feat: A new message File is added

Google APIs · copybara-github · commit 406651201ecf · 2026-01-12T12:12:51.000-08:00
feat: A new field `files` is added to message `.grafeas.v1.DiscoveryOccurrence`
feat: A new field `return_partial_success` is added to message `.grafeas.v1.ListOccurrencesRequest`
feat: A new field `unreachable` is added to message `.grafeas.v1.ListOccurrencesResponse`
feat: A new field `return_partial_success` is added to message `.grafeas.v1.ListNotesRequest`
feat: A new field `unreachable` is added to message `.grafeas.v1.ListNotesResponse`
feat: A new message `Risk` is added
feat: A new message `CISAKnownExploitedVulnerabilities` is added
feat: A new message `ExploitPredictionScoringSystem` is added
feat: A new field `data` is added to message `.grafeas.v1.SecretOccurrence`
feat: A new field `digest` is added to message `.grafeas.v1.SecretOccurrence`
feat: A new value `SECRET_KIND_GCP_API_KEY` is added to enum `SecretKind`
feat: A new value `SECRET_KIND_GCP_OAUTH2_CLIENT_CREDENTIALS` is added to enum `SecretKind`
feat: A new value `SECRET_KIND_GCP_OAUTH2_ACCESS_TOKEN` is added to enum `SecretKind`
feat: A new value `SECRET_KIND_ANTHROPIC_ADMIN_API_KEY` is added to enum `SecretKind`
feat: A new value `SECRET_KIND_ANTHROPIC_API_KEY` is added to enum `SecretKind`
feat: A new value `SECRET_KIND_AZURE_ACCESS_TOKEN` is added to enum `SecretKind`
feat: A new value `SECRET_KIND_AZURE_IDENTITY_TOKEN` is added to enum `SecretKind`
feat: A new value `SECRET_KIND_DOCKER_HUB_PERSONAL_ACCESS_TOKEN` is added to enum `SecretKind`
feat: A new value `SECRET_KIND_GITHUB_APP_REFRESH_TOKEN` is added to enum `SecretKind`
feat: A new value `SECRET_KIND_GITHUB_APP_SERVER_TO_SERVER_TOKEN` is added to enum `SecretKind`
feat: A new value `SECRET_KIND_GITHUB_APP_USER_TO_SERVER_TOKEN` is added to enum `SecretKind`
feat: A new value `SECRET_KIND_GITHUB_CLASSIC_PERSONAL_ACCESS_TOKEN` is added to enum `SecretKind`
feat: A new value `SECRET_KIND_GITHUB_FINE_GRAINED_PERSONAL_ACCESS_TOKEN` is added to enum `SecretKind`
feat: A new value `SECRET_KIND_GITHUB_OAUTH_TOKEN` is added to enum `SecretKind`
feat: A new value `SECRET_KIND_HUGGINGFACE_API_KEY` is added to enum `SecretKind`
feat: A new value `SECRET_KIND_OPENAI_API_KEY` is added to enum `SecretKind`
feat: A new value `SECRET_KIND_PERPLEXITY_API_KEY` is added to enum `SecretKind`
feat: A new value `SECRET_KIND_STRIPE_SECRET_KEY` is added to enum `SecretKind`
feat: A new value `SECRET_KIND_STRIPE_RESTRICTED_KEY` is added to enum `SecretKind`
feat: A new value `SECRET_KIND_STRIPE_WEBHOOK_SECRET` is added to enum `SecretKind`
feat: A new field `risk` is added to message `.grafeas.v1.VulnerabilityOccurrence`
docs: A comment for enum value `SECRET_KIND_GCP_SERVICE_ACCOUNT_KEY` in enum `SecretKind` is changed

PiperOrigin-RevId: 855331622
diff --git a/grafeas/v1/BUILD.bazel b/grafeas/v1/BUILD.bazel
@@ -38,6 +38,7 @@ proto_library(
         "intoto_statement.proto",
         "package.proto",
         "provenance.proto",
+        "risk.proto",
         "sbom.proto",
         "secret.proto",
         "severity.proto",
diff --git a/grafeas/v1/discovery.proto b/grafeas/v1/discovery.proto
@@ -148,4 +148,12 @@ message DiscoveryOccurrence {
 
