Home

Location

Documentation Home
Palo Alto Networks
Support
Live Community
Knowledge Base

Home
Prisma
Prisma Cloud
Prisma Cloud Compute Edition Administrator’s Guide
Vulnerability management
Registry scanning
Scan images in IBM Cloud Container Registry

Last Updated:

Tue May 23 16:14:25 UTC 2023

Current Version:

Self.Hosted 30.xx

Version Prisma Cloud Enterprise Edition
Version Self-Hosted 30.xx
Version Self-Hosted 22.12
Version Self-Hosted 22.06
Version Self-Hosted 22.01
Version Self-Hosted 21.08 (EoL)
Version Self-Hosted 21.04 (EoL)
Version Self-Hosted 20.12 (EoL)
Version Self-Hosted 20.09 (EoL)
Version Self-Hosted 20.04 (EoL)
Version Self-Hosted 19.11 (EoL)

Table of Contents

Filter

Welcome

Releases

Getting started

Product architecture

Support lifecycle

Security Assurance Policy on Prisma Cloud Compute

Licensing

Prisma Cloud Enterprise Edition vs Compute Edition

Utilities and plugins

Install

Getting started

System Requirements

Cluster Context

Deploy the Prisma Cloud Console

Prisma Cloud Container Images

Kubernetes

Deploy the Prisma Cloud Console on Amazon ECS

Console on Fargate

Onebox

Alibaba Cloud Container Service for Kubernetes (ACK)

Azure Container Service (ACS) with Kubernetes

Azure Kubernetes Service (AKS)

Amazon Elastic Kubernetes Service (EKS)

IBM Kubernetes Service (IKS)

OpenShift v4

Deploy Prisma Cloud Defenders

Defender Types

Manage your Defenders

Redeploy Defenders

Uninstall Defenders

Install a Single Container Defender

Deploy a Single Container Defender using the CLI

Install a single Host Defender

Auto-defend hosts

Deploy Windows Defender

Kubernetes

Deploy Orchestrator Defenders on Amazon ECS

Automatically Install Container Defender in a Cluster

Deploy Prisma Cloud Defender from the GCP Marketplace

Deploy Defenders as DaemonSets

VMware Tanzu Application Service (TAS) Defender

Deploy Defender on Google Kubernetes Engine (GKE)

Google Kubernetes Engine (GKE) Autopilot

Deploy Defender on OpenShift v4

Serverless Defender

Deploy Serverless Defender as a Lambda Layer

Auto-defend serverless functions

Deploy App-Embedded Defender

Deploy App-Embedded Defender for Fargate

Default Setting for App-Embedded Defender File System Monitoring

Default Setting for App-Embedded Defender File System Protection

Upgrade

Support lifecycle for connected components

Prisma Cloud’s backward compatibility and upgrade process

Upgrade Onebox

Kubernetes

OpenShift

Helm charts

Amazon ECS

Upgrade the Single Container Defenders

Upgrade Defender DaemonSets

Upgrade Defender DaemonSets (Helm)

Agentless Scanning

Agentless Scanning Modes

Onboard Accounts for Agentless Scanning

Onboard AWS Accounts for Agentless Scanning

Onboard Azure Accounts for Agentless Scanning

Onboard GCP Accounts for Agentless Scanning

Onboard Oracle Cloud Infrastructure (OCI) Accounts for Agentless Scanning

Agentless Scanning Results

Technology overviews

Intelligence Stream

Prisma Cloud Advanced Threat Protection

App-specific network intelligence

Container Runtimes

Radar

Serverless Radar

Prisma Cloud Rules Guide - Docker

Defender architecture

Host Defender architecture

TLS v1.2 cipher suites

Telemetry

Configure

Rule ordering and pattern matching

Backup and restore

Custom feeds

Configuring Prisma Cloud proxy settings

Prisma Cloud Compute certificates

Configure scanning

User certificate validity period

Enable HTTP access to Console

Set different paths for Defender and Console (with DaemonSets)

Authenticate to Console with certificates

Configure custom certs from a predefined directory

Customize terminal output

Collections

Tags

Logon settings

Reconfigure Prisma Cloud

Subject Alternative Names

WildFire Settings

Log Scrubbing

Clustered-DB

Permissions by feature

Authentication

Logging into Prisma Cloud

Integrating with an IdP

Integrate with Active Directory

Integrate with OpenLDAP

Integrate Prisma Cloud with Open ID Connect

Integrate with Okta via SAML 2.0 federation

Integrate Google G Suite via SAML 2.0 federation

Integrate with Azure Active Directory via SAML 2.0 federation

Integrate with PingFederate via SAML 2.0 federation

Integrate with Windows Server 2016 & 2012r2 Active Directory Federation Services (ADFS) via SAML 2.0 federation

