# List Sealing Rules **Description:** Retrieves the list of sealing rules configured for your tenant, with options to filter the results by project name and vulnerable package name. {% hint style="info" %} A sealing rule says, for example, "in project `my-backend-service`, replace `log4j-core 2.14.1` with `log4j-core 2.14.1+sp1`". Other rules can apply tenant-wide, or to every package in a project. Multiple rules can match the same package; broader rules (e.g. tenant-wide, or `` package) set the default, and narrower rules act as targeted overrides. For background on how rules are authored and managed, see [The Sealing Rules tab](/new-documentation/new-docs/protection-page/sealing-rules-tab.md). {% endhint %} **Path:** **Method:** GET **Authentication:** See detailed explanation [here](/apis.md#authentication). #### Request Parameters This endpoint accepts the following optional query parameters to filter the results:
Parameter NameTypeDescriptionAccepted Values
project_name_filterstringFilter rules by project name. When omitted, returns rules for every project, including tenant-wide rules. When set to a substring, returns rules whose project_name contains it (case-insensitive); does not match tenant-wide rules. When set to <ANY>, returns only tenant-wide rules.Any string, or <ANY>
package_name_filterstringFilter rules by vulnerable package name. Same three-way behavior as project_name_filter: omitted returns all, a substring filters case-insensitively, and <ANY> returns only rules that cover all packages.Any string, or <ANY>
limitintegerMaximum number of sealing rules to return in a single page.1 to 100 (default 50)
cursorstringOpaque pagination cursor returned by a previous response's next_page. Omit on the first request.Any string returned by a previous call
When both filters are provided, results must satisfy both (logical AND). {% hint style="warning" %} Only Remote (server-side) sealing rules — those created via the Seal UI or API — are returned. Local rules defined in a project's `.seal-actions.yml` are not included. {% endhint %} #### Response The API returns a paginated JSON object containing a page of sealing rules and an opaque cursor for fetching the next page. **Response Structure:** JSON ```json { "items": [ { "project_name": "string", "vulnerable_package_name": "string", "vulnerable_package_version": "string", "sealed_package_name": "string", "sealed_package_version": "string", "created_on": "string" } ], "next_page": "string | null" } ``` **Response Fields:**
Field NameTypeDescription
itemsarray of sealing rule objectsThe page of sealing rules. See the table below for each object's fields.
next_pagestring or nullOpaque cursor for the next page. Pass it back as the cursor query parameter to fetch the next page; null when there are no further pages.
The sealing rule object is composed of the following fields:
Field NameTypeDescription
project_namestringThe Seal project the rule applies to, or <ANY> to apply tenant-wide.
vulnerable_package_namestringThe name of the vulnerable package the rule replaces, or <ANY> (paired with vulnerable_package_version: <ANY>) to match every package.
vulnerable_package_versionstringThe version of the vulnerable package the rule replaces, or <ANY> (paired with vulnerable_package_name: <ANY>) to match every version.
sealed_package_namestringThe name of the sealed package that replaces the vulnerable one, or <ANY> when vulnerable_package_name is also <ANY>.
sealed_package_versionstringOne of: a specific sealed version string (pinned), <SAFEST> (resolves to the safest version at apply-time), or <ORIGIN> (do not seal, keep the origin version).
created_onstringThe date and time (ISO 8601 format, UTC) when the rule was created.
**Sentinel values:** The response uses three reserved sentinel strings to express values that a normal package, project, or version name cannot. Each sentinel is enclosed in angle brackets.
SentinelUsed in fieldsDescription
<ANY>project_name, vulnerable_package_name, vulnerable_package_version, sealed_package_nameWildcard. The rule matches any value for that field. vulnerable_package_name, vulnerable_package_version, and sealed_package_name are paired: when one is <ANY>, all three are.
<SAFEST>sealed_package_versionUn-pinned. Resolves at apply-time to the safest available version of the matched package.
<ORIGIN>sealed_package_versionFor this specific origin version, leave it as-is. Useful as a narrow exception that overrides a broader rule. <ORIGIN> only applies to rules that target a concrete vulnerable version; it cannot pair with vulnerable_package_version: <ANY>.
