1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Vulnerability management
    6. Customize image scanning

    Customize image scanning

    You can customize how Prisma Cloud scans images and reports data.

    Configuring the severity of reported CVEs

    By default, Prisma Cloud reports all vulnerabilities. Setting the minimum reported severity lets you clean up the reported vulnerabilities to an actionable set.
    To configure a minimum severity, install a new vulnerability rule, which overrides the default rule. Note that Prisma Cloud maps the Common Vulnerability Scoring System (CVSS) to a grading system that ranges from Low to Critical.
    1. Open Console, and go to
      Defend > Vulnerabilities > Policy
      .
    2. Click
      Add rule
      .
    3. Give your rule a name.
    4. In the table of
      Severity based actions
      , set the
      Severity
       in each row to an appropriate level. For example, if you want to concentrate on just the most severe issues, set every row to
      Critical
      .
    5. Click
      Save
      .
    6. View the scan reports for all the entities in your system.
      Go to
      Monitor > Vulnerabilities
      . All reported vulnerabilities match or exceed the severity setting in your custom rule.

    Scanning custom components

    Prisma Cloud lets you scan for insecure versions of proprietary software components.
    First, augment Prisma Cloud’s Intelligence Stream with your own custom data that specifies a package type, name, and version number. Then configure Prisma Cloud to take action (alert, block) when the scanner finds this package in an image. By default, Prisma Cloud raises an alert when it detects a vulnerability in a custom component.
    Prisma Cloud supports the following package types:
    • Distro packages (deb, rpm).
    • Binaries.
    • Nodejs packages.
    • Python packages.
    • Ruby gems.
    • Java artifacts (JAR files).
    For cases where Prisma Cloud does not offer built-in support for a package type, you can specify an MD5 hash for the file.

    Defining a custom vulnerability

    Define a custom vulnerability.
    1. Open Console.
    2. Go to
      Manage > System > Custom Feeds
      .
    3. Click on
      Custom Vulnerabilities
      .
    4. Click
      Add
      .
      1. Enter a name for your vulnerability..
      2. From the drop-down list, select a package type.
        For Debian packages, RPM packages, and shared libraries, select
        package
        .
        If your package type is not supported, select
        binary
        .
      3. Enter the name of your package/binary.
        Package names must be specific for matching. For example, "containerd" is valid, "containerd*" is not.
      4. Specify the range of package versions for which your rule applies.
        The following formats can be used to specify versions:
        Rule