Serverless function scanning

Prisma Cloud can scan serverless functions for vulnerabilities. Prisma Cloud supports AWS Lambda, Google Cloud Functions, and Azure Functions.
Serverless computing is an execution model in which a cloud provider dynamically manages the allocation of machine resources and schedules the execution of functions provided by users. Serverless architectures delegate the operational responsibilities, along with many security concerns, to the cloud provider. In particular, your app itself is still prone to attack. The vulnerabilities in your code and associated dependencies are the footholds attackers use to compromise an app. Prisma Cloud can show you a function’s dependencies, and surface the vulnerabilities in those dependent components.


For serverless, Prisma Cloud can scan Node.js, Python, Java, C#, Ruby, and Go packages. For a list of supported runtimes see system requirements.
Prisma Cloud scans are triggered by the following events:
  • When the settings change, including when new functions are added for scanning.
  • When you explicitly click the
    button in the
    Monitor > Vulnerabilities > Functions > Scanned Functions
  • Periodically. By default, Prisma Cloud rescans serverless functions every 24 hours, but you can configure a custom interval in
    Manage > System > Scan

Scanning a serverless function

Configure Prisma Cloud to periodically scan your serverless functions. Unlike image scanning, all function scanning is handled by Console.
  1. Open Console.
  2. Go to
    Defend > Vulnerabilities > Functions > Functions
  3. Click on
    Add scope
    . In the dialog, enter the following settings:
    1. (AWS only) Select
      Scan only latest versions
      to only scan the latest version of each function. Otherwise, the scanning will cover all versions of each function up to the specified
    2. (AWS only) Select
      Scan Lambda Layers
      to enable scanning function layers as well.
    3. (AWS only) Specify which regions to scan in
      AWS Scanning scope
      . By default, the scope is applied to
      Regular regions
      . Other options include
      China regions
      Goverment regins
    4. Specify a
      for the number of functions to scan.