The REST API is now versioned. For more information, see "About API versioning."

REST API endpoints for artifact metadata

Use these endpoints to retrieve and manage metadata for your organization's artifacts. Artifact metadata provides information about build artifacts, their provenance, and related details.

When you view Dependabot or code scanning alerts for an organization, you can use artifact metadata to filter and prioritize alerts; see "Prioritizing Dependabot and code scanning alerts using production context."

Create an artifact deployment record

Create or update deployment records for an artifact associated with an organization. This endpoint allows you to record information about a specific artifact, such as its name, digest, environments, cluster, and deployment.

Fine-grained access tokens for "Create an artifact deployment record"

This endpoint works with the following fine-grained token types:

The fine-grained token must have at least one of the following permission sets:

  • "Contents" repository permissions (write)
  • "Artifact metadata" repository permissions (write)

Parameters for "Create an artifact deployment record"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
org string Required

The organization name. The name is not case sensitive.

Body parameters
Name, Type, Description
name string Required

The name of the artifact.

digest string Required

The hex encoded digest of the artifact.

version string

The artifact version.

status string Required

The status of the artifact. Can be either deployed or decommissioned.

Can be one of: deployed, decommissioned

logical_environment string Required

The stage of the deployment.

physical_environment string

The physical region of the deployment.

cluster string

The deployment cluster.

deployment_name string Required

The name of the deployment.

tags object

The tags associated with the deployment.

runtime_risks array of strings

A list of runtime risks associated with the deployment. Supported values are: critical-resource, internet-exposed, lateral-movement, sensitive-data

github_repository string

The name of the GitHub repository associated with the artifact. This should be used when there are no provenance attestations available for the artifact. The repository must belong to the organization specified in the path parameter.

If a provenance attestation is available for the artifact, the API will use the repository information from the attestation instead of this parameter.

HTTP response status codes for "Create an artifact deployment record"

Status code, Description
200

Artifact deployment record stored successfully.

Code samples for "Create an artifact deployment record"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

POST /orgs/{org}/artifacts/metadata/deployment-record
curl -L \
  -X POST \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/orgs/ORG/artifacts/metadata/deployment-record \
  -d '{"name":"awesome-image","digest":"sha256:1bb1e949e55dcefc6353e7b36c8897d2a107d8e8dca49d4e3c0ea8493fc0bc72","status":"deployed","logical_environment":"prod","physical_environment":"pacific-east","cluster":"moda-1","deployment_name":"deployment-pod","tags":{"data-access":"sensitive"}}'

Artifact deployment record stored successfully.

Status: 200
{
  "total_count": 1,
  "deployment_records": [
    {
      "id": 123,
      "digest": "sha256:1bb1e949e55dcefc6353e7b36c8897d2a107d8e8dca49d4e3c0ea8493fc0bc72",
      "logical_environment": "prod",
      "physical_environment": "pacific-east",
      "cluster": "moda-1",
      "deployment_name": "prod-deployment",
      "tags": {
        "data": "sensitive"
      },
      "created": "2011-01-26T19:14:43Z",
      "updated_at": "2011-01-26T19:14:43Z",
      "attestation_id": 456
    }
  ]
}

Set cluster deployment records

Set deployment records for a given cluster.

Fine-grained access tokens for "Set cluster deployment records"

This endpoint works with the following fine-grained token types:

The fine-grained token must have at least one of the following permission sets:

  • "Contents" repository permissions (write)
  • "Artifact metadata" repository permissions (write)

Parameters for "Set cluster deployment records"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
org string Required

The organization name. The name is not case sensitive.

cluster string Required

The cluster name.

Body parameters
Name, Type, Description
logical_environment string Required

The stage of the deployment.

physical_environment string

The physical region of the deployment.

deployments array of objects Required

The list of deployments to record.

Name, Type, Description
name string Required

The name of the artifact. Note that if multiple deployments have identical 'digest' parameter values, the name parameter must also be identical across all entries.

digest string Required

The hex encoded digest of the artifact. Note that if multiple deployments have identical 'digest' parameter values, the name and version parameters must also be identical across all entries.

version string

The artifact version. Note that if multiple deployments have identical 'digest' parameter values, the version parameter must also be identical across all entries.

status string

The deployment status of the artifact.

Can be one of: deployed, decommissioned

deployment_name string Required

The unique identifier for the deployment represented by the new record. To accommodate differing containers and namespaces within a record set, the following format is recommended: {namespaceName}-{deploymentName}-{containerName}

github_repository string

The name of the GitHub repository associated with the artifact. This should be used when there are no provenance attestations available for the artifact. The repository must belong to the organization specified in the path parameter.

If a provenance attestation is available for the artifact, the API will use the repository information from the attestation instead of this parameter.

tags object

Key-value pairs to tag the deployment record.

runtime_risks array of strings

A list of runtime risks associated with the deployment. Supported values are: critical-resource, internet-exposed, lateral-movement, sensitive-data

HTTP response status codes for "Set cluster deployment records"

Status code, Description
200

Artifact deployment record stored successfully.

Code samples for "Set cluster deployment records"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

POST /orgs/{org}/artifacts/metadata/deployment-record/cluster/{cluster}
curl -L \
  -X POST \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/orgs/ORG/artifacts/metadata/deployment-record/cluster/CLUSTER \
  -d '{"logical_environment":"prod","physical_environment":"pacific-east","deployments":[{"name":"awesome-image","digest":"sha256:1bb1e949e55dcefc6353e7b36c8897d2a107d8e8dca49d4e3c0ea8493fc0bc72","version":"2.1.0","status":"deployed","deployment_name":"deployment-pod","tags":{"runtime-risk":"sensitive-data"}}]}'

Artifact deployment record stored successfully.

Status: 200
{
  "total_count": 1,
  "deployment_records": [
    {
      "id": 123,
      "digest": "sha256:1bb1e949e55dcefc6353e7b36c8897d2a107d8e8dca49d4e3c0ea8493fc0bc72",
      "logical_environment": "prod",
      "physical_environment": "pacific-east",
      "cluster": "moda-1",
      "deployment_name": "prod-deployment",
      "tags": {
        "data": "sensitive"
      },
      "created": "2011-01-26T19:14:43Z",
      "updated_at": "2011-01-26T19:14:43Z",
      "attestation_id": 456
    }
  ]
}
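
The body rules for "Set cluster deployment records" can be checked before a request is sent. The Python below is an added example, not code from GitHub's documentation: it validates a workload inventory against the constraints listed above (allowed status and runtime_risks values, identical name and version for identical digests) and builds deployment_name in the recommended format. The function name, the workload keys namespace, deployment and container, and the sample data are assumptions, and the digest pattern assumes the sha256:HEX form used in the samples.

```python
import json
import re

# Allowed values copied from the parameter descriptions on this page.
STATUSES = {"deployed", "decommissioned"}
RUNTIME_RISKS = {"critical-resource", "internet-exposed", "lateral-movement", "sensitive-data"}
# Assumption: digests use the sha256:HEX form shown in the page's samples.
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

def build_cluster_body(logical_environment, workloads, physical_environment=None):
    """Validate workloads (hypothetical inventory dicts) and return the JSON body."""
    if not logical_environment:
        raise ValueError("logical_environment is required")
    by_digest, deployments = {}, []
    for w in workloads:
        for field in ("name", "digest", "namespace", "deployment", "container"):
            if not w.get(field):
                raise ValueError(f"missing required field: {field}")
        if not DIGEST_RE.fullmatch(w["digest"]):
            raise ValueError(f"malformed digest: {w['digest']!r}")
        # Identical digests must carry identical name and version.
        ident = (w["name"], w.get("version"))
        if by_digest.setdefault(w["digest"], ident) != ident:
            raise ValueError("same digest with different name/version")
        if w.get("status") and w["status"] not in STATUSES:
            raise ValueError(f"unsupported status: {w['status']}")
        unknown = set(w.get("runtime_risks") or []) - RUNTIME_RISKS
        if unknown:
            raise ValueError(f"unsupported runtime_risks: {sorted(unknown)}")
        # Recommended format: {namespaceName}-{deploymentName}-{containerName}
        entry = {"name": w["name"], "digest": w["digest"],
                 "deployment_name": f"{w['namespace']}-{w['deployment']}-{w['container']}"}
        for key in ("version", "status", "runtime_risks", "tags", "github_repository"):
            if w.get(key):
                entry[key] = w[key]
        deployments.append(entry)
    body = {"logical_environment": logical_environment, "deployments": deployments}
    if physical_environment:
        body["physical_environment"] = physical_environment
    return json.dumps(body, sort_keys=True)

# Constructed sample: two containers of one pod running the same image.
DIGEST = "sha256:1bb1e949e55dcefc6353e7b36c8897d2a107d8e8dca49d4e3c0ea8493fc0bc72"
BASE = {"name": "awesome-image", "digest": DIGEST, "version": "2.1.0",
        "namespace": "shop", "deployment": "web", "status": "deployed"}
SAMPLE = [dict(BASE, container="app", runtime_risks=["internet-exposed"]),
          dict(BASE, container="sidecar")]
```

The returned string is what would be passed to curl's -d option for the cluster endpoint; the example itself sends nothing.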

Create artifact metadata storage record

Create metadata storage records for artifacts associated with an organization. This endpoint will create a new artifact storage record on behalf of any artifact matching the provided digest and associated with a repository owned by the organization.

Fine-grained access tokens for "Create artifact metadata storage record"

This endpoint works with the following fine-grained token types:

The fine-grained token must have at least one of the following permission sets:

  • "Contents" repository permissions (write)
  • "Artifact metadata" repository permissions (write)

Parameters for "Create artifact metadata storage record"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
org string Required

The organization name. The name is not case sensitive.

Body parameters
Name, Type, Description
name string Required

The name of the artifact.

digest string Required

The digest of the artifact (algorithm:hex-encoded-digest).

version string

The artifact version.

artifact_url string

The URL where the artifact is stored.

path string

The path of the artifact.

registry_url string Required

The base URL of the artifact registry.

repository string

The repository name within the registry.

status string

The status of the artifact (e.g., active, inactive).

Default: active

Can be one of: active, eol, deleted

github_repository string

The name of the GitHub repository associated with the artifact. This should be used when there are no provenance attestations available for the artifact. The repository must belong to the organization specified in the path parameter.

If a provenance attestation is available for the artifact, the API will use the repository information from the attestation instead of this parameter.

HTTP response status codes for "Create artifact metadata storage record"

Status code, Description
200

Artifact metadata storage record stored successfully.

Code samples for "Create artifact metadata storage record"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

POST /orgs/{org}/artifacts/metadata/storage-record
curl -L \
  -X POST \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/orgs/ORG/artifacts/metadata/storage-record \
  -d '{"name":"libfoo","version":"1.2.3","digest":"sha256:1bb1e949e55dcefc6353e7b36c8897d2a107d8e8dca49d4e3c0ea8493fc0bc72","artifact_url":"https://reg.example.com/artifactory/bar/libfoo-1.2.3","registry_url":"https://reg.example.com/artifactory/","repository":"bar","status":"active"}'

Artifact metadata storage record stored successfully.

Status: 200
{
  "total_count": 1,
  "storage_records": [
    {
      "name": "libfoo",
      "digest": "sha256:1bb1e949e55dcefc6353e7b36c8897d2a107d8e8dca49d4e3c0ea8493fc0bc72",
      "artifact_url": "https://reg.example.com/artifactory/bar/libfoo-1.2.3",
      "registry_url": "https://reg.example.com/artifactory/",
      "repository": "bar",
      "status": "active",
      "created_at": "2023-10-01T12:00:00Z",
      "updated_at": "2023-10-01T12:00:00Z"
    }
  ]
}

List artifact deployment records

List deployment records for artifact metadata associated with an organization.

Fine-grained access tokens for "List artifact deployment records"

This endpoint works with the following fine-grained token types:

The fine-grained token must have at least one of the following permission sets:

  • "Contents" repository permissions (read)
  • "Artifact metadata" repository permissions (read)

Parameters for "List artifact deployment records"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
org string Required

The organization name. The name is not case sensitive.

subject_digest string Required

The SHA256 digest of the artifact, in the form sha256:HEX_DIGEST.

HTTP response status codes for "List artifact deployment records"

Status code, Description
200

Successful response

Code samples for "List artifact deployment records"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

GET /orgs/{org}/artifacts/{subject_digest}/metadata/deployment-records
curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/orgs/ORG/artifacts/SUBJECT_DIGEST/metadata/deployment-records

Successful response

Status: 200
{
  "total_count": 1,
  "deployment_records": [
    {
      "id": 123,
      "digest": "sha256:1bb1e949e55dcefc6353e7b36c8897d2a107d8e8dca49d4e3c0ea8493fc0bc72",
      "logical_environment": "prod",
      "physical_environment": "pacific-east",
      "cluster": "moda-1",
      "deployment_name": "prod-deployment",
      "tags": {
        "data": "sensitive"
      },
      "created": "2011-01-26T19:14:43Z",
      "updated_at": "2011-01-26T19:14:43Z",
      "attestation_id": 456
    }
  ]
}

List artifact storage records

List a collection of artifact storage records with a given subject digest that are associated with repositories owned by an organization.

The collection of storage records returned by this endpoint is filtered according to the authenticated user's permissions; if the authenticated user cannot read a repository, the attestations associated with that repository will not be included in the response. In addition, when using a fine-grained access token the content:read permission is required.

Fine-grained access tokens for "List artifact storage records"

This endpoint works with the following fine-grained token types:

The fine-grained token must have at least one of the following permission sets:

  • "Contents" repository permissions (read)
  • "Artifact metadata" repository permissions (read)

Parameters for "List artifact storage records"

Headers
Name, Type, Description
accept string

Setting to application/vnd.github+json is recommended.

Path parameters
Name, Type, Description
org string Required

The organization name. The name is not case sensitive.

subject_digest string Required

The parameter should be set to the attestation's subject's SHA256 digest, in the form sha256:HEX_DIGEST.

HTTP response status codes for "List artifact storage records"

Status code, Description
200

OK

Code samples for "List artifact storage records"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

GET /orgs/{org}/artifacts/{subject_digest}/metadata/storage-records
curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/orgs/ORG/artifacts/SUBJECT_DIGEST/metadata/storage-records

Response

Status: 200
{
  "storage_records": [
    {
      "name": "libfoo-1.2.3",
      "digest": "sha256:1bb1e949e55dcefc6353e7b36c8897d2a107d8e8dca49d4e3c0ea8493fc0bc72",
      "artifact_url": "https://reg.example.com/artifactory/bar/libfoo-1.2.3",
      "registry_url": "https://reg.example.com/artifactory/",
      "repository": "bar",
      "status": "active",
      "created_at": "2023-10-01T12:00:00Z",
      "updated_at": "2023-10-01T12:00:00Z"
    }
  ]
}