1. Overview

Prisma Cloud ships a command-line configuration and control tool known as twistcli. It is supported on Linux, macOS, and Windows.

2. Installing twistcli

The twistcli tool is delivered with every Prisma Cloud release. It is statically compiled, so it does not have any external dependencies, and it can run on any Linux host. No special installation is required. To run it, simply copy it to a host, and give it executable permissions.

The twistcli tool is available from a number of places:

  • It can be download twistcli from the Console UI. Go to Manage > System > Downloads.

  • It can downloaded from the API, which is typical use case for automated workflows. For more information, see the /api/v1/util endpoint.

The requirements for running twistcli are:

  • twistcli must be able to connect to Console over the network from the host where it runs.

  • For image scanning, Docker Engine must be installed on the executing machine.

3. Connectivity to Console

Most twistcli functions require connectivity to Console. All example commands specify a variable called COMPUTE_CONSOLE, which represents the address for your Console.

To get the address for your Console, go to Compute > Manage > System > Downloads, and copy the string under Path to Console.

4. Functions

The twistcli tool supports the following functions:

  • console — Installs and uninstalls Console into a cluster. Kubernetes, OpenShift, and Docker Swarm are supported. You can also export Kubernetes or OpenShift deployment files in YAML format.

  • defender — Installs and uninstalls Defender into a cluster. Kubernetes, OpenShift, and Docker Swarm are supported. Defender is installed as either a daemon set (Kubernetes, OpenShift) or global service (Docker Swarm), which means one Defender is always automatically deployed to each node in the cluster. You can also export a Kubernetes or OpenShift deployment file in YAML format.

  • hosts — Scans hosts for vulnerabilities and compliance issues.

  • images — Scans container images for vulnerabilities and compliance issues. Because it runs from the command line, you can easily integrate Prisma Cloud’s scanning capabilities into your CI/CD pipeline.

  • intelligence — Retrieves the latest threat data from the Prisma Cloud Intelligence Stream, and push those updates to a Prisma Cloud installation running in an air-gapped environment.

  • pcf — Scan Pivotal Cloud Foundry droplets.

  • app-embedded — Embed the App Embedded Defender into a Dockerfile.

  • restore — Restore Console to the state stored in the specified backup file. An automatated backup system (enabled by default) creates and maintains daily, weekly, and monthly backups. Additional backups can made at any point in time from the Console UI.

  • serverless — Scans serverless functions for vulnerabilities.

  • iac — Scan Infrastructure-as-Code (IaC) templates for potential issues and misconfigurations. Learn more about Prisma Cloud IaC scanning capability.

  • support — Streamlines the process of collecting and sending debug information to Prisma Cloud’s support team. Collects log data from a node and uploads it to Prisma Cloud’s support area.

5. Capabilities

The twistcli tool offers feature parity across all supported operating systems, with a few exceptions. The following table highlights where functions are disabled, or work differently, on a given platform.

twistcli Platform

Command

Subcommand

Linux

macOS

Windows

console

export

Yes

Yes

Yes

install

Yes

No

No

uninstall

Yes

No

No

defender

export

Yes

Yes

Yes

install

Yes

No

No

uninstall

Yes

No

No

hosts

scan

Yes

No1

No

images

scan

Yes

Yes2

Yes3

intelligence

upload

Yes

Yes

Yes

download

Yes

Yes

Yes

pcf

scan

Yes

No

No

app-embedded

embed

Yes

Yes

Yes

restore

Yes

No

No

serverless

scan

Yes

Yes

Yes

iac5

scan

Yes

Yes

Yes

support

dump

Yes

No4

No4

upload

Yes

Yes

Yes

1 Prisma Cloud doesn’t support deployment to macOS hosts, so there is no support for scanning macOS hosts.

2 Scans Linux images on macOS hosts. Docker for Mac must be installed.

3 Twistcli can scan Windows images on Windows Server 2016 and Windows Server 2019 hosts. To scan Linux images on Windows, install Docker Machine on Windows with the Microsoft Hyper-V driver. Twistcli does not support scanning Linux images on Windows hosts with Docker for Windows.

4 The support dump function collects Console’s logs when Console malfunctions. Copy twistcli to host where Console runs, then execute twistcli support dump. Defender logs can be retrieved directly from the Console UI under Manage > Defenders > Manage.

5 IaC scanning is only available with Prisma Cloud Enterprise Edition.

For a comprehensive list of supported options for each subcommand, run:

$ twistcli <COMMAND> --help

6. Install support

Support for installing Console and Defender via twistcli is supported on several cluster types. The following table highlights the available support:

twistcli Platform

Command

Subcommand

Stand-alone1

Kubernetes

OpenShift

Swarm

Amazon ECS

DC/OS

Windows

console

export

No

Yes

Yes

No

No

No

No

install

No

Yes

Yes

Yes

No

No

No

uninstall

No

Yes

Yes

Yes

No

No

No

defender

export

No

Yes

Yes

Yes

No

Yes

No

install

No

Yes

Yes

Yes

No

No

No

uninstall

No

Yes

Yes

Yes

No

No

No

1 Stand-alone refers to installing an instance of Console or Defender onto a single host that isn’t part of a cluster. For stand-alone installations of Console, use the twistlock.sh script to install Onebox. For stand-alone installations of Defender, log into Console, go to Manage > Defenders > Deploy, and generate an install command.

The twistcli console install command for Kubernetes and OpenShift combines two steps into a single command to simplify how Console is deployed. This command internally generates a YAML configuration file and then creates Console’s resources with kubectl create in a single shot. This command is only supported on Linux. Use it when you don’t need a copy of the YAML configuration file. Otherwise, use twistcli console export.