Vulnerability management rules

Vulnerability policies are composed of discrete rules. Rules declare the actions to take when vulnerabilities are found in the resources in your environment. They also control the data surfaced in Prisma Cloud Console, including scan reports and Radar visualizations.
Rules let you target segments of your environment and specify actions to take when vulnerabilities of a given type are found. For example:
There are separate vulnerability policies for containers, hosts, and serverless functions. Host and serverless rules offer a subset of the capabilities of container rules, the big difference being that container rules support blocking.

Creating vulnerability rules

Prisma Cloud ships with a simple default vulnerability policy for containers, hosts, and serverless functions. These policies have a rule named Default - alert all components, which sets the alert threshold to low. With this rule, all vulnerabilities in images, hosts, and functions are reported.
As you build out your policy, you’ll create rules that filter out insignificant information, such as low severity vulnerabilities, and surface vital information, such as critical vulnerabilities.
Rule order is important. Prisma Cloud evaluates the rule list from top to bottom until it finds a match based on the object filters.
By default, Prisma Cloud optimizes resource usage by only scanning images with running containers. Therefore, you might not see a scan report for an image when it’s first pulled into your environment unless it’s been run. To scan all images on the hosts in your environment, go to
Manage > System > Scan
, set
Only scan images with running containers
, and click
To create a vulnerability rule:
  1. Open Console.
  2. Go to
    Defend > Vulnerabilities > {Images | Hosts | Functions}
  3. Click
    Add rule
  4. Enter a rule name and configure the rule. Configuration options are discussed in the following sections.
  5. Click
  6. View the impact of your rule. Go to
    Monitor > Vulnerabilities
    to view the scan reports.

Severity-based actions

Vulnerability rules let you specify trigger thresholds for alerting and blocking. Alert and block actions let you establish quality gates in the CD segment of your continuous integration (CI) continuous deployment (CD) pipeline.
Alert and block thresholds can be set to different values. The block threshold, however,