Because Prisma Cloud knows the state of all the images in your environment, it can show you all the places where you might be at risk from a given set of vulnerabilities.
To generate a risk tree, provide a CVE, and Prisma Cloud returns:
A list of images that contain packages affected by the specified CVE.
A list of running containers (created from the images listed above) that are affected by the specified CVE.
A list of hosts where the images affected by the specified CVE reside.
The risk tree lets you create a detailed map of your exposure to a vulnerability, and can help you identify the best way to resolve it in your upstream images.
Generating a risk tree
shows you risk trees for the top ten vulnerabilities in your container ecosystem.
To see the risk tree for any arbitrary CVE, you must use the Prisma Cloud API.
To generate a risk tree, submit a CVE to the API.
The API returns an ordered tree of the images that contain those vulnerabilities, containers that are derived from those images, and hosts where those images live.
This allows you to automate, with a single API call, the creation of a detailed map of your exposure to the vulnerabilities.
To generate a risk tree, use the following endpoint:
For example, to generate a risk tree for CVE-2016-2109:
The following listing shows an example response.
For complete details about the response object, see the API reference.
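Once a risk tree has been retrieved, it can be reduced to a fix-priority list per upstream image. The following is an added example, not Prisma Cloud code: the input shape and field names (`images`, `containers`, `hosts`, `image_id`, `image_ids`) are assumptions made for illustration rather than the API's response schema, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample data. The three lists mirror what the page says a risk
# tree contains; the field names are assumptions, not the API's schema.
RISK_TREE = {
    "cve": "CVE-2016-2109",
    "images": [
        {"id": "sha256:aaa", "name": "registry.example/web:1.4"},
        {"id": "sha256:bbb", "name": "registry.example/batch:2.0"},
        {"id": "sha256:ccc", "name": "registry.example/legacy:0.9"},
    ],
    "containers": [
        {"name": "web-1", "image_id": "sha256:aaa", "host": "node-a"},
        {"name": "web-2", "image_id": "sha256:aaa", "host": "node-b"},
        {"name": "batch-1", "image_id": "sha256:bbb", "host": "node-a"},
    ],
    "hosts": [
        {"name": "node-a", "image_ids": ["sha256:aaa", "sha256:bbb"]},
        {"name": "node-b", "image_ids": ["sha256:aaa", "sha256:ccc"]},
    ],
}


def exposure_by_image(tree):
    """Return one row per affected image, most exposed first."""
    running = defaultdict(list)   # image id -> running container names
    stored = defaultdict(set)     # image id -> hosts holding the image
    for c in tree["containers"]:
        running[c["image_id"]].append(c["name"])
    for h in tree["hosts"]:
        for image_id in h["image_ids"]:
            stored[image_id].add(h["name"])
    rows = []
    for img in tree["images"]:
        rows.append({
            "image": img["name"],
            "containers": sorted(running[img["id"]]),
            "hosts": sorted(stored[img["id"]]),
            # No running container: image is at rest on its hosts, ranked lower.
            "running": bool(running[img["id"]]),
        })
    rows.sort(key=lambda r: (-len(r["containers"]), -len(r["hosts"]), r["image"]))
    return rows


if __name__ == "__main__":
    for row in exposure_by_image(RISK_TREE):
        state = "RUNNING" if row["running"] else "at rest"
        print(f'{row["image"]:32} {state:8} containers={row["containers"]} hosts={row["hosts"]}')
```

To use it on real data, map the fields of the actual response object, as documented in the API reference, onto this shape first.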