Vulnerability Management Policies

Vulnerability policies are composed of discrete rules. Rules declare the actions to take when vulnerabilities are found in the resources in your environment. They also control the data surfaced in Prisma Cloud Console, including scan reports and Radar visualizations.
Rules let you target segments of your environment and specify actions to take when vulnerabilities of a given type are found. For example,
When there is no matching rule for vulnerability scanning on specific resources such as an image or a function, Prisma Cloud generates alerts on all vulnerabilities that are found.
There are separate vulnerability policies for containers, hosts, and serverless functions. Host and serverless rules offer a subset of the capabilities of container rules, the big difference being that container rules support blocking.

Create Vulnerability Rules

Prisma Cloud ships with a simple default vulnerability policy for containers, hosts, and serverless functions. These policies have a rule named Default - alert all components, which sets the alert threshold to low. With this rule, all vulnerabilities in images, hosts, and functions are reported.
As you build out your policy, you’ll create rules that filter out insignificant information, such as low-severity vulnerabilities, and surface vital information, such as critical vulnerabilities.
Rule order is important. Prisma Cloud evaluates the rule list from top to bottom until it finds a match based on the object filters.
By default, Prisma Cloud optimizes resource usage by only scanning images with running containers. Therefore, you might not see a scan report for an image when it is first pulled into your environment unless it’s been run. Note that images for short-lived containers are not scanned. To scan all images on the hosts (except CRI-O and containerd images) in your environment, go to
Manage > System > Scan
, set
Only scan images with running containers
to
Off
, and click
Save
.
When
Only scan images with running containers
is turned off, the image details show the Start time when the Defender first reads the image. This is applicable for all images (deployed and not deployed), except CRI-O and containerd images.
To create a vulnerability rule:
  1. Open Console.
  2. Go to
    Defend > Vulnerabilities > {Images | Hosts | Functions}
    .
  3. Click
    Add rule
    .
  4. Enter a rule name and configure the rule. Configuration options are discussed in the following sections.
  5. Click
    Save
    .
  6. View the impact of your rule. Go to
    Monitor > Vulnerabilities
    to view the scan reports.

Severity-based actions

Vulnerability rules let you specify Alert/Block/Failure triggers based on severity thresholds.
The Severity-based actions let you establish quality gates in the CD segment of your continuous integration (CI) continuous deployment (CD) pipeline.
The Severity threshold can be set at different values.
Setting the alert threshold to off allows all vulnerabilities for the resources in scope (as defined by your filters). Practically, resource nodes in Radar turn green (no issues to report), and scan reports are empty (no issues to report).
When you create a blocking rule, Defender automatically installs itself as the final arbiter of all container lifecycle commands. This way, the Defender can assess a Docker command, your current policy, and the status of an image before either forwarding the command to runC for execution or blocking it altogether.

Risk factors-based actions

For deployed and CI images, you can trigger different actions such as alert, block, and fail based on risk factors - "Exploit in the wild" and "Exploit POC". All the vulnerabilities that match any severity threshold or the risk factors will be listed in the scan results under
Monitor > Vulnerabilities > Images > Deployed/Registries/CI
. For example, you can set an alert on the vulnerabilities with severity high and critical, and choose "exploit in the wild" so you will be also alerted on any vulnerability with this risk factor.
Image scan failed due to vulnerability policy violations by severity or by risk factors:
NOTE:
  • Each risk factor can be selected once per alert or block notification.
  • Setting the alert threshold to off allows all vulnerabilities for the resources in scope (as defined by your filters). Practically, resource nodes in Radar turn green (no issues to report), and scan reports are empty (no issues to report).

Exclude base image vulnerabilities

Enable
Exclude base image vulnerabilities
to ignore the vulnerabilities introduced by base images from being displayed on the monitor scan results. To use this feature, you need to first specify the base image under
Monitor > Vulnerabilities > Images > Base images
.
NOTE: Prisma Cloud does not support base image filtering for the images that are built using kaniko, owing to an issue in kaniko that filters out the vulnerabilities from the whole application.

