Tags are predefined labels that can help you manage the vulnerabilities in your environment. They are centrally defined and can be set to vulnerabilities and as policy exceptions.
Tags are used as:
- Vulnerability labels. They provide a convenient way to categorize the vulnerabilities in your environment.
- Policy exceptions. They can be a part of your rules in order to have a specific effect on tagged vulnerabilities.
Tags are useful when you have large container deployments with multiple teams working in the same environment. For example, you might have different teams handling different types of vulnerabilities. Then you can set tags in order to define responsibilities over vulnerabilities. Other uses would be to set the status of fixing the vulnerability, or to mark vulnerabilities to ignore when they are a known problem that can’t be fixed in the near future.
You can define as many tags as you like.
- To define a new tag, navigate toManage > Collections and Tags > Tags.Prisma Cloud ships with a predefined set of tags: Ignored, In progress, For review, DevOps notes. The predefined tags are editable and you can use them according to your needs.
- ClickAdd Tag.
- In theCreate new tagdialog, enter a name and description.
- Pick a color for easy visibility and differentiation.
You can assign tags to vulnerabilities, and specify their scope based on CVE ID, packages and resources. Alternatively, you can manually tag vulnerabilities from scan reports.
Note that a tag assignment is uniquely identified by tag, CVE ID, package scope and resource type, therefore, you can not create multiple tag assignments for the same tag, CVE ID, package scope and resource type. To extend the scope of a tag applied to a CVE, edit its existing tag assignment to apply to more packages or resources.
For example, assign the tag Ignored to CVE-2020-1971, package openssl, and all ubuntu images as follows:
You can also adjust the scope of a tag assigned either from the tags management page or from scan reports. Click the
Editbutton to start editing the tag assignment. For example, extend the scope of the tag Ignored for CVE-2020-1971 to all packages affected by this CVE by changing the
As another example, after the In progress tag was assgined to CVE-2019-14697 for specific alpine images from the scan re