To prepare for this update, you must upgrade your Defenders from version v22.06.xx.xxx (Kepler) or earlier to a later version.
Failure to upgrade Defenders will result in disconnection of any Defender version below 22.12 such as 22.06.
You can upgrade the Prisma Cloud console directly from any version for n-1 to n.
With 30.xx as n-1 and 31.xx as n, you can for example go directly from 30.01.153 to 31.00.129.
You have to upgrade any version of 22.12.xx to 30.xx before upgrading to 31.xx.
For example, you can upgrade from 22.12.693 to 30.02.123 and then upgrade to 31.00.129.
Expanded Support for Red Hat’s Non-RPM Content
Rather than just flagging these as vulnerable, Prisma Cloud can now leverage Red Hat’s own detailed image analysis, enhancing precision in threat detection.
Support of Registry Tags directly in Compute Collections
Added support for registry labels under collections to enable role-based access control (RBAC).
The scan results for deployed images are now segregated with a
This enhancement facilitates the association between the registry and the scanned images pertaining to that registry, along with registry-based role-based access control (RBAC) for improved security and management.
Support for Continuous Integration (CI) Scanning of Images on Linux Using Containerd
Added the ability for users to run CI scans on Linux using the containerd runtime. This change benefits customers using Kubernetes environments, which no longer support Docker as they need to perform CI scans without Docker.
GKE CIS Compliance Checks for Worker Nodes
CIS Benchmark for Google Kubernetes Engine (GKE) version 1.4.0 is now supported.
This update includes compliance checks for worker nodes.
API Changes and New APIs
Support and Identification of Registry Asset in Registry Scan
Starting with 31.00, the value in the field
for an object returned in the API endpoint response
31.00 and onwards:
Possible values: [registry,ciImage,container,host,agentlessHost,registry,serverlessScan,ciServerless,vm,tas,ciTas,cloudDiscovery,serverlessRadar,serverlessAutoDeploy,hostAutoDeploy,codeRepo,ciCodeRepo]
30.03 and earlier:
Possible values: [image,ciImage,container,host,agentlessHost,registry,serverlessScan,ciServerless,vm,tas,ciTas,cloudDiscovery,serverlessRadar,serverlessAutoDeploy,hostAutoDeploy,codeRepo,ciCodeRepo]
Fixed an issue limiting the support of Prisma Cloud Compute as a pluggable scanner in Harbor.
The support is now extended to instances where the Defenders operate in a CRI environment.
Fixed an issue that caused missing version detection for jar packages when the version name included a date, for example, 20171018.
Fixed an issue preventing agentless scanning of onboarded Azure government accounts
Fixed an issue caused when listing container details of containers on hosts using Docker as the CRI.
With this fix agentless scanning successfully discovers containers on the specified host. It also the scan process tolerance to errors during the retrieval of container metadata.
Fixed missing OS labels of hosts scanned using agentless scanning.
With this fix missing OS labels, both osDistro and osVersion, are added to hosts scanned by agentless scanning.
End of Support Notifications
End of Support for Docker Access Control
The Docker Access Control at
Defend > Access > Docker
and Access User role at
Manage > Authentication > Roles
were planned for End of Support in Newton (v31.00.129) as announced in 22.06 Release Notes.
The deprecation is now extended until the next release Newton Update 1 (v31.01.xxx), when the feature will be no longer supported.
Support for Cloud Native Network Segmentation (CNNS)
The ability to create CNNS policies that Defenders use to limit traffic from containers and hosts was planned for End of Support in this release v31.00.129. The deprecation notice is now extended until the next major release code named O’Neal (v32.0.xxx).
The configuration settings on the console (
Compute > Defend > CNNS
) and the corresponding APIs for CNNS will be dropped in v32.00.xxx.
Radar has a container and a host view, where you can view the network topology for your containerized apps and hosts respectively, and this will continue to be available.
List of API endpoints that are no longer supported:
and use of Twistcli for code repo scanning was planned for End of Support in this release v31.00.129. The deprecation notice is now extended until the next major release code named O’Neal (v32.00.xxx), when the support will be dropped.
You must now use the
capabilities on Prisma Cloud to scan IaC templates, code repositories, and CI pipelines for misconfigurations and vulnerabilities.