Scope

The scope field lets you target the rule to specific resources in your environment. The scope of a rule is defined by referencing one or more collections. By default, the scope is set to the
All
collection, which applies the rule globally. For more information about creating and managing collections, see here.

Vendor fixes

Rules can be applied conditionally, depending on whether vendor fixes are available. For example, you could tune your policy to block the deployment of containers with a critical vulnerability *only if* the vulnerable package has an update that resolves the issue. Otherwise, the deployment would be allowed to proceed.
Some vulnerabilities have a vendor status of "Will not fix". This status is applied when vendors don’t intend to resolve a vulnerability because it poses no significant risk to your environment.

Rule exceptions

You can configure Prisma Cloud to:
  • Alert or block or fail on specific CVEs or tags (deny).
  • Ignore specific CVEs or tags (allow).
Under
Advanced settings
, create a list of vulnerabilities and tags and specify how the scanner should handle them. Leaving the expiration date blank enforces the action until the CVE or tag is removed from the list. If you set an expiration date, and the current date is later than the expiration date, the scanner ignores the directive. The CVE or tag remains on the list even if it’s expired. It must be manually removed. Notice that for tag exceptions, in case of a conflict (a vulnerability with two tags or more that have different actions in the rule exceptions) there’s no guarantee what action will apply.

Custom terminal output

Prisma Cloud lets you create rules that block access to resources or block the deployment of vulnerable containers. For example, you might create a rule that blocks the deployment of any image that has critical severity vulnerabilities. By default, when you try to run a vulnerable image, Prisma Cloud returns a terse response:
$ docker run -it ubuntu:14.04 sh docker: Error response from daemon: [Prisma Cloud] Image operation blocked by policy: (sdf), has 44 vulnerabilities, [low:25 medium:19].
To help the operator better understand how to handle a blocked action, you can enhance Prisma Cloud’s default response by:
  • Appending a custom message to the default message. For example, you could tell operators where to go to open a ticket.
  • Configuring Prisma Cloud to return an itemized list of compliance issues rather than just a summary. This way, the operator does not need to contact the security team to determine which issues are preventing deployment. They are explicitly listed in the response.
When terminal output verbosity is set to
Detailed
, the response looks as follows:
$ docker run -it ubuntu:14.04 sh docker: Error response from daemon: [Prisma Cloud] Image operation blocked by policy: (sdf), has 44 vulnerabilities, [low:25 medium:19]. Image ID CVE Package Version Severity Status ===== == === ======= ======= ======== ====== ubuntu:14.04 4333f1 CVE-2017-2518 sqlite3 3.8.2-1ubuntu2.1 medium deferred ubuntu:14.04 4333f1 CVE-2017-6512 perl 5.18.2-2ubuntu1.1 medium needed . . .

Grace period

Grace periods temporarily override the blocking action of a rule when new vulnerabilities are found. Grace periods give you time to address a vulnerability without compromising the availability of your app. You can configure a uniform grace period for all severities or provide different settings for each severity.
When grace periods are configured, alerts trigger as normal, notifying you that a vulnerability exists in your environment. The block action is suppressed for the number of days specified, giving you time to mitigate the vulnerability.
The start time for the grace period is the date the vulnerability was identified by the Intelligence Stream (IS), known as the "fix date". The end time is the fixed date plus the number of days configured for the grace period. For any feed collected by IS that does not provide a fix date for CVE, Prisma Cloud Compute will determine the fix date as the date when the fix for the CVE was first seen by the Intelligence Stream. Therefore, the calculation for the grace period will now start with the date on which the CVE fix was seen on the Intelligence Stream and not the CVE publish date.
For example, if a CVE was first discovered without a fix, and a fix was released later, the grace period for fixing the CVE would start from the date the fix was published, even though the vendor feed didn’t provide us with an explicit fix date.
For the feeds that do provide a fix date for the CVEs (such as RHEL), the fix date will always be determined as the fix date provided by the vendor, and the grace period will be calculated using this fix date.
There will be no change in the