Integrate Prisma Cloud with GitHub

Integrate Prisma Cloud with OpenShift

Non-default UPN suffixes

Compute user roles

Assign roles

Credentials Store

Amazon Web Services (AWS) Credentials

Azure Credentials

Google Cloud Platform (GCP) Credentials

IBM Cloud Credentials

Kubernetes Credentials

Cloud Service Providers

Cloud Discovery

Configure Cloud Discovery

Vulnerability management

Prisma Cloud vulnerability feed

Scanning Procedure

Vulnerability Management Policies

Vulnerability Scan Reports

Scan Images for Custom Vulnerabilities

Base images

Vulnerability Explorer

CVSS scoring

CVE Viewer

Registry scanning

Configure Registry Scans

Scan images in Alibaba Cloud Container Registry

Scan images in Amazon Elastic Container Registry (ECR)

Scan images in Azure Container Registry (ACR)

Scan images in Docker Registry v2 (including Docker Hub)

Scan images in Google Artifact Registry

Scan images in Google Container Registry (GCR)

Scan images in Harbor Registry

Scan images in IBM Cloud Container Registry

Scan images in JFrog Artifactory Docker Registry

Scan Images in Sonatype Nexus Registry

Scan images in OpenShift integrated Docker registry

Trigger registry scans with Webhooks

Configure VM image scanning

Configure code repository scanning

Malware scanning

Windows container image scanning

Serverless function scanning

VMware Tanzu Blobstore Scanning

Scan App-Embedded workloads

Troubleshoot vulnerability detection

Compliance

Compliance Explorer

Enforce compliance checks

CIS Benchmarks

Prisma Cloud Labs compliance checks

Serverless functions compliance checks

Windows compliance checks

DISA STIG compliance checks

Custom compliance checks

Trusted images

Host scanning

VM image scanning

App-Embedded scanning

Detect secrets

OSS license management

Runtime defense

Runtime defense for containers

Runtime defense for hosts

Runtime defense for serverless functions

Runtime defense for App-Embedded

Custom runtime rules

Import and export individual rules

ATT&CK Explorer

Runtime Audits

Event Aggregation

Image analysis sandbox

Incident Explorer

Incident types

Altered binary

Backdoor admin accounts

Backdoor SSH access

Brute force

Cryptominers

Execution flow hijack attempt

Kubernetes attacks

Lateral movement

Malware

Port scanning

Reverse shell

Suspicious binary

Other incident types

Access control

Role-based access control for Docker Engine

Admission control with Open Policy Agent

Continuous integration

Jenkins plugin

Jenkins Freestyle project

Jenkins Maven project

Jenkins Pipeline project

Run Jenkins in a container

Jenkins pipeline on Kubernetes

CI plugin policy

Code repo scanning

WAAS

Web-Application and API Security (WAAS)

Deploy WAAS

Deploy WAAS In-Line for Containers

Deploy WAAS Out-Of-Band for Containers

Deploy WAAS In-Line for Hosts

Deploy WAAS Out-Of-Band for Hosts

Deploy WAAS for Containers Protected By App-Embedded Defender

Deploy WAAS for serverless functions

Deploy WAAS Agentless

WAAS Troubleshooting

WAAS Sanity Tests

WAAS Explorer

App Firewall Settings

API Protection

DoS protection

Bot Protection

WAAS Access Controls

Advanced Settings

WAAS Analytics

API Discovery

API definition scan

WAAS custom rules

Detecting unprotected web apps

WAAS Sensitive Data

Firewalls

Cloud Native Network Segmentation (CNNS)

Secrets

Secrets manager

Integrate with secrets stores

Secrets Stores

AWS Secrets Manager

AWS Systems Manager Parameters Store

Azure Key Vault

CyberArk Enterprise Password Vault

HashiCorp Vault

Inject secrets into containers

Injecting secrets: end-to-end example

Alerts

Alert mechanism

AWS Security Hub

Cortex XDR alerts

Cortex XSOAR alerts

Email alerts

Google Cloud Pub/Sub

Google Cloud Security Command Center

IBM Cloud Security Advisor

JIRA Alerts

PagerDuty alerts

ServiceNow alerts for Security Incident Response

ServiceNow alerts for Vulnerability Response

Slack Alerts

Splunk Alerts

Webhook alerts

Audit

Event viewer

Host activity

Administrative activity audit trail

Annotate audit event records

Delete audit logs

Syslog and stdout integration

Log rotation

Throttling audits

Prometheus

Kubernetes auditing

Tools

twistcli

Scan Images with twistcli

Scan code repos with twistcli

Install Console with twistcli

Update the Intelligence Stream in offline environments

Deployment patterns

Projects

Migration options for scale projects

Best practices for DNS and certificate management

Storage limits for audits and reports

Migrating to a SaaS Console

Performance planning

Automated deployment

High Availability and Disaster Recovery guidelines

API

Howto

Configure an AWS Classic Load Balancer for ECS

Configure Prisma Cloud Console’s listening ports

Provision tenant projects in OpenShift

Disable automatic learning

Debug data

Deploy Console and Defenders in FIPS140-2 Level 1 mode

Twistcli sandbox run third-party assessment tool.

