Prisma Cloud Rules Guide - Docker

This article lists all Docker access rules shown in the Prisma Cloud Console UI and describes their intended behavior. Its purpose is to help users understand the intent of each rule in the Console and its corresponding effect on the host environment.

Running Docker commands through Defender

To access the Docker daemon through Defender, you must explicitly specify Defender's host and port. For example:
$ docker -H <DEFENDER_HOST_ADDRESS>:9998 run alpine
Management traffic between the Docker client and the Docker daemon can also be made to flow through Defender by default by setting the Docker client's environment variables. These can be configured on a remote machine that accesses the Docker daemon on some host (such as a developer laptop), or on the host itself for users who do not have root privileges (which should be the majority of users):
$ export DOCKER_HOST=tcp://<defender host address>:9998
Once set, ordinary Docker calls (e.g., docker ps, docker run alpine) flow through Defender. The examples in this guide, however, use the explicit -H form rather than relying on environment variables.

About this reference environment

This guide is a reference for all access rule policies listed in the Prisma Cloud Console and their intended effect on the host environment. The commands below are run from a Docker client against a Prisma Cloud Defender with the access control feature enabled. Access control rules are configured at
Defend > Access > Docker
We have organized this document using the same structure as the Prisma Cloud product UI, which follows the structure of the Docker Remote API documentation. Note that there may be minor differences in structure as the Docker Remote API evolves; this document is currently aligned with the documentation for API v1.24 and will be updated periodically with new releases.
For illustration, every rule is set to deny and the resulting effect on the host environment is recorded.

Defend access rules

Navigate to
Defend > Access > Docker


For more information about the Docker API for containers, see

container_list - List containers

Affects the docker ps command on the host, which lists running containers.
docker -H <DEFENDER_HOST_ADDRESS>:9998 --tlsverify ps
[Prisma Cloud] The command container_list denied for user admin by rule Deny
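The denial message above has a fixed shape, which makes it easy to tell a Prisma Cloud policy denial apart from an ordinary Docker error in a wrapper script or a log pipeline. The POSIX shell below is an added example, not code from the Prisma Cloud documentation or product: it parses Defender denial lines into command, user and rule, summarizes denials per user over a few constructed log lines, and wraps a Docker invocation in the -H/--tlsverify form used in this guide so that a denial exits with a distinct status. The hostname defender.example.internal and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Prisma Cloud docs). Handles Defender access denials of the form:
#   [Prisma Cloud] The command <api rule> denied for user <user> by rule <rule name>

# parse_defender_denial LINE
# Prints "<api rule> <user> <rule name>" if LINE is a Defender denial, otherwise prints
# nothing and returns 1. The rule name is captured to end of line, so it may contain spaces.
parse_defender_denial() {
    case "$1" in
        "[Prisma Cloud] The command "*" denied for user "*" by rule "*)
            printf '%s\n' "$1" | sed \
                's/^\[Prisma Cloud\] The command \([^ ]*\) denied for user \([^ ]*\) by rule \(.*\)$/\1 \2 \3/'
            ;;
        *)
            return 1
            ;;
    esac
}

# first_denial: reads lines on stdin, prints the first parsed denial, returns 1 if none.
first_denial() {
    while IFS= read -r line; do
        if parse_defender_denial "$line"; then
            return 0
        fi
    done
    return 1
}

# count_denials_by_user: reads mixed log lines on stdin, prints "<user> <count>" per user, sorted.
count_denials_by_user() {
    while IFS= read -r line; do
        parse_defender_denial "$line" || true
    done | awk '{ n[$2]++ } END { for (u in n) print u, n[u] }' | sort
}

# run_via_defender DEFENDER_HOST DOCKER_ARGS...
# Runs the Docker client through Defender (port 9998, as in this guide). Passes Docker's own
# output and exit status through, except that a Prisma Cloud denial is reported on stderr
# and mapped to exit status 2 so callers can distinguish policy from other failures.
run_via_defender() {
    defender="$1"; shift
    rc=0
    out=$(docker -H "tcp://$defender:9998" --tlsverify "$@" 2>&1) || rc=$?
    if denial=$(printf '%s\n' "$out" | first_denial); then
        printf 'denied by Prisma Cloud: %s\n' "$denial" >&2
        return 2
    fi
    printf '%s\n' "$out"
    return "$rc"
}

# Constructed sample log: two denials for admin, one for dev1, one unrelated Docker error.
SAMPLE_LOG=$(cat <<'EOF'
[Prisma Cloud] The command container_list denied for user admin by rule Deny
Error response from daemon: No such container: web
[Prisma Cloud] The command container_create denied for user dev1 by rule Deny
[Prisma Cloud] The command container_list denied for user admin by rule Deny
EOF
)

# Stand-alone demo over the constructed log (does not contact a Defender).
printf '%s\n' "$SAMPLE_LOG" | count_denials_by_user
```

Usage: `run_via_defender defender.example.internal ps` runs `docker ps` through Defender; an exit status of 2 means a Prisma Cloud rule denied the call, anything else is Docker's own status. The wrapper keys only on the literal message prefix, so a change to Defender's message format would make it fall back to passing the error through rather than misclassifying it.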

container_create - Create a container

Affects the docker create command, which creates a new container.
docker -H <DEFENDER_HOST_ADDRESS>:9998 --tlsverify create morello/docker-whale
[Prisma Cloud] The command container_create denied for user admin by rule Deny

container_inspect - Inspect a container

Affects the docker inspect command, which returns detailed information about a container.