After you build your Docker images or Serverless functions, you need somewhere to store them. You could use an on-premises registry, a hosted solution, or some combination of both. Either way, you will want to continually scan these images against the latest available threat data.

To scan a registry, Prisma Cloud uses the registry’s APIs to list and pull the images to the local system. Prisma Cloud then deconstructs and inventories each image, cross-referencing the threat data from the

Intelligence Stream

to identify vulnerable packages. By default, registry images are scanned once per day, but the period is configurable.

Prisma Cloud must have the same network connectivity and credentials that would be required run docker pull. Firewalls must be configured correctly and the correct access credentials must be provided.

Prisma Cloud supports Docker v1 and v2 registries, as well as the registries provided by Amazon, Google and Microsoft. For registries that implement the Catalog API, you can use wildcards to specify which repositories to scan - or you can leave the repository name or label blank and all repositories will be scanned. Prisma Cloud also supports PCF Blobstores, the rough equivalent of a Docker container registry.

Finally, Prisma Cloud supports webhook integration. When using Docker Hub and Docker Trusted Registry, Prisma Cloud scans can be triggered as soon as an image is uploaded. For more information about setting up webhooks, see this support article.

Prisma Cloud can also automatically watch your serverless repositories, much like the registry scanning capabilities Prisma Cloud will continually monitor your serverless function repos for changes and scan them automatically, providing you with vulnerability and compliance reporting against the policies you define. For more information on this capability, see this support article.