Welcome
Install
Upgrade
Agentless Scanning
Technology overviews
Configure
Authentication
Cloud Service Providers
- Cloud Discovery
- Configure Cloud Discovery
Vulnerability management
Compliance
Runtime defense
Access control
- Role-based access control for Docker Engine
- Admission control with Open Policy Agent
Continuous integration
WAAS
Firewalls
- Cloud Native Network Segmentation (CNNS)
Secrets
Alerts
Audit
Tools
Deployment patterns
API
Howto

Document:Prisma Cloud Compute Edition Administrator’s Guide

Scan images in IBM Cloud Container Registry

Last Updated:

Tue May 23 16:14:25 UTC 2023

Current Version:

Self.Hosted 30.xx

Version Prisma Cloud Enterprise Edition
Version Self-Hosted 30.xx
Version Self-Hosted 22.12
Version Self-Hosted 22.06
Version Self-Hosted 22.01
Version Self-Hosted 21.08 (EoL)
Version Self-Hosted 21.04 (EoL)
Version Self-Hosted 20.12 (EoL)
Version Self-Hosted 20.09 (EoL)
Version Self-Hosted 20.04 (EoL)
Version Self-Hosted 19.11 (EoL)

Table of Contents

Filter

Welcome

Releases

Getting started

Product architecture

Support lifecycle

Security Assurance Policy on Prisma Cloud Compute

Licensing

Prisma Cloud Enterprise Edition vs Compute Edition

Utilities and plugins

Install

Getting started

System Requirements

Cluster Context

Deploy the Prisma Cloud Console

Prisma Cloud Container Images

Kubernetes

Deploy the Prisma Cloud Console on Amazon ECS

Console on Fargate

Onebox

Alibaba Cloud Container Service for Kubernetes (ACK)

Azure Container Service (ACS) with Kubernetes

Azure Kubernetes Service (AKS)

Amazon Elastic Kubernetes Service (EKS)

IBM Kubernetes Service (IKS)

OpenShift v4

Deploy Prisma Cloud Defenders

Defender Types

Manage your Defenders

Redeploy Defenders

Uninstall Defenders

Install a Single Container Defender

Deploy a Single Container Defender using the CLI

Install a single Host Defender

Auto-defend hosts

Deploy Windows Defender

Kubernetes

Deploy Orchestrator Defenders on Amazon ECS

Automatically Install Container Defender in a Cluster

Deploy Prisma Cloud Defender from the GCP Marketplace

Deploy Defenders as DaemonSets

VMware Tanzu Application Service (TAS) Defender

Deploy Defender on Google Kubernetes Engine (GKE)

Google Kubernetes Engine (GKE) Autopilot

Deploy Defender on OpenShift v4

Serverless Defender

Deploy Serverless Defender as a Lambda Layer

Auto-defend serverless functions

Deploy App-Embedded Defender

Deploy App-Embedded Defender for Fargate

Default Setting for App-Embedded Defender File System Monitoring

Default Setting for App-Embedded Defender File System Protection

Upgrade

Support lifecycle for connected components

Prisma Cloud’s backward compatibility and upgrade process

Upgrade Onebox

Kubernetes

OpenShift

Helm charts

Amazon ECS

Upgrade the Single Container Defenders

Upgrade Defender DaemonSets

Upgrade Defender DaemonSets (Helm)

Agentless Scanning

Agentless Scanning Modes

Onboard Accounts for Agentless Scanning

Onboard AWS Accounts for Agentless Scanning

Onboard Azure Accounts for Agentless Scanning

Onboard GCP Accounts for Agentless Scanning

Onboard Oracle Cloud Infrastructure (OCI) Accounts for Agentless Scanning

Agentless Scanning Results

Technology overviews

Intelligence Stream

Prisma Cloud Advanced Threat Protection

App-specific network intelligence

Container Runtimes

Radar

Serverless Radar

Prisma Cloud Rules Guide - Docker

Defender architecture

Host Defender architecture

TLS v1.2 cipher suites

Telemetry

Configure

Rule ordering and pattern matching

Backup and restore

Custom feeds

Configuring Prisma Cloud proxy settings

Prisma Cloud Compute certificates

Configure scanning

User certificate validity period

Enable HTTP access to Console

Set different paths for Defender and Console (with DaemonSets)

