Scan Images with twistcli

You can use the Prisma Cloud twistcli command-line tool to scan container images and serverless functions. Scanning with twistcli is supported on Linux, macOS, and Windows.


The twistcli command-line tool has several subcommands. To scan, use the following subcommand.
twistcli images scan
The command scans an image for vulnerabilities and compliance issues. The image must be on the system running the twistcli command-line tool. If it is not, and you are using Docker, you can retrieve the image with docker pull before scanning it. The twistcli tool does not pull images.


When using twistcli images scan, the image or tarball to scan must be the last parameter. If you specify options after the image or tarball, they are ignored. If scanning a tarball, use the --tarball option.
twistcli images scan [OPTIONS] [IMAGE]


The twistcli images scan tool collects information about the packages and binaries in the container image, and sends the information to the Prisma Cloud Console for analysis.
The twistcli tool collects data including the following items.
  • Packages in the image.
  • Files installed by each package.
  • Hashes for files in the image.
After the Prisma Cloud Console analyzes the image for vulnerabilities, twistcli performs the following tasks.
  • Outputs a summary report.
  • Exits with a pass or fail return value.
To specify an image to scan, use either the image ID, or repository name and tag. If you are using Windows with containerd, provide a full image ID because short IDs aren’t supported. Get the full image ID using the following command.
ctr -n <namespace> images ls
The image should be present on the system, having either been built or pulled there. If a repository is specified without a tag, twistcli looks for an image tagged latest.


  • Required. URL for Console, including the protocol and port. Only the HTTPS protocol is supported. To get the address for your Console, go to Compute > Manage > System > Utilities, and copy the string under Path to Console.
    Example: --address
  • Access Key ID to access Prisma Cloud. If not provided, the TWISTLOCK_USER environment variable is used, if defined. Otherwise, "admin" is used as the default.
  • Secret Key for the above Access Key ID specified with -u, --user. If not specified on the command-line, the TWISTLOCK_PASSWORD environment variable is used, if defined. Otherwise, you will be prompted for the user’s password before the scan runs.
Access Key ID and Secret Key are generated from the Prisma Cloud user interface. For more information, see access keys.
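The following shell function is an added example, not part of the Prisma Cloud documentation. It wraps the scan for a CI job using the rules above: HTTPS-only Console address, credentials taken from TWISTLOCK_USER and TWISTLOCK_PASSWORD, image present locally, and image as the last parameter. The names scan_image and CONSOLE_URL are hypothetical, and treating a non-zero exit status as a failed scan is an assumption.

```shell
#!/bin/sh
# Added example: CI gate around "twistcli images scan".
# Hypothetical names: scan_image, CONSOLE_URL. Assumption: a non-zero exit
# status from twistcli means the scan failed.

scan_image() {
    image=${1:-}
    console=${CONSOLE_URL:-}

    [ -n "$image" ] || { echo "usage: scan_image IMAGE" >&2; return 64; }

    # Only the HTTPS protocol is supported for the Console address.
    case $console in
        https://*) ;;
        *) echo "CONSOLE_URL must be an https:// URL" >&2; return 64 ;;
    esac

    # Credentials come from the (exported) environment, so the secret key
    # never shows up in the process argument list, and a CI job fails early
    # instead of hanging on the interactive password prompt.
    if [ -z "${TWISTLOCK_USER:-}" ] || [ -z "${TWISTLOCK_PASSWORD:-}" ]; then
        echo "export TWISTLOCK_USER and TWISTLOCK_PASSWORD first" >&2
        return 64
    fi

    # twistcli does not pull: make sure the image is on this host.
    if ! docker image inspect "$image" >/dev/null 2>&1; then
        docker pull "$image" || return 66
    fi

    # Options first, image last: options after the image are ignored.
    status=0
    twistcli images scan --address "$console" "$image" || status=$?
    [ "$status" -eq 0 ] || echo "scan failed: $image (exit $status)" >&2
    return "$status"
}

# Usage in a pipeline step (constructed values):
#   export CONSOLE_URL=https://console.example.com:8083
#   scan_image myapp:1.0 || exit 1
```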