   // The status of an vulnerability attestation generation.
   VulnerabilityAttestation vulnerability_attestation = 10;
+
+  message File {
+    string name = 1;
+    map<string, string> digest = 2;
+  }
+
+  // Files that make up the resource described by the occurrence.
+  repeated File files = 11;
 }
diff --git a/grafeas/v1/grafeas.proto b/grafeas/v1/grafeas.proto
@@ -402,6 +402,13 @@ message ListOccurrencesRequest {
 
   // Token to provide to skip to a particular spot in the list.
   string page_token = 4;
+
+  // If set, the request will return all reachable Occurrences
+  // and report all unreachable regions in the `unreachable` field in
+  // the response.
+  //
+  // Only applicable for requests in the global region.
+  bool return_partial_success = 5;
 }
 
 // Response for listing occurrences.
@@ -412,6 +419,12 @@ message ListOccurrencesResponse {
   // `page_token` for the following request. An empty value means no more
   // results.
   string next_page_token = 2;
+  // Unreachable regions. Populated for requests from the global region
+  // when `return_partial_success` is set.
+  //
+  // Format: `projects/[PROJECT_ID]/locations/[LOCATION]`
+  repeated string unreachable = 3
+      [(google.api.field_behavior) = UNORDERED_LIST];
 }
 
 // Request to delete an occurrence.
@@ -488,6 +501,13 @@ message ListNotesRequest {
 
   // Token to provide to skip to a particular spot in the list.
   string page_token = 4;
+
+  // If set, the request will return all reachable Notes
+  // and report all unreachable regions in the `unreachable` field in
+  // the response.
+  //
+  // Only applicable for requests in the global region.
+  bool return_partial_success = 5;
 }
 
 // Response for listing notes.
@@ -498,6 +518,12 @@ message ListNotesResponse {
   // `page_token` for the following request. An empty value means no more
   // results.
   string next_page_token = 2;
+  // Unreachable regions. Populated for requests from the global region
+  // when `return_partial_success` is set.
+  //
+  // Format: `projects/[PROJECT_ID]/locations/[LOCATION]`
+  repeated string unreachable = 3
+      [(google.api.field_behavior) = UNORDERED_LIST];
 }
 
 // Request to delete a note.
diff --git a/grafeas/v1/risk.proto b/grafeas/v1/risk.proto
@@ -0,0 +1,46 @@
+// Copyright 2025 The Grafeas Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package grafeas.v1;
+
+option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
+option java_multiple_files = true;
+option java_package = "io.grafeas.v1";
+option objc_class_prefix = "GRA";
+
+message Risk {
+  // CISA maintains the authoritative source of vulnerabilities that have been
+  // exploited in the wild.
+  CISAKnownExploitedVulnerabilities cisa_kev = 1;
+  // The Exploit Prediction Scoring System (EPSS) estimates the likelihood
+  // (probability) that a software vulnerability will be exploited in the wild.
+  ExploitPredictionScoringSystem epss = 2;
+}
+
+message CISAKnownExploitedVulnerabilities {
+  // Whether the vulnerability is known to have been leveraged as part of a
+  // ransomware campaign.
+  string known_ransomware_campaign_use = 1;
+}
+
+message ExploitPredictionScoringSystem {
+  // The percentile of the current score, the proportion of all scored
+  // vulnerabilities with the same or a lower EPSS score
+  double percentile = 1;
+  // The EPSS score representing the probability [0-1] of exploitation in the
+  // wild in the next 30 days
+  double score = 2;
+}
diff --git a/grafeas/v1/secret.proto b/grafeas/v1/secret.proto
@@ -17,6 +17,7 @@ syntax = "proto3";
 package grafeas.v1;
 
 import "google/api/field_behavior.proto";
+import "google/protobuf/any.proto";
 import "google/protobuf/timestamp.proto";
 import "grafeas/v1/common.proto";
 