#### Example Requests and Responses **1. List the first page of sealing rules:** To retrieve every rule, follow `next_page` until it is `null`. **Request (cURL):** Bash ```bash curl -X GET \ 'https://external.sealsecurity.io/authenticated/api/v1/sealing-rules' \ -H 'Authorization: Bearer YOUR_ACCESS_TOKEN' ``` **Example Response (Truncated):** JSON ```json { "items": [ { "project_name": "my-backend-service", "vulnerable_package_name": "log4j-core", "vulnerable_package_version": "2.14.1", "sealed_package_name": "log4j-core", "sealed_package_version": "2.14.1+sp1", "created_on": "2026-04-22T09:14:08Z" }, { "project_name": "", "vulnerable_package_name": "lodash", "vulnerable_package_version": "4.17.20", "sealed_package_name": "lodash", "sealed_package_version": "", "created_on": "2026-04-18T16:02:51Z" }, { "project_name": "my-backend-service", "vulnerable_package_name": "", "vulnerable_package_version": "", "sealed_package_name": "", "sealed_package_version": "", "created_on": "2026-04-10T11:30:00Z" }, { "project_name": "my-backend-service", "vulnerable_package_name": "requests", "vulnerable_package_version": "2.28.1", "sealed_package_name": "requests", "sealed_package_version": "", "created_on": "2026-04-05T08:47:23Z" } ], "next_page": "eyJsYXN0X2tleSI6ICJydWxlLTEyMyJ9" } ``` **2. Filter rules by project name:** **Request (cURL):** Bash ```bash curl -X GET \ 'https://external.sealsecurity.io/authenticated/api/v1/sealing-rules?project_name_filter=backend' \ -H 'Authorization: Bearer YOUR_ACCESS_TOKEN' ``` **Example Response:** JSON ```json { "items": [ { "project_name": "my-backend-service", "vulnerable_package_name": "log4j-core", "vulnerable_package_version": "2.14.1", "sealed_package_name": "log4j-core", "sealed_package_version": "2.14.1+sp1", "created_on": "2026-04-22T09:14:08Z" }, { "project_name": "my-backend-service", "vulnerable_package_name": "", "vulnerable_package_version": "", "sealed_package_name": "", "sealed_package_version": "", "created_on": "2026-04-10T11:30:00Z" } ], "next_page": null } ``` **3. Get only tenant-wide rules (those that apply to every project):** **Request (cURL):** Bash ```bash curl -X GET \ 'https://external.sealsecurity.io/authenticated/api/v1/sealing-rules?project_name_filter=%3CANY%3E' \ -H 'Authorization: Bearer YOUR_ACCESS_TOKEN' ``` **Example Response:** JSON ```json { "items": [ { "project_name": "", "vulnerable_package_name": "lodash", "vulnerable_package_version": "4.17.20", "sealed_package_name": "lodash", "sealed_package_version": "", "created_on": "2026-04-18T16:02:51Z" } ], "next_page": null } ``` **4. Filter by package name and paginate:** **Request (cURL):** Bash ```bash curl -X GET \ 'https://external.sealsecurity.io/authenticated/api/v1/sealing-rules?package_name_filter=log4j&limit=25' \ -H 'Authorization: Bearer YOUR_ACCESS_TOKEN' ``` **Example Response (first page, truncated):** JSON ```json { "items": [ { "project_name": "my-backend-service", "vulnerable_package_name": "log4j-core", "vulnerable_package_version": "2.14.1", "sealed_package_name": "log4j-core", "sealed_package_version": "2.14.1+sp1", "created_on": "2026-04-22T09:14:08Z" } ], "next_page": "eyJsYXN0X2tleSI6ICJydWxlLTEyMyJ9" } ``` To fetch the next page, pass the previous response's `next_page` value as the `cursor` query parameter: Bash ```bash curl -X GET \ 'https://external.sealsecurity.io/authenticated/api/v1/sealing-rules?package_name_filter=log4j&limit=25&cursor=eyJsYXN0X2tleSI6ICJydWxlLTEyMyJ9' \ -H 'Authorization: Bearer YOUR_ACCESS_TOKEN' ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.sealsecurity.io/apis/list-sealing-rules.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.