googleapis · sofisl · Jan 15, 2026 · Jan 12, 2026 · Jan 12, 2026
@@ -1,4 +1,4 @@
-// Copyright 2025 Google LLC
+// Copyright 2026 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -40,7 +40,7 @@ module.exports = {
     includePattern: '\\.js$'
   },
   templates: {
-    copyright: 'Copyright 2025 Google LLC',
+    copyright: 'Copyright 2026 Google LLC',
     includeDate: false,
     sourceFiles: false,
     systemName: '@google-cloud/containeranalysis',

@@ -1,4 +1,4 @@
-// Copyright 2025 Google LLC
+// Copyright 2026 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.

@@ -1,4 +1,4 @@
-// Copyright 2025 Google LLC
+// Copyright 2026 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.

@@ -148,4 +148,12 @@ message DiscoveryOccurrence {
 
   // The status of an vulnerability attestation generation.
   VulnerabilityAttestation vulnerability_attestation = 10;
+
+  message File {
+    string name = 1;
+    map<string, string> digest = 2;
+  }
+
+  // Files that make up the resource described by the occurrence.
+  repeated File files = 11;
 }
@@ -402,6 +402,13 @@ message ListOccurrencesRequest {
 
   // Token to provide to skip to a particular spot in the list.
   string page_token = 4;
+
+  // If set, the request will return all reachable Occurrences
+  // and report all unreachable regions in the `unreachable` field in
+  // the response.
+  //
+  // Only applicable for requests in the global region.
+  bool return_partial_success = 5;
 }
 
 // Response for listing occurrences.
@@ -412,6 +419,12 @@ message ListOccurrencesResponse {
   // `page_token` for the following request. An empty value means no more
   // results.
   string next_page_token = 2;
+  // Unreachable regions. Populated for requests from the global region
+  // when `return_partial_success` is set.
+  //
+  // Format: `projects/[PROJECT_ID]/locations/[LOCATION]`
+  repeated string unreachable = 3
+      [(google.api.field_behavior) = UNORDERED_LIST];
 }
 
 // Request to delete an occurrence.
@@ -488,6 +501,13 @@ message ListNotesRequest {
 
   // Token to provide to skip to a particular spot in the list.
   string page_token = 4;
+
+  // If set, the request will return all reachable Notes
+  // and report all unreachable regions in the `unreachable` field in
+  // the response.
+  //
+  // Only applicable for requests in the global region.
+  bool return_partial_success = 5;
 }
 
 // Response for listing notes.
@@ -498,6 +518,12 @@ message ListNotesResponse {
   // `page_token` for the following request. An empty value means no more
   // results.
   string next_page_token = 2;
+  // Unreachable regions. Populated for requests from the global region
+  // when `return_partial_success` is set.
+  //
+  // Format: `projects/[PROJECT_ID]/locations/[LOCATION]`
+  repeated string unreachable = 3
+      [(google.api.field_behavior) = UNORDERED_LIST];
 }
 
 // Request to delete a note.

@@ -0,0 +1,46 @@
+// Copyright 2025 The Grafeas Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package grafeas.v1;
+
+option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
+option java_multiple_files = true;
+option java_package = "io.grafeas.v1";
+option objc_class_prefix = "GRA";
+
+message Risk {
+  // CISA maintains the authoritative source of vulnerabilities that have been
+  // exploited in the wild.
+  CISAKnownExploitedVulnerabilities cisa_kev = 1;
+  // The Exploit Prediction Scoring System (EPSS) estimates the likelihood
+  // (probability) that a software vulnerability will be exploited in the wild.
+  ExploitPredictionScoringSystem epss = 2;
+}
+
+message CISAKnownExploitedVulnerabilities {
+  // Whether the vulnerability is known to have been leveraged as part of a
+  // ransomware campaign.
+  string known_ransomware_campaign_use = 1;
+}
+
+message ExploitPredictionScoringSystem {
+  // The percentile of the current score, the proportion of all scored
+  // vulnerabilities with the same or a lower EPSS score
+  double percentile = 1;
+  // The EPSS score representing the probability [0-1] of exploitation in the
+  // wild in the next 30 days
+  double score = 2;
+}
@@ -17,6 +17,7 @@ syntax = "proto3";
 package grafeas.v1;
 
 import "google/api/field_behavior.proto";
+import "google/protobuf/any.proto";
 import "google/protobuf/timestamp.proto";
 import "grafeas/v1/common.proto";
 