@@ -39,6 +40,13 @@ message SecretOccurrence {
 
   // Status of the secret.
   repeated SecretStatus statuses = 3 [(google.api.field_behavior) = OPTIONAL];
+
+  // Scan result of the secret.
+  google.protobuf.Any data = 4;
+
+  // Hash value, typically a digest for the secret data, that allows unique
+  // identification of a specific secret.
+  Digest digest = 5;
 }
 
 // The location of the secret.
@@ -84,7 +92,50 @@ enum SecretKind {
   SECRET_KIND_UNSPECIFIED = 0;
   // The secret kind is unknown.
   SECRET_KIND_UNKNOWN = 1;
-  // A GCP service account key per:
+  // A Google Cloud service account key per:
   // https://cloud.google.com/iam/docs/creating-managing-service-account-keys
   SECRET_KIND_GCP_SERVICE_ACCOUNT_KEY = 2;
+  // A Google Cloud API key per:
+  // https://cloud.google.com/docs/authentication/api-keys
+  SECRET_KIND_GCP_API_KEY = 3;
+  // A Google Cloud OAuth2 client credentials per:
+  // https://developers.google.com/identity/protocols/oauth2
+  SECRET_KIND_GCP_OAUTH2_CLIENT_CREDENTIALS = 4;
+  // A Google Cloud OAuth2 access token per:
+  // https://cloud.google.com/docs/authentication/token-types#access
+  SECRET_KIND_GCP_OAUTH2_ACCESS_TOKEN = 5;
+  // An Anthropic Admin API key.
+  SECRET_KIND_ANTHROPIC_ADMIN_API_KEY = 6;
+  // An Anthropic API key.
+  SECRET_KIND_ANTHROPIC_API_KEY = 7;
+  // An Azure access token.
+  SECRET_KIND_AZURE_ACCESS_TOKEN = 8;
+  // An Azure Identity Platform ID token.
+  SECRET_KIND_AZURE_IDENTITY_TOKEN = 9;
+  // A Docker Hub personal access token.
+  SECRET_KIND_DOCKER_HUB_PERSONAL_ACCESS_TOKEN = 10;
+  // A GitHub App refresh token.
+  SECRET_KIND_GITHUB_APP_REFRESH_TOKEN = 11;
+  // A GitHub App server-to-server token.
+  SECRET_KIND_GITHUB_APP_SERVER_TO_SERVER_TOKEN = 12;
+  // A GitHub App user-to-server token.
+  SECRET_KIND_GITHUB_APP_USER_TO_SERVER_TOKEN = 13;
+  // A GitHub personal access token (classic).
+  SECRET_KIND_GITHUB_CLASSIC_PERSONAL_ACCESS_TOKEN = 14;
+  // A GitHub fine-grained personal access token.
+  SECRET_KIND_GITHUB_FINE_GRAINED_PERSONAL_ACCESS_TOKEN = 15;
+  // A GitHub OAuth token.
+  SECRET_KIND_GITHUB_OAUTH_TOKEN = 16;
+  // A Hugging Face API key.
+  SECRET_KIND_HUGGINGFACE_API_KEY = 17;
+  // An OpenAI API key.
+  SECRET_KIND_OPENAI_API_KEY = 18;
+  // A Perplexity API key.
+  SECRET_KIND_PERPLEXITY_API_KEY = 19;
+  // A Stripe secret key.
+  SECRET_KIND_STRIPE_SECRET_KEY = 20;
+  // A Stripe restricted key.
+  SECRET_KIND_STRIPE_RESTRICTED_KEY = 21;
+  // A Stripe webhook secret.
+  SECRET_KIND_STRIPE_WEBHOOK_SECRET = 22;
 }
diff --git a/grafeas/v1/swagger/grafeas.swagger.json b/grafeas/v1/swagger/grafeas.swagger.json
diff --git a/grafeas/v1/vulnerability.proto b/grafeas/v1/vulnerability.proto
