Cross-Provider Workflow

Aqua Security Vulnerability to Cortex XSOAR Incident

Version 1.0.0

Find a vulnerable image in Aqua and open a Cortex XSOAR incident for response.

1 workflow, 2 source APIs, 2 providers

Providers Orchestrated

aqua-security, palo-alto-networks

Workflows

vuln-to-soar-incident
List Aqua images, read vulnerabilities, and open a Cortex XSOAR incident.
Lists scanned images in Aqua Security, reads the vulnerability detail for an image, and creates a Cortex XSOAR incident to drive response.
3 steps; inputs: imageName, registry; outputs: criticalCount, incidentId

1. list-images ($sourceDescriptions.aquaSecurityApi.listImages): List scanned container images in Aqua Security.
2. get-image ($sourceDescriptions.aquaSecurityApi.getImage): Read the vulnerability detail for the target image in Aqua Security.
3. create-incident ($sourceDescriptions.cortexXsoarApi.createIncident): Create a Cortex XSOAR incident to drive vulnerability response.

Arazzo Workflow Specification

sec-aqua-vuln-to-xsoar-incident.yml
arazzo: 1.0.1
info:
  title: Aqua Security Vulnerability to Cortex XSOAR Incident
  summary: Find a vulnerable image in Aqua and open a Cortex XSOAR incident for response.
  description: >-
    A security orchestration workflow that lists scanned images in Aqua Security, reads the
    vulnerability detail for a target image, and creates an incident in Palo Alto Networks
    Cortex XSOAR so an automated playbook can drive response. Demonstrates orchestrating a
    container security platform with a SOAR platform in a single Arazzo workflow.
  version: 1.0.0
sourceDescriptions:
  - name: aquaSecurityApi
    url: https://raw.githubusercontent.com/api-evangelist/aqua-security/refs/heads/main/openapi/aqua-security-api.yaml
    type: openapi
  - name: cortexXsoarApi
    url: https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/openapi/palo-alto-cortex-xsoar-api-openapi-original.yml
    type: openapi
workflows:
  - workflowId: vuln-to-soar-incident
    summary: List Aqua images, read vulnerabilities, and open a Cortex XSOAR incident.
    description: >-
      Lists scanned images in Aqua Security, reads the vulnerability detail for an image,
      and creates a Cortex XSOAR incident to drive response.
    inputs:
      type: object
      properties:
        registry:
          type: string
        imageName:
          type: string
    steps:
      - stepId: list-images
        description: List scanned container images in Aqua Security.
        operationId: $sourceDescriptions.aquaSecurityApi.listImages
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          imageCount: $response.body#/count
      - stepId: get-image
        description: Read the vulnerability detail for the target image in Aqua Security.
        operationId: $sourceDescriptions.aquaSecurityApi.getImage
        parameters:
          - name: registry
            in: path
            value: $inputs.registry
          - name: repository
            in: path
            value: $inputs.imageName
          - name: tag
            in: path
            value: latest
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          criticalCount: $response.body#/crit_vulns
          highCount: $response.body#/high_vulns
      - stepId: create-incident
        description: Create a Cortex XSOAR incident to drive vulnerability response.
        operationId: $sourceDescriptions.cortexXsoarApi.createIncident
        requestBody:
          contentType: application/json
          payload:
            name: Aqua critical image vulnerability detected
            type: Vulnerability
            severity: 3
            details: A vulnerable container image was detected in Aqua Security and requires response.
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          incidentId: $response.body#/id
    outputs:
      criticalCount: $steps.get-image.outputs.criticalCount
      incidentId: $steps.create-incident.outputs.incidentId
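
As published, create-incident runs after every successful get-image call and sends a fixed payload, so the incident neither depends on nor mentions the counts read from Aqua. The following variant of the last two steps is an added example, not part of the published specification: it uses Arazzo onSuccess actions to end the workflow when crit_vulns is 0 and embeds the image reference and counts in the incident with {} expressions. The action names, the "> 0" threshold and the wording of name and details are assumptions.

```yaml
# Added example: drop-in replacement for the get-image and create-incident steps.
# Assumption: an incident is wanted only when crit_vulns > 0.
steps:
  - stepId: get-image
    description: Read the vulnerability detail for the target image in Aqua Security.
    operationId: $sourceDescriptions.aquaSecurityApi.getImage
    parameters:
      - name: registry
        in: path
        value: $inputs.registry
      - name: repository
        in: path
        value: $inputs.imageName
      - name: tag
        in: path
        value: latest
    successCriteria:
      - condition: $statusCode == 200
    outputs:
      criticalCount: $response.body#/crit_vulns
      highCount: $response.body#/high_vulns
    onSuccess:
      # End the workflow without an incident when there are no critical findings.
      - name: no-critical-findings
        type: end
        criteria:
          - condition: $response.body#/crit_vulns == 0
      # Otherwise continue to incident creation.
      - name: open-incident
        type: goto
        stepId: create-incident
        criteria:
          - condition: $response.body#/crit_vulns > 0
  - stepId: create-incident
    description: Create a Cortex XSOAR incident to drive vulnerability response.
    operationId: $sourceDescriptions.cortexXsoarApi.createIncident
    requestBody:
      contentType: application/json
      payload:
        # Constructed wording; the field names are the ones in the published payload.
        name: "Aqua critical vulnerabilities in {$inputs.registry}/{$inputs.imageName}:latest"
        type: Vulnerability
        severity: 3
        details: "Aqua Security reports {$steps.get-image.outputs.criticalCount} critical and {$steps.get-image.outputs.highCount} high vulnerabilities in this image."
    successCriteria:
      - condition: $statusCode == 200
    outputs:
      incidentId: $response.body#/id
```

When the workflow ends at get-image, the workflow-level incidentId output has no value, so callers should treat it as optional.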