Scan Images with twistcli
The twistcli command-line tool has several subcommands. To scan, use the following subcommand.
twistcli images scan
The command scans an image for vulnerabilities and compliance issues. The image must already be present on the system running the twistcli command-line tool. If it is not, and you are using Docker, retrieve the image with docker pull before scanning it. The twistcli tool does not pull images.
When using twistcli images scan, the image or tarball to scan must be the last parameter. If you specify options after the image or tarball, they are ignored. If scanning a tarball, use the --tarball option.
twistcli images scan [OPTIONS] [IMAGE]
The twistcli images scan tool collects information about the packages and binaries in the container image, and sends the information to the Prisma Cloud Console for analysis.
The twistcli tool collects data including the following items.
- Packages in the image.
- Files installed by each package.
- Hashes for files in the image.
After the Prisma Cloud Console analyzes the image for vulnerabilities, twistcli performs the following tasks.
- Outputs a summary report.
- Exits with a pass or fail return value.
To specify an image to scan, use either the image ID, or repository name and tag. If you are using Windows with containerd, provide a full image ID because short IDs aren’t supported. Get the full image ID using the following command.
- Required. URL for Console, including the protocol and port. Only the HTTPS protocol is supported. To get the address for your Console, go to Compute > Manage > System > Utilities, and copy the string under Path to Console. Example: --address https://us-west1.cloud.twistlock.com/us-3-123456789
- Access Key ID to access Prisma Cloud. If not provided, the TWISTLOCK_USER environment variable is used, if defined. Otherwise, "admin" is used as the default.
- Secret Key for the above Access Key ID specified with -u, --user. If not specified on the command-line, the TWISTLOCK_PASSWORD environment variable is used, if defined. Otherwise, you will be prompted for the user’s password before the scan runs.
Access Key ID and Secret Key are generated from the Prisma Cloud user interface. For more information, see access keys.
- Write the results of the scan to a file in JSON format. Example: --output-file scan-results.json
- Show all vulnerability details.
- Run the scan from inside the container.
- Include the image custom labels in the results.
- Docker daemon listening address (default: unix:///var/run/docker.sock). Can be specified with the DOCKER_CLIENT_ADDRESS environment variable.
- Path to the Docker client CA certificate.
- Path to the Docker client certificate.
- Path to the Docker client private key.
- Immediately exit the scan if an error is encountered (not supported with the --containerized flag).
- Path to Prisma Cloud CA certificate file. If no CA certificate is specified, the connection to Console is insecure.
- Forces twistcli to use Podman. To use the default installation path, set as podman. Otherwise, provide the appropriate path.
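A small CI gate that wraps twistcli images scan as described above, added here as an example (it is not part of the Prisma Cloud documentation). It assumes the environment variables TWISTCLI, PRISMA_ADDRESS and PRISMA_CA_CERT, and uses --details and --tlscacert as the names of the "show all vulnerability details" and "Prisma Cloud CA certificate" options listed above; the access key is read by twistcli itself from TWISTLOCK_USER and TWISTLOCK_PASSWORD.

```shell
#!/bin/sh
# Added example, not Prisma Cloud's own code. Assumed environment:
#   TWISTCLI        path to the twistcli binary (default "twistcli")
#   PRISMA_ADDRESS  Console URL including protocol and port (HTTPS only)
#   PRISMA_CA_CERT  optional CA certificate for the Console connection
# TWISTLOCK_USER / TWISTLOCK_PASSWORD are read by twistcli itself.

# ensure_image_local IMAGE: twistcli does not pull, so fetch the image first.
ensure_image_local() {
  docker image inspect "$1" >/dev/null 2>&1 || docker pull "$1"
}

# scan_image IMAGE [OUTFILE]: run the scan and return twistcli's exit status
# (0 = pass, non-zero = fail) so the pipeline can be gated on it.
scan_image() {
  image="$1"
  outfile="${2:-scan-results.json}"
  : "${PRISMA_ADDRESS:?PRISMA_ADDRESS must be set (https://host:port/path)}"
  case "$PRISMA_ADDRESS" in
    https://*) ;;
    *) echo "Console address must use HTTPS" >&2; return 2 ;;
  esac
  # Build the option list first; the image goes last (options after it are ignored).
  set -- --address "$PRISMA_ADDRESS" --output-file "$outfile" --details
  if [ -n "${PRISMA_CA_CERT:-}" ]; then
    set -- "$@" --tlscacert "$PRISMA_CA_CERT"   # assumed option name, see lead-in
  else
    echo "warning: no CA certificate given; Console connection is not verified" >&2
  fi
  "${TWISTCLI:-twistcli}" images scan "$@" "$image"
}

# Usage: sh gate.sh IMAGE  (skipped when no image argument is given)
if [ -n "${1:-}" ]; then
  ensure_image_local "$1" && scan_image "$1" || exit 1
fi
```

Run with a real twistcli binary and Console credentials; the script's exit status is twistcli's pass/fail result, so a failing scan stops the pipeline step.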