Protocol Documentation

minder/v1/minder.proto

Services

ArtifactService

| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| ListArtifacts | ListArtifactsRequest | ListArtifactsResponse | |
| GetArtifactById | GetArtifactByIdRequest | GetArtifactByIdResponse | |
| GetArtifactByName | GetArtifactByNameRequest | GetArtifactByNameResponse | |

EvalResultsService

| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| ListEvaluationResults | ListEvaluationResultsRequest | ListEvaluationResultsResponse | |

HealthService

Simple Health Check Service replies with OK

| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| CheckHealth | CheckHealthRequest | CheckHealthResponse | |

OAuthService

| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| GetAuthorizationURL | GetAuthorizationURLRequest | GetAuthorizationURLResponse | |
| StoreProviderToken | StoreProviderTokenRequest | StoreProviderTokenResponse | |
| VerifyProviderTokenFrom | VerifyProviderTokenFromRequest | VerifyProviderTokenFromResponse | VerifyProviderTokenFrom verifies that a token has been created for a provider since given timestamp |
| VerifyProviderCredential | VerifyProviderCredentialRequest | VerifyProviderCredentialResponse | VerifyProviderCredential verifies that a credential has been created matching the enrollment nonce |

PermissionsService

| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| ListRoles | ListRolesRequest | ListRolesResponse | |
| ListRoleAssignments | ListRoleAssignmentsRequest | ListRoleAssignmentsResponse | |
| AssignRole | AssignRoleRequest | AssignRoleResponse | |
| RemoveRole | RemoveRoleRequest | RemoveRoleResponse | |

ProfileService

| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| CreateProfile | CreateProfileRequest | CreateProfileResponse | |
| UpdateProfile | UpdateProfileRequest | UpdateProfileResponse | |
| PatchProfile | PatchProfileRequest | PatchProfileResponse | |
| DeleteProfile | DeleteProfileRequest | DeleteProfileResponse | |
| ListProfiles | ListProfilesRequest | ListProfilesResponse | |
| GetProfileById | GetProfileByIdRequest | GetProfileByIdResponse | |
| GetProfileStatusByName | GetProfileStatusByNameRequest | GetProfileStatusByNameResponse | |
| GetProfileStatusByProject | GetProfileStatusByProjectRequest | GetProfileStatusByProjectResponse | |
| ListRuleTypes | ListRuleTypesRequest | ListRuleTypesResponse | |
| GetRuleTypeByName | GetRuleTypeByNameRequest | GetRuleTypeByNameResponse | |
| GetRuleTypeById | GetRuleTypeByIdRequest | GetRuleTypeByIdResponse | |
| CreateRuleType | CreateRuleTypeRequest | CreateRuleTypeResponse | |
| UpdateRuleType | UpdateRuleTypeRequest | UpdateRuleTypeResponse | |
| DeleteRuleType | DeleteRuleTypeRequest | DeleteRuleTypeResponse | |

ProjectsService

| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| ListProjects | ListProjectsRequest | ListProjectsResponse | |
| CreateProject | CreateProjectRequest | CreateProjectResponse | |
| DeleteProject | DeleteProjectRequest | DeleteProjectResponse | |
| UpdateProject | UpdateProjectRequest | UpdateProjectResponse | |
| PatchProject | PatchProjectRequest | PatchProjectResponse | |
| CreateEntityReconciliationTask | CreateEntityReconciliationTaskRequest | CreateEntityReconciliationTaskResponse | |

ProvidersService

| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| GetProvider | GetProviderRequest | GetProviderResponse | |
| ListProviders | ListProvidersRequest | ListProvidersResponse | |
| CreateProvider | CreateProviderRequest | CreateProviderResponse | |
| DeleteProvider | DeleteProviderRequest | DeleteProviderResponse | |
| DeleteProviderByID | DeleteProviderByIDRequest | DeleteProviderByIDResponse | |
| GetUnclaimedProviders | GetUnclaimedProvidersRequest | GetUnclaimedProvidersResponse | GetUnclaimedProviders returns a list of known provider configurations that this user could claim based on their identity. This is a read-only operation for use by clients which wish to present a menu of options. |
| ListProviderClasses | ListProviderClassesRequest | ListProviderClassesResponse | |

RepositoryService

| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| RegisterRepository | RegisterRepositoryRequest | RegisterRepositoryResponse | |
| ListRemoteRepositoriesFromProvider | ListRemoteRepositoriesFromProviderRequest | ListRemoteRepositoriesFromProviderResponse | |
| ListRepositories | ListRepositoriesRequest | ListRepositoriesResponse | |
| GetRepositoryById | GetRepositoryByIdRequest | GetRepositoryByIdResponse | |
| GetRepositoryByName | GetRepositoryByNameRequest | GetRepositoryByNameResponse | |
| DeleteRepositoryById | DeleteRepositoryByIdRequest | DeleteRepositoryByIdResponse | |
| DeleteRepositoryByName | DeleteRepositoryByNameRequest | DeleteRepositoryByNameResponse | |

UserService

manage Users CRUD

| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| CreateUser | CreateUserRequest | CreateUserResponse | |
| DeleteUser | DeleteUserRequest | DeleteUserResponse | |
| GetUser | GetUserRequest | GetUserResponse | |

Messages

Artifact

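| Field | Type | Label | Description |
| --- | --- | --- | --- |
| artifact_pk | string | | |
| owner | string | | |
| name | string | | |
| type | string | | |
| visibility | string | | |
| repository | string | | |
| versions | ArtifactVersion | repeated | |
| created_at | google.protobuf.Timestamp | | |
| context | Context | | |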

ArtifactType

ArtifactType defines the artifact data evaluation.

ArtifactVersion

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| version_id | int64 | | |
| tags | string | repeated | |
| sha | string | | |
| created_at | google.protobuf.Timestamp | | |

AssignRoleRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the role assignment is evaluated. |
| role_assignment | RoleAssignment | | role_assignment is the role assignment to be created. |

AssignRoleResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| role_assignment | RoleAssignment | | role_assignment is the role assignment that was created. |

AuthorizationParams

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| authorization_url | string | | authorization_url is an external URL to use to authorize the provider. |

BranchProtection

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| branch | string | | |
| is_protected | bool | | Add other relevant fields |

BuiltinType

BuiltinType defines the builtin data evaluation.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| method | string | | |

CheckHealthRequest

CheckHealthResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| status | string | | |

Context

Context defines the context in which a rule is evaluated. This normally refers to a combination of the provider, organization and project.

Removing the 'optional' keyword from the following two fields below will break buf compatibility checks.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| provider | string | optional | name of the provider |
| project | string | optional | ID of the project |
| retired_organization | string | optional | |

CreateEntityReconciliationTaskRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| entity | EntityTypedId | | entity is the entity to be reconciled. |
| context | Context | | context is the context in which the entity reconciliation task is created. |

CreateEntityReconciliationTaskResponse

CreateProfileRequest

Profile service

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| profile | Profile | | |

CreateProfileResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| profile | Profile | | |

CreateProjectRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the project is created. |
| name | string | | name is the name of the project to create. |

CreateProjectResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| project | Project | | project is the project that was created. |

CreateProviderRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the provider is created. |
| provider | Provider | | provider is the provider to be created. |

CreateProviderResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| provider | Provider | | provider is the provider that was created. |
| authorization | AuthorizationParams | | authorization provides additional authorization information needed to complete the initialization of the provider. |

CreateRuleTypeRequest

CreateRuleTypeRequest is the request to create a rule type.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| rule_type | RuleType | | rule_type is the rule type to be created. |

CreateRuleTypeResponse

CreateRuleTypeResponse is the response to create a rule type.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| rule_type | RuleType | | rule_type is the rule type that was created. |

CreateUserRequest

User service

CreateUserResponse

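| Field | Type | Label | Description |
| --- | --- | --- | --- |
| id | int32 | | |
| organization_id | string | | Deprecated. |
| organizatio_name | string | | Deprecated. |
| project_id | string | | |
| project_name | string | | |
| identity_subject | string | | |
| created_at | google.protobuf.Timestamp | | |
| context | Context | | |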

DeleteProfileRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the rule type is evaluated. |
| id | string | | id is the id of the profile to delete |

DeleteProfileResponse

DeleteProjectRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the project is deleted. |

DeleteProjectResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| project_id | string | | project_id is the id of the project that was deleted. |

DeleteProviderByIDRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the provider is deleted. Only the project is required in this context. |
| id | string | | id is the id of the provider to delete |

DeleteProviderByIDResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| id | string | | id is the id of the provider that was deleted |

DeleteProviderRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the provider is deleted. Both project and provider are required in this context. |

DeleteProviderResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| name | string | | name is the name of the provider that was deleted |

DeleteRepositoryByIdRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| repository_id | string | | |
| context | Context | | |

DeleteRepositoryByIdResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| repository_id | string | | |

DeleteRepositoryByNameRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| provider | string | | Deprecated. |
| name | string | | |
| context | Context | | |

DeleteRepositoryByNameResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| name | string | | |

DeleteRuleTypeRequest

DeleteRuleTypeRequest is the request to delete a rule type.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the rule type is evaluated. |
| id | string | | id is the id of the rule type to be deleted. |

DeleteRuleTypeResponse

DeleteRuleTypeResponse is the response to delete a rule type.

DeleteUserRequest

DeleteUserResponse

Dependency

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| ecosystem | DepEcosystem | | |
| name | string | | |
| version | string | | |

DiffType

DiffType defines the diff data ingester.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| ecosystems | DiffType.Ecosystem | repeated | ecosystems is the list of ecosystems to be used for the "dep" diff type. |
| type | string | | type is the type of diff ingestor to use. The default is "dep" which will leverage the ecosystems array. |

DiffType.Ecosystem

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| name | string | | name is the name of the ecosystem. |
| depfile | string | | depfile is the file that contains the dependencies for this ecosystem |

EntityTypedId

EntityTypedId is a message that carries an ID together with a type to uniquely identify an entity such as (repo, 1), (artifact, 2), ...

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| type | Entity | | entity is the entity to get status for. Incompatible with all |
| id | string | | id is the ID of the entity to get status for. Incompatible with all |

EvalResultAlert

EvalResultAlert holds the alert details for a given rule evaluation

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| status | string | | status is the status of the alert |
| last_updated | google.protobuf.Timestamp | | last_updated is the last time the alert was performed or attempted |
| details | string | | details is the description of the alert attempt if any |
| url | string | | url is the URL to the alert |

GetArtifactByIdRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| id | string | | |
| context | Context | | |

GetArtifactByIdResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| artifact | Artifact | | |
| versions | ArtifactVersion | repeated | |

GetArtifactByNameRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| name | string | | |
| context | Context | | |

GetArtifactByNameResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| artifact | Artifact | | |
| versions | ArtifactVersion | repeated | |

GetAuthorizationURLRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| cli | bool | | |
| port | int32 | | |
| owner | string | optional | |
| context | Context | | |
| redirect_url | string | optional | |

GetAuthorizationURLResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| url | string | | |
| state | string | | |

GetProfileByIdRequest

get profile by id

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context which contains the profiles |
| id | string | | id is the id of the profile to get |

GetProfileByIdResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| profile | Profile | | |

GetProfileStatusByNameRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the rule type is evaluated. |
| name | string | | name is the name of the profile to get |
| entity | EntityTypedId | | |
| all | bool | | |
| rule | string | | Deprecated. rule is the type of the rule. Deprecated in favor of rule_type |
| rule_type | string | | |
| rule_name | string | | |

GetProfileStatusByNameResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| profile_status | ProfileStatus | | profile_status is the status of the profile |
| rule_evaluation_status | RuleEvaluationStatus | repeated | rule_evaluation_status is the status of the rules |

GetProfileStatusByProjectRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the rule type is evaluated. |

GetProfileStatusByProjectResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| profile_status | ProfileStatus | repeated | profile_status is the status of the profile |

GetProviderRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the provider is evaluated. |
| name | string | | name is the name of the provider to get. |

GetProviderResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| provider | Provider | | provider is the provider that was retrieved. |

GetRepositoryByIdRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| repository_id | string | | |
| context | Context | | |

GetRepositoryByIdResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| repository | Repository | | |

GetRepositoryByNameRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| provider | string | | Deprecated. |
| name | string | | |
| context | Context | | |

GetRepositoryByNameResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| repository | Repository | | |

GetRuleTypeByIdRequest

GetRuleTypeByIdRequest is the request to get a rule type by id.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the rule type is evaluated. |
| id | string | | id is the id of the rule type. |

GetRuleTypeByIdResponse

GetRuleTypeByIdResponse is the response to get a rule type by id.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| rule_type | RuleType | | rule_type is the rule type. |

GetRuleTypeByNameRequest

GetRuleTypeByNameRequest is the request to get a rule type by name.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the rule type is evaluated. |
| name | string | | name is the name of the rule type. |

GetRuleTypeByNameResponse

GetRuleTypeByNameResponse is the response to get a rule type by name.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| rule_type | RuleType | | rule_type is the rule type. |

GetUnclaimedProvidersRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the set of providers are evaluated. |

GetUnclaimedProvidersResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| providers | ProviderParameter | repeated | providers is a set of parameters which can be supplied to allow the user to assign existing unclaimed credentials to a new provider in the project via CreateProvider(). |

GetUserRequest

list users get user

GetUserResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| user | UserRecord | optional | |
| projects | Project | repeated | |

GitHubAppParams

GitHubAppParams is the parameters for a GitHub App provider.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| installation_id | int64 | | The GitHub installation ID for the app. On create, this is the only parameter used; the organization parameters are ignored. |
| organization | string | | The GitHub organization slug where the app is installed. This is an output-only parameter, and is validated on input if set (i.e. the value must be either empty or match the org of the installation_id). |
| organization_id | int64 | | The GitHub organization ID where the app is installed. This is an output-only parameter, and is validated on input if set (i.e. the value must be either empty or match the org of the installation_id). |

GitHubAppProviderConfig

GitHubAppProviderConfig contains the configuration for the GitHub App provider

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| endpoint | string | | Endpoint is the GitHub API endpoint. If using the public GitHub API, Endpoint can be left blank. |

GitHubProviderConfig

GitHubProviderConfig contains the configuration for the GitHub client

Endpoint: is the GitHub API endpoint

If using the public GitHub API, Endpoint can be left blank. Disable revive linting for this struct as there is nothing wrong with the naming convention.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| endpoint | string | | Endpoint is the GitHub API endpoint. If using the public GitHub API, Endpoint can be left blank. |

GitType

GitType defines the git data ingester.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| clone_url | string | | clone_url is the url of the git repository. |
| branch | string | | branch is the branch of the git repository. |

ListArtifactsRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| provider | string | | |
| context | Context | | |
| from | string | | |

ListArtifactsResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| results | Artifact | repeated | |

ListEvaluationResultsRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the evaluation results are evaluated. |
| profile | string | | ID can contain either a profile name or an ID |
| label_filter | string | | Filter profiles to only those matching the specified labels. The default is to return all user-created profiles; the string "*" can be used to select all profiles, including system profiles. This syntax may be expanded in the future. |
| entity | EntityTypedId | repeated | If set, only return evaluation results for the named entities. If empty, return evaluation results for all entities |
| rule_name | string | repeated | If set, only return evaluation results for the named rules. If empty, return evaluation results for all rules |

ListEvaluationResultsResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| entities | ListEvaluationResultsResponse.EntityEvaluationResults | repeated | Each entity selected by the list request will have a single entry in entities which contains results of all evaluations for each profile. |

ListEvaluationResultsResponse.EntityEvaluationResults

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| entity | EntityTypedId | | |
| profiles | ListEvaluationResultsResponse.EntityProfileEvaluationResults | repeated | |

ListEvaluationResultsResponse.EntityProfileEvaluationResults

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| profile_status | ProfileStatus | | profile_status is the status of the profile - id, name, status, last_updated |
| results | RuleEvaluationStatus | repeated | Note that some fields like profile_id and entity might be empty. Eventually we might replace this type with another one that fits the API better. |

ListProfilesRequest

list profiles

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context which contains the profiles |
| label_filter | string | | Filter profiles to only those matching the specified labels. The default is to return all user-created profiles; the string "*" can be used to select all profiles, including system profiles. This syntax may be expanded in the future. |

ListProfilesResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| profiles | Profile | repeated | |

ListProjectsRequest

ListProjectsResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| projects | Project | repeated | |

ListProviderClassesRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the provider classes are evaluated. |

ListProviderClassesResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| provider_classes | string | repeated | provider_classes is the list of provider classes. |

ListProvidersRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the providers are evaluated. |
| limit | int32 | | limit is the maximum number of providers to return. |
| cursor | string | | cursor is the cursor to use for the page of results, empty if at the beginning |

ListProvidersResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| providers | Provider | repeated | |
| cursor | string | | cursor is the cursor to use for the next page of results, empty if at the end |

ListRemoteRepositoriesFromProviderRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| provider | string | | Deprecated. |
| context | Context | | |

ListRemoteRepositoriesFromProviderResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| results | UpstreamRepositoryRef | repeated | |

ListRepositoriesRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| provider | string | | Deprecated. |
| limit | int64 | | |
| context | Context | | |
| cursor | string | | |

ListRepositoriesResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| results | Repository | repeated | |
| cursor | string | | cursor is the cursor to use for the next page of results, empty if at the end |

ListRoleAssignmentsRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the role assignments are evaluated. |

ListRoleAssignmentsResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| role_assignments | RoleAssignment | repeated | |

ListRolesRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the roles are evaluated. |

ListRolesResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| roles | Role | repeated | |

ListRuleTypesRequest

ListRuleTypesRequest is the request to list rule types.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the rule types are evaluated. |

ListRuleTypesResponse

ListRuleTypesResponse is the response to list rule types.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| rule_types | RuleType | repeated | rule_types is the list of rule types. |

PatchProfileRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | The context in which the patch is applied. Provided explicitly so that the patch itself can be minimal and contain only the attribute to set, e.g. remediate=true |
| id | string | | The id of the profile to patch. Same explanation about explicitness as for the context |
| patch | Profile | | The patch to apply to the profile |
| update_mask | google.protobuf.FieldMask | | Needed to enable PATCH, see https://grpc-ecosystem.github.io/grpc-gateway/docs/mapping/patch_feature/. Is not exposed to the API user. |

PatchProfileResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| profile | Profile | | |

PatchProjectRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the project is updated. |
| patch | ProjectPatch | | patch is the patch to apply to the project |
| update_mask | google.protobuf.FieldMask | | Needed to enable PATCH, see https://grpc-ecosystem.github.io/grpc-gateway/docs/mapping/patch_feature/. Is not exposed to the API user. |

PatchProjectResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| project | Project | | project is the project that was updated. |

PrContents

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| pr | PullRequest | | |
| files | PrContents.File | repeated | |

PrContents.File

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| name | string | | |
| file_patch_url | string | | |
| patch_lines | PrContents.File.Line | repeated | |

PrContents.File.Line

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| line_number | int32 | | Deliberately left as an int32: a diff with more than 2^31 lines could lead to various problems while processing. |
| content | string | | |

PrDependencies

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| pr | PullRequest | | |
| deps | PrDependencies.ContextualDependency | repeated | |

PrDependencies.ContextualDependency

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| dep | Dependency | | |
| file | PrDependencies.ContextualDependency.FilePatch | | |

PrDependencies.ContextualDependency.FilePatch

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| name | string | | file changed, e.g. package-lock.json |
| patch_url | string | | points to the raw patchfile |

Profile

Profile defines a profile that is user defined.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the profile is evaluated. |
| id | string | optional | id is the id of the profile. This is optional and is set by the system. |
| name | string | | name is the name of the profile instance. |
| labels | string | repeated | labels are a set of system-provided attributes which can be used to filter profiles and status results. Labels cannot be set by the user, but are returned in ListProfiles. Labels use DNS label constraints, with a possible namespace prefix separated by a colon (:). They are intended to allow filtering, but not to store arbitrary metadata. DNS labels are 1-63 character alphanumeric strings with internal hyphens. An RE2-style validation regex would be: DNS_STR = "a-zA-Z0-9?" ($DNS_STR:)?$DNS_STR |
| repository | Profile.Rule | repeated | These are the entities that one could set in the profile. |
| build_environment | Profile.Rule | repeated | |
| artifact | Profile.Rule | repeated | |
| pull_request | Profile.Rule | repeated | |
| remediate | string | optional | whether and how to remediate (on,off,dry_run) this is optional and defaults to "off" |
| alert | string | optional | whether and how to alert (on,off,dry_run) this is optional and defaults to "on" |
| type | string | | type is a placeholder for the object type. It should always be set to "profile". |
| version | string | | version is the version of the profile type. In this case, it is "v1" |
| display_name | string | | display_name is the display name of the profile. |
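
The label rule described for the `labels` field, as an added example that is not part of the original documentation or the project's code: the pattern is written from the prose (1-63 characters, alphanumeric ends, internal hyphens, optional `namespace:` prefix), and `ParseLabel` and `PartitionLabels` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// dnsLabel follows the prose rule above: 1-63 characters, alphanumeric at
// both ends, hyphens only in between. Assumption: built from that sentence,
// not copied from the project's source.
const dnsLabel = `[a-zA-Z0-9](?:[-a-zA-Z0-9]{0,61}[a-zA-Z0-9])?`

// labelRE accepts "name" or "namespace:name" and nothing else. Go's regexp
// package uses RE2 syntax, matching the "RE2-style" wording of the page.
var labelRE = regexp.MustCompile(`^(?:(` + dnsLabel + `):)?(` + dnsLabel + `)$`)

// ParseLabel (hypothetical helper) splits a label into namespace and name.
// The namespace is empty when the label has no prefix.
func ParseLabel(s string) (namespace, name string, err error) {
	m := labelRE.FindStringSubmatch(s)
	if m == nil {
		return "", "", fmt.Errorf("invalid profile label %q", s)
	}
	return m[1], m[2], nil
}

// PartitionLabels (hypothetical helper) separates well-formed labels from
// rejected ones so a caller can log or refuse the bad input.
func PartitionLabels(in []string) (valid, rejected []string) {
	for _, l := range in {
		if _, _, err := ParseLabel(l); err != nil {
			rejected = append(rejected, l)
			continue
		}
		valid = append(valid, l)
	}
	return valid, rejected
}

func main() {
	// Constructed sample input, not taken from a real deployment.
	samples := []string{
		"managed", "system:managed", "a-b", "-leading", "trailing-",
		"a:b:c", "owner=alice", "",
		strings.Repeat("a", 63), strings.Repeat("a", 64),
	}
	valid, rejected := PartitionLabels(samples)
	fmt.Printf("valid:    %q\nrejected: %q\n", valid, rejected)
}
```

Anchoring the pattern with `^` and `$` is what keeps free-form values such as `owner=alice` out, in line with the statement that labels are for filtering and not for arbitrary metadata.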

Profile.Rule

Rule defines the individual call of a certain rule type.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| type | string | | type is the type of the rule to be instantiated. |
| params | google.protobuf.Struct | | params are the parameters that are passed to the rule. This is optional and depends on the rule type. |
| def | google.protobuf.Struct | | def is the definition of the rule. This depends on the rule type. |
| name | string | | name is the descriptive name of the rule, not to be confused with type |

ProfileStatus

get the overall profile status

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| profile_id | string | | profile_id is the id of the profile |
| profile_name | string | | profile_name is the name of the profile |
| profile_status | string | | profile_status is the status of the profile |
| last_updated | google.protobuf.Timestamp | | last_updated is the last time the profile was updated |
| profile_display_name | string | | profile_display_name is the display name of the profile |

Project

Project API Objects

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| project_id | string | | |
| name | string | | |
| description | string | | |
| created_at | google.protobuf.Timestamp | | |
| updated_at | google.protobuf.Timestamp | | |
| display_name | string | | display_name allows for a human-readable name to be used. display_names are short non-unique strings to provide a user-friendly name for presentation in lists, etc. |

ProjectPatch

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| display_name | string | optional | display_name is the display name of the project to update. |
| description | string | optional | description is the description of the project to update. |

Provider

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| name | string | | name is the name of the provider. |
| class | string | | class is the name of the provider implementation, e.g. 'github' or 'gh-app'. |
| project | string | | project is the project where the provider is. This is ignored on input in favor of the context field in CreateProviderRequest. |
| version | string | | version is the version of the provider. |
| implements | ProviderType | repeated | implements is the list of interfaces that the provider implements. |
| config | google.protobuf.Struct | | config is the configuration of the provider. |
| auth_flows | AuthorizationFlow | repeated | auth_flows is the list of authorization flows that the provider supports. |
| parameters | ProviderParameter | | parameters is the list of parameters that the provider requires. |
| credentials_state | string | | credentials_state is the state of the credentials for the provider. This is an output-only field. It may be: "set", "unset", "not_applicable". |

ProviderParameter

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| github_app | GitHubAppParams | | |

PullRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| url | string | | The full URL to the PR |
| commit_sha | string | | Commit SHA of the PR HEAD. Will be useful to submit a review |
| number | int64 | | The sequential PR number (not the DB PK!) |
| repo_owner | string | | The owner of the repo, will be used to submit a review |
| repo_name | string | | The name of the repo, will be used to submit a review |
| author_id | int64 | | The author of the PR, will be used to check if we can request changes |
| action | string | | The action that triggered the webhook |
| context | Context | | |

RESTProviderConfig

RESTProviderConfig contains the configuration for the REST provider.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| base_url | string | | base_url is the base URL for the REST provider. |

RegisterRepoResult

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| repository | Repository | | |
| status | RegisterRepoResult.Status | | |

RegisterRepoResult.Status

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| success | bool | | |
| error | string | optional | |

RegisterRepositoryRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| provider | string | | Deprecated. |
| repository | UpstreamRepositoryRef | | |
| context | Context | | |

RegisterRepositoryResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| result | RegisterRepoResult | | |

RemoveRoleRequest

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| context | Context | | context is the context in which the role assignment is evaluated. |
| role_assignment | RoleAssignment | | role_assignment is the role assignment to be removed. |

RemoveRoleResponse

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| role_assignment | RoleAssignment | | role_assignment is the role assignment that was removed. |

Repository

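| Field | Type | Label | Description |
| --- | --- | --- | --- |
| id | string | optional | This is optional when returning remote repositories |
| context | Context | optional | |
| owner | string | | |
| name | string | | |
| repo_id | int64 | | |
| hook_id | int64 | | |
| hook_url | string | | |
| deploy_url | string | | |
| clone_url | string | | |
| hook_name | string | | |
| hook_type | string | | |
| hook_uuid | string | | |
| is_private | bool | | |
| is_fork | bool | | |
| registered | bool | | |
| created_at | google.protobuf.Timestamp | | |
| updated_at | google.protobuf.Timestamp | | |
| default_branch | string | | |
| license | string | | |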

RestType

RestType defines the rest data evaluation. This is used to fetch data from a REST endpoint.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| endpoint | string | | endpoint is the endpoint to fetch data from. This can be a URL or the path on the API. This is a required field and must be set. This is also evaluated via a template which allows us to dynamically fill in the values. |
| method | string | | method is the method to use to fetch data. |
| headers | string | repeated | headers are the headers to be sent to the endpoint. |
| body | string | optional | body is the body to be sent to the endpoint. |
| parse | string | | parse is the parsing mechanism to be used to parse the data. |
| fallback | RestType.Fallback | repeated | fallback provides a body that the ingester would return in case the REST call returns a non-200 status code. |

RestType.Fallback

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| http_code | int32 | | |
| body | string | | |

Role

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| name | string | | name is the name of the role. |
| description | string | | description is the description of the role. |

RoleAssignment

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| role | string | | role is the role that is assigned. |
| subject | string | | subject is the subject to which the role is assigned. |
| project | string | optional | project is the project in which the role is assigned. |

RpcOptions

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| no_log | bool | | |
| target_resource | TargetResource | | |
| relation | Relation | | |

RuleEvaluationStatus

get the status of the rules for a given profile

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| profile_id | string | | profile_id is the id of the profile |
| rule_id | string | | rule_id is the id of the rule |
| rule_name | string | | Deprecated. rule_name is the type of the rule. Deprecated in favor of rule_type_name |
| entity | string | | entity is the entity that was evaluated |
| status | string | | status is the status of the evaluation |
| last_updated | google.protobuf.Timestamp | | last_updated is the last time the profile was updated |
| entity_info | RuleEvaluationStatus.EntityInfoEntry | repeated | entity_info is the information about the entity |
| details | string | | details is the description of the evaluation if any |
| guidance | string | | guidance is the guidance for the evaluation if any |
| remediation_status | string | | remediation_status is the status of the remediation |
| remediation_last_updated | google.protobuf.Timestamp | optional | remediation_last_updated is the last time the remediation was performed or attempted |
| remediation_details | string | | remediation_details is the description of the remediation attempt if any |
| rule_type_name | string | | rule_type_name is the name of the rule |
| rule_description_name | string | | rule_description_name is the name to describe the rule |
| alert | EvalResultAlert | | alert holds the alert details if the rule generated an alert in an external system |
| severity | Severity | | severity is the severity of the rule |
| rule_evaluation_id | string | | rule_evaluation_id is the id of the rule evaluation |
| remediation_url | string | | remediation_url is a url to get more data about a remediation, for PRs is the link to the PR |
| rule_display_name | string | | rule_display_name captures the display name of the rule |

RuleEvaluationStatus.EntityInfoEntry

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| key | string | | |
| value | string | | |

RuleType

RuleType defines rules that may or may not be user defined. The version is assumed from the folder's version.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| id | string | optional | id is the id of the rule type. This is mostly optional and is set by the server. |
| name | string | | name is the name of the rule type. |
| display_name | string | | display_name is the display name of the rule type. |
| context | Context | | context is the context in which the rule is evaluated. |
| def | RuleType.Definition | | def is the definition of the rule type. |
| description | string | | description is the description of the rule type. |
| guidance | string | | guidance are instructions we give the user in case a rule fails. |
| severity | Severity | | severity is the severity of the rule type. |

RuleType.Definition

Definition defines the rule type. It encompasses the schema and the data evaluation.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| in_entity | string | | in_entity is the entity in which the rule is evaluated. This can be repository, build_environment or artifact. |
| rule_schema | google.protobuf.Struct | | rule_schema is the schema of the rule. This is expressed in JSON Schema. |
| param_schema | google.protobuf.Struct | optional | param_schema is the schema of the parameters that are passed to the rule. This is expressed in JSON Schema. |
| ingest | RuleType.Definition.Ingest | | |
| eval | RuleType.Definition.Eval | | |
| remediate | RuleType.Definition.Remediate | | |
| alert | RuleType.Definition.Alert | | |

RuleType.Definition.Alert

| Field | Type | Label | Description |
|---|---|---|---|
| type | string | | |
| security_advisory | RuleType.Definition.Alert.AlertTypeSA | optional | |

RuleType.Definition.Alert.AlertTypeSA

| Field | Type | Label | Description |
|---|---|---|---|
| severity | string | | |

RuleType.Definition.Eval

Eval defines the data evaluation definition. This pertains to the way we traverse data from the upstream endpoint and how we compare it to the rule.

| Field | Type | Label | Description |
|---|---|---|---|
| type | string | | type is the type of the data evaluation. Right now only jq is supported as a driver |
| jq | RuleType.Definition.Eval.JQComparison | repeated | jq is only used if the jq type is selected. It defines the comparisons that are made between the ingested data and the profile rule. |
| rego | RuleType.Definition.Eval.Rego | optional | rego is only used if the rego type is selected. |
| vulncheck | RuleType.Definition.Eval.Vulncheck | optional | vulncheck is only used if the vulncheck type is selected. |
| trusty | RuleType.Definition.Eval.Trusty | optional | The trusty type is no longer used, but is still here for backwards compatibility with existing stored rules |
| homoglyphs | RuleType.Definition.Eval.Homoglyphs | optional | homoglyphs is only used if the homoglyphs type is selected. |

RuleType.Definition.Eval.Homoglyphs

| Field | Type | Label | Description |
|---|---|---|---|
| type | string | | |

RuleType.Definition.Eval.JQComparison

| Field | Type | Label | Description |
|---|---|---|---|
| ingested | RuleType.Definition.Eval.JQComparison.Operator | | Ingested points to the data retrieved in the ingest section |
| profile | RuleType.Definition.Eval.JQComparison.Operator | | Profile points to the profile itself. |

RuleType.Definition.Eval.JQComparison.Operator

| Field | Type | Label | Description |
|---|---|---|---|
| def | string | | |

RuleType.Definition.Eval.Rego

| Field | Type | Label | Description |
|---|---|---|---|
| type | string | | type is the type of evaluation engine to use for rego. We currently have two modes of operation: (1) deny-by-default: this is the default mode of operation where we deny access by default and allow access only if the profile explicitly allows it. It expects the profile to set an allow variable to true or false. (2) constraints: this is the mode of operation where we allow access by default and deny access only if a violation is found. It expects the profile to set a violations variable with a "msg" field. |
| def | string | | def is the definition of the rego profile. |
| violation_format | string | optional | how are violations reported. This is only used if the constraints type is selected. The default is text which returns human-readable text. The other option is json which returns a JSON array containing the violations. |

RuleType.Definition.Eval.Trusty

| Field | Type | Label | Description |
|---|---|---|---|
| endpoint | string | | This is no longer used, but is still here for backwards compatibility with existing stored rules |

RuleType.Definition.Eval.Vulncheck

no configuration for now

RuleType.Definition.Ingest

Ingest defines how the data is ingested.

| Field | Type | Label | Description |
|---|---|---|---|
| type | string | | type is the type of the data ingestion. we currently support rest, artifact and builtin. |
| rest | RestType | optional | rest is the rest data ingestion. this is only used if the type is rest. |
| builtin | BuiltinType | optional | builtin is the builtin data ingestion. |
| artifact | ArtifactType | optional | artifact is the artifact data ingestion. |
| git | GitType | optional | git is the git data ingestion. |
| diff | DiffType | optional | diff is the diff data ingestion. |

RuleType.Definition.Remediate

| Field | Type | Label | Description |
|---|---|---|---|
| type | string | | |
| rest | RestType | optional | |
| gh_branch_protection | RuleType.Definition.Remediate.GhBranchProtectionType | optional | |
| pull_request | RuleType.Definition.Remediate.PullRequestRemediation | optional | |

RuleType.Definition.Remediate.GhBranchProtectionType

| Field | Type | Label | Description |
|---|---|---|---|
| patch | string | | |

RuleType.Definition.Remediate.PullRequestRemediation

the name stutters a bit but we already use a PullRequest message for handling PR entities

| Field | Type | Label | Description |
|---|---|---|---|
| title | string | | the title of the PR |
| body | string | | the body of the PR |
| contents | RuleType.Definition.Remediate.PullRequestRemediation.Content | repeated | |
| method | string | | the method to use to create the PR. For now, these are supported: (1) minder.content, which ensures that the content of the file is exactly as specified (refer to the Content message for more details); (2) minder.actions.replace_tags_with_sha, which finds any github actions within a workflow file and replaces the tag with the SHA |
| actions_replace_tags_with_sha | RuleType.Definition.Remediate.PullRequestRemediation.ActionsReplaceTagsWithSha | optional | If the method is minder.actions.replace_tags_with_sha, this is the configuration for that method |

RuleType.Definition.Remediate.PullRequestRemediation.ActionsReplaceTagsWithSha

| Field | Type | Label | Description |
|---|---|---|---|
| exclude | string | repeated | List of actions to exclude from the replacement |

RuleType.Definition.Remediate.PullRequestRemediation.Content

| Field | Type | Label | Description |
|---|---|---|---|
| path | string | | the file to patch |
| action | string | | how to patch the file. For now, only replace is supported |
| content | string | | the content of the file |
| mode | string | optional | the GIT mode of the file. Not UNIX mode! String because the GH API also uses strings. The usual modes are: 100644 for regular files, 100755 for executable files and 040000 for submodules (which we don't use but now you know the meaning of the 1 in 100644). See e.g. https://github.com/go-git/go-git/blob/32e0172851c35ae2fac495069c923330040903d2/plumbing/filemode/filemode.go#L16 |

Severity

Severity defines the severity of the rule.

| Field | Type | Label | Description |
|---|---|---|---|
| value | Severity.Value | | value is the severity value. |

StoreProviderTokenRequest

| Field | Type | Label | Description |
|---|---|---|---|
| provider | string | | Deprecated. |
| access_token | string | | |
| owner | string | optional | |
| context | Context | | |

StoreProviderTokenResponse

UpdateProfileRequest

| Field | Type | Label | Description |
|---|---|---|---|
| profile | Profile | | |

UpdateProfileResponse

| Field | Type | Label | Description |
|---|---|---|---|
| profile | Profile | | |

UpdateProjectRequest

| Field | Type | Label | Description |
|---|---|---|---|
| context | Context | | context is the context in which the project is updated. |
| display_name | string | | display_name is the display name of the project to update. |
| description | string | | description is the description of the project to update. |

UpdateProjectResponse

| Field | Type | Label | Description |
|---|---|---|---|
| project | Project | | project is the project that was updated. |

UpdateRuleTypeRequest

UpdateRuleTypeRequest is the request to update a rule type.

| Field | Type | Label | Description |
|---|---|---|---|
| rule_type | RuleType | | rule_type is the rule type to be updated. |

UpdateRuleTypeResponse

UpdateRuleTypeResponse is the response to update a rule type.

| Field | Type | Label | Description |
|---|---|---|---|
| rule_type | RuleType | | rule_type is the rule type that was updated. |

UpstreamRepositoryRef

| Field | Type | Label | Description |
|---|---|---|---|
| owner | string | | |
| name | string | | |
| repo_id | int64 | | The upstream identity of the repository, as an integer. This is only set on output, and is ignored on input. |
| context | Context | | |

UserRecord

user record to be returned

| Field | Type | Label | Description |
|---|---|---|---|
| id | int32 | | |
| identity_subject | string | | |
| created_at | google.protobuf.Timestamp | | |
| updated_at | google.protobuf.Timestamp | | |

VerifyProviderCredentialRequest

VerifyProviderCredentialRequest contains the enrollment nonce (aka state) that was used when enrolling the provider

| Field | Type | Label | Description |
|---|---|---|---|
| context | Context | | |
| enrollment_nonce | string | | enrollment_nonce is the state parameter returned when enrolling the provider |

VerifyProviderCredentialResponse

VerifyProviderCredentialRequest responds with a boolean indicating if the provider has been created and the provider name, if it has been created

| Field | Type | Label | Description |
|---|---|---|---|
| created | bool | | |
| provider_name | string | | |

VerifyProviderTokenFromRequest

| Field | Type | Label | Description |
|---|---|---|---|
| provider | string | | Deprecated. |
| timestamp | google.protobuf.Timestamp | | |
| context | Context | | |

VerifyProviderTokenFromResponse

| Field | Type | Label | Description |
|---|---|---|---|
| status | string | | |

AuthorizationFlow

| Name | Number | Description |
|---|---|---|
| AUTHORIZATION_FLOW_UNSPECIFIED | 0 | |
| AUTHORIZATION_FLOW_NONE | 1 | |
| AUTHORIZATION_FLOW_USER_INPUT | 2 | |
| AUTHORIZATION_FLOW_OAUTH2_AUTHORIZATION_CODE_FLOW | 3 | |
| AUTHORIZATION_FLOW_GITHUB_APP_FLOW | 4 | |

CredentialsState

| Name | Number | Description |
|---|---|---|
| CREDENTIALS_STATE_UNSPECIFIED | 0 | |
| CREDENTIALS_STATE_SET | 1 | |
| CREDENTIALS_STATE_UNSET | 2 | |
| CREDENTIALS_STATE_NOT_APPLICABLE | 3 | |

DepEcosystem

| Name | Number | Description |
|---|---|---|
| DEP_ECOSYSTEM_UNSPECIFIED | 0 | |
| DEP_ECOSYSTEM_NPM | 1 | |
| DEP_ECOSYSTEM_GO | 2 | |
| DEP_ECOSYSTEM_PYPI | 3 | |

Entity

Entity defines the entity that is supported by the provider.

| Name | Number | Description |
|---|---|---|
| ENTITY_UNSPECIFIED | 0 | |
| ENTITY_REPOSITORIES | 1 | |
| ENTITY_BUILD_ENVIRONMENTS | 2 | |
| ENTITY_ARTIFACTS | 3 | |
| ENTITY_PULL_REQUESTS | 4 | |

ObjectOwner

| Name | Number | Description |
|---|---|---|
| OBJECT_OWNER_UNSPECIFIED | 0 | |
| OBJECT_OWNER_PROJECT | 2 | |
| OBJECT_OWNER_USER | 3 | |

ProviderClass

| Name | Number | Description |
|---|---|---|
| PROVIDER_CLASS_UNSPECIFIED | 0 | |
| PROVIDER_CLASS_GITHUB | 1 | |
| PROVIDER_CLASS_GITHUB_APP | 2 | |

ProviderType

ProviderTrait is the type of the provider.

| Name | Number | Description |
|---|---|---|
| PROVIDER_TYPE_UNSPECIFIED | 0 | |
| PROVIDER_TYPE_GITHUB | 1 | |
| PROVIDER_TYPE_REST | 2 | |
| PROVIDER_TYPE_GIT | 3 | |
| PROVIDER_TYPE_OCI | 4 | |
| PROVIDER_TYPE_REPO_LISTER | 5 | |

Relation

| Name | Number | Description |
|---|---|---|
| RELATION_UNSPECIFIED | 0 | |
| RELATION_CREATE | 1 | |
| RELATION_GET | 2 | |
| RELATION_UPDATE | 3 | |
| RELATION_DELETE | 4 | |
| RELATION_ROLE_LIST | 5 | |
| RELATION_ROLE_ASSIGNMENT_LIST | 6 | |
| RELATION_ROLE_ASSIGNMENT_CREATE | 7 | |
| RELATION_ROLE_ASSIGNMENT_REMOVE | 8 | |
| RELATION_REPO_GET | 9 | |
| RELATION_REPO_CREATE | 10 | |
| RELATION_REPO_UPDATE | 11 | |
| RELATION_REPO_DELETE | 12 | |
| RELATION_ARTIFACT_GET | 13 | |
| RELATION_ARTIFACT_CREATE | 14 | |
| RELATION_ARTIFACT_UPDATE | 15 | |
| RELATION_ARTIFACT_DELETE | 16 | |
| RELATION_PR_GET | 17 | |
| RELATION_PR_CREATE | 18 | |
| RELATION_PR_UPDATE | 19 | |
| RELATION_PR_DELETE | 20 | |
| RELATION_PROVIDER_GET | 21 | |
| RELATION_PROVIDER_CREATE | 22 | |
| RELATION_PROVIDER_UPDATE | 23 | |
| RELATION_PROVIDER_DELETE | 24 | |
| RELATION_RULE_TYPE_GET | 25 | |
| RELATION_RULE_TYPE_CREATE | 26 | |
| RELATION_RULE_TYPE_UPDATE | 27 | |
| RELATION_RULE_TYPE_DELETE | 28 | |
| RELATION_PROFILE_GET | 29 | |
| RELATION_PROFILE_CREATE | 30 | |
| RELATION_PROFILE_UPDATE | 31 | |
| RELATION_PROFILE_DELETE | 32 | |
| RELATION_PROFILE_STATUS_GET | 33 | |
| RELATION_REMOTE_REPO_GET | 34 | |
| RELATION_ENTITY_RECONCILIATION_TASK_CREATE | 35 | |

Severity.Value

Value enumerates the severity values.

| Name | Number | Description |
|---|---|---|
| VALUE_UNSPECIFIED | 0 | |
| VALUE_UNKNOWN | 1 | unknown severity means that the severity is unknown or hasn't been set. |
| VALUE_INFO | 2 | info severity means that the severity is informational and does not incur risk. |
| VALUE_LOW | 3 | low severity means that the severity is low and does not incur significant risk. |
| VALUE_MEDIUM | 4 | medium severity means that the severity is medium and may incur some risk. |
| VALUE_HIGH | 5 | high severity means that the severity is high and may incur significant risk. |
| VALUE_CRITICAL | 6 | critical severity means that the severity is critical and requires immediate attention. |

TargetResource

| Name | Number | Description |
|---|---|---|
| TARGET_RESOURCE_UNSPECIFIED | 0 | |
| TARGET_RESOURCE_NONE | 1 | |
| TARGET_RESOURCE_USER | 2 | |
| TARGET_RESOURCE_PROJECT | 3 | |

File-level Extensions

| Extension | Type | Base | Number | Description |
|---|---|---|---|---|
| name | string | .google.protobuf.EnumValueOptions | 42445 | |
| rpc_options | RpcOptions | .google.protobuf.MethodOptions | 51077 | |

Scalar Value Types

| .proto Type | Notes | C++ | Java | Python | Go | C# | PHP | Ruby |
|---|---|---|---|---|---|---|---|---|
| double | | double | double | float | float64 | double | float | Float |
| float | | float | float | float | float32 | float | float | Float |
| int32 | Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead. | int32 | int | int | int32 | int | integer | Bignum or Fixnum (as required) |
| int64 | Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead. | int64 | long | int/long | int64 | long | integer/string | Bignum |
| uint32 | Uses variable-length encoding. | uint32 | int | int/long | uint32 | uint | integer | Bignum or Fixnum (as required) |
| uint64 | Uses variable-length encoding. | uint64 | long | int/long | uint64 | ulong | integer/string | Bignum or Fixnum (as required) |
| sint32 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. | int32 | int | int | int32 | int | integer | Bignum or Fixnum (as required) |
| sint64 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. | int64 | long | int/long | int64 | long | integer/string | Bignum |
| fixed32 | Always four bytes. More efficient than uint32 if values are often greater than 2^28. | uint32 | int | int | uint32 | uint | integer | Bignum or Fixnum (as required) |
| fixed64 | Always eight bytes. More efficient than uint64 if values are often greater than 2^56. | uint64 | long | int/long | uint64 | ulong | integer/string | Bignum |
| sfixed32 | Always four bytes. | int32 | int | int | int32 | int | integer | Bignum or Fixnum (as required) |
| sfixed64 | Always eight bytes. | int64 | long | int/long | int64 | long | integer/string | Bignum |
| bool | | bool | boolean | boolean | bool | bool | boolean | TrueClass/FalseClass |
| string | A string must always contain UTF-8 encoded or 7-bit ASCII text. | string | String | str/unicode | string | string | string | String (UTF-8) |
| bytes | May contain any arbitrary sequence of bytes. | string | ByteString | str | []byte | ByteString | string | String (ASCII-8BIT) |