Prisma Cloud Compute Edition Administrator’s Guide
    : Base images
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Vulnerability management
    6. Base images
    Download PDF

    Prisma Cloud Compute Edition Administrator’s Guide

    Base images

    Table of Contents

    Base images

    Prisma Cloud lets you filter out base image vulnerabilities from your scan reports.
    A base image is a starting point or an initial step for the image. Dockerfile usually starts from a base image. Filtering out vulnerabilities, whose source is the base image, can help your teams focus on the vulnerabilities relevant for them to fix.
    Excluding base image vulnerabilities is currently not supported for Windows images and images built by kaniko.

    Define base images

    For Prisma Cloud to be able to exclude base image vulnerabilities, first identify the base images in your environment.
    To define your base images, go to
    Defend > Vulnerabilities > Images > Base images
    . The base images you define must reside in your registry, and they must be scanned to exclude their vulnerabilities from scan reports.
    1. Open Console.
    2. Go to
      Defend > Vulnerabilities > Images > Base images
      .
    3. Click
      Add New
      .
    4. Specify the base image and enter a
      Description
       for it.
      The base image should be specified in the following format: registry/repo:tag. You can use wildcards for the tag definition.
    5. Click
      Save
      .
    6. You can view the specific base image digests of the base image you created using the
      View images
       action.
      These are the digests found in the registry scanning that are matching the base image you defined.
      Prisma Cloud stores a maximum of the 50 latest digests per base image. When the limit is reached, the oldest digests are overwritten as new digests are discovered.

    Exclude base images vulnerabilities in the Monitor view

    When reviewing the health of the images in your environment, whether they are deployed images, registry images, or images scanned in a CI process, you can exclude the base image’s vulnerabilities from the scan results.
    If you enabled "Exclude base images vulnerabilities" under
    Defend > Vulnerabilities > Images > Deployed/CI
    , the filter will not yield any results on the scan results monitor.
    1. Open the Console, then go to
      Monitor > Vulnerabilities > Images > Deployed images/Registries/CI
      .
    2. Use the
      Exclude base images vulns
       filter to exclude the vulnerabilities coming from base images. You will see the vulnerability counters changing.
    3. Click on an image report to open a detailed report.
    4. Review the filtered vulnerabilities. For reviewing the base image, use the link at the top of the page.
    5. In the
      Layers
       tab, the vulnerabilities counters will also exclude base image vulnerabilities, and you’ll see an indication for the base image’s layers.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.