Document:Prisma Cloud Administrator’s Guide (Compute)

Vulnerability Scan Reports

Filter

Welcome
- Getting started
- Compute SaaS maintenance updates
- NAT gateway IP addresses
- Product architecture
- Support lifecycle
- Security Assurance Policy on Prisma Cloud Compute
- Licensing
- Prisma Cloud Enterprise Edition vs Compute Edition
- Utilities and plugins
Install
- Getting started
- System Requirements
- Cluster Context
- Deploy Prisma Cloud Defenders
Upgrade
- Support lifecycle for connected components
- Upgrade process
- Kubernetes
- OpenShift
- Helm charts
- Amazon ECS
- Upgrade the Single Container Defenders
- Upgrade Defender DaemonSets
- Upgrade Defender DaemonSets (Helm)
Agentless Scanning
- Agentless Scanning Modes
- Onboard Accounts for Agentless Scanning
- Agentless Scanning Results
Technology overviews
- Intelligence Stream
- Prisma Cloud Advanced Threat Protection
- App-specific network intelligence
- Container Runtimes
- Radar
- Serverless Radar
- Prisma Cloud Rules Guide - Docker
- Defender architecture
- Host Defender architecture
- TLS v1.2 cipher suites
- Telemetry
Configure
- Rule ordering and pattern matching
- Backup and restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Prisma Cloud Compute certificates
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with certificates
- Customize terminal output
- Collections
- Tags
- WildFire Settings
- Log Scrubbing
- Permissions by feature
Authentication
- Access keys
- Prisma Cloud Compute User Roles
- Compute user roles
- Assign roles
- Credentials Store
Cloud Service Providers
- Cloud discovery
- Use Cloud Service Provider Accounts in Prisma Cloud
Vulnerability management
- Prisma Cloud vulnerability feed
- Scanning Procedure
- Vulnerability Management Policies
- Vulnerability Scan Reports
- Scan Images for Custom Vulnerabilities
- Base images
- Vulnerability Explorer
- CVSS scoring
- CVE Viewer
- Registry scanning
- Configure VM image scanning
- Configure code repository scanning
- Malware scanning
- Windows container image scanning
- Serverless function scanning
- VMware Tanzu Blobstore Scanning
- Scan App-Embedded workloads
- Troubleshoot vulnerability detection
Access control
- Role-based access control for Docker Engine
- Admission control with Open Policy Agent
Compliance
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Serverless functions compliance checks
- Windows compliance checks
- DISA STIG compliance checks
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- App-Embedded scanning
- Detect secrets
- OSS license management
Runtime defense
- Runtime defense for containers
- Runtime defense for hosts
- Runtime defense for serverless functions
- Runtime defense for App-Embedded
- Event Aggregation
- Custom runtime rules
- Import and export individual rules
- ATT&CK Explorer
- Runtime Audits
- Image analysis sandbox
- Incident Explorer
- Incident types
Continuous integration
- Jenkins plugin
- Jenkins Freestyle project
- Jenkins Maven project
- Jenkins Pipeline project
- Run Jenkins in a container
- Jenkins pipeline on Kubernetes
- CI plugin policy
- Code repo scanning
WAAS
- Web-Application and API Security (WAAS)
- Deploy WAAS
- WAAS Explorer
- App Firewall Settings
- API Protection
- DoS protection
- Bot Protection
- WAAS Access Controls
- Advanced Settings
- WAAS Analytics
- API Discovery
- API definition scan
- WAAS custom rules
- Detecting unprotected web apps
- WAAS Sensitive Data
Firewalls
- Cloud Native Network Segmentation (CNNS)
Secrets
- Secrets manager
- Integrate with secrets stores
- Secrets Stores
- Inject secrets into containers
- Injecting secrets: end-to-end example
Alerts
- Alert mechanism
- AWS Security Hub
- Cortex XDR alerts
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts for Security Incident Response
- ServiceNow alerts for Vulnerability Response
- Slack Alerts
- Splunk Alerts
- Webhook alerts
Audit
- Event viewer
- Host activity
- Administrative activity audit trail
- Annotate audit event records
- Delete audit logs
- Syslog and stdout integration
- Log rotation
- Throttling audits
- Prometheus
- Kubernetes auditing
Tools
- twistcli
- Scan Images with twistcli
- Scan code repos with twistcli
- Scan Infrastructure as Code (IaC)
Deployment patterns
- Best practices for DNS and certificate management
- Storage limits for audits and reports
- Performance planning
API
Howto
- Disable automatic learning
- Debug data

Vulnerability Scan Reports

Prisma Cloud scans images, hosts, and functions to detect vulnerabilities. The Prisma Cloud Intelligence Stream keeps Console up to date with the latest vulnerabilities. The data in this feed is used both for agentless scanning and is distributed to your Defenders for scans. The initial scan is triggered when a Defender is installed, or when you enable agentless scanning, the scans check for:

Published Common Vulnerabilities and Exposures (CVEs).

