Scan Fargate tasks

AWS Fargate is a serverless compute engine for containers under Amazon ECS that lets you run containers without needing to provision and manage servers and hosts. Each container is defined as part of a task and several containers can be run as part of the same task.
Prisma Cloud can scan your Fargate tasks for image vulnerabilities. To see the scan report for your Fargate task images, go to Monitor > Vulnerabilities > Images and filter the table with Fargate:Select.
Prisma Cloud Compute labels all containers running within the same task as if they run on the same host. For containers that are running in Fargate, the Host column will contain the Fargate task identifier.

Create vulnerability rules to scan Fargate tasks

Create a vulnerability rule for the Fargate tasks in scope.
  1. Log in to the Console.
  2. Go to Defend > Vulnerabilities > Images > Deployed.
  3. Click Add rule.
  4. Enter a rule name.
  5. Click Scope to select a relevant collection, or create a new one for your Fargate tasks:
    1. Click Add collection.
    2. Enter a collection name.
    3. In the host field, type the name of the required Fargate task, or a postfix wildcard (for example, fargate-task*).
    4. Click Save.
    5. Select the new Fargate task collection.
    6. Click Select collection.
  6. Click Save.
    The Block action does not apply to Fargate tasks.

Deploy Fargate task

Deploy the fargate-vulnerability-compliance-task Fargate task (described below), following the steps in Embed App-Embedded Defender into Fargate tasks.

Example Fargate task

You can use the following task definition to test Prisma Cloud's Fargate Defender. The task deploys an ubuntu:18.04 container and runs a command that starts with /bin/sh -c 'cp /bin/sleep /tmp/xmrig ...'. Copying a binary to a path named xmrig triggers the "Image contains binaries used for crypto mining" compliance check; the copied file is only /bin/sleep, so the task itself does nothing but sleep.
{
  "containerDefinitions": [
    {
      "command": [
        "/bin/sh -c 'cp /bin/sleep /tmp/xmrig && echo \"[+] Sleeping...\" && while true; do sleep 1000 ; done'"
      ],
      "entryPoint": [ "sh", "-c" ],
      "essential": true,
      "image": "ubuntu:18.04",
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/fargate-task-definition",
          "awslogs-region": "us-east-1",
          "awslogs-stream-prefix": "ecs"
        }
      },
      "name": "Fargate-vul-comp-test",
      "portMappings": [
        {
          "containerPort": 80,
          "hostPort": 80,
          "protocol": "tcp"
        }
      ]
    }
  ],
  "cpu": "256",
  "executionRoleArn": "arn:aws:iam::012345678910:role/ecsTaskExecutionRole",
  "family": "fargate-vulnerability-compliance-task",
  "memory": "512",
  "networkMode": "awsvpc",
  "requiresCompatibilities": [ "FARGATE" ]
}
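As an added pre-flight check (example code written for this page, not part of Prisma Cloud or the AWS tooling), the following Python reads a task definition like the one above, lists the images that will appear in the scan report, flags containers whose user is not root (the case where the scan logs permission-denied errors that are only visible in the downloaded Defender logs), and shows how a collection's host filter matches a task name or a postfix wildcard. The trimmed task definition and the non-root sidecar container are constructed for the demonstration.

```python
import json

# Constructed sample (assumption): the page's example task reduced to the
# fields this check needs, plus a hypothetical non-root sidecar container.
SAMPLE_TASK_JSON = """{
  "family": "fargate-vulnerability-compliance-task",
  "requiresCompatibilities": ["FARGATE"],
  "containerDefinitions": [
    {"name": "Fargate-vul-comp-test", "image": "ubuntu:18.04"},
    {"name": "sidecar", "image": "nginx:1.25", "user": "1000:1000"}
  ]
}"""

# "user" values that still run the container as root (ECS default is unset)
ROOT_USERS = {"", "0", "root", "0:0", "root:root", "0:root", "root:0"}


def preflight(task_def: dict) -> dict:
    """Return the images Prisma Cloud will scan for this task, plus warnings
    for the conditions that make the Fargate scan incomplete or misleading."""
    warnings = []
    if "FARGATE" not in task_def.get("requiresCompatibilities", []):
        warnings.append("task does not list FARGATE in requiresCompatibilities")
    images = []
    for c in task_def.get("containerDefinitions", []):
        images.append(c["image"])
        user = str(c.get("user", "")).strip()
        if user not in ROOT_USERS:
            # The scan keeps going, but the permission-denied errors only
            # appear in the downloaded Defender logs, so surface them here.
            warnings.append(f"container {c['name']} runs as user {user!r}: "
                            "expect permission-denied errors in Defender logs")
    return {"family": task_def.get("family"), "images": images,
            "warnings": warnings}


def preflight_json(text: str) -> dict:
    """Convenience wrapper for a task definition given as JSON text."""
    return preflight(json.loads(text))


def host_matches(task_name: str, pattern: str) -> bool:
    """Collection host filter as the page describes it: an exact Fargate
    task name, or a postfix wildcard such as fargate-task*."""
    if pattern.endswith("*"):
        return task_name.startswith(pattern[:-1])
    return task_name == pattern


if __name__ == "__main__":
    print(json.dumps(preflight_json(SAMPLE_TASK_JSON), indent=2))
```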

View vulnerability scan results

View the scan results in Console.
If a Fargate task runs a container whose user is not root, the vulnerability and compliance scan encounters permission denied errors that are only visible if you download the Defender logs. The scan continues even though these errors occur, so the report may be incomplete without any visible indication.
  1. Navigate to Monitor > Vulnerabilities > Images > Deployed and validate that the deployed image appears and contains vulnerabilities.
  2. To see all images that are related to Fargate tasks, filter the image table by adding the Fargate:Select filter. You can also filter the results by a specific task name or postfix wildcards, for example: fargate-task OR fargate-task*. Use the