Trigger and Action Constraints by Finding Type

Cortex XSIAM Platform APIs

  1. Code & Image scanners Finding Types (for example, IAC_MISCONFIGURATION, SECRETS, VULNERABILITY, LICENSES, OPERATIONAL_RISK, CODE_WEAKNESS, and MALWARE)

    • For scope filters, only the following parameters are supported:
      • Category
      • Asset Type
      • Provider
      • Business Application Names
      • Application Business Criticality
      • Application Business Owner
      • Tags
      • Image Names
      • Source Branch
      • Repository Name
      • Repository Id
      • Is Public Repository
      • Has Deployed Assets
      • Has Internet-exposed deployed assets
      • Has deployed assets with Access to sensitive data
      • Has deployed assets with privileged capabilities
      • Repository labels
      • Image Architecture
      • Organization URL
    • The category parameter only supports Application, Container Image and Repository values.
    • Setting the overrideIssueSeverity parameter is mandatory when ciImage or imageRegistry actions are enabled.
  2. CI/CD Risks Finding Type (CICD_RISKS)

    • Only the Code Periodic Scan trigger is supported.
    • Only the reportIssue action is available.
    • For conditions, the category parameter supports only the following values:
      • Category
      • Application
      • CI/CD Instance
      • CI/CD Pipeline
      • VCS Collaborator
      • VCS Organization
    • For scope filters, only the following parameters are supported:
      • Asset Type
      • Provider
      • Tags
      • Business Application Names
      • Application Business Criticality
      • CI/CD Instance Name
      • CI/CD Instance Id
      • CI/CD Pipeline Name
      • CI/CD Pipeline Id
      • VCS Collaborator Name
      • VCS Collaborator Email
      • VCS Collaborator MFA Enabled
      • VCS Collaborator Last Observed
      • VCS Organization Name
      • Repository Name
      • Repository Id
      • Is Public Repository
  3. Drift Finding Type (DRIFT)

    • Only the Code Periodic Scan trigger is supported.
    • Only the reportIssue action is available.
    • For conditions, the category parameter only supports Application and Repository values.
    • For scope filters, only the following parameters are supported:
      • Category
      • Provider
      • Business Application Names
      • Application Business Criticality
      • Application Business Owner
      • Cloud Account
      • Cloud Region
      • Repository Name
      • Repository Id
      • Is Public Repository
      • Has Deployed Assets
      • Has Internet-exposed deployed assets
      • Has deployed assets with Access to sensitive data
      • Has deployed assets with privileged capabilities
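
An added example (not from the Cortex documentation): a pre-submission check that applies the constraints listed above to one rule. The rule dictionary layout and its keys `findingType`, `trigger`, `actions`, `categoryValues` and `scopeFilters` are hypothetical, not the Cortex API schema; the finding type, parameter, action and trigger names are copied from the lists above.

```python
# Added example. The rule dict layout is hypothetical, not the Cortex API schema.
SCANNER_TYPES = {"IAC_MISCONFIGURATION", "SECRETS", "VULNERABILITY", "LICENSES",
                 "OPERATIONAL_RISK", "CODE_WEAKNESS", "MALWARE"}
REPO = {"Repository Name", "Repository Id", "Is Public Repository"}
APP = {"Business Application Names", "Application Business Criticality"}
DEPLOYED = {"Has Deployed Assets", "Has Internet-exposed deployed assets",
            "Has deployed assets with Access to sensitive data",
            "Has deployed assets with privileged capabilities"}
SCOPE = {  # supported scope filter parameters per finding-type group
    "SCANNER": REPO | APP | DEPLOYED | {"Category", "Asset Type", "Provider",
        "Application Business Owner", "Tags", "Image Names", "Source Branch",
        "Repository labels", "Image Architecture", "Organization URL"},
    "CICD_RISKS": REPO | APP | {"Asset Type", "Provider", "Tags",
        "CI/CD Instance Name", "CI/CD Instance Id", "CI/CD Pipeline Name",
        "CI/CD Pipeline Id", "VCS Collaborator Name", "VCS Collaborator Email",
        "VCS Collaborator MFA Enabled", "VCS Collaborator Last Observed",
        "VCS Organization Name"},
    "DRIFT": REPO | APP | DEPLOYED | {"Category", "Provider",
        "Application Business Owner", "Cloud Account", "Cloud Region"},
}
CATEGORY = {  # supported category values, exactly as listed on the page
    "SCANNER": {"Application", "Container Image", "Repository"},
    "CICD_RISKS": {"Category", "Application", "CI/CD Instance", "CI/CD Pipeline",
                   "VCS Collaborator", "VCS Organization"},
    "DRIFT": {"Application", "Repository"},
}
# Constructed sample rule that breaks two DRIFT constraints.
SAMPLE_RULE = {"findingType": "DRIFT", "trigger": "Code Periodic Scan",
               "actions": {"reportIssue": True, "ciImage": True},
               "categoryValues": ["Repository"], "scopeFilters": ["Cloud Region", "Tags"]}

def validate_rule(rule):
    """Return a list of constraint violations for one rule (empty list = OK)."""
    group = "SCANNER" if rule["findingType"] in SCANNER_TYPES else rule["findingType"]
    if group not in SCOPE:
        return [f"unknown finding type: {group}"]
    errors = [f"scope filter not supported: {p}"
              for p in sorted(set(rule.get("scopeFilters", [])) - SCOPE[group])]
    errors += [f"category value not supported: {c}"
               for c in sorted(set(rule.get("categoryValues", [])) - CATEGORY[group])]
    enabled = {a for a, on in rule.get("actions", {}).items() if on}
    if group == "SCANNER":
        if enabled & {"ciImage", "imageRegistry"} and not rule.get("overrideIssueSeverity"):
            errors.append("overrideIssueSeverity is mandatory with ciImage/imageRegistry")
    else:  # CICD_RISKS and DRIFT share the trigger and action restrictions
        if rule.get("trigger") != "Code Periodic Scan":
            errors.append("only the Code Periodic Scan trigger is supported")
        errors += [f"action not available: {a}" for a in sorted(enabled - {"reportIssue"})]
    return errors
```
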