1. Overview

Prisma Cloud scans all Docker images on all hosts that run Defender. After Defender is installed, it automatically starts scanning images on the host. After the initial scan, subsequent scans are triggered:

  • Periodically, according to the scan interval configured in Console. By default, images are scanned every 24 hours.

  • When new images are created, pushed, or pulled onto the host.

  • When images change.

  • When scans are forced with the Scan button in Console.

Defender scans Docker images for:

  • Published Common Vulnerabilities and Exposures (CVEs).

  • Vulnerabilities from misconfigurations.

  • Malware

  • Zero day vulnerabilities

  • Compliance issues

  • Secrets

The Prisma Cloud Intelligence Stream keeps Console up to date with the latest vulnerabilities. The data in this feed is distributed to your Defenders, and employed in subsequent scans.

Through Console, Defender can be extended to scan images for custom components. For example, you can configure Defender to scan for an internally developed library named libexample.so, and set a policy to block a container from running if version 1.9.9 or earlier is installed. For more information, see Scanning custom components.
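As an added illustration of the custom-component rule described above (example code, not Prisma Cloud's own policy engine or data format), the following check blocks an image when libexample.so is installed at version 1.9.9 or earlier. Versions are compared numerically, so 1.10.0 is correctly treated as newer than 1.9.9; the component inventories are constructed sample data.

```python
"""Added example: evaluate a 'block if libexample.so <= 1.9.9' rule.
The inventory dicts and rule format are constructed for illustration."""
import re
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so that 1.10.0 > 1.9.9.
    A plain string comparison would rank "1.10.0" below "1.9.9"."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def is_at_or_below(installed: str, threshold: str) -> bool:
    """True when installed <= threshold; short versions are zero-padded (1.9 == 1.9.0)."""
    a, b = parse_version(installed), parse_version(threshold)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


# Constructed policy: block when libexample.so is at or below 1.9.9.
BLOCK_RULES: Dict[str, str] = {"libexample.so": "1.9.9"}


def evaluate_image(components: Dict[str, str],
                   rules: Dict[str, str] = BLOCK_RULES) -> List[str]:
    """Return block reasons for an image's component inventory.
    An empty list means no rule matched and the container may run."""
    reasons = []
    for name, max_blocked in rules.items():
        installed = components.get(name)
        if installed is not None and is_at_or_below(installed, max_blocked):
            reasons.append(f"{name} {installed} is at or below {max_blocked}")
    return reasons


if __name__ == "__main__":
    # Constructed inventories standing in for per-image scan results.
    samples = {
        "app:old": {"libexample.so": "1.9.9", "openssl": "3.0.2"},
        "app:new": {"libexample.so": "1.10.0"},
        "app:none": {"openssl": "3.0.2"},
    }
    for image, comps in samples.items():
        verdict = evaluate_image(comps)
        print(image, "BLOCK" if verdict else "ALLOW", verdict)
```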

2. View image scan reports

Review the health of all images in your environment.

Sorting the table on vulnerability severity is based on data from the last scan. If you update your vulnerability policy with a different alert threshold, rescan your images if you want to sort based on your new settings.

  1. Open Console, then go to Monitor > Vulnerabilities > Images.

    The table summarizes the state of each image in your environment.

    All vulnerabilities identified in the last image scan can be exported to a CSV file by clicking the CSV button in the top left of the page.

    [Figure: image scan reports summary]
  2. Click on an image report to open a detailed report.

  3. Click on the Vulnerabilities tab to see all CVE issues.

    CVE vulnerabilities are accompanied by a brief description. Click Show details for more information, including a link to the report on the National Vulnerability Database.

    The Vendor Status column contains terms such as 'deferred', 'fixed in…', and 'open'. These strings are imported directly from the vendors' CVE databases. They are not Prisma Cloud-specific.

    [Figure: image scan reports vendor status]

3. Tagging vulnerabilities

To help you manage and fix the vulnerabilities in your environment, you can set tags on each vulnerability. Setting a tag on a vulnerability will apply to the CVE ID and package across the product. The list of available tags is defined under Manage > Collections and Tags > Tags. See Configure Tags. To add a tag to a vulnerability, click on the Add tags to CVE action in the Tags column.

[Figure: scan reports tags]

For tags that are not used as policy exceptions, all user roles that can view the scan results and have the Collections and Tags permission, are allowed to set these tags on CVEs. Setting tags that are used as policy exceptions is allowed only for Admin, Operator, and Vulnerability Manager user roles. Custom roles aren’t allowed to set these tags, regardless of their other permissions.

You can also add comments to each tag you apply to the CVE, for example, to explain the reason this tag was added. Do it by clicking the comment icon on the left side of the tag.

[Figure: image scan reports tag comments]

By default, all vulnerabilities, according to your policy, are listed. However, you can also examine vulnerabilities only with specific tags. Use the drop-down list to filter by tags.

[Figure: image scan reports filter by tags]

4. Per-layer vulnerability analysis

To make it easier to understand how images are constructed and what components have vulnerabilities, Prisma Cloud correlates vulnerabilities to layers. This tool helps you assess how vulnerabilities were introduced into an image, and pick a starting point for remediation.

To see the layer analysis, click on an image to open the scan report, then click the Layers tab.