Document:Prisma Cloud Compute Edition Administrator’s Guide

Customize image scanning

Filter

Welcome
- Releases
- Getting started
- Product architecture
- Support lifecycle
- Security Assurance Policy on Prisma Cloud Compute
- Licensing
- Prisma Cloud Enterprise Edition vs Compute Edition
- Utilities and plugins
Install
- Getting started
- System requirements
- Prisma Cloud container images
- Onebox
- Kubernetes
- OpenShift
- OpenShift
- Console on Fargate
- Docker Swarm
- Amazon ECS
- Windows
- Defender types
- Install Defender
Upgrade
- Support lifecycle for connected components
- Prisma Cloud’s backward compatibility and upgrade process
- Upgrade Onebox
- Kubernetes
- OpenShift
- Helm charts
- Docker Swarm
- Amazon ECS
- Manually upgrade single Container Defenders
- Manually upgrade Defender DaemonSets
- Manually upgrade Defender DaemonSets (Helm)
- Manually upgrade Docker Swarm Defenders
Technology overviews
- Intelligence Stream
- Prisma Cloud Advanced Threat Protection
- App-specific network intelligence
- Container Runtimes
- Radar
- Serverless Radar
- Prisma Cloud Rules Guide - Docker
- Defender architecture
- Host Defender architecture
- Telemetry
Configure
- Rule ordering and pattern matching
- Backup and restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Custom certs for Console access
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with certificates
- Configure custom certs from a predefined directory
- Customize terminal output
- Collections
- Tags
- Logon settings
- Reconfigure Prisma Cloud
- Subject Alternative Names
- WildFire settings
Authentication
- Logging into Prisma Cloud
- Integrate with Active Directory
- Integrate with OpenLDAP
- Integrate Prisma Cloud with Open ID Connect
- Integrate with Okta via SAML 2.0 federation
- Integrate Google G Suite via SAML 2.0 federation
- Integrate with Azure Active Directory via SAML 2.0 federation
- Integrate with PingFederate via SAML 2.0 federation
- Integrate with Windows Server 2016 & 2012r2 Active Directory Federation Services (ADFS) via SAML 2.0 federation
- Integrate Prisma Cloud with GitHub
- Integrate Prisma Cloud with OpenShift
- Non-default UPN suffixes
- Compute user roles
- Assign roles
- Use custom certificates for authorization
- Credentials store
Vulnerability management
- Prisma Cloud vulnerability feed
- Vulnerability Explorer
- Vulnerability management rules
- Search CVEs
- Scan reports
- Scanning procedure
- Customize image scanning
- Configure registry scans
- Registry scanning
  - Scan images in Alibaba Cloud Container Registry
  - Amazon EC2 Container Registry (ECR)
  - Azure Container Registry (ACR)
  - Docker Registry v2
  - Google Container Registry (GCR)
  - Harbor
  - IBM Cloud Container Registry
  - Scan images on Artifactory Docker Registry
  - OpenShift integrated Docker registry
  - Trigger registry scans with webhooks
- Base images
- Configure VM image scanning
- Configure code repository scanning
- Malware scanning
- Vulnerability risk tree
- Detect vulnerabilities in unpackaged software
- CVSS scoring
- Windows container image scanning
- Serverless function scanning
- VMware Tanzu blobstore scanning
- Scan Fargate tasks
- Troubleshoot vulnerability detection
Compliance
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Serverless functions compliance checks
- Windows compliance checks
- Docker Enterprise DISA STIG
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- Fargate scanning
- Detect secrets
- Cloud discovery
- OSS license management
Runtime defense
- Runtime defense for containers
- Runtime defense for hosts
- Runtime defense for App-Embedded
- Custom runtime rules
- Import and export individual rules
- ATT&CK Explorer
- Runtime Audits
- Event Aggregation
- Image analysis sandbox
- Incident Explorer
- Incident types
Access control
- Role-based access control for Docker Engine
- Admission control with Open Policy Agent
Continuous integration
- Jenkins plugin
- Jenkins Freestyle project
- Jenkins Maven project
- Jenkins Pipeline project
- Run Jenkins in a container
- Jenkins pipeline on Kubernetes
- CI plugin policy
- Code repo scanning
WAAS
- Web-Application and API Security (WAAS)
- Deploying WAAS
- Firewall Settings
- API Protection
- DoS protection
- Bot Protection
- WAAS Access Controls
- Advanced Settings
- WAAS Analytics
- API observations
- WAAS custom rules
- Detecting unprotected web apps
- WAAS Log Scrubbing
- WAAS Troubleshooting
Firewalls
- Cloud Native Network Firewall (CNNF)
Secrets
- Secrets manager
- Integrate with secrets stores
- Secrets Stores
- Inject secrets into containers
- Injecting secrets: end-to-end example
Alerts
- Alert mechanism
- AWS Security Hub
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts
- ServiceNow alerts
- Slack Alerts
- Webhook alerts
Audit
- Event viewer
- Host activity
- Administrative activity audit trail
- Annotate audit event records
- Delete audit logs
- Syslog and stdout integration
- Log rotation
- Throttling audits
- Prometheus
- Kubernetes auditing
Tools
- twistcli
- Scan images with twistcli
- Scan code repos with twistcli
- Install Console with twistcli
- Update the Intelligence Stream in offline environments
Deployment patterns
- Projects
- Migration options for scale projects
- Best practices for DNS and certificate management
- Disk capacity
- Migrating to a SaaS Console
- Performance planning
- Automated deployment
- High Availability and Disaster Recovery guidelines
API
Howto
- Configure an AWS Classic Load Balancer for ECS
- Configure the load balancer type for AWS EKS
- Configure Prisma Cloud Console’s listening ports
- Provision tenant projects in OpenShift
- Disable automatic learning
- Debug data