Authenticate to Console with certificates

Configure custom certs from a predefined directory

Customize terminal output

Collections

Tags

Logon settings

Reconfigure Prisma Cloud

Subject Alternative Names

WildFire Settings

Log Scrubbing

Clustered-DB

Permissions by feature

Authentication

Logging into Prisma Cloud

Integrating with an IdP

Integrate with Active Directory

Integrate with OpenLDAP

Integrate Prisma Cloud with Open ID Connect

Integrate with Okta via SAML 2.0 federation

Integrate Google G Suite via SAML 2.0 federation

Integrate with Azure Active Directory via SAML 2.0 federation

Integrate with PingFederate via SAML 2.0 federation

Integrate with Windows Server 2016 & 2012r2 Active Directory Federation Services (ADFS) via SAML 2.0 federation

Integrate Prisma Cloud with GitHub

Integrate Prisma Cloud with OpenShift

Non-default UPN suffixes

Compute user roles

Assign roles

Credentials Store

Amazon Web Services (AWS) Credentials

Azure Credentials

Google Cloud Platform (GCP) Credentials

IBM Cloud Credentials

Kubernetes Credentials

Cloud Service Providers

Cloud Discovery

Configure Cloud Discovery

Vulnerability management

Prisma Cloud vulnerability feed

Scanning Procedure

Vulnerability Management Policies

Vulnerability Scan Reports

Scan Images for Custom Vulnerabilities

Base images

Vulnerability Explorer

CVSS scoring

CVE Viewer

Registry scanning

Configure Registry Scans

Scan images in Alibaba Cloud Container Registry

Scan images in Amazon Elastic Container Registry (ECR)

Scan images in Azure Container Registry (ACR)

Scan images in Docker Registry v2 (including Docker Hub)

Scan images in Google Artifact Registry

Scan images in Google Container Registry (GCR)

Scan images in Harbor Registry

Scan images in IBM Cloud Container Registry

Scan images in JFrog Artifactory Docker Registry

Scan Images in Sonatype Nexus Registry

Scan images in OpenShift integrated Docker registry

Trigger registry scans with Webhooks

Configure VM image scanning

Configure code repository scanning

Malware scanning

Windows container image scanning

Serverless function scanning

VMware Tanzu Blobstore Scanning

Scan App-Embedded workloads

Troubleshoot vulnerability detection

Compliance

Compliance Explorer

Enforce compliance checks

CIS Benchmarks

Prisma Cloud Labs compliance checks

Serverless functions compliance checks

Windows compliance checks

DISA STIG compliance checks

Custom compliance checks

Trusted images

Host scanning

VM image scanning

App-Embedded scanning

Detect secrets

OSS license management

Runtime defense

Runtime defense for containers

Runtime defense for hosts

Runtime defense for serverless functions

Runtime defense for App-Embedded

Custom runtime rules

Import and export individual rules

ATT&CK Explorer

Runtime Audits

Event Aggregation

Image analysis sandbox

Incident Explorer

Incident types

Altered binary

Backdoor admin accounts

Backdoor SSH access

Brute force

Cryptominers

Execution flow hijack attempt

Kubernetes attacks

Lateral movement

Malware

Port scanning

Reverse shell

Suspicious binary

Other incident types

Access control

Role-based access control for Docker Engine

Admission control with Open Policy Agent

Continuous integration

Jenkins plugin

Jenkins Freestyle project

Jenkins Maven project

Jenkins Pipeline project

Run Jenkins in a container

Jenkins pipeline on Kubernetes

CI plugin policy

Code repo scanning

WAAS

Web-Application and API Security (WAAS)

Deploy WAAS

Deploy WAAS In-Line for Containers

Deploy WAAS Out-Of-Band for Containers

Deploy WAAS In-Line for Hosts

Deploy WAAS Out-Of-Band for Hosts

Deploy WAAS for Containers Protected By App-Embedded Defender

Deploy WAAS for serverless functions

Deploy WAAS Agentless

WAAS Troubleshooting

WAAS Sanity Tests

WAAS Explorer

App Firewall Settings

API Protection

DoS protection

Bot Protection

WAAS Access Controls

Advanced Settings

WAAS Analytics

API Discovery

API definition scan

WAAS custom rules

Detecting unprotected web apps

WAAS Sensitive Data

Firewalls

Cloud Native Network Segmentation (CNNS)

Secrets

Secrets manager

Integrate with secrets stores

Secrets Stores

AWS Secrets Manager

AWS Systems Manager Parameters Store

Azure Key Vault

CyberArk Enterprise Password Vault

HashiCorp Vault