End-of-Life (EoL)
Serverless function scanning
Prisma Cloud can scan serverless functions for vulnerabilities.
Prisma Cloud supports AWS Lambda, Google Cloud Functions, and Azure Functions.
Serverless computing is an execution model in which a cloud provider dynamically manages the allocation of machine resources and schedules the execution of functions provided by users.
Serverless architectures delegate operational responsibilities, along with many security concerns, to the cloud provider. Your application code, however, remains your responsibility and is still exposed to attack.
The vulnerabilities in your code and associated dependencies are the footholds attackers use to compromise an app.
Prisma Cloud can show you a function’s dependencies, and surface the vulnerabilities in those dependent components.
Capabilities
For serverless, Prisma Cloud can scan Node.js, Python, Java, C#, Ruby, and Go packages.
For a list of supported runtimes see system requirements.
Prisma Cloud scans are triggered by the following events:
- When the settings change, including when new functions are added for scanning.
- When you explicitly click the Scan button in the Monitor > Vulnerabilities > Functions > Scanned Functions page.
- Periodically. By default, Prisma Cloud rescans serverless functions every 24 hours, but you can configure a custom interval in Manage > System > Scan.
Scanning a serverless function
Configure Prisma Cloud to periodically scan your serverless functions.
Unlike image scanning, all function scanning is handled by Console.
- Open Console.
- Go to Defend > Vulnerabilities > Functions > Functions.
- Click on Add scope. In the dialog, enter the following settings:
- Specify a cap for the number of functions to scan. Prisma Cloud scans the X most recent functions, where X is the cap value. Set this value to '0' to scan all functions.
- (AWS only) Specify which regions to scan. By default, the scope is applied to Regular regions. Other options include China regions or Government regions.
- (AWS only) Select Scan only latest versions to scan only the latest version of each function. Otherwise, the scan covers all versions of each function, up to the specified cap value.
- (AWS only) Select Scan Lambda Layers to scan the function's layers as well.
- Select the accounts to scan by credential. To add an account, click on Add credential.
- Click Add.
- Click the green save button.
- View the scan report. Go to Monitor > Vulnerabilities > Functions > Scanned functions. All vulnerabilities identified in the latest serverless scan report can be exported to a CSV file by clicking the CSV button in the top right of the table.
View AWS Lambda Layers scan report
Prisma Cloud can scan the code of AWS Lambda Layers as part of scanning the Lambda function's code.
This lets you determine whether a vulnerability is in the function's own code or in one of its Layers.
Follow the steps below to view the Lambda Layers scan results:
- Open Console.
- Make sure you selected Scan Lambda layers in Defend > Vulnerabilities > Functions > Functions > Serverless Accounts > Function scan scope.
- Go to Monitor > Vulnerabilities > Functions > Scanned functions.
- Filter the table to include functions with the desired Layer by adding the Layers filter. You can also filter the results by a specific layer name or with postfix wildcards. Example: Layers:* OR Layers:arn:aws:lambda:*
- Open the Function details dialog to view the details about the Layers and the vulnerabilities associated with them:
- Click on a specific function.
- See the Function's vulnerabilities, compliance issues, and package info in the related tabs. Use the Found in column to determine whether the component belongs to the Function itself or to one of the Function's Layers.
- Use the Layers info tab to see the full list of the Function's Layers and aggregated information about their vulnerabilities. If a layer has vulnerabilities, expand its row to list all of them.
Authenticating with AWS
The serverless scanner is implemented as part of Console.
The scanner requires the AWSLambda_ReadOnlyAccess permissions policy.
IAM User
If authenticating with an IAM user, use the AWS Security Token Service (STS) to issue temporary security credentials to Prisma Cloud for scanning your Lambda functions.
AWS STS is considered a best practice for IAM users per the AWS Well-Architected Framework.
For more on how to use AWS STS, see here.
When authenticating with an IAM user, Console can access and scan functions across multiple regions.
IAM Role
The Prisma Cloud serverless scanner can also authenticate with AWS using an IAM role.
If Console authenticates with AWS using an IAM role, it can use STS to assume roles in other regions.
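The following script is an added example and not Prisma Cloud's own tooling. It puts the two points above into practice: it provisions an IAM role that carries only the AWSLambda_ReadOnlyAccess managed policy, guards the role's trust policy with an ExternalId so that only the Console's principal can assume it, checks that nothing broader has been attached to the role, and issues one-hour STS credentials for a scan session. The account ids, the role name, the trusted principal and the ExternalId are assumptions; replace them with your own values. The JSON-to-export conversion is the only part that runs offline.

```shell
#!/bin/sh
# Added example, not Prisma Cloud's own tooling: provision a read-only IAM role for the
# serverless scanner, confirm nothing broader is attached, and issue short-lived STS
# credentials for it. Account ids, role name and principal below are assumptions.
set -eu

SCANNER_ROLE_NAME="${SCANNER_ROLE_NAME:-prisma-serverless-scanner}"                      # assumed
TARGET_ACCOUNT_ID="${TARGET_ACCOUNT_ID:-222222222222}"                                    # assumed
TRUSTED_PRINCIPAL="${TRUSTED_PRINCIPAL:-arn:aws:iam::111111111111:user/prisma-console}"   # assumed
EXTERNAL_ID="${EXTERNAL_ID:-replace-with-a-long-random-string}"                           # assumed
READONLY_POLICY_ARN="arn:aws:iam::aws:policy/AWSLambda_ReadOnlyAccess"

# Trust policy: only the Console's principal may assume the role, and only when it
# presents the ExternalId (the standard guard against confused-deputy abuse).
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "$TRUSTED_PRINCIPAL"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "$EXTERNAL_ID"}}
  }]
}
EOF
}

# One-time provisioning; needs IAM administrator rights in the target account.
provision_role() {
  aws iam create-role --role-name "$SCANNER_ROLE_NAME" \
      --assume-role-policy-document "$(trust_policy)"
  aws iam attach-role-policy --role-name "$SCANNER_ROLE_NAME" --policy-arn "$READONLY_POLICY_ARN"
}

# Pure check: $1 is a whitespace-separated list of attached policy ARNs; anything other
# than the read-only Lambda policy means the scanner role has been over-privileged.
only_readonly_attached() {
  attached=$1
  [ -n "$attached" ] || { echo "no policy attached to scanner role" >&2; return 1; }
  for arn in $attached; do
    [ "$arn" = "$READONLY_POLICY_ARN" ] || { echo "unexpected policy: $arn" >&2; return 1; }
  done
}

verify_role_policies() {
  only_readonly_attached "$(aws iam list-attached-role-policies --role-name "$SCANNER_ROLE_NAME" \
      --query 'AttachedPolicies[].PolicyArn' --output text)"
}

# Pure transform: turn the JSON printed by `aws sts assume-role` (stdin) into export
# statements; fails if any of the three credential fields is missing. Uses sed only.
sts_json_to_exports() {
  json=$(cat)
  for pair in AccessKeyId:AWS_ACCESS_KEY_ID SecretAccessKey:AWS_SECRET_ACCESS_KEY SessionToken:AWS_SESSION_TOKEN; do
    key=${pair%%:*}; var=${pair#*:}
    value=$(printf '%s' "$json" | tr -d '\n' | sed -n "s/.*\"$key\": *\"\([^\"]*\)\".*/\1/p")
    [ -n "$value" ] || { echo "missing $key in STS output" >&2; return 1; }
    printf "export %s='%s'\n" "$var" "$value"
  done
}

# Temporary credentials (one hour) for a scan session; eval the output in the shell
# that will run the scanner.
issue_temp_credentials() {
  aws sts assume-role \
      --role-arn "arn:aws:iam::$TARGET_ACCOUNT_ID:role/$SCANNER_ROLE_NAME" \
      --role-session-name prisma-serverless-scan \
      --external-id "$EXTERNAL_ID" --duration-seconds 3600 --output json | sts_json_to_exports
}

case "${1:-}" in
  provision) provision_role && verify_role_policies ;;
  verify)    verify_role_policies ;;
  creds)     issue_temp_credentials ;;
esac
```

Run `sh scanner-role.sh provision` once from an administrative session, then `eval "$(sh scanner-role.sh creds)"` in the shell that needs the temporary credentials; `verify` can be scheduled to catch anyone later attaching a broader policy to the scanner role.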
Scanning Azure Functions
Azure Functions are architected differently than AWS Lambda and Google Cloud Functions.
Azure function apps can hold multiple functions.
The functions are not segregated from each other.
They share the same file system.
Rather than scanning each function separately, Prisma Cloud downloads the root directory of the function app, which contains all of its functions, and scans them as a bundle.
Prisma Cloud only scans Linux functions that use External package URL as the deployment technology. For more information, see Deployment technologies in Azure Functions.
To configure the Azure credential, you must know the Region, the Name (of the function), and the Service Key.
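Before creating credentials it is worth knowing which of your function apps the scanner can actually cover. The script below is an added example, not part of Prisma Cloud: it walks every function app visible to the logged-in Azure identity and reports whether each one meets the two requirements stated above, a Linux app deployed with an External package URL. It assumes the Azure CLI is installed and `az login` has been run. The interpretation of the WEBSITE_RUN_FROM_PACKAGE app setting (a URL means an external package, `1` means a package stored with the app, unset means the setting is not used) is Azure's convention, not something this page states.

```shell
#!/bin/sh
# Added example, not part of Prisma Cloud: list the function apps visible to the
# logged-in Azure identity and report which ones satisfy the scanner's requirements
# (a Linux app deployed with an External package URL). Needs the Azure CLI and a
# prior `az login`. The WEBSITE_RUN_FROM_PACKAGE interpretation is Azure's convention:
# a URL means an external package, "1" means a package stored with the app.
set -eu

# Pure classification shared by the live report and by offline tests.
#   $1  the app's "kind" property, e.g. "functionapp,linux"
#   $2  the WEBSITE_RUN_FROM_PACKAGE app setting (empty when unset)
scannable_from_props() {
  kind=$1; pkg=$2
  case "$kind" in
    *linux*) ;;
    *) echo "no: not a Linux function app (kind=$kind)"; return 1 ;;
  esac
  case "$pkg" in
    http://*|https://*) echo "yes: external package URL"; return 0 ;;
    ""|None)            echo "no: WEBSITE_RUN_FROM_PACKAGE is not set"; return 1 ;;
    *)                  echo "no: local package (WEBSITE_RUN_FROM_PACKAGE=$pkg)"; return 1 ;;
  esac
}

# Package setting of one app; prints nothing when the setting does not exist.
package_setting() {
  az functionapp config appsettings list --name "$1" --resource-group "$2" \
     --query "[?name=='WEBSITE_RUN_FROM_PACKAGE'].value | [0]" --output tsv
}

# One verdict line per function app: "<resource group>/<app name>  <verdict>".
report_scannable_apps() {
  az functionapp list --query "[].[name,resourceGroup,kind]" --output tsv |
  while IFS="$(printf '\t')" read -r name rg kind; do
    verdict=$(scannable_from_props "$kind" "$(package_setting "$name" "$rg")" || true)
    printf '%s/%s\t%s\n' "$rg" "$name" "$verdict"
  done
}

if [ "${1:-}" = "report" ]; then
  report_scannable_apps
fi
```

Run it as `sh azure-scannable.sh report`; apps that print `no:` will not appear in the Scanned functions table no matter how the credential is configured, so fix the deployment method first.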
To get the Service Key, download and install the Azure CLI, then:
- Log into your account with a user that has the User Access Administrator role.
  $ az login
- Get the service key.
  $ az ad sp create-for-rbac --sdk-auth --name twistlock-azure-serverless-scanning --role contributor
  Sample output from the previous command:
  {
    "clientId": "f8e9de2o-45bd-af94-ae11-b9r8c5tfy3b6",
    "clientSecret": "4dfds482-6sdd-4dsb-b5ff-56123043c4dc",
    "subscriptionId": "ea19322m-z2bd-501c-dd11-234m547a944e",
    "tenantId": "c189c61a-6c27-41c3-9949-ca5c8cc4a624",
    "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
    "resourceManagerEndpointUrl": "https://management.azure.com/",
    "activeDirectoryGraphResourceId": "https://graph.windows.net/",
    "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
    "galleryEndpointUrl": "https://gallery.azure.com/",
    "managementEndpointUrl": "https://management.core.windows.net/"
  }
- Copy the JSON output, which is your secret key, and paste it into the Service Key field for your Azure credentials in Prisma Cloud Console. Treat the JSON as a credential: it contains the clientSecret, so do not commit it to source control or leave it in shell history.
Scanning functions at build time with twistcli
You can also use the twistcli command line utility to scan your serverless functions. First download your serverless function as a ZIP file, then run: