1. Overview

Prisma Cloud lets you filter out base image vulnerabilities from your scan reports.

A base image is a starting point or an initial step for the image. Dockerfile usually starts from a base image. Filtering out vulnerabilities which their source is the base image can help your teams focus on the vulnerabilities relevant for them to fix.

Excluding base image vulnerabilities is currently not supported for Windows images.

2. Define base images

For Prisma Cloud to be able to exclude base image vulnerabilities, first identify the base images in your environment.

To define your base images, create a scope setting in Defend > Vulnerabilities > Images > Base images. The base images you define must reside in your registry and they must be scanned in order to exclude their vulnerabilities from scan reports.

  1. Open Console.

  2. Go to Defend > Vulnerabilities > Images > Base images.

  3. Click Add New.

  4. Specify the base image and provide a description for it.

    The base image should be specified in the following format: registry/repo:tag. You can use wildcards for the tags definition.

  5. Click Save.

    base images new image
  6. You can view the specific base images digests for the base image scope you created using the View images action.

    These digests are the base images found in the registry scanning that are matching the base image scope you defined.

    The maximum number of base images that can be in scope is 50, where each base image is represented by a digest. If there are 50 base images in scope, and the scanner discovers a new base image, the oldest is purged and replaced with the newest.
    base images view images

3. Exclude base images vulnerabilities

When reviewing the health of the images in your environment, whether they are deployed images, registry images, or images scanned in a CI process, you can exclude the base image’s vulnerabilities from the scan results.

  1. Open the Console, then go to Monitor > Vulnerabilities > Images > Deployed images / Registries / CI.

  2. Use the Exclude base images vulns filter to exclude the vulnerabilities coming from base images. You will see the vulnerabilities counters changing.

    base images before filter
    base images after filter
  3. Click on an image report to open a detailed report.

  4. Review the filtered vulnerabilities. For reviewing the base image, use the link in the top of the page.

    base images vulnerabilities tab
  5. In the Layers tab, the vulnerabilities counters will also exclude base image vulnerabilities, and you’ll see an indication for the base image’s layers.

    base images layers tab