Scan Fargate tasks

AWS Fargate is a serverless compute engine for containers under Amazon ECS that lets you run containers without needing to provision and manage servers and hosts. Each container is defined as part of a task and several containers can be run as part of the same task.
Prisma Cloud can scan your Fargate tasks for image vulnerabilities. To see the scan report for your Fargate task images, go to
Monitor > Vulnerabilities > Images
and filter the table with
Prisma Cloud Compute labels all containers running within the same task as if they run on the same host. For containers that are running in Fargate, the Host column will contain the Fargate task identifier.

Create vulnerability rules to scan Fargate tasks

Create a vulnerability rule for Fargate tasks in scope.
  1. Login to the Console.
  2. Go to
    Defend > Vulnerabilities > Images > Deployed
  3. Click
    Add rule
  4. Entar a rule name.
  5. Click on
    , to select a relevant collection, or create a new one for your Fatgate tasks:
    1. Click
      Add collection
    2. Enter collection name.
    3. In the host you can type the name of the required Fargate task name or postfix wildcards.
    4. Click
    5. Select the new fargate task collection.
    6. Click
      Select collection
  6. Click
    Block action doesn’t apply to Fargate tasks.

Deploy Fargate task

Deploy the fargate-vulnerability-compliance-task fargate tesk (described below), following the steps in Embed App-Embedded Defender into Fargate tasks.

Example Fargate task

You can use the following task definition to test Prisma Cloud’s Fargate Defender. The task deploys a ubuntu:18.04 container and runs the /bin/sh -c 'cp /bin/sleep /tmp/xmrig command that triggers the "Image contains binaries used for crypto mining" compliance check.
{ "containerDefinitions": [ { "command": [ "/bin/sh -c 'cp /bin/sleep /tmp/xmrig && echo \"[+] Sleeping...\" && while true; do sleep 1000 ; done'" ], "entryPoint": [ "sh", "-c" ], "essential": true, "image": "ubuntu:18.04", "logConfiguration": { "logDriver": "awslogs", "options": { "awslogs-group" : "/ecs/fargate-task-definition", "awslogs-region": "us-east-1", "awslogs-stream-prefix": "ecs" } }, "name": "Fargate-vul-comp-test", "portMappings": [ { "containerPort": 80, "hostPort": 80, "protocol": "tcp" } ] } ], "cpu": "256", "executionRoleArn": "arn:aws:iam::012345678910:role/ecsTaskExecutionRole", "family": "fargate-vulnerability-compliance-task", "memory": "512", "networkMode": "awsvpc", "requiresCompatibilities": [ "FARGATE" ] }

View vulnerability scan results

View the scan results in Console.
If a Fargate task is run with a container where the user is not root, the vulnerability and compliance scanning procedure will encounter permission denied errors that are not visible to the user unless the Defender logs are downloaded. The scan flow continues even though errors are encountered.
  1. Navigate to
    Monitor > Vulnerabilities > Images > Deployed
    and validate that the deployed image appears and contains vulnerabilities.
  2. To see all images that are related to Fargate tasks, filter the image table by adding the
    filter. You can also filter the results by a specific task name or postfix wildcards, example: fargate-task OR fargate-task*. Use the