Vulnerabilities from misconfigurations.

Malware

Zero-day vulnerabilities

Compliance issues

Secrets After the initial scan, subsequent scans are triggered:

Periodically, according to the scan interval configured in Console. By default, images are scanned every 24 hours.

When new images are deployed onto the host.

When scans are forced with the Scan
button in Console.

Through Console, Defender can be extended to scan images for custom components. For example, you can configure Defender to scan for an internally developed library named libexample.so, and set a policy to block a container from running if version 1.9.9 or earlier at installed. For more information, see Scanning custom components.

View image scan reports

Review the health of all images in your environment.

Sorting the table on vulnerability severity based on data from the last scan. If you update your vulnerability policy with a different alert threshold, rescan your images if you want to be able to sort based on your new settings.

Open Console, then go to Monitor > Vulnerabilities > Images
.

The table summarizes the state of each image in your environment.

All vulnerabilities identified in the last image scan can be exported to a CSV file by clicking the CSV
button in the top left of the page.

In case multiple images share the same image ID, but with different tags on different hosts, then these will be shown using +<Num> in the Tag column, as can be seen in the screenshot below.

Click on an image report to open a detailed report.

Click on the Vulnerabilities
tab to see all CVE issues.

CVE vulnerabilities are accompanied by a brief description. Click Show details
for more information, including a link to the report on the National Vulnerability Database.

The Vendor Status
column contains terms such as 'deferred', 'fixed in…', and 'open'. These strings are imported directly from the vendors' CVE databases. They are not Prisma Cloud-specific.

Tagging vulnerabilities

To help you manage and fix the vulnerabilities in your environment, you can assign tags to each vulnerability. The list of available tags is defined under Manage > Collections and Tags > Tags > Tag definition
(see Tag definition). To assign a tag to a vulnerability, click on the Add tags to CVE
action in the Tags
column.

Tagging a vulnerability will apply by default to the CVE ID, package, and resource you assigned the tag from. You can granularly adjust and extend the tag scope under Manage > Collections and Tags > Tags > Tag assignment
(see Tag assignment).

For example, assigning a tag from the following scan report, will apply to CVE-2020-16156, package perl, and image ubuntu:20.04.

You can also add comments to each tag assignment, for example, to explain the reason this tag was added. Do it by clicking the comment icon on the left side of the tag.

By default, all vulnerabilities, according to your policy, are listed. However, you can also examine vulnerabilities only with specific tags. Use the drop-down list to filter by tags.

Remove a tag from a vulnerability using the close action available on the tag.

When removing a tag from the scan report, the entire tag assignment is removed, which may be wider than just the single place you remove it from. For example, removing a tag that is applied to image ubuntu:20.04 by a tag assignment defined for images ubuntu:*, will remove the entire tag assignment, which means the tag will be removed from all ubuntu images.

For more granular tag removal, go to the Manage > Collections and Tags > Tags > Tag assignment
, and adjust the relevant tag scope.

Per-layer vulnerability analysis

To make it easier to understand how images are constructed and what components have vulnerabilities, Prisma Cloud correlates vulnerabilities to layers. This tool helps you assess how vulnerabilities were introduced into an image, and pick a starting point for remediation.

To see the layer analysis, click on an image to open the scan report, then click the Layers
tab.

RHEL images

The Prisma Cloud layers tool shows the instructions used to create each layer in an image. RHEL images, however, don’t contain the necessary metadata, so the Prisma Cloud layers tool shows an empty black box.

To validate that the required metadata is absent, run docker history IMAGE-ID on a non-RHEL image. The CREATED BY column is fully populated.

Next, run

Document:Prisma Cloud Administrator’s Guide (Compute)

Vulnerability Scan Reports

Table of Contents

Vulnerability Scan Reports

View image scan reports

Tagging vulnerabilities

Per-layer vulnerability analysis

RHEL images