Scan App-Embedded workloads
App-Embedded Defenders can scan their workloads for vulnerabilities.
To see the scan reports, go to
Monitor > Vulnerabilities > Images > Deployed
You can filter the table by:
- App-Embedded: Select — Narrows the results to just images protected by App-Embedded Defender.
- App ID — Narrows the list to specific images. App IDs are listed under the table’s Apps column. For ECS Fargate tasks, the App ID is partially constructed from the task name. AWS Fargate tasks can run multiple containers; all containers in a Fargate task have the same App ID. For all other workloads protected by App-Embedded Defender, the App ID is partially constructed from the app name, which is a deploy-time configuration set in the App ID field of the embed workflow.
You can use wildcards to filter the table by app/image name.
For example, if the app name is dvwa, then you could find all deployments with Repository: dvwa*.
This filter would show dvwa:0438dc81a9144fab8cf09320b0e1922b and dvwa:538359b5f7f54559ab227375fe68cd7a.
Create vulnerability rules
Create a vulnerability rule for a segment of App-Embedded workloads.
- Log in to the Console.
- Go to Defend > Vulnerabilities > Images > Deployed.
- Click Add rule.
- Enter a rule name.
- Click on Scope to select a relevant collection, or create a new collection. Workloads are scoped by App ID. The App ID is specified when you embed the App-Embedded Defender into a workload, and it’s a unique identifier for the Defender/task pair.
- If creating a collection, click Add collection.
- Enter a collection name.
- In the App ID field, enter one or more App IDs. Postfix wildcards are supported.
- Click Save.
- Select the new collection.
- Click Select collection.
- Select an alert threshold. Thresholds select, by severity, which vulnerabilities Prisma Cloud should report. App-Embedded Defenders don’t support the block action.
- Click Save.
Deploy an example Fargate task
Deploy the fargate-vulnerability-compliance-task Fargate task.
Follow the steps in embed App-Embedded Defender into Fargate tasks.
You can use the following task definition to test Prisma Cloud’s App-Embedded Defender.
It’s based on an Ubuntu 18.04 image.
{
  "containerDefinitions": [
    {
      "command": [
        "/bin/sh -c 'cp /bin/sleep /tmp/xmrig && echo \"[+] Sleeping...\" && while true; do sleep 1000 ; done'"
      ],
      "entryPoint": [ "sh", "-c" ],
      "essential": true,
      "image": "ubuntu:18.04",
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/fargate-task-definition",
          "awslogs-region": "us-east-1",
          "awslogs-stream-prefix": "ecs"
        }
      },
      "name": "Fargate-vul-comp-test",
      "portMappings": [
        { "containerPort": 80, "hostPort": 80, "protocol": "tcp" }
      ]
    }
  ],
  "cpu": "256",
  "executionRoleArn": "arn:aws:iam::012345678910:role/ecsTaskExecutionRole",
  "family": "fargate-vulnerability-compliance-task",
  "memory": "512",
  "networkMode": "awsvpc",
  "requiresCompatibilities": [ "FARGATE" ]
}
Review vulnerability scan reports
Review the scan results in Console.
If an App-Embedded Defender protects a container where the user isn’t root, the vulnerability and compliance scanning procedure encounters permission denied errors, which you can see in the Defender logs (Manage > Defenders > Manage > Defenders > Actions > Logs). If an App-Embedded Defender protects a Fargate task with a container where the user isn’t root, the vulnerability and compliance scanning procedure also encounters permission denied errors. However, those errors aren’t visible unless you download and inspect the Defender logs.
In both cases, the scan flow continues even though errors are encountered.
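The following is an added example, not Prisma Cloud code: a pre-deployment check that flags containers in an ECS task definition whose `user` field is non-root (the case the paragraph above says produces permission denied errors in the Defender logs), plus a postfix-wildcard matcher of the kind used when scoping a collection by App ID. The sample task definition and App IDs are constructed, and the parsing of the `user` field is an assumption.

```python
import json

# Constructed sample: the page's example task definition trimmed to the fields this
# check reads, plus a hypothetical second container that runs as a non-root user.
SAMPLE_TASK_DEF = json.loads("""
{
  "family": "fargate-vulnerability-compliance-task",
  "containerDefinitions": [
    {"name": "Fargate-vul-comp-test", "image": "ubuntu:18.04"},
    {"name": "sidecar", "image": "example/sidecar:1.0", "user": "1000:1000"}
  ]
}
""")

# ECS 'user' accepts "user", "user:group", "uid" or "uid:gid". Assumption: the
# image's own USER directive is not inspected, so an absent field counts as root.
ROOT_USERS = {"", "root", "0"}


def container_runs_as_root(container: dict) -> bool:
    """True when the container definition runs as root (no 'user', or a root user)."""
    user = container.get("user", "")
    return user.split(":", 1)[0].strip() in ROOT_USERS


def non_root_containers(task_def: dict) -> list:
    """Names of containers whose App-Embedded scans will log permission denied errors."""
    return [c["name"] for c in task_def.get("containerDefinitions", [])
            if not container_runs_as_root(c)]


def matches_postfix_wildcard(pattern: str, value: str) -> bool:
    """Exact match, or prefix match when the pattern ends in '*' (postfix wildcard)."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value == pattern


def scope_app_ids(patterns, app_ids):
    """App IDs that a collection with the given App ID patterns would include."""
    return sorted(a for a in app_ids
                  if any(matches_postfix_wildcard(p, a) for p in patterns))


if __name__ == "__main__":
    print("non-root containers:", non_root_containers(SAMPLE_TASK_DEF))
    # Constructed App IDs; real ones are partially derived from the task name.
    print(scope_app_ids(["fargate-task*"], ["fargate-task-a", "fargate-task", "dvwa"]))
```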
For Fargate version 1.3.0 and older, Prisma Cloud shows only a single scan report if the same image is run simultaneously as:
- A task on ECS Fargate, protected by App-Embedded Defender.
- A container on a host, protected by Container Defender.
In this case, the image is categorized as "App-Embedded". As a result, when the scan report table is filtered by App-Embedded: Select, a scan report is shown. When the table is filtered by App-Embedded: Exclude, it is hidden. And when filtering by Hosts, it is hidden even if the host matches, because the image is considered App-Embedded. For Fargate version 1.4.0, two separate scan reports are shown, one for App-Embedded and one for Container Defender.
- Navigate to Monitor > Vulnerabilities > Images > Deployed and validate that the deployed image appears and contains vulnerabilities.
- To see all images that are related to Fargate tasks, filter the image table by App-Embedded: Select. You can also filter the results by a specific task name or postfix wildcards. For example, fargate-task or fargate-task*.
- Search for the fargate-vulnerability-compliance-task Fargate task.
- Click on the image to see more details. The Apps column shows a count of the number of running containers protected by App-Embedded Defender. The Layers, Processes info, Labels, Runtime, and Trust groups tabs aren’t supported for images scanned by App-Embedded Defenders.
- Click the Vulnerabilities tab to review all findings.
- Review runtime information for the container. Go to the Environment > Apps tab, and then click on the app in the table to open the App-Embedded observations. You can bring up the same view by going directly to Monitor > Runtime > App-Embedded observations and clicking on the same app. The Environment tab shows cloud-provider metadata that App-Embedded Defender collected about the running container. For more information about the type of cloud-provider metadata App-Embedded Defender can collect, see Monitoring workloads at runtime.