource | repeated | |

ListEvaluationHistoryRequest

ListEvaluationHistoryRequest represents a request message for the ListEvaluationHistory RPC.

Most of its fields are used for filtering, except for cursor which is used for pagination.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | |
| entity_type | string | repeated | List of entity types to retrieve. |
| entity_name | string | repeated | List of entity names to retrieve. |
| profile_name | string | repeated | List of profile names to retrieve. |
| status | string | repeated | List of evaluation statuses to retrieve. |
| remediation | string | repeated | List of remediation statuses to retrieve. |
| alert | string | repeated | List of alert statuses to retrieve. |
| from | google.protobuf.Timestamp | | Timestamp representing the start time of the selection window. |
| to | google.protobuf.Timestamp | | Timestamp representing the end time of the selection window. |
| label_filter | string | repeated | Filter evaluation history to only those matching the specified labels. The default is to return all user-created profiles; the string "*" can be used to select all profiles, including system profiles. This syntax may be expanded in the future. |
| cursor | Cursor | | Cursor object to select the "page" of data to retrieve. This is optional. |

ListEvaluationHistoryResponse

ListEvaluationHistoryResponse represents a response message for the ListEvaluationHistory RPC.

It ships a collection of records retrieved and pointers to get to the next and/or previous pages of data.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| data | EvaluationHistory | repeated | List of records retrieved. |
| page | CursorPage | | Metadata of the current page and pointers to next and/or previous pages. |

ListEvaluationResultsRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the evaluation results are evaluated. |
| profile | string | | ID can contain either a profile name or an ID |
| label_filter | string | | Filter profiles to only those matching the specified labels. The default is to return all user-created profiles; the string "*" can be used to select all profiles, including system profiles. This syntax may be expanded in the future. |
| entity | EntityTypedId | repeated | If set, only return evaluation results for the named entities. If empty, return evaluation results for all entities |
| rule_name | string | repeated | If set, only return evaluation results for the named rules. If empty, return evaluation results for all rules |

ListEvaluationResultsResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| entities | ListEvaluationResultsResponse.EntityEvaluationResults | repeated | Each entity selected by the list request will have a single entry in entities which contains results of all evaluations for each profile. |

ListEvaluationResultsResponse.EntityEvaluationResults

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| entity | EntityTypedId | | |
| profiles | ListEvaluationResultsResponse.EntityProfileEvaluationResults | repeated | |

ListEvaluationResultsResponse.EntityProfileEvaluationResults

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| profile_status | ProfileStatus | | profile_status is the status of the profile - id, name, status, last_updated |
| results | RuleEvaluationStatus | repeated | Note that some fields like profile_id and entity might be empty. Eventually we might replace this type with another one that fits the API better. |

ListInvitationsRequest

ListInvitationsResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| invitations | Invitation | repeated | |

ListProfilesRequest

list profiles

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context which contains the profiles |
| label_filter | string | | Filter profiles to only those matching the specified labels. The default is to return all user-created profiles; the string "*" can be used to select all profiles, including system profiles. This syntax may be expanded in the future. |

ListProfilesResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| profiles | Profile | repeated | |

ListProjectsRequest

ListProjectsResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| projects | Project | repeated | |

ListProviderClassesRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the provider classes are evaluated. |

ListProviderClassesResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| provider_classes | string | repeated | provider_classes is the list of provider classes. |

ListProvidersRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the providers are evaluated. |
| limit | int32 | | limit is the maximum number of providers to return. 0 uses a server-defined default. |
| cursor | string | | cursor is the cursor to use for the page of results, empty if at the beginning |

ListProvidersResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| providers | Provider | repeated | |
| cursor | string | | cursor is the cursor to use for the next page of results, empty if at the end |

ListRemoteRepositoriesFromProviderRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| provider | string | | Deprecated. |
| context | Context | | |

ListRemoteRepositoriesFromProviderResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| results | UpstreamRepositoryRef | repeated | |
| entities | RegistrableUpstreamEntityRef | repeated | entities is the same list as the repositories, but it uses the new UpstreamEntityRef message. This is what we'll migrate to eventually. |

ListRepositoriesRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| provider | string | | Deprecated. |
| limit | int64 | | limit is the maximum number of results to return. This is optional. |
| context | Context | | |
| cursor | string | | cursor is the cursor to use for the next page of results. This is optional. |

ListRepositoriesResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| results | Repository | repeated | |
| cursor | string | | cursor is the cursor to use for the next page of results, empty if at the end |

ListRoleAssignmentsRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the role assignments are evaluated. |

ListRoleAssignmentsResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| role_assignments | RoleAssignment | repeated | role_assignments contains permission grants which have been accepted by a user. |
| invitations | Invitation | repeated | invitations contains outstanding role invitations which have not yet been accepted by a user. |

ListRolesRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the roles are evaluated. |

ListRolesResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| roles | Role | repeated | |

ListRuleTypesRequest

ListRuleTypesRequest is the request to list rule types.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the rule types are evaluated. |

ListRuleTypesResponse

ListRuleTypesResponse is the response to list rule types.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| rule_types | RuleType | repeated | rule_types is the list of rule types. |

PatchProfileRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | The context in which the patch is applied. Provided explicitly so that the patch itself can be minimal and contain only the attribute to set, e.g. remediate=true |
| id | string | | The id of the profile to patch. Same explanation about explicitness as for the context |
| patch | Profile | | The patch to apply to the profile |
| update_mask | google.protobuf.FieldMask | | Needed to enable PATCH, see https://grpc-ecosystem.github.io/grpc-gateway/docs/mapping/patch_feature/. This field is not exposed to the API user. |

PatchProfileResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| profile | Profile | | |

PatchProjectRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the project is updated. |
| patch | ProjectPatch | | patch is the patch to apply to the project |
| update_mask | google.protobuf.FieldMask | | Needed to enable PATCH, see https://grpc-ecosystem.github.io/grpc-gateway/docs/mapping/patch_feature/. This field is not exposed to the API user. |

PatchProjectResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| project | Project | | project is the project that was updated. |

PatchProviderRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the provider is updated. The provider name is required in this context. |
| patch | Provider | | |
| update_mask | google.protobuf.FieldMask | | |

PatchProviderResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| provider | Provider | | |

PipelineRun

Profile

Profile defines a profile that is user defined. All fields are optional because we want to allow partial updates.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the profile is evaluated. |
| id | string | optional | id is the id of the profile. This is optional and is set by the system. |
| name | string | | name is the name of the profile instance. |
| labels | string | repeated | labels are a set of system-provided attributes which can be used to filter profiles and status results. Labels cannot be set by the user, but are returned in ListProfiles. Labels use DNS label constraints, with a possible namespace prefix separated by a colon (:). They are intended to allow filtering, but not to store arbitrary metadata. DNS labels are 1-63 character alphanumeric strings with internal hyphens. An RE2-style validation regex would be: DNS_STR = "a-zA-Z0-9?" ($DNS_STR:)?$DNS_STR |
| repository | Profile.Rule | repeated | These are the entities that one could set in the profile. |
| build_environment | Profile.Rule | repeated | |
| artifact | Profile.Rule | repeated | |
| pull_request | Profile.Rule | repeated | |
| release | Profile.Rule | repeated | |
| pipeline_run | Profile.Rule | repeated | |
| task_run | Profile.Rule | repeated | |
| build | Profile.Rule | repeated | |
| selection | Profile.Selector | repeated | |
| remediate | string | optional | whether and how to remediate (on,off,dry_run) this is optional and defaults to "off" |
| alert | string | optional | whether and how to alert (on,off,dry_run) this is optional and defaults to "on" |
| type | string | | type is a placeholder for the object type. It should always be set to "profile". |
| version | string | | version is the version of the profile type. In this case, it is "v1" |
| display_name | string | | display_name is the display name of the profile. |
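The label constraints described for the `labels` field of Profile (DNS labels of 1-63 alphanumeric characters with internal hyphens, optionally prefixed by a namespace and a colon), as an added Go example that is not part of minder.proto or the Minder code base. The pattern `dnsLabel` and the names `ParseLabel`, `PartitionLabels` and `ErrInvalidLabel` are this example's own, written from that prose description; the sample labels are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// dnsLabel is this example's own RE2 pattern for a single DNS label as the
// text describes it: 1-63 alphanumeric characters, hyphens only internally.
// It is an assumption derived from the prose, not the pattern in minder.proto.
const dnsLabel = `[a-zA-Z0-9](?:[-a-zA-Z0-9]{0,61}[a-zA-Z0-9])?`

// labelRE accepts "name" or "namespace:name". Without the (?m) flag, Go's
// ^ and $ match only at the start and end of the whole input, so a trailing
// newline or any extra text makes the match fail.
var labelRE = regexp.MustCompile(`^(?:(` + dnsLabel + `):)?(` + dnsLabel + `)$`)

// ErrInvalidLabel is returned (wrapped) for any label that fails validation.
var ErrInvalidLabel = errors.New("invalid profile label")

// ParseLabel validates a label and returns its optional namespace and name.
func ParseLabel(label string) (namespace, name string, err error) {
	m := labelRE.FindStringSubmatch(label)
	if m == nil {
		return "", "", fmt.Errorf("%w: %q", ErrInvalidLabel, label)
	}
	return m[1], m[2], nil
}

// PartitionLabels splits labels into those that pass validation and those
// that do not, preserving input order in both slices.
func PartitionLabels(labels []string) (valid, rejected []string) {
	for _, l := range labels {
		if _, _, err := ParseLabel(l); err != nil {
			rejected = append(rejected, l)
			continue
		}
		valid = append(valid, l)
	}
	return valid, rejected
}

func main() {
	// Constructed sample labels, not taken from a real Minder deployment.
	samples := []string{
		"baseline",              // plain label
		"acme:baseline",         // namespace prefix
		"a",                     // minimum length
		strings.Repeat("a", 63), // maximum length
		strings.Repeat("a", 64), // one character too long
		"-leading",              // hyphen must be internal
		"trailing-",             // hyphen must be internal
		"a:b:c",                 // only one namespace prefix is allowed
		"under_score",           // underscore is not alphanumeric
		"label\n",               // trailing newline must not slip through
		"*",                     // "*" is a label_filter wildcard, not a label
		"",                      // empty
	}
	valid, rejected := PartitionLabels(samples)
	fmt.Printf("valid:    %q\n", valid)
	fmt.Printf("rejected: %q\n", rejected)
}
```
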

Profile.Rule

Rule defines the individual call of a certain rule type.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| type | string | | type is the type of the rule to be instantiated. |
| params | google.protobuf.Struct | | params are the parameters that are passed to the rule. This is optional and depends on the rule type. |
| def | google.protobuf.Struct | | def is the definition of the rule. This depends on the rule type. |
| name | string | | name is the descriptive name of the rule, not to be confused with type |

Profile.Selector

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| id | string | | id is optional and used for updates to match upserts as well as read operations. It is ignored for creates. |
| entity | string | | entity is the entity to select. |
| selector | string | | expr is the expression to select the entity. |
| description | string | | description is the human-readable description of the selector. |

ProfileStatus

get the overall profile status as output

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| profile_id | string | | profile_id is the id of the profile. One of profile_id or profile_name must be set. |
| profile_name | string | | profile_name is the name of the profile. One of profile_id or profile_name must be set. |
| profile_status | string | | profile_status is the status of the profile |
| last_updated | google.protobuf.Timestamp | | last_updated is the last time the profile was updated |
| profile_display_name | string | | profile_display_name is the display name of the profile |

Project

Project API Objects. This is only used in responses.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| project_id | string | | |
| name | string | | |
| description | string | | description is a human-readable description of the project. This is optional. |
| created_at | google.protobuf.Timestamp | | |
| updated_at | google.protobuf.Timestamp | | |
| display_name | string | | display_name allows for a human-readable name to be used. display_names are short non-unique strings to provide a user-friendly name for presentation in lists, etc. This is optional. |

ProjectPatch

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| display_name | string | optional | display_name is the display name of the project to update. |
| description | string | optional | description is the description of the project to update. |

ProjectRole

ProjectRole has the project along with the role the user has in the project

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| role | Role | | |
| project | Project | | |

Provider

Provider represents a provider that is used to interact with external systems. All fields are optional because we want to allow partial updates.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| name | string | | name is the name of the provider. |
| class | string | | class is the name of the provider implementation, eg. 'github' or 'gh-app'. |
| project | string | | project is the project where the provider is. This is ignored on input in favor of the context field in CreateProviderRequest. |
| version | string | | version is the version of the provider. if unset, "v1" is assumed. |
| implements | ProviderType | repeated | implements is the list of interfaces that the provider implements. |
| config | google.protobuf.Struct | | config is the configuration of the provider. |
| auth_flows | AuthorizationFlow | repeated | auth_flows is the list of authorization flows that the provider supports. |
| parameters | ProviderParameter | | parameters is the list of parameters that the provider requires. |
| credentials_state | string | | credentials_state is the state of the credentials for the provider. This is an output-only field. It may be: "set", "unset", "not_applicable". |
| id | string | | id is the unique identifier of the provider. |

ProviderConfig

ProviderConfig contains the generic configuration for a provider.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| auto_registration | AutoRegistration | optional | auto_registration is the configuration for auto-registering entities. |

ProviderParameter

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| github_app | GitHubAppParams | | |

RESTProviderConfig

RESTProviderConfig contains the configuration for the REST provider.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| base_url | string | optional | base_url is the base URL for the REST provider. |

ReconcileEntityRegistrationRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | |
| entity | string | | entity is the entity type |

ReconcileEntityRegistrationResponse

RegisterRepoResult

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| repository | Repository | | |
| status | RegisterRepoResult.Status | | |

RegisterRepoResult.Status

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| success | bool | | |
| error | string | optional | |

RegisterRepositoryRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| provider | string | | Deprecated. |
| repository | UpstreamRepositoryRef | | repository is the repository to register. This is optional if entity is set. |
| context | Context | | |
| entity | UpstreamEntityRef | | entity is the entity to register. This is the same as the repository field, but uses the new UpstreamEntityRef message. This is what we'll migrate to eventually. This is optional if repository is set. |

RegisterRepositoryResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| result | RegisterRepoResult | | |

RegistrableUpstreamEntityRef

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| entity | UpstreamEntityRef | | |
| registered | bool | | True if the entity is already registered in Minder. |

Release

Stubs for the SDLC entities

RemoveRoleRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the role assignment is evaluated. |
| role_assignment | RoleAssignment | | role_assignment is the role assignment to be removed. |

RemoveRoleResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| role_assignment | RoleAssignment | | role_assignment is the role assignment that was removed. |
| invitation | Invitation | | invitation contains the details of the invitation that was removed. |

Repository

Repository API objects. This is only used in responses.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| id | string | optional | id is the unique identifier of the repository within Minder. It is always populated, but the optional keyword is used for backwards compatibility. |
| context | Context | optional | |
| owner | string | | |
| name | string | | |
| repo_id | int64 | | |
| hook_id | int64 | | |
| hook_url | string | | |
| deploy_url | string | | |
| clone_url | string | | |
| hook_name | string | | |
| hook_type | string | | |
| hook_uuid | string | | |
| is_private | bool | | |
| is_fork | bool | | |
| created_at | google.protobuf.Timestamp | | |
| updated_at | google.protobuf.Timestamp | | |
| default_branch | string | | |
| license | string | | |
| properties | google.protobuf.Struct | | properties is a map of properties of the entity. |

ResolveInvitationRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| code | string | | code is the code of the invitation to resolve. |
| accept | bool | | accept is true if the invitation is accepted, false if it is rejected. |

ResolveInvitationResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| role | string | | role is the role that would be assigned if the user accepts the invitation. |
| email | string | | email is the email address of the invited user. |
| project | string | | project is the project to which the user is invited. |
| is_accepted | bool | | is_accepted is the status of the invitation. |
| project_display | string | | project_display is the display name of the project to which the user is invited. |

RestDataSource

RestDataSource is the REST data source driver.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| def | RestDataSource.DefEntry | repeated | defs is the list of definitions for the REST API. |

RestDataSource.Def

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| endpoint | string | | endpoint is the URL of the REST API. Note that endpoints are templates that can be parameterized with variables. Parametrization is done using RFC 6570. |
| method | string | | method is the HTTP method to use for the request. If left unset, it will default to "GET". |
| headers | RestDataSource.Def.HeadersEntry | repeated | headers is a map of headers to send with the request. |
| bodyobj | google.protobuf.Struct | | body is the body of the request. |
| bodystr | string | | bodystr is the body of the request as a string. |
| body_from_field | string | | body_from_field is the field in the input to use as the body. If the value is a string, it will be used as the body, as is. If the value is an object, it will be serialized as JSON. If the value is not found in the input, the request will fail. |
| parse | string | | parse is the parse configuration for the response. This allows us to serialize the response into a structured format, or not. If left unset, the response will be treated as a string. If set to "json", the response will be parsed as JSON. |
| fallback | RestDataSource.Def.Fallback | repeated | fallback is the fallback configuration for the response in case of an unexpected status code. |
| expected_status | int32 | repeated | expected_status is the expected status code for the response. This may be repeated to allow for multiple expected status codes. If left unset, it will default to 200. |
| input_schema | google.protobuf.Struct | | input_schema is the schema for the input to the REST API. |

RestDataSource.Def.Fallback

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| http_status | int32 | | |
| body | string | | |

RestDataSource.Def.HeadersEntry

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| key | string | | |
| value | string | | |

RestDataSource.DefEntry

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| key | string | | |
| value | RestDataSource.Def | | |

RestType

RestType defines the rest data evaluation. This is used to fetch data from a REST endpoint.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| endpoint | string | | endpoint is the endpoint to fetch data from. This can be a URL or path on the API. This is a required field and must be set. This is also evaluated via a template which allows us to dynamically fill in the values. |
| method | string | | method is the method to use to fetch data. |
| headers | string | repeated | headers are the headers to be sent to the endpoint. |
| body | string | optional | body is the body to be sent to the endpoint. This is expected to be a valid JSON string. |
| parse | string | | parse is the parsing mechanism to be used to parse the data. |
| fallback | RestType.Fallback | repeated | fallback provides a body that the ingester would return in case the REST call returns a non-200 status code. |

RestType.Fallback

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| http_code | int32 | | |
| body | string | | This is expected to be a valid JSON string. |

Role

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| name | string | | name is the name of the role. |
| display_name | string | | display name of the role |
| description | string | | description is the description of the role. |

RoleAssignment

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| role | string | | role is the role that is assigned. |
| subject | string | | subject is the subject to which the role is assigned. |
| display_name | string | | display_name is the display name of the subject. |
| project | string | optional | project is the project in which the role is assigned. |
| email | string | | email is the email address of the subject used for invitations. |
| first_name | string | | first_name is the first name of the subject. |
| last_name | string | | last_name is the last name of the subject. |

RpcOptions

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| no_log | bool | | |
| target_resource | TargetResource | | |
| relation | Relation | | |

RuleEvaluationStatus

get the status of the rules for a given profile

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| profile_id | string | | profile_id is the id of the profile |
| rule_id | string | | rule_id is the id of the rule |
| rule_name | string | | Deprecated. rule_name is the type of the rule. Deprecated in favor of rule_type_name |
| entity | string | | entity is the entity that was evaluated |
| status | string | | status is the status of the evaluation |
| last_updated | google.protobuf.Timestamp | | last_updated is the last time the profile was updated |
| entity_info | RuleEvaluationStatus.EntityInfoEntry | repeated | entity_info is the information about the entity |
| details | string | | details is the description of the evaluation if any |
| guidance | string | | guidance is the guidance for the evaluation if any |
| remediation_status | string | | remediation_status is the status of the remediation |
| remediation_last_updated | google.protobuf.Timestamp | optional | remediation_last_updated is the last time the remediation was performed or attempted |
| remediation_details | string | | remediation_details is the description of the remediation attempt if any |
| rule_type_name | string | | rule_type_name is the name of the rule |
| rule_description_name | string | | rule_description_name is the name to describe the rule |
| alert | EvalResultAlert | | alert holds the alert details if the rule generated an alert in an external system |
| severity | Severity | | severity is the severity of the rule. This may be empty. |
| rule_evaluation_id | string | | rule_evaluation_id is the id of the rule evaluation |
| remediation_url | string | | remediation_url is a url to get more data about a remediation, for PRs is the link to the PR |
| rule_display_name | string | | rule_display_name captures the display name of the rule |
| release_phase | RuleTypeReleasePhase | | release_phase is the phase of the release |

RuleEvaluationStatus.EntityInfoEntry

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| key | string | | |
| value | string | | |

RuleType

RuleType defines rules that may or may not be user defined. The version is assumed from the folder's version.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| version | string | | version is the version of the rule type API. |
| type | string | | type is the type of the rule. |
| id | string | optional | id is the id of the rule type. This is mostly optional and is set by the server. |
| name | string | | name is the name of the rule type. |
| display_name | string | | display_name is the display name of the rule type. |
| short_failure_message | string | | short_failure_message is the message to display when the evaluation fails. |
| context | Context | | context is the context in which the rule is evaluated. |
| def | RuleType.Definition | | def is the definition of the rule type. |
| description | string | | description is the description of the rule type. This is expected to be a valid markdown formatted string. |
| guidance | string | | guidance are instructions we give the user in case a rule fails. This is expected to be a valid markdown formatted string. |
| severity | Severity | | severity is the severity of the rule type. |
| release_phase | RuleTypeReleasePhase | | release_phase is the release phase of the rule type, i.e. alpha, beta, ga, deprecated. |

RuleType.Definition

Definition defines the rule type. It encompasses the schema and the data evaluation.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| in_entity | string | | in_entity is the entity in which the rule is evaluated. This can be repository, build_environment or artifact. |
| rule_schema | google.protobuf.Struct | | rule_schema is the schema of the rule. This is expressed in JSON Schema. |
| param_schema | google.protobuf.Struct | optional | param_schema is the schema of the parameters that are passed to the rule. This is expressed in JSON Schema. |
| ingest | RuleType.Definition.Ingest | | |
| eval | RuleType.Definition.Eval | | |
| remediate | RuleType.Definition.Remediate | | |
| alert | RuleType.Definition.Alert | | |

RuleType.Definition.Alert

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| type | string | | |
| security_advisory | RuleType.Definition.Alert.AlertTypeSA | optional | |
| pull_request_comment | RuleType.Definition.Alert.AlertTypePRComment | optional | |

RuleType.Definition.Alert.AlertTypePRComment

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| review_message | string | | |

RuleType.Definition.Alert.AlertTypeSA

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| severity | string | | |

RuleType.Definition.Eval

Eval defines the data evaluation definition. This pertains to the way we traverse data from the upstream endpoint and how we compare it to the rule.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| type | string | | type is the type of the data evaluation. |
| jq | RuleType.Definition.Eval.JQComparison | repeated | jq is only used if the jq type is selected. It defines the comparisons that are made between the ingested data and the profile rule. |
| rego | RuleType.Definition.Eval.Rego | optional | rego is only used if the rego type is selected. |
| vulncheck | RuleType.Definition.Eval.Vulncheck | optional | vulncheck is only used if the vulncheck type is selected. |
| trusty | RuleType.Definition.Eval.Trusty | optional | The trusty type is no longer used, but is still here for backwards compatibility with existing stored rules |
| homoglyphs | RuleType.Definition.Eval.Homoglyphs | optional | homoglyphs is only used if the homoglyphs type is selected. |
| data_sources | DataSourceReference | repeated | Data sources that the rule refers to. These are used to instantiate the relevant data sources for the rule and keep track of them as dependencies. Note that the data source must exist in the project hierarchy in order to be used in the rule. |

RuleType.Definition.Eval.Homoglyphs

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| type | string | | |

RuleType.Definition.Eval.JQComparison

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| ingested | RuleType.Definition.Eval.JQComparison.Operator | | Ingested points to the data retrieved in the ingest section |
| profile | RuleType.Definition.Eval.JQComparison.Operator | | Profile points to the profile itself. This is mutually exclusive with the constant field. |
| constant | google.protobuf.Value | | Constant points to a constant value. This is mutually exclusive with the profile field. |

RuleType.Definition.Eval.JQComparison.Operator

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| def | string | | |

RuleType.Definition.Eval.Rego

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| type | string | | type is the type of evaluation engine to use for rego. We currently have two modes of operation. deny-by-default: this is the default mode of operation where we deny access by default and allow access only if the profile explicitly allows it. It expects the profile to set an allow variable to true or false. constraints: this is the mode of operation where we allow access by default and deny access only if a violation is found. It expects the profile to set a violations variable with a "msg" field. |
| def | string | | def is the definition of the rego profile. |
| violation_format | string | optional | How violations are reported. This is only used if the constraints type is selected. The default is text which returns human-readable text. The other option is json which returns a JSON array containing the violations. |

RuleType.Definition.Eval.Trusty

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| endpoint | string | | This is no longer used, but is still here for backwards compatibility with existing stored rules |

RuleType.Definition.Eval.Vulncheck

no configuration for now

RuleType.Definition.Ingest

Ingest defines how the data is ingested.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| type | string | | type is the type of the data ingestion. we currently support rest, artifact and builtin. |
| rest | RestType | optional | rest is the rest data ingestion. this is only used if the type is rest. |
| builtin | BuiltinType | optional | builtin is the builtin data ingestion. |
| artifact | ArtifactType | optional | artifact is the artifact data ingestion. artifact currently only applies to artifacts. |
| git | GitType | optional | git is the git data ingestion. git currently only applies to repositories. |
| diff | DiffType | optional | diff is the diff data ingestion. diff currently only applies to pull_requests. |
| deps | DepsType | optional | deps is the deps data ingestion. deps currently only applies to repositories. |

RuleType.Definition.Remediate

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| type | string | | |
| rest | RestType | optional | |
| gh_branch_protection | RuleType.Definition.Remediate.GhBranchProtectionType | optional | |
| pull_request | RuleType.Definition.Remediate.PullRequestRemediation | optional | |

RuleType.Definition.Remediate.GhBranchProtectionType

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| patch | string | | |

RuleType.Definition.Remediate.PullRequestRemediation

the name stutters a bit but we already use a PullRequest message for handling PR entities

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| title | string | | The title of the PR. This is not validated here as it will be validated by the repository provider, i.e. GitHub upon creation of the PR. |
| body | string | | The body of the PR. This is not validated here as it will be validated by the repository provider, i.e. GitHub upon creation of the PR. |
| contents | RuleType.Definition.Remediate.PullRequestRemediation.Content | repeated | |
| method | string | | The method to use to create the PR. For now, these are supported: minder.content (ensures that the content of the file is exactly as specified; refer to the Content message for more details), minder.actions.replace_tags_with_sha (finds any github actions within a workflow file and replaces the tag with the SHA), minder.yq.evaluate (evaluates a yq expression on a file). |
| params | google.protobuf.Struct | | params are unstructured parameters passed to the method. These are optional and evaluated by the method. |
| actions_replace_tags_with_sha | RuleType.Definition.Remediate.PullRequestRemediation.ActionsReplaceTagsWithSha | optional | If the method is minder.actions.replace_tags_with_sha, this is the configuration for that method |

RuleType.Definition.Remediate.PullRequestRemediation.ActionsReplaceTagsWithSha

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| exclude | string | repeated | List of actions to exclude from the replacement |

RuleType.Definition.Remediate.PullRequestRemediation.Content

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| path | string | | the file to patch |
| action | string | | how to patch the file. For now, only replace is supported |
| content | string | | the content of the file |
| mode | string | optional | The Git mode of the file. Not UNIX mode! String because the GH API also uses strings. The usual modes are: 100644 for regular files, 100755 for executable files and 040000 for submodules (which we don't use but now you know the meaning of the 1 in 100644). See e.g. https://github.com/go-git/go-git/blob/32e0172851c35ae2fac495069c923330040903d2/plumbing/filemode/filemode.go#L16 |

Severity

Severity defines the severity of the rule.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| value | Severity.Value | | value is the severity value. |

StoreProviderTokenRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| provider | string | | Deprecated. |
| access_token | string | | access_token is the token to store. |
| owner | string | optional | owner is the owner (e.g GitHub org) that the provider is associated with. This is optional. |
| context | Context | | |

StoreProviderTokenResponse

StructDataSource

StructDataSource is the structured data source driver.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| def | StructDataSource.DefEntry | repeated | defs is the list of definitions for the structured data API. |

StructDataSource.Def

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| path | StructDataSource.Def.Path | | Path is the path specification for the structured data source. |

StructDataSource.Def.Path

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| file_name | string | | |
| alternatives | string | repeated | |

StructDataSource.DefEntry

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| key | string | | |
| value | StructDataSource.Def | | |

TaskRun

UpdateDataSourceRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| data_source | DataSource | | |

UpdateDataSourceResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| data_source | DataSource | | |

UpdateProfileRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| profile | Profile | | |

UpdateProfileResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| profile | Profile | | |

UpdateProjectRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the project is updated. |
| display_name | string | | display_name is the display name of the project to update. This is optional. |
| description | string | | description is the description of the project to update. This is optional. |

UpdateProjectResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| project | Project | | project is the project that was updated. |

UpdateRoleRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the role assignment is evaluated. |
| subject | string | | subject is the account to change permissions for. The account must already have permissions on the project |
| roles | string | repeated | All subject roles are replaced with the following role assignments. Must be non-empty, use RemoveRole to remove permissions entirely from the project. |
| email | string | | email is the email address of the subject used for updating invitations |

UpdateRoleResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| role_assignments | RoleAssignment | repeated | role_assignments are the role assignments that were updated. |
| invitations | Invitation | repeated | invitations contains the details of the invitations that were updated. |

UpdateRuleTypeRequest

UpdateRuleTypeRequest is the request to update a rule type.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| rule_type | RuleType | | rule_type is the rule type to be updated. |

UpdateRuleTypeResponse

UpdateRuleTypeResponse is the response to update a rule type.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| rule_type | RuleType | | rule_type is the rule type that was updated. |

UpstreamEntityRef

UpstreamEntityRef provides enough information for the provider to identify the entity in the upstream system.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | ContextV2 | | context is the context in which the entity is evaluated. Note that the context is included here since users of this message may return upstream references from multiple providers |
| type | Entity | | type is the type of the entity. |
| properties | google.protobuf.Struct | | properties is a map of properties of the entity. This will be used to identify the entity in the upstream system and will be a subset of the properties of the entity that will be stored in Minder. |

UpstreamRepositoryRef

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| owner | string | | owner is the owner (e.g GitHub org) that the provider is associated with. This is optional. |
| name | string | | |
| repo_id | int64 | | The upstream identity of the repository, as an integer. This is only set on output, and is ignored on input. |
| context | Context | | |
| registered | bool | | True if the repository is already registered in Minder. This is only set on output, and is ignored on input. |

UserRecord

user record to be returned

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| id | int32 | | |
| identity_subject | string | | |
| created_at | google.protobuf.Timestamp | | |
| updated_at | google.protobuf.Timestamp | | |

VerifyProviderCredentialRequest

VerifyProviderCredentialRequest contains the enrollment nonce (aka state) that was used when enrolling the provider

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | |
| enrollment_nonce | string | | enrollment_nonce is the state parameter returned when enrolling the provider |

VerifyProviderCredentialResponse

VerifyProviderCredentialResponse responds with a boolean indicating whether the provider has been created and, if it has been created, the provider name.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| created | bool | | created is true if the provider was created. |
| provider_name | string | | provider_name is the name of the provider that was created. This is populated if creation was successful. |

VerifyProviderTokenFromRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| provider | string | | Deprecated. |
| timestamp | google.protobuf.Timestamp | | |
| context | Context | | |

VerifyProviderTokenFromResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| status | string | | |

AuthorizationFlow

| Name | Number | Description |
| --- | --- | --- |
| AUTHORIZATION_FLOW_UNSPECIFIED | 0 | |
| AUTHORIZATION_FLOW_NONE | 1 | |
| AUTHORIZATION_FLOW_USER_INPUT | 2 | |
| AUTHORIZATION_FLOW_OAUTH2_AUTHORIZATION_CODE_FLOW | 3 | |
| AUTHORIZATION_FLOW_GITHUB_APP_FLOW | 4 | |

CredentialsState

| Name | Number | Description |
| --- | --- | --- |
| CREDENTIALS_STATE_UNSPECIFIED | 0 | |
| CREDENTIALS_STATE_SET | 1 | |
| CREDENTIALS_STATE_UNSET | 2 | |
| CREDENTIALS_STATE_NOT_APPLICABLE | 3 | |

Entity

Entity defines the entity that is supported by the provider.

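| Name | Number | Description |
| --- | --- | --- |
| ENTITY_UNSPECIFIED | 0 | |
| ENTITY_REPOSITORIES | 1 | |
| ENTITY_BUILD_ENVIRONMENTS | 2 | |
| ENTITY_ARTIFACTS | 3 | |
| ENTITY_PULL_REQUESTS | 4 | |
| ENTITY_RELEASE | 5 | |
| ENTITY_PIPELINE_RUN | 6 | |
| ENTITY_TASK_RUN | 7 | |
| ENTITY_BUILD | 8 | |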

ObjectOwner

| Name | Number | Description |
| --- | --- | --- |
| OBJECT_OWNER_UNSPECIFIED | 0 | |
| OBJECT_OWNER_PROJECT | 2 | |
| OBJECT_OWNER_USER | 3 | |

ProviderClass

| Name | Number | Description |
| --- | --- | --- |
| PROVIDER_CLASS_UNSPECIFIED | 0 | |
| PROVIDER_CLASS_GITHUB | 1 | |
| PROVIDER_CLASS_GITHUB_APP | 2 | |
| PROVIDER_CLASS_GHCR | 3 | |
| PROVIDER_CLASS_DOCKERHUB | 4 | |

ProviderType

ProviderTrait is the type of the provider.

| Name | Number | Description |
| --- | --- | --- |
| PROVIDER_TYPE_UNSPECIFIED | 0 | |
| PROVIDER_TYPE_GITHUB | 1 | |
| PROVIDER_TYPE_REST | 2 | |
| PROVIDER_TYPE_GIT | 3 | |
| PROVIDER_TYPE_OCI | 4 | |
| PROVIDER_TYPE_REPO_LISTER | 5 | |
| PROVIDER_TYPE_IMAGE_LISTER | 6 | |

Relation

| Name | Number | Description |
| --- | --- | --- |
| RELATION_UNSPECIFIED | 0 | |
| RELATION_CREATE | 1 | |
| RELATION_GET | 2 | |
| RELATION_UPDATE | 3 | |
| RELATION_DELETE | 4 | |
| RELATION_ROLE_LIST | 5 | |
| RELATION_ROLE_ASSIGNMENT_LIST | 6 | |
| RELATION_ROLE_ASSIGNMENT_CREATE | 7 | |
| RELATION_ROLE_ASSIGNMENT_REMOVE | 8 | |
| RELATION_REPO_GET | 9 | |
| RELATION_REPO_CREATE | 10 | |
| RELATION_REPO_UPDATE | 11 | |
| RELATION_REPO_DELETE | 12 | |
| RELATION_ARTIFACT_GET | 13 | |
| RELATION_ARTIFACT_CREATE | 14 | |
| RELATION_ARTIFACT_UPDATE | 15 | |
| RELATION_ARTIFACT_DELETE | 16 | |
| RELATION_PR_GET | 17 | |
| RELATION_PR_CREATE | 18 | |
| RELATION_PR_UPDATE | 19 | |
| RELATION_PR_DELETE | 20 | |
| RELATION_PROVIDER_GET | 21 | |
| RELATION_PROVIDER_CREATE | 22 | |
| RELATION_PROVIDER_UPDATE | 23 | |
| RELATION_PROVIDER_DELETE | 24 | |
| RELATION_RULE_TYPE_GET | 25 | |
| RELATION_RULE_TYPE_CREATE | 26 | |
| RELATION_RULE_TYPE_UPDATE | 27 | |
| RELATION_RULE_TYPE_DELETE | 28 | |
| RELATION_PROFILE_GET | 29 | |
| RELATION_PROFILE_CREATE | 30 | |
| RELATION_PROFILE_UPDATE | 31 | |
| RELATION_PROFILE_DELETE | 32 | |
| RELATION_PROFILE_STATUS_GET | 33 | |
| RELATION_REMOTE_REPO_GET | 34 | |
| RELATION_ENTITY_RECONCILIATION_TASK_CREATE | 35 | |
| RELATION_ENTITY_RECONCILE | 36 | |
| RELATION_ROLE_ASSIGNMENT_UPDATE | 37 | |
| RELATION_DATA_SOURCE_GET | 38 | |
| RELATION_DATA_SOURCE_CREATE | 39 | |
| RELATION_DATA_SOURCE_UPDATE | 40 | |
| RELATION_DATA_SOURCE_DELETE | 41 | |

RuleTypeReleasePhase

RuleTypeReleasePhase defines the release phase of the rule type.

| Name | Number | Description |
| --- | --- | --- |
| RULE_TYPE_RELEASE_PHASE_UNSPECIFIED | 0 | |
| RULE_TYPE_RELEASE_PHASE_ALPHA | 1 | |
| RULE_TYPE_RELEASE_PHASE_BETA | 2 | |
| RULE_TYPE_RELEASE_PHASE_GA | 3 | |
| RULE_TYPE_RELEASE_PHASE_DEPRECATED | 4 | |

Severity.Value

Value enumerates the severity values.

| Name | Number | Description |
| --- | --- | --- |
| VALUE_UNSPECIFIED | 0 | |
| VALUE_UNKNOWN | 1 | unknown severity means that the severity is unknown or hasn't been set. |
| VALUE_INFO | 2 | info severity means that the severity is informational and does not incur risk. |
| VALUE_LOW | 3 | low severity means that the severity is low and does not incur significant risk. |
| VALUE_MEDIUM | 4 | medium severity means that the severity is medium and may incur some risk. |
| VALUE_HIGH | 5 | high severity means that the severity is high and may incur significant risk. |
| VALUE_CRITICAL | 6 | critical severity means that the severity is critical and requires immediate attention. |

TargetResource

| Name | Number | Description |
| --- | --- | --- |
| TARGET_RESOURCE_UNSPECIFIED | 0 | |
| TARGET_RESOURCE_NONE | 1 | |
| TARGET_RESOURCE_USER | 2 | |
| TARGET_RESOURCE_PROJECT | 3 | |

File-level Extensions

| Extension | Type | Base | Number | Description |
| --- | --- | --- | --- | --- |
| name | string | .google.protobuf.EnumValueOptions | 42445 | |
| rpc_options | RpcOptions | .google.protobuf.MethodOptions | 51077 | |

Scalar Value Types

| .proto Type | Notes | C++ | Java | Python | Go | C# | PHP | Ruby |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| double | | double | double | float | float64 | double | float | Float |
| float | | float | float | float | float32 | float | float | Float |
| int32 | Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead. | int32 | int | int | int32 | int | integer | Bignum or Fixnum (as required) |
| int64 | Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead. | int64 | long | int/long | int64 | long | integer/string | Bignum |
| uint32 | Uses variable-length encoding. | uint32 | int | int/long | uint32 | uint | integer | Bignum or Fixnum (as required) |
| uint64 | Uses variable-length encoding. | uint64 | long | int/long | uint64 | ulong | integer/string | Bignum or Fixnum (as required) |
| sint32 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. | int32 | int | int | int32 | int | integer | Bignum or Fixnum (as required) |
| sint64 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. | int64 | long | int/long | int64 | long | integer/string | Bignum |
| fixed32 | Always four bytes. More efficient than uint32 if values are often greater than 2^28. | uint32 | int | int | uint32 | uint | integer | Bignum or Fixnum (as required) |
| fixed64 | Always eight bytes. More efficient than uint64 if values are often greater than 2^56. | uint64 | long | int/long | uint64 | ulong | integer/string | Bignum |
| sfixed32 | Always four bytes. | int32 | int | int | int32 | int | integer | Bignum or Fixnum (as required) |
| sfixed64 | Always eight bytes. | int64 | long | int/long | int64 | long | integer/string | Bignum |
| bool | | bool | boolean | boolean | bool | bool | boolean | TrueClass/FalseClass |
| string | A string must always contain UTF-8 encoded or 7-bit ASCII text. | string | String | str/unicode | string | string | string | String (UTF-8) |
| bytes | May contain any arbitrary sequence of bytes. | string | ByteString | str | []byte | ByteString | string | String (ASCII-8BIT) |