19.11 Release Notes

This section provides a snapshot of the new features introduced in Prisma™ Cloud Compute Edition version 19.11. See the Prisma Cloud Administrator’s Guide (Compute) for more information on how to use the system.
Twistlock is now part of Palo Alto Networks Prisma Cloud. In the 19.11 release, we support two types of deployments:
  • Self-hosted
     — Customers deploy and operate the entire solution in their own environment. This is the traditional deployment model that Twistlock has supported since its inception. It’s now called Prisma Cloud Compute Edition. If you’re a current Twistlock customer, upgrade to Prisma Cloud Compute Edition.
  • Software as a Service (Saas)
     — Palo Alto Networks runs and maintains Console for you. Customers deploy Defenders to their environment to secure their hosts, containers, and serverless functions. This SaaS service is new, and it’s part of a larger product called Prisma Cloud Enterprise Edition.
The 19.11 features are rolling out globally to all new Prisma Cloud Enterprise Edition customers over the coming weeks. For Compute Edition customers, 19.11 is available immediately.

New features

  • Adds static code analysis which identifies insecure IAM permissions in serverless functions.
  • Extends Serverless Defender to support two additional runtimes: Java and .NET Core (C#).
  • Adds a new default runtime policy for serverless functions (Prisma Cloud Advanced Threat Protection).
  • Adds the ability to update Serverless Defender enforcement policy in real-time as policy is updated in Console.
  • Extends CNAF to protect serverless functions.
  • Improves view filters, as controlled by Collections. Collections now let you filter/select images and containers by host name. Collections also now let you filter/select images by namespace.
  • Digitally signs the twistcli Windows binary.
  • Enriches host scan reports with cloud provider metadata from AWS, Azure, and GCP.
  • Adds a new DevSecOps role.
  • [Prisma Cloud Enterprise Edition] Adds a system to assign Compute (inner interface) roles to Prisma Cloud (outer management interface) service accounts.
  • [Prisma Cloud Enterprise Edition] Shows detailed S3 bucket information in Serverless Radar to support the resource investigation flow.

Breaking Changes

  • [API] The response schema for image, registry, Jenkins, twistcli, host, serverless function, and PCF droplet scan reports returned from the API has changed. These changes were required to support the integration of Twistlock into the Prisma Cloud SaaS service (Prisma Cloud Enterprise Edition). If your scripts depend on these endpoints, you’ll need to refactor them. See the 19.11 API porting guide for more information. The impacted endpoints are:
    • /api/v1/images
    • /api/v1/registry
    • api/v1/scans
    • /api/v1/hosts
    • /api/v1/serverless
    • /api/v1/pcf_droplets
  • The serverless embed function in twistcli has been removed. Serverless Defender can now only be manually embedded into serverless functions.
  • Remember to upgrade all components when upgrading Twistlock 19.07 to Prisma Cloud Compute Edition 19.11. As per standard policy, versions of all deployed components must exactly match. Otherwise, they cannot interoperate. In this release, the Jenkins plugin uses a new schema. If it isn’t updated with the rest of your environment, you’ll get a null pointer exception from the plugin.

Update Notes

Prisma Cloud uses string matching in rules, and it’s especially important in resource filters. In 19.07, Twistlock used the following match logic:
  • A trailing wildcard implied 'string-contains' matching. For example,
    foo-resource*
    would match both
    example-foo-resource
    and
    foo-resource-1
    .
  • No wildcards implied 'string-ends-with' matching. For example,
    /ubuntu:latest
    would match
    docker.io/library/ubuntu:latest
In 19.11, Prisma Cloud requires explicit leading and trailing wildcards (*) to evaluate as 'string-contains'. If there’s no leading wildcard, but there’s a trailing wildcard, it’s evaluated as 'string-starts-with'. If there’s a leading wildcard, but no trailing wildcard, it’s evaluated as 'string-ends-with'. This does not apply to matching for DNS settings, which continue to work as before.
When you upgrade from 19.07 to 19.11, the resource fields in your rules are automatically are migrated to work the same as before, but with the new syntax. The migration logic (old 19.07 string matching expression → new 19.11 string matching expression) is:
name
*name
name*
*name*

Upcoming Breaking Changes

In the next major release of Prisma Cloud Compute, we will revamp the format of the scan results printed by twistcli to stdout. If your scripts parse the scan results, be sure they’re reading the JSON output generated by the --output-file option. You can depend on the format of the JSON output to be stable, but the table pretty-printed to stdout is subject to change. This notice applies to the following twistcli functions
  • twistcli scan images
  • twistcli pcf scan
  • twistcli host scan
  • twistcli serverless scan

Recommended For You