Prisma Cloud scans all Docker images on all hosts that run Defender. After Defender is installed, it automatically starts scanning images on the host. After the initial scan, subsequent scans are triggered:
- Periodically, according to the scan interval configured in Console. By default, images are scanned every 24 hours.
- When new images are created, pushed, or pulled onto the host.
- When images change.
- When scans are forced with the Scan button in Console.
Defender scans Docker images for:
- Published Common Vulnerabilities and Exposures (CVEs).
- Vulnerabilities from misconfigurations.
- Zero-day vulnerabilities.
- Compliance issues.
The Prisma Cloud Intelligence Stream keeps Console up to date with the latest vulnerabilities. The data in this feed is distributed to your Defenders, and employed in subsequent scans.
Through Console, Defender can be extended to scan images for custom components. For example, you can configure Defender to scan for an internally developed library named libexample.so, and set a policy to block a container from running if version 1.9.9 or earlier is installed. For more information, see Scanning custom components.
View image scan reports
Review the health of all images in your environment.
Sorting the table on vulnerability severity is based on data from the last scan. If you update your vulnerability policy with a different alert threshold, rescan your images if you want to be able to sort based on your new settings.
- Open Console, then go to Monitor > Vulnerabilities > Images. The table summarizes the state of each image in your environment. All vulnerabilities identified in the last image scan can be exported to a CSV file by clicking the CSV button in the top left of the page. If multiple images share the same image ID but carry different tags on different hosts, they are shown using +<Num> in the Tag column, as can be seen in the screenshot below.
- Click on an image report to open a detailed report.
- Click on the Vulnerabilities tab to see all CVE issues. CVE vulnerabilities are accompanied by a brief description. Click Show details for more information, including a link to the report on the National Vulnerability Database. The Vendor Status column contains terms such as 'deferred', 'fixed in…', and 'open'. These strings are imported directly from the vendors' CVE databases. They are not Prisma Cloud-specific.
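The CSV export described above lends itself to offline triage. The script below is an added example and is not part of the Prisma Cloud documentation or product. It parses a constructed CSV in the shape of such an export (the column names Image ID, Tag, Host, CVE, Severity and Vendor Status are assumptions for this example; check the header of a real export before relying on them), groups rows by image ID so that an image seen with different tags on different hosts is labelled `tag +<Num>` the way Console shows it, counts distinct CVEs per severity, and separates CVEs whose Vendor Status already reads 'fixed in …' from those still 'open' or 'deferred'. The severity labels and their ranking are also assumptions.

```python
import csv
import io
from collections import Counter, defaultdict

# Severity ranking used for sorting (labels are assumed; the page does not list them).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample of an exported vulnerability table. Column names are
# assumptions for this example; CVE and image IDs are placeholders.
SAMPLE_CSV = """Image ID,Tag,Host,CVE,Severity,Vendor Status
sha256:aaaa,web:1.0,host-a,CVE-EXAMPLE-0001,critical,fixed in 1.2.3
sha256:aaaa,web:1.0,host-a,CVE-EXAMPLE-0002,medium,open
sha256:aaaa,web:latest,host-b,CVE-EXAMPLE-0001,critical,fixed in 1.2.3
sha256:aaaa,web:latest,host-b,CVE-EXAMPLE-0002,medium,open
sha256:aaaa,web:prod,host-c,CVE-EXAMPLE-0001,critical,fixed in 1.2.3
sha256:aaaa,web:prod,host-c,CVE-EXAMPLE-0002,medium,open
sha256:bbbb,db:9,host-a,CVE-EXAMPLE-0003,high,deferred
sha256:bbbb,db:9,host-a,CVE-EXAMPLE-0004,low,open
"""


def parse_export(csv_text):
    """Parse the CSV text into a list of row dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def tag_label(tags):
    """Render the distinct tags of one image ID the way Console does:
    the first tag, followed by +<Num> for the remaining ones."""
    distinct = sorted(set(tags))
    if len(distinct) == 1:
        return distinct[0]
    return f"{distinct[0]} +{len(distinct) - 1}"


def is_fix_available(vendor_status):
    """Vendor Status strings come straight from the vendor feeds; treat any
    'fixed in ...' value as having an upstream fix, everything else as not."""
    return vendor_status.strip().lower().startswith("fixed in")


def summarize(rows):
    """Aggregate rows per image ID: tag label, number of hosts, distinct CVE
    count by severity, and how many distinct CVEs already have a vendor fix."""
    per_image = defaultdict(lambda: {"tags": [], "hosts": set(), "cves": {}})
    for row in rows:
        entry = per_image[row["Image ID"]]
        entry["tags"].append(row["Tag"])
        entry["hosts"].add(row["Host"])
        # The same CVE is reported once per host; keep one record per CVE.
        entry["cves"][row["CVE"]] = (row["Severity"].lower(), row["Vendor Status"])

    summary = {}
    for image_id, entry in per_image.items():
        by_severity = Counter(sev for sev, _ in entry["cves"].values())
        fixable = sum(1 for _, status in entry["cves"].values() if is_fix_available(status))
        summary[image_id] = {
            "tag": tag_label(entry["tags"]),
            "hosts": len(entry["hosts"]),
            "by_severity": dict(by_severity),
            "fix_available": fixable,
            "total": len(entry["cves"]),
        }
    return summary


def sort_by_severity(summary):
    """Order image IDs by the worst severity present, then by how many CVEs sit at that level."""
    def key(item):
        by_sev = item[1]["by_severity"]
        worst = max((SEVERITY_RANK.get(s, 0) for s in by_sev), default=0)
        worst_name = next((s for s, r in SEVERITY_RANK.items() if r == worst), None)
        return (worst, by_sev.get(worst_name, 0))
    return [image_id for image_id, _ in sorted(summary.items(), key=key, reverse=True)]


if __name__ == "__main__":
    report = summarize(parse_export(SAMPLE_CSV))
    for image_id in sort_by_severity(report):
        print(image_id, report[image_id])
```

Because the export repeats a CVE once per host, the aggregation keys on CVE ID within each image so that counts reflect distinct findings rather than the number of hosts the image runs on; the host count is kept separately, since it is what tells you how widely a fixable image is deployed.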