Fargate scanning

AWS Fargate is a serverless compute engine for containers on Amazon ECS that lets you run containers without provisioning or managing servers and hosts. Each container is defined as part of a task, and several containers can run in the same task.
Prisma Cloud can scan Fargate tasks for compliance issues. To see the scan report for your Fargate task images, go to
Monitor > Compliance > Images > Deployed
and filter the table with
Prisma Cloud Compute treats all containers running in the same task as if they ran on the same host. For containers running in Fargate, the Host column shows the Fargate task identifier rather than an EC2 instance.

Create compliance rules for Fargate tasks

Create a compliance rule for Fargate tasks in scope.
  1. Log in to the Console.
  2. Go to
    Defend > Compliance > Containers and images > Deployed
  3. Click
    Add rule
  4. Enter a rule name.
  5. Click on
    to select a relevant collection, or create a new collection for your Fargate tasks:
    1. Click
      Add collection
    2. Enter collection name.
    3. In the Hosts field, enter the name of the Fargate task to match, or a name with a trailing wildcard (*) to match several tasks.
    4. Click
    5. Select the new Fargate task collection.
    6. Click
      Select collection
  6. Click
    The block action doesn’t apply to Fargate tasks.

Compliance check details

The following checks are supported for Fargate tasks:
  • 424: Sensitive information provided in environment variables
    Checks if images contain sensitive information in their environment variables.
  • 425: Private keys stored in image
    Searches for private keys stored in an image or serverless function.
  • 426: Image contains binaries used for crypto mining
    Detects when there are crypto miners in an image. Attackers have been quietly poisoning registries and injecting crypto mining tools into otherwise legitimate images.
  • 448: Package binaries should not be altered
    Checks the integrity of package binaries in an image. During an image scan, every binary’s checksum is compared with its package info.
  • Custom compliance
    Custom checks work only for tasks that allow users with
    privileges. Custom image checks give you a way to write and run your own compliance checks to assess, measure, and enforce security baselines in your environment. For more information, see Custom compliance checks.
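The four built-in checks above, approximated as an added Python example that is not Prisma Cloud's code. It constructs an image root filesystem and image environment (a renamed copy of sleep at /tmp/xmrig, as the test task on this page produces, a leaked SSH key, a patched package binary, and credential-looking environment variables) and runs a simplified version of each check over them. The regexes, the miner-name list and the manifest-as-package-metadata format are assumptions; the page does not document Prisma Cloud's own detection logic.

```python
"""Simplified stand-ins for compliance checks 424, 425, 426 and 448.

Added example, not Prisma Cloud code: it approximates what each check looks
for, run over a constructed image root filesystem and image environment so
it works offline. The regexes, miner name list and manifest format are
assumptions, not Prisma Cloud's detection logic.
"""
import hashlib
import os
import re
import tempfile

CREDENTIAL_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|ACCESS_KEY", re.I)
AWS_ACCESS_KEY_ID = re.compile(r"AKIA[0-9A-Z]{16}")
PRIVATE_KEY_HEADER = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
MINER_NAMES = {"xmrig", "minerd", "cpuminer", "ethminer", "xmr-stak"}  # assumed list


def check_424_env(image_env):
    """424: names of env vars that look like credentials (by name or by value shape)."""
    hits = []
    for entry in image_env:
        name, _, value = entry.partition("=")
        if value and (CREDENTIAL_NAME.search(name) or AWS_ACCESS_KEY_ID.fullmatch(value)):
            hits.append(name)
    return hits


def walk_files(root):
    """Yield (absolute path, rootfs-relative path with '/' separators) for every file."""
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            yield path, os.path.relpath(path, root).replace(os.sep, "/")


def check_425_private_keys(root):
    """425: files whose first 4 KiB carry a PEM private-key header."""
    hits = []
    for path, rel in walk_files(root):
        with open(path, "rb") as f:
            if PRIVATE_KEY_HEADER.search(f.read(4096)):
                hits.append(rel)
    return sorted(hits)


def check_426_miners(root):
    """426: files named like well-known crypto miners, wherever they sit in the image."""
    return sorted(rel for _, rel in walk_files(root)
                  if os.path.basename(rel).lower() in MINER_NAMES)


def check_448_altered_binaries(root, manifest):
    """448: package-owned binaries whose sha256 no longer matches the package's record.
    `manifest` maps relative path -> expected sha256 (assumed stand-in for package metadata)."""
    altered = []
    for rel, expected in manifest.items():
        with open(os.path.join(root, rel), "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != expected:
                altered.append(rel)
    return sorted(altered)


def build_sample_image():
    """Constructed rootfs mirroring the page's test task: /bin/sleep copied to /tmp/xmrig,
    plus a leaked SSH key and a modified /bin/ls. Returns (root, env, manifest)."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    for d in ("bin", "tmp", "root/.ssh"):
        os.makedirs(os.path.join(root, d))
    sleep_bytes = b"\x7fELF sleep placeholder"   # constructed, not a real binary
    files = {
        "bin/sleep": sleep_bytes,
        "tmp/xmrig": sleep_bytes,                 # result of `cp /bin/sleep /tmp/xmrig`
        "bin/ls": b"\x7fELF ls (patched)",
        "root/.ssh/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    manifest = {  # what the package database says the binaries should hash to
        "bin/sleep": hashlib.sha256(sleep_bytes).hexdigest(),
        "bin/ls": hashlib.sha256(b"\x7fELF ls (original)").hexdigest(),
    }
    env = ["PATH=/usr/bin:/bin", "DB_PASSWORD=hunter2", "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"]
    return root, env, manifest


def run_all():
    """Run the four checks over the constructed sample; returns {check_id: findings}."""
    root, env, manifest = build_sample_image()
    return {
        "424": check_424_env(env),
        "425": check_425_private_keys(root),
        "426": check_426_miners(root),
        "448": check_448_altered_binaries(root, manifest),
    }


if __name__ == "__main__":
    for check_id, findings in run_all().items():
        print(check_id, "FAIL" if findings else "PASS", findings)
```

Note that check 448 only covers files the package database knows about: the renamed sleep at /tmp/xmrig is not a package-owned path, so it passes 448 and is caught by 426 instead, which is why the two checks complement each other.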

Deploy Fargate task

Deploy the fargate-vulnerability-compliance-task Fargate task (described below), following the steps in Embed App-Embedded Defender into Fargate tasks.

Example task definition

You can use the following task definition to test Prisma Cloud's App-Embedded Defender. The task deploys a ubuntu:18.04 container and runs /bin/sh -c 'cp /bin/sleep /tmp/xmrig && ...', which copies the sleep binary to /tmp/xmrig and then loops forever. The copied file is a renamed /bin/sleep, so no real miner runs, but the task triggers the
Image contains binaries used for crypto mining
compliance check (426).
{
  "containerDefinitions": [
    {
      "command": [
        "/bin/sh -c 'cp /bin/sleep /tmp/xmrig && echo \"[+] Sleeping...\" && while true; do sleep 1000 ; done'"
      ],
      "entryPoint": [
        "sh",
        "-c"
      ],
      "essential": true,
      "image": "ubuntu:18.04",
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/fargate-task-definition",
          "awslogs-region": "us-east-1",
          "awslogs-stream-prefix": "ecs"
        }
      },
      "name": "Fargate-vul-comp-test",
      "portMappings": [
        {
          "containerPort": 80,
          "hostPort": 80,
          "protocol": "tcp"
        }
      ]
    }
  ],
  "cpu": "256",
  "executionRoleArn": "arn:aws:iam::012345678910:role/ecsTaskExecutionRole",
  "family": "fargate-vulnerability-compliance-task",
  "memory": "512",
  "networkMode": "awsvpc",
  "requiresCompatibilities": [
    "FARGATE"
  ]
}
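Before registering a task definition like the one above, it is worth linting it for the Fargate constraints that ECS rejects at registration or launch time. The following Python is an added example, not Prisma Cloud or AWS code. It embeds the page's task definition as sample input and checks awsvpc networking, the cpu/memory pairing, the execution role that the awslogs driver needs, and hostPort/containerPort agreement (rules taken from Fargate's documented constraints and stated here as assumptions); separately it greps entryPoint/command for the miner binary name that check 426 flags once the file exists in the container. A deliberately broken variant shows the lint catching mistakes.

```python
"""Pre-deploy lint for the ECS Fargate task definition shown on this page.

Added example, not Prisma Cloud or AWS tooling. SAMPLE_TASK_DEF is the page's
fargate-vulnerability-compliance-task; the lint rules are assumptions drawn
from Fargate's documented constraints (awsvpc networking, cpu/memory pairs,
execution role for awslogs) plus a grep for the miner name check 426 targets.
"""
import copy
import re

# Fargate cpu (units) -> allowed memory (MiB), per AWS's size table; assumed complete up to 4 vCPU.
FARGATE_CPU_MEMORY = {
    "256": {"512", "1024", "2048"},
    "512": {str(m) for m in range(1024, 4097, 1024)},
    "1024": {str(m) for m in range(2048, 8193, 1024)},
    "2048": {str(m) for m in range(4096, 16385, 1024)},
    "4096": {str(m) for m in range(8192, 30721, 1024)},
}
MINER_TOKENS = re.compile(r"\b(xmrig|minerd|cpuminer|xmr-stak)\b", re.I)  # assumed list

# Sample input: the page's task definition, as a Python dict.
SAMPLE_TASK_DEF = {
    "family": "fargate-vulnerability-compliance-task",
    "requiresCompatibilities": ["FARGATE"],
    "networkMode": "awsvpc",
    "cpu": "256",
    "memory": "512",
    "executionRoleArn": "arn:aws:iam::012345678910:role/ecsTaskExecutionRole",
    "containerDefinitions": [{
        "name": "Fargate-vul-comp-test",
        "image": "ubuntu:18.04",
        "essential": True,
        "entryPoint": ["sh", "-c"],
        "command": ["/bin/sh -c 'cp /bin/sleep /tmp/xmrig && echo \"[+] Sleeping...\" "
                    "&& while true; do sleep 1000 ; done'"],
        "portMappings": [{"containerPort": 80, "hostPort": 80, "protocol": "tcp"}],
        "logConfiguration": {"logDriver": "awslogs", "options": {
            "awslogs-group": "/ecs/fargate-task-definition",
            "awslogs-region": "us-east-1", "awslogs-stream-prefix": "ecs"}},
    }],
}


def lint_task_definition(td):
    """Return a list of problems that would make registration or launch fail."""
    problems = []
    if "FARGATE" not in td.get("requiresCompatibilities", []):
        problems.append("requiresCompatibilities must include FARGATE")
    if td.get("networkMode") != "awsvpc":
        problems.append("Fargate requires networkMode awsvpc")
    cpu, mem = td.get("cpu"), td.get("memory")
    if mem not in FARGATE_CPU_MEMORY.get(cpu, set()):
        problems.append(f"cpu={cpu} with memory={mem} is not a valid Fargate size")
    containers = td.get("containerDefinitions", [])
    uses_awslogs = any(c.get("logConfiguration", {}).get("logDriver") == "awslogs"
                       for c in containers)
    if uses_awslogs and not td.get("executionRoleArn"):
        problems.append("awslogs needs an executionRoleArn that can write to CloudWatch Logs")
    for c in containers:
        for pm in c.get("portMappings", []):
            if "hostPort" in pm and pm["hostPort"] != pm["containerPort"]:
                problems.append(f"{c['name']}: awsvpc requires hostPort == containerPort")
    return problems


def miner_references(td):
    """(container name, token) pairs where entryPoint/command mention a known miner name."""
    hits = []
    for c in td.get("containerDefinitions", []):
        argv = " ".join(c.get("entryPoint", []) + c.get("command", []))
        m = MINER_TOKENS.search(argv)
        if m:
            hits.append((c["name"], m.group(1)))
    return hits


def broken_variant():
    """The same task with two mistakes (bad memory size, mismatched hostPort)."""
    td = copy.deepcopy(SAMPLE_TASK_DEF)
    td["memory"] = "256"
    td["containerDefinitions"][0]["portMappings"][0]["hostPort"] = 8080
    return td


if __name__ == "__main__":
    print("sample:", lint_task_definition(SAMPLE_TASK_DEF) or "OK")
    print("miner references:", miner_references(SAMPLE_TASK_DEF))
    print("broken:", lint_task_definition(broken_variant()))
```

Once the lint passes, the same JSON is what you hand to aws ecs register-task-definition --cli-input-json file://task.json before running the task with --launch-type FARGATE, as described in the Embed App-Embedded Defender into Fargate tasks procedure.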

View compliance scan results

  1. Navigate to
    Monitor > Compliance > Images > Deployed
    and confirm that the deployed image appears with the crypto-mining compliance check in an alerted state.
  2. To see all images that are related to Fargate tasks, filter the image table by adding the