Home
Location
Documentation Home
Palo Alto Networks
Support
Live Community
Knowledge Base
Prisma Cloud Administrator’s Guide (Compute)
:
Scan Images with twistcli
Updated on Tue Jul 18 03:26:22 UTC 2023
Focus
Download PDF
Filter
Prisma Cloud Enterprise Edition
Prisma Cloud Enterprise Edition
Self-Hosted 30.xx
Self-Hosted 22.12
Self-Hosted 22.06
Self-Hosted 22.01
Self-Hosted 21.08 (EoL)
Self-Hosted 21.04 (EoL)
Self-Hosted 20.12 (EoL)
Self-Hosted 20.09 (EoL)
Self-Hosted 20.04 (EoL)
Self-Hosted 19.11 (EoL)
Expand all | Collapse all
Welcome
Getting started
Compute SaaS maintenance updates
NAT gateway IP addresses
Product architecture
Support lifecycle
Security Assurance Policy on Prisma Cloud Compute
Licensing
Prisma Cloud Enterprise Edition vs Compute Edition
Utilities and plugins
Install
Getting started
System Requirements
Cluster Context
Deploy Prisma Cloud Defenders
Defender Types
Manage your Defenders
Redeploy Defenders
Uninstall Defenders
Install a Single Container Defender
Deploy a Single Container Defender using the CLI
Install a single Host Defender
Auto-defend hosts
Deploy Windows Defender
Kubernetes
Deploy Orchestrator Defenders on Amazon ECS
Automatically Install Container Defender in a Cluster
Deploy Prisma Cloud Defender from the GCP Marketplace
Deploy Defenders as DaemonSets
VMware Tanzu Application Service (TAS) Defender
Deploy Defender on Google Kubernetes Engine (GKE)
Google Kubernetes Engine (GKE) Autopilot
Deploy Defender on OpenShift v4
Deploy Defender with Declarative Object Management
Serverless Defender
Deploy Serverless Defender as a Lambda Layer
Auto-defend serverless functions
Deploy App-Embedded Defender
Deploy App-Embedded Defender for Fargate
Deploy App-Embedded Defender in Azure Container Instance (ACI)
Default Setting for App-Embedded Defender File System Monitoring
Default Setting for App-Embedded Defender File System Protection
Upgrade
Support lifecycle for connected components
Upgrade process
Kubernetes
OpenShift
Helm charts
Amazon ECS
Upgrade the Single Container Defenders
Upgrade Defender DaemonSets
Upgrade Defender DaemonSets (Helm)
Agentless Scanning
Agentless Scanning Modes
Onboard Accounts for Agentless Scanning
Onboard AWS Accounts for Agentless Scanning
Configure Agentless Scanning for AWS
Onboard Azure Accounts for Agentless Scanning
Configure Agentless Scanning for Azure
Onboard GCP Accounts for Agentless Scanning
Configure Agentless Scanning for GCP
Onboard Oracle Cloud Infrastructure (OCI) Accounts for Agentless Scanning
Configure Agentless Scanning for Oracle Cloud Infrastructure (OCI)
Agentless Scanning Results
Technology overviews
Intelligence Stream
Prisma Cloud Advanced Threat Protection
App-specific network intelligence
Container Runtimes
Radar
Serverless Radar
Prisma Cloud Rules Guide - Docker
Defender architecture
Host Defender architecture
TLS v1.2 cipher suites
Telemetry
Configure
Rule ordering and pattern matching
Backup and restore
Custom feeds
Configuring Prisma Cloud proxy settings
Prisma Cloud Compute certificates
Configure scanning
User certificate validity period
Enable HTTP access to Console
Set different paths for Defender and Console (with DaemonSets)
Authenticate to Console with Certificates
Customize terminal output
Collections
Tags
WildFire Settings
Log Scrubbing
Permissions by feature
Authentication
Access keys
Prisma Cloud Compute User Roles
Compute user roles
Assign roles
Credentials Store
Amazon Web Services (AWS) Credentials
Azure Credentials
Google Cloud Platform (GCP) Credentials
IBM Cloud Credentials
Kubernetes Credentials
GitLab Credentials
Cloud Service Providers
Cloud discovery
Use Cloud Service Provider Accounts in Prisma Cloud
Vulnerability management
Prisma Cloud Vulnerability Feed
Scanning Procedure
Vulnerability Management Policies
Vulnerability Scan Reports
Scan Images for Custom Vulnerabilities
Base images
Vulnerability Explorer
CVSS scoring
CVE Viewer
Registry scanning
Configure Registry Scans
Scan images in Alibaba Cloud Container Registry
Scan images in Amazon Elastic Container Registry (ECR)
Scan images in Azure Container Registry (ACR)
Scan images in Docker Registry v2 (including Docker Hub)
Scan Images in GitLab Container Registry
Scan images in Google Artifact Registry
Scan images in Google Container Registry (GCR)
Scan images in Harbor Registry
Scan images in IBM Cloud Container Registry
Scan Images in JFrog Artifactory Docker Registry
Scan Images in Sonatype Nexus Registry
Scan images in OpenShift integrated Docker registry
Scan Images in CoreOS Quay Registry
Trigger registry scans with Webhooks
Configure VM image scanning
Configure code repository scanning
Malware scanning
