feat(securitycenter): update the API

yoshi-automation · yoshi-automation · commit bad0a9c17c5b · 2024-10-14T01:36:22.000Z
#### securitycenter:v1beta2

The following keys were added:
- schemas.AzureResourceGroup.properties.id.description
- schemas.AzureResourceGroup.properties.id.type
- schemas.CelPolicySpec.description
- schemas.CelPolicySpec.id
- schemas.CelPolicySpec.properties.spec.description
- schemas.CelPolicySpec.properties.spec.type
- schemas.CelPolicySpec.type
- schemas.GoogleCloudSecuritycenterV1CustomConfig.properties.celPolicy.$ref
- schemas.GoogleCloudSecuritycenterV1CustomConfig.properties.celPolicy.description
- schemas.GoogleCloudSecuritycenterV2AzureResourceGroup.properties.id.description
- schemas.GoogleCloudSecuritycenterV2AzureResourceGroup.properties.id.type
diff --git a/discovery/securitycenter-v1beta2.json b/discovery/securitycenter-v1beta2.json
@@ -1993,7 +1993,7 @@
       }
     }
   },
-  "revision": "20240927",
+  "revision": "20241004",
   "rootUrl": "https://securitycenter.googleapis.com/",
   "schemas": {
     "Access": {
@@ -2291,6 +2291,10 @@
       "description": "Represents an Azure resource group.",
       "id": "AzureResourceGroup",
       "properties": {
+        "id": {
+          "description": "The ID of the Azure resource group.",
+          "type": "string"
+        },
         "name": {
           "description": "The name of the Azure resource group. This is not a UUID.",
           "type": "string"
@@ -2385,6 +2389,17 @@
       },
       "type": "object"
     },
+    "CelPolicySpec": {
+      "description": "YAML-based rule that uses CEL, which supports the declaration of variables and a filtering predicate. A vulnerable resource is emitted if the evaluation is false. Given: 1) the resource types as: - resource_types: \"compute.googleapis.com/Instance\" - resource_types: \"compute.googleapis.com/Firewall\" 2) the CEL policy spec as: name: bad_instance resource_filters: - name: instance resource_type: compute.googleapis.com/Instance filter: > instance.status == 'RUNNING' && 'public' in instance.tags.items - name: firewall resource_type: compute.googleapis.com/Firewall filter: > firewall.direction == 'INGRESS' && !firewall.disabled && firewall.allowed.exists(rule, rule.IPProtocol.upperAscii() in ['TCP', 'ALL'] && rule.ports.exists(port, network.portsInRange(port, '11-256'))) rule: match: - predicate: > instance.networkInterfaces.exists(net, firewall.network == net.network) output: > {'message': 'Compute instance with publicly accessible ports', 'instance': instance.name} Users are able to join resource types together using the exact format as Kubernetes Validating Admission policies.",
+      "id": "CelPolicySpec",
+      "properties": {
+        "spec": {
+          "description": "The CEL policy to evaluate to produce findings. A finding is generated when the policy validation evaluates to false.",
+          "type": "string"
+        }
+      },
+      "type": "object"
+    },
     "CloudArmor": {
       "description": "Fields related to Google Cloud Armor findings.",
       "id": "CloudArmor",
@@ -3782,6 +3797,10 @@
       "description": "Defines the properties in a custom module configuration for Security Health Analytics. Use the custom module configuration to create custom detectors that generate custom findings for resources that you specify.",
       "id": "GoogleCloudSecuritycenterV1CustomConfig",
       "properties": {
+        "celPolicy": {
+          "$ref": "CelPolicySpec",
+          "description": "The CEL policy spec attached to the custom module."
+        },
         "customOutput": {
           "$ref": "GoogleCloudSecuritycenterV1CustomOutputSpec",
           "description": "Custom output properties."
@@ -4864,6 +4883,10 @@
       "description": "Represents an Azure resource group.",
       "id": "GoogleCloudSecuritycenterV2AzureResourceGroup",
       "properties": {
+        "id": {
+          "description": "The ID of the Azure resource group.",
+          "type": "string"
+        },
         "name": {
           "description": "The name of the Azure resource group. This is not a UUID.",
           "type": "string"
diff --git a/src/apis/securitycenter/v1beta2.ts b/src/apis/securitycenter/v1beta2.ts
@@ -372,6 +372,10 @@ export namespace securitycenter_v1beta2 {
    * Represents an Azure resource group.
    */
   export interface Schema$AzureResourceGroup {
+    /**
+     * The ID of the Azure resource group.
+     */
+    id?: string | null;
     /**
      * The name of the Azure resource group. This is not a UUID.
      */
@@ -448,6 +452,15 @@ export namespace securitycenter_v1beta2 {
      */
     storagePool?: string | null;
   }
+  /**
+   * YAML-based rule that uses CEL, which supports the declaration of variables and a filtering predicate. A vulnerable resource is emitted if the evaluation is false. Given: 1) the resource types as: - resource_types: "compute.googleapis.com/Instance" - resource_types: "compute.googleapis.com/Firewall" 2) the CEL policy spec as: name: bad_instance resource_filters: - name: instance resource_type: compute.googleapis.com/Instance filter: \> instance.status == 'RUNNING' && 'public' in instance.tags.items - name: firewall resource_type: compute.googleapis.com/Firewall filter: \> firewall.direction == 'INGRESS' && !firewall.disabled && firewall.allowed.exists(rule, rule.IPProtocol.upperAscii() in ['TCP', 'ALL'] && rule.ports.exists(port, network.portsInRange(port, '11-256'))) rule: match: - predicate: \> instance.networkInterfaces.exists(net, firewall.network == net.network) output: \> {'message': 'Compute instance with publicly accessible ports', 'instance': instance.name\} Users are able to join resource types together using the exact format as Kubernetes Validating Admission policies.
+   */
+  export interface Schema$CelPolicySpec {
+    /**
+     * The CEL policy to evaluate to produce findings. A finding is generated when the policy validation evaluates to false.
+     */
+    spec?: string | null;
+  }
   /**
    * Fields related to Google Cloud Armor findings.
    */
@@ -1372,6 +1385,10 @@ export namespace securitycenter_v1beta2 {
    * Defines the properties in a custom module configuration for Security Health Analytics. Use the custom module configuration to create custom detectors that generate custom findings for resources that you specify.
    */
   export interface Schema$GoogleCloudSecuritycenterV1CustomConfig {
+    /**
+     * The CEL policy spec attached to the custom module.
+     */
+    celPolicy?: Schema$CelPolicySpec;
     /**
      * Custom output properties.
      */
@@ -2119,6 +2136,10 @@ export namespace securitycenter_v1beta2 {
    * Represents an Azure resource group.
    */
   export interface Schema$GoogleCloudSecuritycenterV2AzureResourceGroup {
+    /**
+     * The ID of the Azure resource group.
+     */
+    id?: string | null;
     /**
      * The name of the Azure resource group. This is not a UUID.
      */