Customize image scanning

You can customize how Prisma Cloud scans images and reports data.

Configuring the severity of reported CVEs

By default, Prisma Cloud reports all vulnerabilities. Setting the minimum reported severity lets you clean up the reported vulnerabilities to an actionable set.

To configure a minimum severity, install a new vulnerability rule, which overrides the default rule. Note that Prisma Cloud maps the Common Vulnerability Scoring System (CVSS) to a grading system that ranges from Low to Critical.

Open Console, and go to Defend > Vulnerabilities > Policy
.

Click Add rule
.

Give your rule a name.

In the table of Severity based actions
, set the Severity
in each row to an appropriate level. For example, if you want to concentrate on just the most severe issues, set every row to Critical
.

Click Save
.

View the scan reports for all the entities in your system.

Go to Monitor > Vulnerabilities
. All reported vulnerabilities match or exceed the severity setting in your custom rule.

Scanning custom components

Prisma Cloud lets you scan for insecure versions of proprietary software components.

First, augment Prisma Cloud’s Intelligence Stream with your own custom data that specifies a package type, name, and version number. Then configure Prisma Cloud to take action (alert, block) when the scanner finds this package in an image. By default, Prisma Cloud raises an alert when it detects a vulnerability in a custom component.

Prisma Cloud supports the following package types:

Distro packages (deb, rpm).

Binaries.

Nodejs packages.

Python packages.

Ruby gems.

Java artifacts (JAR files).

For cases where Prisma Cloud does not offer built-in support for a package type, you can specify an MD5 hash for the file.

Defining a custom vulnerability

Define a custom vulnerability.

Open Console.

Go to Manage > System > Custom Feeds
.

Click on Custom Vulnerabilities
.

Click Add
.

Enter a name for your vulnerability..

From the drop-down list, select a package type.

For Debian packages, RPM packages, and shared libraries, select package
.

If your package type is not supported, select binary
.

Enter the name of your package/binary.

Package names can be specified using wild cards (*).

Specify the range of package versions for which your rule applies.

The following formats can be used to specify versions:

Rule	Format	Example
Specific version	Enter a single multi-dot number.	1.1
Range of versions: Min and max are known.	Enter two multi-dot numbers, separated by a dash.	5.4-5.5
Range of versions: Only min version is known.	Specify a multi-dot number for the minimum version, followed by a dash, then a wild card.	0.22.4.1-*
Range of versions: Only max version is known.	Specify a wild card (*) for the minimum version, followed by a dash, then a multi-dot number for the maximum version.	*-0.22.4.1

If package type is set to binary, the version fields are not visible. Instead, enter the MD5 hash for your file or binary.

Click Save
.

Your custom vulnerability is now available to the scanner.

By default, an alert is logged if an image scan detects a component that you have designated as vulnerable. To see the default rule, go to Defend > Vulnerabilities > Images
, and click on the Default - alert all components
rule. To change the default rule, select a different Alert or block threshold. To take a different action, create a new vulnerability rule.

Document:Prisma Cloud Compute Edition Administrator’s Guide

Customize image scanning

Table of Contents

Customize image scanning

Configuring the severity of reported CVEs

Scanning custom components

Defining a custom vulnerability

Most Popular