Scan images with twistcli

Prisma Cloud ships a command-line scanner for scanning container images and serverless functions. It is supported on Linux, macOS, and Windows.

Command reference

The twistcli command has several subcommands. Use the twistcli images scan subcommand to invoke the scanner.

Projects

When users from a tenant project run twistcli, they must set the --project option to specify the proper context for the command.

Command

twistcli images scan — Scan an image for vulnerabilities and compliance issues. The image must reside on the system where twistcli runs. If not, retrieve the image with docker pull before scanning it. Twistcli does not pull images for you.

Description

The twistcli images scan function collects information about the packages and binaries in the container image, and then sends it to Console for analysis.
Data collected by twistcli includes:
  • Packages in the image.
  • Files installed by each package.
  • Hashes for files in the image.
After Console analyzes the image for vulnerabilities, twistcli:
  • Outputs a summary report.
  • Exits with a pass or fail return value.
To specify an image to scan, use either the image ID, or repository name and tag. The image should be present on the system, having either been built or pulled there. If a repository is specified without a tag, twistcli looks for an image tagged latest.
When invoking twistcli, the last parameter should be the image to scan. If you list options after the image, they will be ignored.

Options

RETURN VALUE

The exit code is 0 if twistcli images scan finds no vulnerabilities or compliance issues. Otherwise, the exit code is 1.
The criteria for passing or failing a scan are determined by the CI vulnerability and compliance policies set in Console. The default CI vulnerability policy alerts on all CVEs detected. The default CI compliance policy alerts on all critical and high compliance issues.
There are two reasons why twistcli images scan might return an exit code of 1.
  • The scan failed because the scanner found issues that violate your CI policy.
  • Twistcli failed to run due to an error.
Although the return value is ambiguous — you cannot determine the exact reason for the failure by just examining the return value — this setup supports automation. From an automation process perspective, you expect that the entire flow will work. If you scan an image, with or without a threshold, either it works or it does not work. If it fails, for whatever reason, you want to fail everything because there is a problem.
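A CI wrapper for the scan described above, added here as an example and not Prisma Cloud's own script: it keeps the image as the last argument and fails the job on any non-zero exit, since the return value does not say whether the cause was a policy violation or a scanner error. It assumes the standard twistcli connection flags --address, --user, --password and --output-file, and reads the Console address, credentials and optional project from constructed environment variables PCC_CONSOLE, PCC_USER, PCC_PASS and PCC_PROJECT (TWISTCLI overrides the scanner binary, which is handy for testing with a stub).

```shell
#!/bin/sh
# Added example, not Prisma Cloud's own script: wrap "twistcli images scan" for a
# CI job so that the image is always the final argument and any non-zero exit
# fails the pipeline, as the page describes.
# Assumed (constructed for this example): PCC_CONSOLE, PCC_USER, PCC_PASS and
# PCC_PROJECT carry the Console address, credentials and optional tenant project;
# TWISTCLI overrides the scanner binary (defaults to "twistcli" on PATH).

scan_image() {
    image="$1"
    report="${2:-scan-report.json}"   # JSON copy of the results, kept as a CI artifact

    # Build the argument list with "set --" so the image is guaranteed to be last;
    # twistcli ignores any option placed after the image.
    if [ -n "$PCC_PROJECT" ]; then
        set -- images scan --project "$PCC_PROJECT"
    else
        set -- images scan
    fi
    set -- "$@" \
        --address "${PCC_CONSOLE:-https://console.example.invalid}" \
        --user "${PCC_USER:-ci-scanner}" \
        --password "${PCC_PASS:-CHANGE_ME}" \
        --output-file "$report" \
        "$image"

    errlog=$(mktemp)
    "${TWISTCLI:-twistcli}" "$@" 2>"$errlog" && rc=0 || rc=$?

    if [ "$rc" -eq 0 ]; then
        echo "scan passed: $image (report: $report)"
        rm -f "$errlog"
        return 0
    fi
    # Exit code 1 covers both policy violations and scanner errors; the code alone
    # cannot tell them apart, so surface stderr for the operator and fail either way.
    echo "scan failed for $image (exit $rc); twistcli stderr follows:" >&2
    cat "$errlog" >&2
    rm -f "$errlog"
    return 1
}

# Typical CI usage:  scan_image "$IMAGE_TAG" scan-report.json
```

Credentials passed as command-line arguments are visible in the process list of the build agent, so supply PCC_PASS from the CI system's masked secret store rather than a plain variable.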

Scan results

To view scan reports in Console, go to Monitor > Vulnerabilities > Images > CI or Monitor > Compliance > Images > CI.
The scan report includes the image vulnerabilities, compliance issues, layers, process info, package info, and labels.
When scanning images in the CI pipeline with twistcli or the Jenkins plugin, Prisma Cloud collects the environment variable JOB_NAME from the machine the scan ran on, and adds it as a label to the scan report.
You can also retrieve scan reports in JSON format using the Prisma Cloud API, see the API section.

Output

The twistcli tool can output scan results to several places:
  • stdout.
  • File. Scan results are saved in JSON format.
  • Console. Scan results can be viewed under Monitor > Vulnerabilities > Images > CI or Monitor > Compliance > Images > CI.
By passing certain flags, you can adjust how the twistcli scan output looks and where it g