1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Vulnerability management
    6. Scan reports
    End-of-Life (EoL)

    Scan reports

    Prisma Cloud scans all Docker images on all hosts that run Defender. After Defender is installed, it automatically starts scanning images on the host. After the initial scan, subsequent scans are triggered:
    • Periodically, according to the scan interval configured in Console. By default, images are scanned every 24 hours.
    • When new images are created, pushed, or pulled onto the host.
    • When images change.
    • When scans are forced with the
      Scan
       button in Console.
    Defender scans Docker images for:
    • Published Common Vulnerabilities and Exposures (CVEs).
    • Vulnerabilities from misconfigurations.
    • Malware
    • Zero day vulnerabilities
    • Compliance issues
    • Secrets
    The Prisma Cloud Intelligence Stream keeps Console up to date with the latest vulnerabilities. The data in this feed is distributed to your Defenders, and employed in subsequent scans.
    Through Console, Defender can be extended to scan images for custom components. For example, you can configure Defender to scan for an internally developed library named libexample.so, and set a policy to block a container from running if version 1.9.9 or earlier at installed. For more information, see Scanning custom components.

    View image scan reports

    Review the health of all images in your environment.
    Sorting the table on vulnerability serverity as based on data from the last scan. If you update your vulnerability policy with a different alert threshold, recan your images if you want to be able to sort based on your new settings.
    1. Open Console, then go to
      Monitor > Vulnerabilities > Images
      .
      The table summarizes the state of each image in your environment.
      All vulnerabilities identified in the last image scan can be exported to a CSV file by clicking the
      CSV
       button in the top left of the page.
    2. Click on an image report to open a detailed report.
    3. Click on the
      Vulnerabilities
       tab to see all CVE issues.
      CVE vulnerabilities are accompanied by a brief description. Click
      Show details
       for more information, including a link to the report on the National Vulnerability Database.
      The
      Vendor Status
       column contains terms such as 'deferred', 'fixed in…​', and 'open'. These strings are imported directly from the vendors' CVE databases. They are not Prisma Cloud-specific.

    Tagging vulnerabilities

    To help you manage and fix the vulnerabilities in your environment, you can set tags on each vulnerability. Setting a tag on a vulnerability will apply to the CVE ID and package across the product. The list of available tags is defined under
    Manage > Collections and Tags > Tags
    . See Configure Tags. To add a tag to a vulnerability, click on the
    Add tags to CVE
     action in the
    Tags
     column.
    For tags that are not used as policy exceptions, all user roles that can view the scan results and have the Collections and Tags permission, are allowed to set these tags on CVEs. Setting tags that are used as policy exceptions is allowed only for Admin, Operator, and Vulnerability Manager user roles. Custom roles aren’t allowed to set these tags, regardless of their other permissions.
    You can also add comments to each tag you apply to the CVE, for example, to explain the reason this tag was added. Do it by clicking the comment icon on the left side of the tag.
    By default, all vulnerabilities, according to your policy, are listed. However, you can also examine vulnerabilities only with specific tags. Use the drop-down list to filter by tags.

    Per-layer vulnerability analysis

    To make it easier to understand how images are constructed and what components have vulnerabilities, Prisma Cloud correlates vulnerabilities to layers. This tool helps you assess how vulnerabilities were introduced into an image, and pick a starting point for remediation.
    To see the layer analysis, click on an image to open the scan report, then click the
    Layers
     tab.

    RHEL images

    The Prisma Cloud layers tool shows the instructions used to create each layer in an image. RHEL images, however, don’t contain the necessary metadata, so the Prisma Cloud layers tool shows an empty black box.
    To validate the required metadata is absent, run docker history IMAGE-ID on a non-RHEL image. The CREATED BY column is fully populated.
    Next, run docker history IMAGE-ID on a RHEL image. Notice that the CREATED BY column is empty.

    Packages in use

    Prisma Cloud uses risk scores to calculate the severity of vulnerabilities in your environment. One of the factors in the risk score is called "Package in use", which indicates a package is utilized by running software.
    Scan reports have a
    Package info
     tab, which lists all the packages installed in an image or host. It also shows all active packages, which are packages used by running sofware.
    To see these active packages, open a scan report, open the
    Package info
     tab, and look at the
    Binaries
     column (see the
    App
     column in host scan reports). This column shows what’s actually running in the container. For example, the fluent/fluentd:latest container in the following screenshot runs /usr/bin/ruby. One of the packages utilized by the Ruby runtime is the bigdecimal gem. If you were prioritizing mitigation work, and there were a severe vulnerability in bigdecimal, bigdecimal would be a good candidate to address first.

    Process info

    Prisma Cloud scan reports provide visibility over the startup processes of the image. To see the image startup processes, open a scan report and go to the
    Process info
     tab.
    The processes list is created by a static analysis of the image, which first parses the image history to get the list of startup binaries. The algorithm then iterates over the image binaries and tries to find these startup binaries on the disk (in the file system). Those which were found are displayed under the
    Process info
     tab.

    Per-finding timestamps

    Prisma Cloud’s image scan reports show the following per-vulnerability timestamps:
    • Age of the vulnerability based on the discovery date. This is the first date that the Prisma Cloud scanner found the vulnerability.
    • Age of the vulnerability based on its published date. This represents the date the vulnerability was announced to the world.
    Host scan reports and registry scan reports show the published date only.
    Timestamps are per-image, per-vulnerability. For example, if CVE-2019-1234 was found in image foo/foo:3.1 last week and image bar/bar:7.8 is created from foo/foo:3.1 today, then the scan results for foo show the discovery date for CVE-2019-1234 to be last week and for bar it shows today.
    Timestamped findings are useful when you have time-based SLAs for remediating vulnerabilities (e.g. all critical CVEs must be fixed within 30 days). Per-finding timestamp data makes it possible to track compliance with these SLAs.

    Host and VM image scanning

    Prisma Cloud also scans your hosts and VM images for vulnerabilities. To see the scan report for your hosts and VM images, go to
    Monitor > Vulnerabilities > Hosts
    .
    By default, all vulnerable packages, according to your policy, are listed. However, you can also examine vulnerabilities specific to an app (systemd service). Use the drop-down list to select an app. Clear the selection to see all vulnerabilities for a host/VM image.
    The
    Package Info
     tab lists all packages installed on the host/VM image. If a package has a component utilized by a running app, the affected running apps are listed in the
    Apps
     column.
    Prisma Cloud also collects and displays package license details. License information is available at all places where package details are displayed, such as
    Monitor > Vulnerabilities > Images
     (under the
    Package Info
     tab),
    Monitor > Vulnerabilities > Hosts
     and
    Monitor > Vulnerabilities > Registry
    , as well as the corresponding API endpoints.
    Licensing compliance is currently supported only for viewing purposes and cannot be included in policies for alert/block capabilities.