1. Overview

Prisma Cloud ships a command-line scanner for scanning code repos. It is supported on Linux, macOS, and Windows.

twistcli scans repositories locally and sends a bill of materials to Console for evaluation. Console assesses the components in the BoM against the latest threat data, and replies back to twistcli with the scan results.

The policy Console uses to assess a code repo is set in Defend > Vulnerabilities > Code repositories > CI and Defend > Compliance > Code repositories > CI.

By default, twistcli publishes scan results to Console. Scan results can viewed in Console under Monitor > Vulnerabilities > Code repositories > CI.

Many developers don’t have access to Prisma Cloud directly, but may want to run twistcli to evaluate a repo before code is submitted and a build job is initiated. twistcli has can print detailed results locally and optionally suppress publishing scan results to Console (which they might not be able to access anyway).

2. Basic command line format and options

The basic command format is as follows:

twistcli coderepo scan <REPO_PATH> --repository <REPO_NAME>

Where:

  • REPO_PATH can be an absolute or relative path

  • REPO_NAME is the unique key that Console to identify the repo. If --repository isn’t specified, the repository’s path is used as the repository name.

Detailed result contain all dependencies files and a vulnerability distribution summary. For each dependency file that has any vulnerabilities, a table with information about the vulnerability is printed.

twistcli coderepo scan <REPO_PATH> --repository rowan --details

4. Excluding files from a scan

To exclude files from the scan, use the --excluded-paths argument. Attach only a single value to the argument. The value should be a relative path from the root of the repository.

To exclude a file:

twistcli coderepo scan <REPO_PATH> --repository rowan --excluded-paths <PATH1>

To exclude multiple files, specify the --excluded-paths argument multiple times:

twistcli coderepo scan <REPO_PATH> --repository rowan --excluded-paths <PATH1> --excluded-paths <PATH2>

5. Scanning specific files

To explicitly scan files scan use the --explicit-files argument. Specify one file per argument. For multiple files, specify multiple --explicit-files arguments.

6. Suppress publishing results

Using—​publish=false to avoid publishing the result to the console.

twistcli coderepo scan <REPO_PATH> --repository rowan --publish=false