Configure scanning

You can specify how often Prisma Cloud scans your environment for vulnerabilities and compliance issues. By default, Prisma Cloud scans your environment every 24 hours. Images are re-scanned when changes are detected. For example, pulling a new image triggers a scan.
Prisma Cloud scans for vulnerabilities and/or compliance issues in:
  • Images
  • PCF Blobstores
  • Containers
  • Serverless functions
  • Hosts
  • Cloud platforms
  • Registries
Scan intervals can be separately configured for each type of object.

Configuring scan intervals

The scan frequency is configurable. By default, Prisma Cloud scans your environment every 24 hours.
  1. Open Console.
  2. Go to
    Manage > System > Scan
    .
  3. Scroll down to the
    Scheduling
    section.
  4. Set the scan intervals for each type according to your requirements.
    Scan intervals are specified in hours.
  5. Scroll to the bottom of the page, and click
    Save
    .

Last scan time

Console reports the last time Defender scanned your environment. Go to
Manage > Defenders > Manage
, and click a row in the table to get a detailed status report for each deployed Defender. The status column shows the last time Defender scanned the containers and images on the host where it runs. When Defender is delegated the registry scanner role, you can also see the last time your registry was scanned.
Defender roles are displayed in the
Manage > Defenders > Manage
table. The following screenshot shows that Defender on host ian-23 is a registry scanner.

Scan performance

Scanning for malware in archives in container images consumes a lot of resources. The scanner unpacks each archive to search for malicious software. Checksums must be indiviudally calculated for each file. Because of the performance impact and the way containers tend to be used, malware in archives is an unlikely threat. As such,
Scan for malware within archives in images
is disabled by default.
If this option is enabled, Prisma Cloud supports the following archive file types.
  • ZIP
  • GZ
  • TAR
  • WAR
  • JAR
  • EAR
Note: If the archive is over 512Mb, Prisma Cloud will not scan it.

Scan JavaScript components in manifest but not on disk

When this option is enabled, Prisma Cloud scans for vulnerabilities in components listed in manifests, but not actually present in the image or function being scanned. This can be used to identify vulnerable components used in development but can lead to significant numbers of false positive results and is not recommended in production scenarios.

Unrated vulnerabilities

When
Show vulnerabilities that are of negligible severity
is enabled, the scanner reports CVEs that aren’t scored yet or have a negligible severity. Negligible severity vulnerabilities don’t pose a security risk, and are often designated with a status of "will not fix" or similar labels by the vendor. They are typically theoretical, require a very special (unlikely) situation to be exploited, or cause no real damage when exploited.
By default, this setting is disabled to strip unactionable noise from your scan reports.

Orchestration

Kubernetes and other orchestrators have control plane components implemented as containers. By default, Prisma Cloud doesn’t scan orchestrator utility contianers for vulnerability and compliance issues.

Recommended For You