Custom compliance checks

Custom image checks give you a way to write and run your own compliance checks to assess, measure, and enforce security baselines in your environment.
Prisma Cloud lets you implement your own custom image checks with simple scripts. Custom compliance checks are supported for Linux containers (Docker or CRI-O), Windows containers (Docker), and Linux hosts.
A custom image check consists of a single script. The script’s exit code determines the result of the check, where 0 is pass and 1 is fail.
Scripts are executed in the default shell. The most common default shell for Linux is bash, but that’s not always the case. For Windows container images, the default shell is cmd.exe.
If you want to use a specific shell, or if your default shell is in a non-standard location, use the shebang interpreter directive at the top of your compliance check to specify the path to the executable.
For example, #!/bin/bash specifies that the Linux Bourne-again (bash) shell should parse and interpret the compliance check.
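As an added illustration (not taken from the Prisma Cloud documentation), the following check passes when root is the only account with UID 0 in a passwd-format file. The function name check_uid0 and the choice of baseline are assumptions made for this example; the shebang pins /bin/sh, and the script's exit code is 0 for pass and 1 for fail.

```shell
#!/bin/sh
# Added example of a custom compliance check for a Linux image or host.
# Uses only shell builtins, so it needs no extra utilities on the target.

# check_uid0 FILE (hypothetical helper name): FILE is in passwd(5) format.
# Returns 0 (pass) when root is the only UID 0 account, 1 (fail) otherwise.
check_uid0() {
    passwd_file="${1:-/etc/passwd}"

    # A file that cannot be read cannot be verified: report a failure.
    if [ ! -r "$passwd_file" ]; then
        echo "FAIL: cannot read $passwd_file" >&2
        return 1
    fi

    offenders=""
    # Fields: name:password:uid:gid:gecos:home:shell
    # The "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while IFS=: read -r name _pw uid _rest || [ -n "$name" ]; do
        case "$name" in
            ''|'#'*) continue ;;            # skip blank lines and comments
        esac
        case "$uid" in
            ''|*[!0]*) ;;                   # empty or contains a non-zero character
            *) [ "$name" = root ] || offenders="$offenders $name" ;;  # 0, 00, ...
        esac
    done < "$passwd_file"

    if [ -n "$offenders" ]; then
        echo "FAIL: non-root accounts with UID 0:$offenders" >&2
        return 1
    fi
    echo "PASS: root is the only UID 0 account"
    return 0
}

# The status of the last command is the script's exit code,
# so the function's 0 or 1 becomes the result of the check.
check_uid0 "${1:-/etc/passwd}"
```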
For containers, Defender runs the compliance checks inside a restricted sandboxed container instantiated from the image being scanned, thus avoiding the unnecessary risk associated with running arbitrary code.
For hosts, Defender runs the compliance checks directly on the host with unrestricted privileges, so that any script can execute. To limit exposure, this feature is disabled by default.
Every compliance check in the system has a unique ID. Custom checks are automatically assigned an ID, starting with the number 9000. As new custom checks are added, they are automatically assigned the next available ID (9001, 9002, and so on).
If a new rule with custom compliance checks is added, or an existing rule is updated with a new custom compliance check, Prisma Cloud drops the cached compliance and vulnerability scan results for registries, and rescans registry images. In a scaled-out environment with large registries, repeated changes to custom compliance checks could have a negative impact on Prisma Cloud’s performance.

Enabling custom compliance checks for hosts

By default, custom compliance checks for hosts are disabled.
If you enable the feature, and then later disable it, the disabled state is effective immediately. You don’t need to redeploy Defenders when you switch to the disabled state. You only need to redeploy Defenders when switching to the enabled state.
  1. Go to Manage > Defenders > Advanced Settings.
  2. Set Custom Compliance Checks for hosts to enabled.
  3. Deploy Defenders to your environment. If Defenders are already deployed, redeploy them.

Creating a new custom check

The flow for writing and operationalizing a custom check is:
  • Write a custom check.
  • Create a new compliance rule that includes your custom check, and specifies the action to take when the check fails (ignore, alert, block).
  1. Open Console.
  2. Write a new custom check.