This article outlines important upcoming changes to the API in the next release of Prisma Cloud Compute.

The current release is 20.12 (code-named Galileo).

The next release (code-named Hamilton) is scheduled to ship in H1Y21.

A new compliance dashboard will be introduced. It will simplify compliance visibility across regulations, CIS benchmarks, and policy rules.

As a result of this enhancement, the endpoint that provides the compliance statistics for the dashboard will change to include new metrics and data. The impacted endpoint is /api/v1/stats/compliance. It will add the following data:

The data currently provided by this endpoint will no longer be available.

In addition, a new endpoint will be added: api/v1/stats/compliance/download. This endpoint will let you get a list of all compliance checks in CSV format.

The mechanism for specifying the serverless scanning scope will be improved. You will be able to set scopes per account rather than specifying a scope for each region in the account.

As a result of this enhancement, the ServerlessScanSpecification schema will change as follows:

In addition, the method for POST api/v1/settings/serverless-scan will change from POST to PUT to align with the way PUT works for other similar endpoints in the product. The current POST method completely replaces all scanning scopes. In the next release, the PUT method will be used to replace all scanning scopes. A new POST method will be added. The POST method will let you add a single serverless scan spec without sending an aggregated list of all specs each time you add a new spec.

The route path for api/v1/policies/runtime/custom-rules will change to api/v1/custom-rules.

The schema of the JSON output file exported from twistcli images scanning will be stabilized. The purpose of this enhancement is to ensure backward compatibility of the schema in future releases.

Some new fields will be added to the schema and some existing fields will be adjusted as follows:

For better consistency and clarity across the product, the terms protect and protected have been replaced with the terms defend and defended. The terms indicate a Defender is protecting a resource.

The impacted endpoints are:

In 20.12, image scan reports returned from GET /api/v1/images contain the binaries[].layerTime field. In Hamilton, the layerTime field in objects in the binaries[] array will be deprecated.

In it’s place, there will be a new top-level object named applications that contains an equivalent layerTime field. The following table summarizes the change:

As a reminder, software is typically added to an image with a package manager. Sometimes, however, a binary might be added directly to an image with the Dockerfile ADD instruction (for example, when software is built from source). The binaries[].layerTime field maps a binary added to an image to a layer in the image. In practice, this field is rarely populated. As such, we expect the impact of this change on any automation you’ve built around image scan reports to be negligible.

In Hamilton, we’re extending the number of binaries we can identify and assess for vulnerabilities. As part of this extended capability, we’re introducing the applications object with its associated layerTime field, and we’re deprecating binaries[].layerTime. Any data you previously found in binaries[].layerTime can now be found in applications[].layerTime.