Scan images with twistcli
Prisma Cloud ships a command-line scanner for scanning container images and serverless functions. It is supported on Linux, macOS, and Windows.
The twistcli images scan function collects information about the packages and binaries in the container image, and then sends it to Console for analysis.
Data collected by twistcli includes:
- Packages in the image.
- Files installed by each package.
- Hashes for files in the image.
After Console analyzes the image for vulnerabilities, twistcli:
- Outputs a summary report.
- Exits with a pass or fail return value.
- Complete URL for Console, including the protocol and port. Only the HTTPS protocol is supported. By default, Console listens to HTTPS on port 8083, although your administrator can configure Console to listen on a different port. Defaults to https://127.0.0.1:8083. Example: --address https://console.example.com:8083
- Show all vulnerability details.
- Run the scan from inside the container.
- Include the image custom labels in the results.
- Evaluates packages listed only in manifests.
The exit code is 0 if twistcli images scan finds no vulnerabilities or compliance issues. Otherwise, the exit code is 1.
The criteria for passing or failing a scan are determined by the CI vulnerability and compliance policies set in Console. The default CI vulnerability policy alerts on all CVEs detected. The default CI compliance policy alerts on all critical and high compliance issues.
There are two reasons why twistcli images scan might return an exit code of 1.
- The scan failed because the scanner found issues that violate your CI policy.
- Twistcli failed to run due to an error.
Although the return value is ambiguous — you cannot determine the exact reason for the failure by just examining the return value — this setup supports automation. From an automation process perspective, you expect that the entire flow will work. If you scan an image, with or without a threshold, either it works or it does not work. If it fails, for whatever reason, you want to fail everything because there is a problem.
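The following is an added example, not part of the Prisma Cloud documentation, of a CI gate around twistcli images scan that narrows the exit-code ambiguity described above. It assumes the report file is only written when the scan itself completed, that TWISTCLI names the scanner binary, and uses the --details and --output-file flags as I know them from the tool (only --address appears on this page).

```shell
#!/bin/sh
# Added example (not from the Prisma Cloud docs): wrap "twistcli images scan"
# in a CI step and classify the outcome. Assumptions: TWISTCLI names the
# scanner binary (overridable for testing), CONSOLE is the Console URL, and
# the JSON report named by --output-file is written whenever the scan
# completed, whether or not the CI policy was violated.

TWISTCLI="${TWISTCLI:-twistcli}"
CONSOLE="${CONSOLE:-https://127.0.0.1:8083}"

# scan_image IMAGE REPORT
# Prints one of:
#   pass           exit 0: no findings that violate the CI policy
#   policy-fail    exit 1 and a report exists: scan completed, policy violated
#   scanner-error  exit 1 and no report: scan never completed (bad address,
#                  bad credentials, image not found, ...)
# Returns 0, 1 or 2 respectively so the pipeline can still fail on any
# non-zero result, as the documentation recommends.
scan_image() {
    image="$1"
    report="$2"
    rm -f "$report"
    rc=0
    "$TWISTCLI" images scan --address "$CONSOLE" --details \
        --output-file "$report" "$image" || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo pass
        return 0
    elif [ -s "$report" ]; then
        echo policy-fail
        return 1
    else
        echo scanner-error
        return 2
    fi
}
```

In a pipeline, treat both non-zero classes as a failed job, but log the class so that a scanner-error (for example an unreachable Console) is investigated as an infrastructure problem rather than as a vulnerable image.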
To view scan reports in Console, go to Monitor > Vulnerabilities > Images > CI or Monitor > Compliance > Images > CI.
The scan reports include the image vulnerabilities, compliance issues, layers, process info, package info, and labels.
You can also retrieve scan reports in JSON format using the Prisma Cloud API, see the API section.
The twistcli tool can output scan results to several places:
- File. Scan results are saved in JSON format.
- Console. Scan results can be viewed under Monitor > Vulnerabilities > Images > CI or Monitor > Compliance > Images > CI.
By passing certain flags, you can adjust how the twistcli scan output looks and where it g