Prisma Cloud Labs compliance checks

Prisma Cloud Labs compliance checks are designed by our research team and fill gaps not covered by other benchmarks. Like all compliance checks, Prisma Cloud's supplementary checks monitor and enforce a baseline configuration across your environment.
Prisma Cloud Labs compliance checks can be enabled or disabled in custom rules. New rules can be created under Defend > Compliance > Policy.

Container checks

  • 596 — Potentially dangerous NET_RAW capability enabled
    --
    Checks if a running container has the NET_RAW capability enabled. This capability grants an application the ability to craft raw packets. In the hands of an attacker, NET_RAW can enable a wide variety of networking exploits, such as ARP-spoofing and hijacking a cluster’s DNS traffic.
  • 597 — Secrets in clear text environment variables (container and serverless function check)
    --
    Checks if a running container (instantiated from an image) or serverless function contains sensitive information in its environment variables. Environment variables are easily exposed (for example, with docker inspect), so any secret stored in them is effectively stored in clear text.
  • 598 — Container app is running with weak settings
    --
    Weak settings incidents indicate that a well-known service is running with a non-optimal configuration. This covers settings for common applications, specifically: Mongo, Postgres, WordPress, Redis, Kibana, Elasticsearch, RabbitMQ, Tomcat, HAProxy, kube-proxy, Httpd, Nginx, MySQL, and registries. The checks look for issues such as the use of default passwords and whether SSL is required. The output for a failed compliance check contains a "Cause" field that gives specifics on the exact settings detected that caused the failure.
  • 599 — Container is running as root (container check)
    --
    Checks if the user value in the container configuration is root. If the user value is 0, root, or "" (empty string), the container is running as the root user, and the policy's configured effect (ignore, alert, or block) is applied.
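The following is an added example, not Prisma Cloud's own implementation, showing how checks 596, 597 and 599 can be evaluated against a docker inspect-style container record. The record below is constructed for illustration; the secret-name pattern is a heuristic assumption, the root check also accepts the "user:group" form, and the NET_RAW check assumes the runtime's default capability set includes NET_RAW, as Docker's does.

```python
import re

# Constructed docker inspect-style record (not taken from a real host).
SAMPLE_CONTAINER = {
    "Config": {
        "User": "",
        "Env": ["PATH=/usr/bin", "DB_PASSWORD=hunter2", "LOG_LEVEL=info"],
    },
    "HostConfig": {"CapAdd": None, "CapDrop": None},
}

# Env var names that commonly carry credentials (heuristic; an assumption).
SECRET_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_KEY)", re.I)


def _caps(values):
    """Normalise capability names: upper-case, without the CAP_ prefix."""
    return {c.upper().removeprefix("CAP_") for c in values or []}


def net_raw_enabled(host_config):
    """Check 596: NET_RAW is effective unless it (or ALL) was dropped.
    Assumes the runtime's default capability set includes NET_RAW."""
    add, drop = _caps(host_config.get("CapAdd")), _caps(host_config.get("CapDrop"))
    if add & {"NET_RAW", "ALL"}:
        return True
    return not (drop & {"NET_RAW", "ALL"})


def clear_text_secrets(env):
    """Check 597: names of env vars that look like secrets and carry a value."""
    hits = []
    for entry in env or []:
        name, _, value = entry.partition("=")
        if value and SECRET_NAME.search(name):
            hits.append(name)
    return hits


def runs_as_root(config):
    """Check 599: user is 0, root or unset; "user:group" is split first."""
    user = (config.get("User") or "").split(":", 1)[0].strip()
    return user in ("", "0", "root")


def evaluate(container):
    """Return the ids of the checks that fail for one container record."""
    cfg, host = container.get("Config", {}), container.get("HostConfig", {})
    failed = []
    if net_raw_enabled(host):
        failed.append(596)
    if clear_text_secrets(cfg.get("Env")):
        failed.append(597)
    if runs_as_root(cfg):
        failed.append(599)
    return failed
```

Running evaluate(SAMPLE_CONTAINER) on the constructed record reports all three checks as failing.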

Container image checks

  • 422 — Image contains malware (image check)
    --
    Checks if any binary in the image matches the MD5 checksum of known malicious software.
  • 423 — Image is not trusted (image check)
    --
    Checks if unauthorized (untrusted) images are pulled or loaded into your environment.
    Prisma Cloud provides a mechanism to designate the registries, repositories, and images that are considered trusted. Enable this check to prevent unauthorized containers from running in your critical environment. For more information, see