List AppSec policies

Cortex XSIAM Platform APIs

get /public_api/appsec/v1/policies

Retrieves a list of all Application Security policies. You can filter the results by finding types, actions, status, triggers, and the custom-policy flag (isCustom).

Required license:

Cortex XSIAM Premium. In Cortex XSIAM Enterprise and Cortex NG SIEM, requires the Cortex Cloud Posture Management add-on. Not supported in XSIAM Enterprise Plus.

Request headers
Authorization String required

{api_key}

Example: your_api_key_here
x-xdr-auth-id String required

{api_key_id}

Example: 1
Query parameters
findingTypes array[FindingType]

Type of security finding that the policy targets.

actions array[UnifiedAction]

Filter policies by action types

status PolicyStatus

Filter policies by status

triggers array[Trigger]

Filter policies by trigger types

isCustom Boolean

Filter by custom policies (true) or system-provided policies (false)

Example: true
CLIENT REQUEST
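# List AppSec policies. Replace api-yourfqdn, your_api_key_here and the
# x-xdr-auth-id value with your tenant FQDN, API key and API key ID.
# The trailing backslashes keep the request a single curl invocation; without
# them each -H line would be run by the shell as a separate command.
# A key passed with -H on the command line ends up in shell history and is
# visible in local process listings; for anything beyond a one-off test, keep
# the headers in a file with restricted permissions and pass it as -H @file.
curl -X 'GET' \
  -H 'Accept: application/json' \
  -H 'Authorization: your_api_key_here' -H 'x-xdr-auth-id: 1' \
  'https://api-yourfqdn/public_api/appsec/v1/policies?findingTypes=&actions=&status=&triggers=&isCustom=true'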
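import http.client

# List AppSec policies over HTTPS.
# "api-yourfqdn", "your_api_key_here" and "1" are placeholders for the tenant
# FQDN, the API key and the API key ID. Load the real key from a secret store
# or environment variable at run time rather than committing it with the script.
# http.client.HTTPSConnection validates the server certificate and hostname by
# default; do not pass an unverified SSL context.
# The timeout stops the call from hanging indefinitely on a stalled connection.
conn = http.client.HTTPSConnection("api-yourfqdn", timeout=30)

headers = {
    'Authorization': "your_api_key_here",
    'x-xdr-auth-id': "1",
}

try:
    conn.request(
        "GET",
        "/public_api/appsec/v1/policies?findingTypes=SOME_ARRAY_VALUE&actions=SOME_ARRAY_VALUE&status=SOME_STRING_VALUE&triggers=SOME_ARRAY_VALUE&isCustom=SOME_BOOLEAN_VALUE",
        headers=headers,
    )
    res = conn.getresponse()
    data = res.read()

    # Make authentication/licensing failures visible instead of printing an
    # error body as if it were the policy list.
    if not 200 <= res.status < 300:
        print("HTTP", res.status, res.reason)

    print(data.decode("utf-8"))
finally:
    # Always release the socket, including when the request raises.
    conn.close()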
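require 'uri'
require 'net/http'
require 'openssl'

# List AppSec policies over HTTPS.
# The host, API key and API key ID below are placeholders; load the real key
# from a secret store or environment variable rather than hard-coding it.
url = URI("https://api-yourfqdn/public_api/appsec/v1/policies?findingTypes=SOME_ARRAY_VALUE&actions=SOME_ARRAY_VALUE&status=SOME_STRING_VALUE&triggers=SOME_ARRAY_VALUE&isCustom=SOME_BOOLEAN_VALUE")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Validate the server certificate chain and hostname. VERIFY_NONE would accept
# any certificate, so the Authorization header (the API key) could be read by
# anyone able to intercept the connection.
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Get.new(url)
request["Authorization"] = 'your_api_key_here'
request["x-xdr-auth-id"] = '1'

response = http.request(request)
puts response.read_body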
// List AppSec policies with XMLHttpRequest.
// The host, API key and API key ID are placeholders.
// NOTE(review): an API key embedded in script delivered to a browser is readable
// by anyone who can load that page; confirm this sample is only run from a
// trusted, non-public context.
const requestBody = null; // GET carries no body

const xhr = new XMLHttpRequest();
// withCredentials asks the browser to attach cookies and other credentials to a
// cross-origin request, in addition to the headers set below.
xhr.withCredentials = true;

xhr.addEventListener("readystatechange", () => {
  // Only act once the response has fully arrived.
  if (xhr.readyState !== xhr.DONE) {
    return;
  }
  console.log(xhr.responseText);
});

xhr.open(
  "GET",
  "https://api-yourfqdn/public_api/appsec/v1/policies?findingTypes=SOME_ARRAY_VALUE&actions=SOME_ARRAY_VALUE&status=SOME_STRING_VALUE&triggers=SOME_ARRAY_VALUE&isCustom=SOME_BOOLEAN_VALUE"
);
xhr.setRequestHeader("Authorization", "your_api_key_here");
xhr.setRequestHeader("x-xdr-auth-id", "1");

xhr.send(requestBody);
// List AppSec policies with Unirest and read the body as a String.
// The host, API key and API key ID are placeholders; supply the real key from
// configuration or a secret store, not from source code.
String policiesUrl = "https://api-yourfqdn/public_api/appsec/v1/policies?findingTypes=SOME_ARRAY_VALUE&actions=SOME_ARRAY_VALUE&status=SOME_STRING_VALUE&triggers=SOME_ARRAY_VALUE&isCustom=SOME_BOOLEAN_VALUE";

HttpResponse<String> response = Unirest.get(policiesUrl)
    .header("Authorization", "your_api_key_here") // API key
    .header("x-xdr-auth-id", "1")                 // API key ID
    .asString();
import Foundation

// List AppSec policies with URLSession.
// The host, API key and API key ID are placeholders; do not ship a real key
// inside an application bundle or source file.
let headers = [
    "Authorization": "your_api_key_here",
    "x-xdr-auth-id": "1"
]

let endpoint = NSURL(string: "https://api-yourfqdn/public_api/appsec/v1/policies?findingTypes=SOME_ARRAY_VALUE&actions=SOME_ARRAY_VALUE&status=SOME_STRING_VALUE&triggers=SOME_ARRAY_VALUE&isCustom=SOME_BOOLEAN_VALUE")! as URL

let request = NSMutableURLRequest(
    url: endpoint,
    cachePolicy: .useProtocolCachePolicy,
    timeoutInterval: 10.0
)
request.httpMethod = "GET"
request.allHTTPHeaderFields = headers

let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
    // Success path prints the response metadata; failure path prints the error.
    if (error == nil) {
        let httpResponse = response as? HTTPURLResponse
        print(httpResponse)
    } else {
        print(error)
    }
})

// Tasks are created suspended; resume() starts the request.
dataTask.resume()
<?php

// List AppSec policies with the cURL extension.
// The host, API key and API key ID are placeholders; read the real key from
// configuration outside the web root or from the environment.
// No TLS verification option is overridden here, so libcurl's default
// certificate and hostname checks stay in effect; keep it that way.
$endpoint = "https://api-yourfqdn/public_api/appsec/v1/policies?findingTypes=SOME_ARRAY_VALUE&actions=SOME_ARRAY_VALUE&status=SOME_STRING_VALUE&triggers=SOME_ARRAY_VALUE&isCustom=SOME_BOOLEAN_VALUE";

$requestHeaders = [
    "Authorization: your_api_key_here",
    "x-xdr-auth-id: 1"
];

$handle = curl_init();

curl_setopt_array($handle, [
    CURLOPT_URL => $endpoint,
    CURLOPT_RETURNTRANSFER => true, // return the body instead of echoing it
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "GET",
    CURLOPT_HTTPHEADER => $requestHeaders,
]);

$response = curl_exec($handle);
$err = curl_error($handle);

curl_close($handle);

// curl_error() returns an empty string when the transfer succeeded.
if (!$err) {
    echo $response;
} else {
    echo "cURL Error #:" . $err;
}
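/*
 * List AppSec policies with libcurl (fragment; place inside a function).
 * The host, API key and API key ID are placeholders.
 * No CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST override is set, so
 * libcurl's default certificate and hostname verification applies.
 */
CURL *hnd = curl_easy_init();

curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "GET");
curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/appsec/v1/policies?findingTypes=SOME_ARRAY_VALUE&actions=SOME_ARRAY_VALUE&status=SOME_STRING_VALUE&triggers=SOME_ARRAY_VALUE&isCustom=SOME_BOOLEAN_VALUE");

/* Authentication headers: API key and API key ID. */
struct curl_slist *headers = NULL;
headers = curl_slist_append(headers, "Authorization: your_api_key_here");
headers = curl_slist_append(headers, "x-xdr-auth-id: 1");
curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);

/* ret is CURLE_OK when the transfer completed; check it before using the result. */
CURLcode ret = curl_easy_perform(hnd);

/* Release the header list and the easy handle; the original fragment leaked both. */
curl_slist_free_all(headers);
curl_easy_cleanup(hnd);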
// List AppSec policies with RestSharp.
// The host, API key and API key ID are placeholders; load the real key from
// protected configuration rather than a string literal.
string policiesUrl = "https://api-yourfqdn/public_api/appsec/v1/policies?findingTypes=SOME_ARRAY_VALUE&actions=SOME_ARRAY_VALUE&status=SOME_STRING_VALUE&triggers=SOME_ARRAY_VALUE&isCustom=SOME_BOOLEAN_VALUE";
RestClient client = new RestClient(policiesUrl);

RestRequest request = new RestRequest(Method.GET);
request.AddHeader("Authorization", "your_api_key_here"); // API key
request.AddHeader("x-xdr-auth-id", "1");                 // API key ID

IRestResponse response = client.Execute(request);
Responses

Ok

Body
application/json
[
dateCreatedstring

The date and time when the policy was created

suggestionHashstring

Unique identifier for the suggested policy

conditionsobject

Condition or scope filter for the policy.

SEARCH_FIELDstringrequired

Field the condition filter matches.

Example:"Finding Type"
SEARCH_TYPEstring (Enum)required

Condition operator for this filter.

Allowed values:"ARRAY_CONTAINS""ARRAY_NOT_CONTAINS""CONTAINS""CONTAINS_IN_LIST""EQ""GT""GTE""IN""JSON_WILDCARD""JSON_WILDCARD_NOT""LTE""LT""NCONTAINS""NEQ""NIN""NOT_CONTAINS_IN_LIST""RANGE""RELATIVE_TIMESTAMP""WILDCARD""WILDCARD_NOT""withinGracePeriod"
SEARCH_VALUEobjectrequired

The value compared against. The type of this field will differ depending on the SEARCH_FIELD that was specified.

boolean

The value compared against. The type of this field will differ depending on the SEARCH_FIELD that was specified.

fromnumberdouble

The lower bound of a range query.

tonumberdouble

The upper bound of a range query.

keystring

The key for key-value pair matching.

valuestring

The value for key-value pair matching.

numberdouble

The value compared against. The type of this field will differ depending on the SEARCH_FIELD that was specified.

string

The value compared against. The type of this field will differ depending on the SEARCH_FIELD that was specified.

ANDarray
[
SEARCH_FIELDstringrequired

Field the condition filter matches.

Example:"Finding Type"
SEARCH_TYPEstring (Enum)required

Condition operator for this filter.

Allowed values:"ARRAY_CONTAINS""ARRAY_NOT_CONTAINS""CONTAINS""CONTAINS_IN_LIST""EQ""GT""GTE""IN""JSON_WILDCARD""JSON_WILDCARD_NOT""LTE""LT""NCONTAINS""NEQ""NIN""NOT_CONTAINS_IN_LIST""RANGE""RELATIVE_TIMESTAMP""WILDCARD""WILDCARD_NOT""withinGracePeriod"
SEARCH_VALUEobjectrequired

The value compared against. The type of this field will differ depending on the SEARCH_FIELD that was specified.

boolean

The value compared against. The type of this field will differ depending on the SEARCH_FIELD that was specified.

fromnumberdouble

The lower bound of a range query.

tonumberdouble

The upper bound of a range query.

keystring

The key for key-value pair matching.

valuestring

The value for key-value pair matching.

numberdouble

The value compared against. The type of this field will differ depending on the SEARCH_FIELD that was specified.

string

The value compared against. The type of this field will differ depending on the SEARCH_FIELD that was specified.

ANDarray
Recursive model
ORarray
Recursive model
]
ORarray
[
SEARCH_FIELDstringrequired

Field the condition filter matches.

Example:"Finding Type"
SEARCH_TYPEstring (Enum)required

Condition operator for this filter.

Allowed values:"ARRAY_CONTAINS""ARRAY_NOT_CONTAINS""CONTAINS""CONTAINS_IN_LIST""EQ""GT""GTE""IN""JSON_WILDCARD""JSON_WILDCARD_NOT""LTE""LT""NCONTAINS""NEQ""NIN""NOT_CONTAINS_IN_LIST""RANGE""RELATIVE_TIMESTAMP""WILDCARD""WILDCARD_NOT""withinGracePeriod"
SEARCH_VALUEobjectrequired

The value compared against. The type of this field will differ depending on the SEARCH_FIELD that was specified.

boolean

The value compared against. The type of this field will differ depending on the SEARCH_FIELD that was specified.

fromnumberdouble

The lower bound of a range query.

tonumberdouble

The upper bound of a range query.

keystring

The key for key-value pair matching.

valuestring

The value for key-value pair matching.

numberdouble

The value compared against. The type of this field will differ depending on the SEARCH_FIELD that was specified.

string

The value compared against. The type of this field will differ depending on the SEARCH_FIELD that was specified.

ANDarray
Recursive model
ORarray
Recursive model
]
descriptionstring

Description of the policy

idstringrequired

Unique identifier for the policy

namestringrequired

Name of the policy

scopeobject

Condition or scope filter for the policy.

SEARCH_FIELDstringrequired

Field the condition filter matches.

Example:"Finding Type"
SEARCH_TYPEstring (Enum)required

Condition operator for this filter.

Allowed values:"ARRAY_CONTAINS""ARRAY_NOT_CONTAINS""CONTAINS""CONTAINS_IN_LIST""EQ""GT""GTE""IN""JSON_WILDCARD""JSON_WILDCARD_NOT""LTE""LT""NCONTAINS""NEQ""NIN""NOT_CONTAINS_IN_LIST""RANGE""RELATIVE_TIMESTAMP""WILDCARD""WILDCARD_NOT""withinGracePeriod"
SEARCH_VALUEobjectrequired

The value compared against. The type of this field will differ depending on the SEARCH_FIELD that was specified.

boolean

The value compared against. The type of this field will differ depending on the SEARCH_FIELD that was specified.

fromnumberdouble

The lower bound of a range query.

tonumberdouble

The upper bound of a range query.

keystring

The key for key-value pair matching.

valuestring

The value for key-value pair matching.

numberdouble

The value compared against. The type of this field will differ depending on the SEARCH_FIELD that was specified.

string

The value compared against. The type of this field will differ depending on the SEARCH_FIELD that was specified.

ANDarray
[
SEARCH_FIELDstringrequired

Field the condition filter matches.

Example:"Finding Type"
SEARCH_TYPEstring (Enum)required

Condition operator for this filter.

Allowed values:"ARRAY_CONTAINS""ARRAY_NOT_CONTAINS""CONTAINS""CONTAINS_IN_LIST""EQ""GT""GTE""IN""JSON_WILDCARD""JSON_WILDCARD_NOT""LTE""LT""NCONTAINS""NEQ""NIN""NOT_CONTAINS_IN_LIST""RANGE""RELATIVE_TIMESTAMP""WILDCARD""WILDCARD_NOT""withinGracePeriod"
SEARCH_VALUEobjectrequired

The value compared against. The type of this field will differ depending on the SEARCH_FIELD that was specified.

boolean

The value compared against. The type of this field will differ depending on the SEARCH_FIELD that was specified.

fromnumberdouble

The lower bound of a range query.

tonumberdouble

The upper bound of a range query.

keystring

The key for key-value pair matching.

valuestring

The value for key-value pair matching.

numberdouble

The value compared against. The type of this field will differ depending on the SEARCH_FIELD that was specified.

string

The value compared against. The type of this field will differ depending on the SEARCH_FIELD that was specified.

ANDarray
Recursive model
ORarray
Recursive model
]
ORarray
[
SEARCH_FIELDstringrequired

Field the condition filter matches.

Example:"Finding Type"
SEARCH_TYPEstring (Enum)required

Condition operator for this filter.

Allowed values:"ARRAY_CONTAINS""ARRAY_NOT_CONTAINS""CONTAINS""CONTAINS_IN_LIST""EQ""GT""GTE""IN""JSON_WILDCARD""JSON_WILDCARD_NOT""LTE""LT""NCONTAINS""NEQ""NIN""NOT_CONTAINS_IN_LIST""RANGE""RELATIVE_TIMESTAMP""WILDCARD""WILDCARD_NOT""withinGracePeriod"
SEARCH_VALUEobjectrequired

The value compared against. The type of this field will differ depending on the SEARCH_FIELD that was specified.

boolean

The value compared against. The type of this field will differ depending on the SEARCH_FIELD that was specified.

fromnumberdouble

The lower bound of a range query.

tonumberdouble

The upper bound of a range query.

keystring

The key for key-value pair matching.

valuestring

The value for key-value pair matching.

numberdouble

The value compared against. The type of this field will differ depending on the SEARCH_FIELD that was specified.

string

The value compared against. The type of this field will differ depending on the SEARCH_FIELD that was specified.

ANDarray
Recursive model
ORarray
Recursive model
]
triggersobject

Defines when the AppSec policy should be evaluated. Configure triggers for periodic code scans, Pull Requests (PRs), CI Code scan, CI image scans, and Registry image scans. At least one trigger must have isEnabled set to true.

cicdobject

Configuration for the CI Code trigger. When isEnabled is true, the policy is evaluated on CI/CD pipeline events.

actionsobject

Actions to take when the policy detects its target risk and the policy is triggered.

blockCicdbooleanrequired

Indicates if triggering the policy should block the CI/CD pipeline.

reportCicdbooleanrequired

Indicates if triggering the policy should soft fail the CI/CD pipeline in the platform.

reportIssuebooleanrequired

Indicates if triggering the policy should create an issue.

isEnabledbooleanrequired

Indicates whether the CI Code Scan trigger is enabled.

Default:true
overrideIssueSeverityobject (Enum)

Optional. Set the severity of the issue (and override the system severity). If not used or set to null, system severity is kept.

Allowed values:"Critical""High""Medium""Low"
ciImageobject

Configuration for the CI image trigger. When isEnabled is true, the policy is evaluated during CI image scans.

actionsobject

Actions to take when the policy detects its target risk and the policy is triggered.

blockCicdbooleanrequired

Indicates if triggering the policy should block the CI image.

reportCicdbooleanrequired

Indicates if triggering the policy should soft fail the CI image in the platform.

reportIssuebooleanrequired

Indicates if triggering the policy should create an issue.

isEnabledbooleanrequired

Indicates whether the CI Image Scan trigger is enabled.

Default:true
overrideIssueSeverityobject (Enum)required

Set the severity of the issue (and override the system severity). If not used or set to null, system severity is kept.

Allowed values:"Critical""High""Medium""Low"
imageRegistryobject

Configuration for the image registry trigger. When isEnabled is true, the policy is evaluated during registry image scans.

actionsobject

Actions to take when the policy detects its target risk and the policy is triggered.

reportIssuebooleanrequired

Indicates if triggering the policy should create an issue.

isEnabledbooleanrequired

Indicates whether the Registry Image Scan trigger is enabled.

overrideIssueSeverityobject (Enum)required

Set the severity of the issue (and override the system severity). If not used or set to null, system severity is kept.

Allowed values:"Critical""High""Medium""Low"
periodicobject

Configuration for the periodic code scan (scheduled) trigger. When isEnabled is true, the policy is evaluated during periodic code scans.

actionsobject

Actions to take when the policy detects its target risk and the policy is triggered.

reportIssuebooleanrequired

Indicates if triggering the policy should create an issue.

isEnabledbooleanrequired

Indicates whether the Periodic Scan trigger is enabled.

Default:true
overrideIssueSeverityobject (Enum)

Optional. Set the severity of the issue (and override the system severity). If not used or set to null, system severity is kept.

Allowed values:"Critical""High""Medium""Low"
probject

Configuration for the pull request (PR) trigger. When isEnabled is true, the policy is evaluated on pull request (PR) events.

actionsobject

Actions to take when the policy detects its target risk and the policy is triggered.

blockPrbooleanrequired

Indicates if triggering the policy should block the pull request.

reportIssuebooleanrequired

Indicates if triggering the policy should create an issue.

reportPrCommentbooleanrequired

Indicates if triggering the policy should create comments on the pull request.

isEnabledbooleanrequired

Indicates whether the PR Scan trigger is enabled.

Default:true
overrideIssueSeverityobject (Enum)

Optional. Set the severity of the issue (and override the system severity). If not used or set to null, system severity is kept.

Allowed values:"Critical""High""Medium""Low"
dateDeletedstring

The date and time when the policy was deleted

deletedBystring

The user or system that deleted the policy

relatedDetectionRulesarray[string]required

List of related detection rules

assetGroupIdsarray[number]

List of asset groups to which the policy applies. If the array is empty, the policy applies to all asset groups.

suggestionIdstring

Unique identifier for the suggested policy

createdBystringrequired

The user or system that created the policy

dateModifiedstring

The date and time when the policy was last modified

isClonableboolean

Indicates if the policy is cloneable

isCustombooleanrequired

Indicates if the policy is a custom policy or a system-provided policy

isEditableboolean

Indicates if the policy is editable

lastTriggeredstring

The date and time when the policy was last triggered

modifiedBystring

The user or system that last modified the policy

overrideIssueSeverityobject (Enum)

Set the severity of the issue and override the system severity. If not used, system severity is kept.

Allowed values:"Critical""High""Medium""Low"
policyTypestring

Indicates the policy type. Auto-assigned by the API based on the Finding Type in conditions. Possible values:

  • code_image_scanners: for VULNERABILITY, IAC_MISCONFIGURATION, SECRETS, CODE_WEAKNESS, LICENSES, OPERATIONAL_RISK, MALWARE
  • cicd_configuration_scanners: for CICD_RISKS
  • drift_detection_scanners: for DRIFT
scopeFieldsobject

Defines all valid scope fields grouped by category for code, CI/CD, drift, and common contexts.

applicationsScopeFieldsarrayrequired

Fields that apply to application scopes.

[
]
cicdOnlyScopeFieldsarrayrequired

Fields that only apply to CI/CD related scope keys.

[
]
codeOnlyScopeFieldsarrayrequired

Fields that only apply to code repository scope keys.

[
]
commonScopeFieldsarrayrequired

Fields that apply to both code and CI/CD scopes.

[
]
defaultScopeFieldsarrayrequired

Fields that come by default in the finding.

[
]
driftOnlyScopeFieldsarrayrequired

Fields that only apply to IAC drift scope keys.

[
]
statusstring (Enum)required

Indicates whether the policy is currently enabled or disabled.

Default:"enabled"
Allowed values:"disabled""enabled"
versionnumberrequireddouble

The version of the policy. It increases by one on every policy update.

]
RESPONSE
[ { "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "name": "Block Build and Pull Request on Valid secrets", "description": "Block Build and Pull Request on Valid secrets in public repository", "status": "disabled", "isCustom": false, "triggers": { "periodic": { "isEnabled": false, "actions": { "reportIssue": false } }, "pr": { "isEnabled": true, "actions": { "reportIssue": false, "reportPrComment": false, "blockPr": true } }, "cicd": { "isEnabled": true, "actions": { "reportIssue": false, "reportCicd": false, "blockCicd": true } }, "ciImage": { "isEnabled": false, "actions": { "reportIssue": false, "reportCicd": false, "blockCicd": false } }, "imageRegistry": { "isEnabled": false, "actions": { "reportIssue": false } } }, "isClonable": true, "isEditable": false, "policyType": "code_image_scanners", "conditions": { "AND": [ { "SEARCH_FIELD": "Finding Type", "SEARCH_TYPE": "EQ", "SEARCH_VALUE": "SECRETS" }, { "SEARCH_FIELD": "Secret Validity", "SEARCH_TYPE": "EQ", "SEARCH_VALUE": "VALID" } ] }, "relatedDetectionRules": [], "scope": { "AND": [ { "SEARCH_FIELD": "is_public_repository", "SEARCH_TYPE": "EQ", "SEARCH_VALUE": true } ] }, "createdBy": "system", "modifiedBy": null, "deletedBy": null, "version": 1, "assetGroupIds": [] } ]