@@ -39,6 +40,13 @@ message SecretOccurrence {
 
   // Status of the secret.
   repeated SecretStatus statuses = 3 [(google.api.field_behavior) = OPTIONAL];
+
+  // Scan result of the secret.
+  google.protobuf.Any data = 4;
+
+  // Hash value, typically a digest for the secret data, that allows unique
+  // identification of a specific secret.
+  Digest digest = 5;
 }
 
 // The location of the secret.
@@ -84,7 +92,50 @@ enum SecretKind {
   SECRET_KIND_UNSPECIFIED = 0;
   // The secret kind is unknown.
   SECRET_KIND_UNKNOWN = 1;
-  // A GCP service account key per:
+  // A Google Cloud service account key per:
   // https://cloud.google.com/iam/docs/creating-managing-service-account-keys
   SECRET_KIND_GCP_SERVICE_ACCOUNT_KEY = 2;
+  // A Google Cloud API key per:
+  // https://cloud.google.com/docs/authentication/api-keys
+  SECRET_KIND_GCP_API_KEY = 3;
+  // A Google Cloud OAuth2 client credentials per:
+  // https://developers.google.com/identity/protocols/oauth2
+  SECRET_KIND_GCP_OAUTH2_CLIENT_CREDENTIALS = 4;
+  // A Google Cloud OAuth2 access token per:
+  // https://cloud.google.com/docs/authentication/token-types#access
+  SECRET_KIND_GCP_OAUTH2_ACCESS_TOKEN = 5;
+  // An Anthropic Admin API key.
+  SECRET_KIND_ANTHROPIC_ADMIN_API_KEY = 6;
+  // An Anthropic API key.
+  SECRET_KIND_ANTHROPIC_API_KEY = 7;
+  // An Azure access token.
+  SECRET_KIND_AZURE_ACCESS_TOKEN = 8;
+  // An Azure Identity Platform ID token.
+  SECRET_KIND_AZURE_IDENTITY_TOKEN = 9;
+  // A Docker Hub personal access token.
+  SECRET_KIND_DOCKER_HUB_PERSONAL_ACCESS_TOKEN = 10;
+  // A GitHub App refresh token.
+  SECRET_KIND_GITHUB_APP_REFRESH_TOKEN = 11;
+  // A GitHub App server-to-server token.
+  SECRET_KIND_GITHUB_APP_SERVER_TO_SERVER_TOKEN = 12;
+  // A GitHub App user-to-server token.
+  SECRET_KIND_GITHUB_APP_USER_TO_SERVER_TOKEN = 13;
+  // A GitHub personal access token (classic).
+  SECRET_KIND_GITHUB_CLASSIC_PERSONAL_ACCESS_TOKEN = 14;
+  // A GitHub fine-grained personal access token.
+  SECRET_KIND_GITHUB_FINE_GRAINED_PERSONAL_ACCESS_TOKEN = 15;
+  // A GitHub OAuth token.
+  SECRET_KIND_GITHUB_OAUTH_TOKEN = 16;
+  // A Hugging Face API key.
+  SECRET_KIND_HUGGINGFACE_API_KEY = 17;
+  // An OpenAI API key.
+  SECRET_KIND_OPENAI_API_KEY = 18;
+  // A Perplexity API key.
+  SECRET_KIND_PERPLEXITY_API_KEY = 19;
+  // A Stripe secret key.
+  SECRET_KIND_STRIPE_SECRET_KEY = 20;
+  // A Stripe restricted key.
+  SECRET_KIND_STRIPE_RESTRICTED_KEY = 21;
+  // A Stripe webhook secret.
+  SECRET_KIND_STRIPE_WEBHOOK_SECRET = 22;
 }
@@ -21,6 +21,7 @@ import "google/protobuf/timestamp.proto";
 import "grafeas/v1/common.proto";
 import "grafeas/v1/cvss.proto";
 import "grafeas/v1/package.proto";
+import "grafeas/v1/risk.proto";
 import "grafeas/v1/severity.proto";
 import "grafeas/v1/vex.proto";
 
@@ -301,5 +302,8 @@ message VulnerabilityOccurrence {
   // Occurrence-specific extra details about the vulnerability.
   string extra_details = 14;
 
-  // Next free ID is 15.
+  // Risk information about the vulnerability, such as CISA, EPSS, etc.
+  Risk risk = 15;
+
+  // Next free ID is 16.
 }