io.atcr.hold.scan

Documentation

Vulnerability scan results for a container manifest. Stored in the hold's embedded PDS. Record key is deterministic: the manifest digest hex without the 'sha256:' prefix, so re-scans upsert the existing record.

main record

Record Key: any (any valid record key)

Properties

critical integer Required

Count of critical severity vulnerabilities

minimum: 0

high integer Required

Count of high severity vulnerabilities

minimum: 0

low integer Required

Count of low severity vulnerabilities

minimum: 0

manifest string at-uri Required

AT-URI of the scanned manifest (e.g., at://did:plc:xyz/io.atcr.manifest/abc123...)

medium integer Required

Count of medium severity vulnerabilities

minimum: 0

repository string Required

Repository name (e.g., myapp)

maxLength: 256 bytes

sbomBlob blob Optional

SBOM blob (SPDX JSON format) uploaded to the hold's blob storage

scannedAt string datetime Required

RFC3339 timestamp of when the scan completed

scannerVersion string Required

Version of the scanner that produced this result (e.g., atcr-scanner-v1.0.0)

maxLength: 64 bytes

total integer Required

Total vulnerability count

minimum: 0

userDid string did Required

DID of the image owner

vulnReportBlob blob Optional

Grype vulnerability report blob (JSON) with full CVE details

View raw schema
{
  "key": "any",
  "type": "record",
  "record": {
    "type": "object",
    "required": [
      "manifest",
      "repository",
      "userDid",
      "critical",
      "high",
      "medium",
      "low",
      "total",
      "scannerVersion",
      "scannedAt"
    ],
    "properties": {
      "low": {
        "type": "integer",
        "minimum": 0,
        "description": "Count of low severity vulnerabilities"
      },
      "high": {
        "type": "integer",
        "minimum": 0,
        "description": "Count of high severity vulnerabilities"
      },
      "total": {
        "type": "integer",
        "minimum": 0,
        "description": "Total vulnerability count"
      },
      "medium": {
        "type": "integer",
        "minimum": 0,
        "description": "Count of medium severity vulnerabilities"
      },
      "userDid": {
        "type": "string",
        "format": "did",
        "description": "DID of the image owner"
      },
      "critical": {
        "type": "integer",
        "minimum": 0,
        "description": "Count of critical severity vulnerabilities"
      },
      "manifest": {
        "type": "string",
        "format": "at-uri",
        "description": "AT-URI of the scanned manifest (e.g., at://did:plc:xyz/io.atcr.manifest/abc123...)"
      },
      "sbomBlob": {
        "type": "blob",
        "accept": [
          "application/spdx+json"
        ],
        "description": "SBOM blob (SPDX JSON format) uploaded to the hold's blob storage"
      },
      "scannedAt": {
        "type": "string",
        "format": "datetime",
        "description": "RFC3339 timestamp of when the scan completed"
      },
      "repository": {
        "type": "string",
        "maxLength": 256,
        "description": "Repository name (e.g., myapp)"
      },
      "scannerVersion": {
        "type": "string",
        "maxLength": 64,
        "description": "Version of the scanner that produced this result (e.g., atcr-scanner-v1.0.0)"
      },
      "vulnReportBlob": {
        "type": "blob",
        "accept": [
          "application/vnd.atcr.vulnerabilities+json"
        ],
        "description": "Grype vulnerability report blob (JSON) with full CVE details"
      }
    }
  },
  "description": "Vulnerability scan results for a container manifest. Stored in the hold's embedded PDS. Record key is deterministic: the manifest digest hex without the 'sha256:' prefix, so re-scans upsert the existing record."
}
