Scan images with twistcli
Prisma Cloud ships a command-line scanner for scanning container images and serverless functions. It is supported on Linux, macOS, and Windows.
The twistcli command has several subcommands. Use the twistcli images scan subcommand to invoke the scanner.
When users from a tenant project run twistcli, they must set the --project option to specify the proper context for the command.
twistcli images scan — Scan an image for vulnerabilities and compliance issues. The image must reside on the system where twistcli runs. If not, retrieve the image with docker pull before scanning it. Twistcli does not pull images for you.
The twistcli images scan function collects information about the packages and binaries in the container image, and then sends it to Console for analysis.
Data collected by twistcli includes:
- Packages in the image.
- Files installed by each package.
- Hashes for files in the image.
After Console analyzes the image for vulnerabilities, twistcli:
- Outputs a summary report.
- Exits with a pass or fail return value.
When invoking twistcli, the last parameter should be the image to scan. If you list options after the image, they will be ignored.
- --address: Complete URL for Console, including the protocol and port. Only the HTTPS protocol is supported. By default, Console listens to HTTPS on port 8083, although your administrator can configure Console to listen on a different port. Defaults to https://127.0.0.1:8083. Example: --address https://console.example.com:8083
- -u, --user: Username to access Console. If not provided, the TWISTLOCK_USER environment variable will be used if defined, or "admin" is used as the default.
- -p, --password: Password for the user specified with -u, --user. If not specified on the command-line, the TWISTLOCK_PASSWORD environment variable will be used if defined
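A wrapper for CI jobs that applies the rules above: it makes sure the image is present locally, takes credentials from the environment instead of the command line, places every option before the image, and hands back the pass or fail status from twistcli. It is an added example, not code from the Prisma Cloud documentation; the function name scan_image, the CONSOLE_URL variable and the exit code 64 are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Prisma Cloud code). scan_image, CONSOLE_URL and the
# exit code 64 are names chosen for this example.

# scan_image IMAGE [PROJECT]
# Returns twistcli's own exit status, or 64 if a precondition is not met.
scan_image() {
    si_image=${1:-}
    si_project=${2:-}
    if [ -z "$si_image" ]; then
        echo "usage: scan_image IMAGE [PROJECT]" >&2
        return 64
    fi

    # twistcli reads TWISTLOCK_USER and TWISTLOCK_PASSWORD from the
    # environment, so the password is never placed on the command line
    # (where process listings and job logs would expose it).
    # The CI job must export both variables.
    if [ -z "${TWISTLOCK_PASSWORD:-}" ]; then
        echo "TWISTLOCK_PASSWORD is not set" >&2
        return 64
    fi

    # twistcli does not pull images; fetch the image only if it is not local.
    if ! docker image inspect "$si_image" >/dev/null 2>&1; then
        docker pull "$si_image" >&2 || return 64
    fi

    # Build the argument list with every option first and the image last,
    # because options listed after the image are ignored.
    set -- images scan --address "${CONSOLE_URL:-https://127.0.0.1:8083}"
    if [ -n "$si_project" ]; then
        set -- "$@" --project "$si_project"
    fi
    set -- "$@" "$si_image"

    twistcli "$@"
}
```

Call it as scan_image "$IMAGE" "$PROJECT" || exit $? so that a failed scan fails the pipeline step.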