{"resources":{"vllm":{"id":"vllm","name":"vllm","fields":{"endpoint":{"name":"endpoint","type":"\u001bvllm.endpoint","title":"vLLM HTTP endpoint posture","desc":"Examine the probe result for a single vLLM HTTP endpoint, identified by `path` and `method` (e.g., `vllm.endpoint(path: \"/v1/models\", method: \"GET\")`). Each probe records the endpoint category, whether the route was observed at all, the anonymous and authenticated status codes, whether anonymous traffic reached the route or got an auth-like rejection, and human-readable notes from the probe.","provider":"go.mondoo.com/mql/providers/vllm","is_implicit_resource":true},"endpoints":{"name":"endpoints","type":"\u0019\u001bvllm.endpoint","title":"Observed HTTP endpoint posture","provider":"go.mondoo.com/mql/providers/vllm"},"metrics":{"name":"metrics","type":"\u001bvllm.metrics","title":"Minimal exposed metrics posture","provider":"go.mondoo.com/mql/providers/vllm"},"model":{"name":"model","type":"\u001bvllm.model","title":"vLLM served model","desc":"Examine a model loaded for serving on the vLLM instance. The `id` field is the model identifier as configured at launch (typically a Hugging Face model path such as `meta-llama/Llama-3.1-8B-Instruct`). The `root` field is the underlying model path, and `maxModelLen` is the context window length in tokens configured for this deployment.","provider":"go.mondoo.com/mql/providers/vllm","is_implicit_resource":true},"models":{"name":"models","type":"\u0019\u001bvllm.model","title":"Models loaded for serving","min_provider_version":"13.0.7","provider":"go.mondoo.com/mql/providers/vllm"},"server":{"name":"server","type":"\u001bvllm.server","title":"Server-level HTTP posture summary","provider":"go.mondoo.com/mql/providers/vllm"},"version":{"name":"version","type":"\u0007","title":"vLLM server version, if the /version endpoint is observable","provider":"go.mondoo.com/mql/providers/vllm"}},"title":"vLLM inference server","desc":"Examine the security posture and model inventory of a remote vLLM HTTP inference server: the server-level summary, the per-endpoint anonymous-access probe results, the minimal metrics-exposure posture, the reported vLLM version, and the models loaded for serving.","min_provider_version":"13.0.1","provider":"go.mondoo.com/mql/providers/vllm"},"vllm.endpoint":{"id":"vllm.endpoint","name":"vllm.endpoint","fields":{"anonymousAccessible":{"name":"anonymousAccessible","type":"\u0004","title":"Whether an anonymous request reached the route without an auth-like rejection","provider":"go.mondoo.com/mql/providers/vllm"},"anonymousStatusCode":{"name":"anonymousStatusCode","type":"\u0005","title":"Status code returned by the anonymous probe","provider":"go.mondoo.com/mql/providers/vllm"},"authenticatedStatusCode":{"name":"authenticatedStatusCode","type":"\u0005","title":"Status code returned by the authenticated probe, if an API key was provided","provider":"go.mondoo.com/mql/providers/vllm"},"category":{"name":"category","type":"\u0007","title":"Endpoint category","provider":"go.mondoo.com/mql/providers/vllm"},"method":{"name":"method","type":"\u0007","is_mandatory":true,"title":"HTTP method used by the probe","provider":"go.mondoo.com/mql/providers/vllm"},"notes":{"name":"notes","type":"\u0019\u0007","title":"Human-readable probe notes","provider":"go.mondoo.com/mql/providers/vllm"},"path":{"name":"path","type":"\u0007","is_mandatory":true,"title":"URL path of the probed endpoint","provider":"go.mondoo.com/mql/providers/vllm"},"present":{"name":"present","type":"\u0004","title":"Whether the route was observed by HTTP status behavior","provider":"go.mondoo.com/mql/providers/vllm"},"requiresAuth":{"name":"requiresAuth","type":"\u0004","title":"Whether an anonymous request was rejected with an auth-like response","provider":"go.mondoo.com/mql/providers/vllm"}},"init":{"args":[{"name":"path","type":"\u0007"},{"name":"method","type":"\u0007"}]},"title":"vLLM HTTP endpoint posture","desc":"Examine the probe result for a single vLLM HTTP endpoint, identified by `path` and `method` (e.g., `vllm.endpoint(path: \"/v1/models\", method: \"GET\")`). Each probe records the endpoint category, whether the route was observed at all, the anonymous and authenticated status codes, whether anonymous traffic reached the route or got an auth-like rejection, and human-readable notes from the probe.","min_provider_version":"13.0.1","defaults":"method path category present anonymousAccessible requiresAuth","provider":"go.mondoo.com/mql/providers/vllm"},"vllm.metrics":{"id":"vllm.metrics","name":"vllm.metrics","fields":{"loadEndpointExposed":{"name":"loadEndpointExposed","type":"\u0004","title":"Whether /load is anonymously exposed","provider":"go.mondoo.com/mql/providers/vllm"},"loadTrackingVisible":{"name":"loadTrackingVisible","type":"\u0004","title":"Whether /load appears reachable enough to expose load-tracking state","provider":"go.mondoo.com/mql/providers/vllm"},"prometheusExposed":{"name":"prometheusExposed","type":"\u0004","title":"Whether /metrics is anonymously exposed","provider":"go.mondoo.com/mql/providers/vllm"}},"title":"Minimal vLLM metrics exposure posture","desc":"Examine whether the metrics-related endpoints are anonymously reachable: the Prometheus `/metrics` endpoint, the `/load` endpoint, and whether `/load` returns enough state to leak load-tracking information.","min_provider_version":"13.0.1","defaults":"prometheusExposed loadEndpointExposed","provider":"go.mondoo.com/mql/providers/vllm"},"vllm.model":{"id":"vllm.model","name":"vllm.model","fields":{"created":{"name":"created","type":"\t","is_mandatory":true,"title":"Model creation timestamp as reported by the server","provider":"go.mondoo.com/mql/providers/vllm"},"id":{"name":"id","type":"\u0007","is_mandatory":true,"title":"Model identifier","provider":"go.mondoo.com/mql/providers/vllm"},"maxModelLen":{"name":"maxModelLen","type":"\u0005","is_mandatory":true,"title":"Maximum context window length in tokens","provider":"go.mondoo.com/mql/providers/vllm"},"ownedBy":{"name":"ownedBy","type":"\u0007","is_mandatory":true,"title":"Entity that owns or manages the model","provider":"go.mondoo.com/mql/providers/vllm"},"parent":{"name":"parent","type":"\u0007","is_mandatory":true,"title":"Parent model identifier","desc":"Set for LoRA adapters to reference the base model they extend. Empty for base models.","provider":"go.mondoo.com/mql/providers/vllm"},"root":{"name":"root","type":"\u0007","is_mandatory":true,"title":"Underlying model path","desc":"Typically the Hugging Face repository path or a local filesystem path. May differ from `id` when the model is served under an alias.","provider":"go.mondoo.com/mql/providers/vllm"}},"title":"vLLM served model","desc":"Examine a model loaded for serving on the vLLM instance. The `id` field is the model identifier as configured at launch (typically a Hugging Face model path such as `meta-llama/Llama-3.1-8B-Instruct`). The `root` field is the underlying model path, and `maxModelLen` is the context window length in tokens configured for this deployment.","min_provider_version":"13.0.7","defaults":"id maxModelLen","provider":"go.mondoo.com/mql/providers/vllm"},"vllm.server":{"id":"vllm.server","name":"vllm.server","fields":{"baseUrl":{"name":"baseUrl","type":"\u0007","title":"Base URL used by this connection","provider":"go.mondoo.com/mql/providers/vllm"},"corsAllowsAnyOrigin":{"name":"corsAllowsAnyOrigin","type":"\u0004","title":"Whether a random origin is accepted by CORS preflight","provider":"go.mondoo.com/mql/providers/vllm"},"corsConfigured":{"name":"corsConfigured","type":"\u0004","title":"Whether CORS behavior could be observed","provider":"go.mondoo.com/mql/providers/vllm"},"devEndpointsExposed":{"name":"devEndpointsExposed","type":"\u0004","title":"Whether development-only routes are anonymously exposed","provider":"go.mondoo.com/mql/providers/vllm"},"docsExposed":{"name":"docsExposed","type":"\u0004","title":"Whether FastAPI documentation is anonymously exposed","provider":"go.mondoo.com/mql/providers/vllm"},"loadEndpointExposed":{"name":"loadEndpointExposed","type":"\u0004","title":"Whether the /load endpoint is anonymously exposed","provider":"go.mondoo.com/mql/providers/vllm"},"metricsExposed":{"name":"metricsExposed","type":"\u0004","title":"Whether Prometheus metrics are anonymously exposed","provider":"go.mondoo.com/mql/providers/vllm"},"openapiExposed":{"name":"openapiExposed","type":"\u0004","title":"Whether the OpenAPI document is anonymously exposed","provider":"go.mondoo.com/mql/providers/vllm"},"profilerEndpointsExposed":{"name":"profilerEndpointsExposed","type":"\u0004","title":"Whether profiler routes are anonymously exposed","provider":"go.mondoo.com/mql/providers/vllm"},"reachable":{"name":"reachable","type":"\u0004","title":"Whether the server responded to a basic health probe","provider":"go.mondoo.com/mql/providers/vllm"},"tokenizerInfoExposed":{"name":"tokenizerInfoExposed","type":"\u0004","title":"Whether tokenizer information is anonymously exposed","provider":"go.mondoo.com/mql/providers/vllm"},"usesTls":{"name":"usesTls","type":"\u0004","title":"Whether the target URL uses HTTPS","provider":"go.mondoo.com/mql/providers/vllm"},"version":{"name":"version","type":"\u0007","title":"vLLM software version, if exposed by /version","provider":"go.mondoo.com/mql/providers/vllm"}},"title":"vLLM server-level HTTP posture","desc":"Examine the server-wide HTTP exposure findings: the base URL the connection probed, whether the server is reachable, the reported vLLM version, whether the connection is over TLS, and whether FastAPI docs / OpenAPI / Prometheus metrics / /load / tokenizer-info / dev / profiler endpoints are anonymously exposed. Also surfaces CORS posture (configured at all, accepts any origin).","min_provider_version":"13.0.1","defaults":"baseUrl reachable version","provider":"go.mondoo.com/mql/providers/vllm"}}}