Table of Contents

31.00 Release Notes

The following table outlines the release particulars:
Code name
Release date
August 20, 2023
Major release
Review the system requirements to learn about the supported operating systems, hypervisors, runtimes, tools, and orchestrators.

Upgrade from Previous Releases

Upgrade Defender Versions 22.06 and Earlier

With the release, Defender versions supported (n, n-1, and n-2) are,, and
To prepare for this update, you must upgrade your Defenders from version (Kepler) or earlier to a later version. Failure to upgrade Defenders will result in disconnection of any Defender version below 22.12 such as 22.06.

Upgrade the Prisma Cloud Console

With the release, the supported Console versions (n, n-1, and n-2) are,, and
You can upgrade the Prisma Cloud console directly from any version for n-1 to n. With 30.xx as n-1 and 31.xx as n, you can for example go directly from 30.01.153 to 31.00.129.
You have to upgrade any version of 22.12.xx to 30.xx before upgrading to 31.xx. For example, you can upgrade from 22.12.693 to 30.02.123 and then upgrade to 31.00.129.


Expanded Support for Red Hat’s Non-RPM Content

The Prisma Cloud Intelligence Stream now includes vulnerability data on non-RPM content from Red Hat, including binaries, Python scripts, JavaScript files, and Java JAR files within layered products like OpenShift. Rather than just flagging these as vulnerable, Prisma Cloud can now leverage Red Hat’s own detailed image analysis, enhancing precision in threat detection.

Support of Registry Tags directly in Compute Collections

Added support for registry labels under collections to enable role-based access control (RBAC). The scan results for deployed images are now segregated with a
Custom label
within collections. This enhancement facilitates the association between the registry and the scanned images pertaining to that registry, along with registry-based role-based access control (RBAC) for improved security and management.

Support for Continuous Integration (CI) Scanning of Images on Linux Using Containerd

Added the ability for users to run CI scans on Linux using the containerd runtime. This change benefits customers using Kubernetes environments, which no longer support Docker as they need to perform CI scans without Docker.

GKE CIS Compliance Checks for Worker Nodes

CIS Benchmark for Google Kubernetes Engine (GKE) version 1.4.0 is now supported. This update includes compliance checks for worker nodes.

API Changes and New APIs

Support and Identification of Registry Asset in Registry Scan

Starting with 31.00, the value in the field
for an object returned in the API endpoint response
GET, api/vVERSION/registry
is now
instead of
31.00 and onwards:
type shared.ScanType Possible values: [registry,ciImage,container,host,agentlessHost,registry,serverlessScan,ciServerless,vm,tas,ciTas,cloudDiscovery,serverlessRadar,serverlessAutoDeploy,hostAutoDeploy,codeRepo,ciCodeRepo]
30.03 and earlier:
type shared.ScanType Possible values: [image,ciImage,container,host,agentlessHost,registry,serverlessScan,ciServerless,vm,tas,ciTas,cloudDiscovery,serverlessRadar,serverlessAutoDeploy,hostAutoDeploy,codeRepo,ciCodeRepo]

Addressed Issues

  • Fixed an issue limiting the support of Prisma Cloud Compute as a pluggable scanner in Harbor. The support is now extended to instances where the Defenders operate in a CRI environment.
  • Fixed an issue that caused missing version detection for jar packages when the version name included a date, for example, 20171018.
  • Fixed an issue preventing agentless scanning of onboarded Azure government accounts
  • Fixed an issue caused when listing container details of containers on hosts using Docker as the CRI.
    With this fix agentless scanning successfully discovers containers on the specified host. It also the scan process tolerance to errors during the retrieval of container metadata.
  • Fixed missing OS labels of hosts scanned using agentless scanning.
    With this fix missing OS labels, both osDistro and osVersion, are added to hosts scanned by agentless scanning.

End of Support Notifications

End of Support for Docker Access Control

The Docker Access Control at
Defend > Access > Docker
and Access User role at
Manage > Authentication > Roles
were planned for End of Support in Newton (v31.00.129) as announced in 22.06 Release Notes. The deprecation is now extended until the next release Newton Update 1 (, when the feature will be no longer supported.

Deprecation Notices

Support for Cloud Native Network Segmentation (CNNS)

The ability to create CNNS policies that Defenders use to limit traffic from containers and hosts was planned for End of Support in this release v31.00.129. The deprecation notice is now extended until the next major release code named O’Neal ( The configuration settings on the console (
Compute > Defend > CNNS
) and the corresponding APIs for CNNS will be dropped in
Radar has a container and a host view, where you can view the network topology for your containerized apps and hosts respectively, and this will continue to be available.
List of API endpoints that are no longer supported:

Support for Code Repo Scanning

Scanning your code repositories from the Prisma Cloud Compute Console at
Compute > Monitor> Vulnerabilities > Code repositories
and use of Twistcli for code repo scanning was planned for End of Support in this release v31.00.129. The deprecation notice is now extended until the next major release code named O’Neal (, when the support will be dropped.
You must now use the
Code Security
capabilities on Prisma Cloud to scan IaC templates, code repositories, and CI pipelines for misconfigurations and vulnerabilities.

Recommended For You