Windows container image scanning
Serverless Functions Scanning
VMware Tanzu Blobstore Scanning
Scan App-Embedded workloads
Troubleshoot Vulnerability Detection
Access control
Role-based access control for Docker Engine
Admission control with Open Policy Agent
Compliance
Compliance Explorer
Enforce compliance checks
CIS Benchmarks
Prisma Cloud Labs compliance checks
Malware Scanning
Serverless functions compliance checks
Windows compliance checks
DISA STIG compliance checks
Custom compliance checks
Trusted images
Host scanning
VM image scanning
App-Embedded scanning
Detect secrets
OSS license management
Runtime defense
Runtime defense for containers
Runtime defense for hosts
Runtime defense for serverless functions
Runtime defense for App-Embedded
Event Aggregation
Custom runtime rules
Import and export individual rules
ATT&CK Explorer
Runtime Audits
Image analysis sandbox
Incident Explorer
Incident types
Altered binary
Backdoor admin accounts
Backdoor SSH access
Brute force
Cryptominers
Execution flow hijack attempt
Kubernetes attacks
Lateral movement
Malware
Port scanning
Reverse shell
Suspicious binary
Other incident types
Continuous integration
Jenkins plugin
Jenkins Freestyle project
Jenkins Maven project
Jenkins Pipeline project
Run Jenkins in a container
Jenkins pipeline on Kubernetes
CI plugin policy
Code repo scanning
WAAS
Web-Application and API Security (WAAS)
Deploy WAAS
Deploy WAAS In-Line for Containers
Deploy WAAS Out-Of-Band for Containers
Deploy WAAS In-Line for Hosts
Deploy WAAS Out-Of-Band for Hosts
Deploy WAAS for Containers Protected By App-Embedded Defender
Deploy WAAS for serverless functions
Deploy WAAS Agentless
WAAS Troubleshooting
WAAS Sanity Tests
WAAS Explorer
App Firewall Settings
API Protection
DoS protection
Bot Protection
WAAS Access Controls
Advanced settings
WAAS Analytics
API Discovery
API definition scan
WAAS custom rules
Detecting unprotected web apps
WAAS Sensitive Data
Firewalls
Cloud Native Network Segmentation (CNNS)
Secrets
Secrets manager
Integrate with secrets stores
Secrets Stores
AWS Secrets Manager
AWS Systems Manager Parameters Store
Azure Key Vault
CyberArk Enterprise Password Vault
HashiCorp Vault
Inject secrets into containers
Injecting secrets: end-to-end example
Alerts
Alert mechanism
AWS Security Hub
Cortex XDR alerts
Cortex XSOAR alerts
Email alerts
Google Cloud Pub/Sub
Google Cloud Security Command Center
IBM Cloud Security Advisor
JIRA Alerts
PagerDuty alerts
ServiceNow alerts for Security Incident Response
ServiceNow alerts for Vulnerability Response
Slack Alerts
Splunk Alerts
Webhook alerts
Audit
Event viewer
Host activity
Administrative activity audit trail
Annotate audit event records
Delete audit logs
Syslog and stdout integration
Log rotation
Throttling audits
Prometheus
Kubernetes auditing
Tools
twistcli
Scan Images with twistcli
Scan code repos with twistcli
Scan Infrastructure as Code (IaC)
Deployment patterns
Best practices for DNS and certificate management
Storage Limits for Audits and Reports
Performance planning
API
Howto
Disable automatic learning
Debug data
Updated on Tue Jul 18 03:26:22 UTC 2023
Focus
Home
Prisma
Prisma Cloud
Prisma Cloud Administrator’s Guide (Compute)
Tools
Scan Images with twistcli
Download PDF
Prisma Cloud Administrator’s Guide (Compute)
Scan Images with twistcli
Table of Contents
Filter
Prisma Cloud Enterprise Edition
Prisma Cloud Enterprise Edition
Self-Hosted 30.xx
Self-Hosted 22.12
Self-Hosted 22.06
Self-Hosted 22.01
Self-Hosted 21.08 (EoL)
Self-Hosted 21.04 (EoL)
Self-Hosted 20.12 (EoL)
Self-Hosted 20.09 (EoL)
Self-Hosted 20.04 (EoL)
Self-Hosted 19.11 (EoL)
Expand all | Collapse all
Welcome
Getting started
Compute SaaS maintenance updates
NAT gateway IP addresses
Product architecture
Support lifecycle
Security Assurance Policy on Prisma Cloud Compute
Licensing
Prisma Cloud Enterprise Edition vs Compute Edition
Utilities and plugins
Install
Getting started
System Requirements
Cluster Context
Deploy Prisma Cloud Defenders
Defender Types
Manage your Defenders
Redeploy Defenders
Uninstall Defenders
Install a Single Container Defender
Deploy a Single Container Defender using the CLI
Install a single Host Defender
Auto-defend hosts
Deploy Windows Defender
Kubernetes
Deploy Orchestrator Defenders on Amazon ECS
Automatically Install Container Defender in a Cluster
Deploy Prisma Cloud Defender from the GCP Marketplace
Deploy Defenders as DaemonSets
VMware Tanzu Application Service (TAS) Defender
Deploy Defender on Google Kubernetes Engine (GKE)
Google Kubernetes Engine (GKE) Autopilot
Deploy Defender on OpenShift v4
Deploy Defender with Declarative Object Management
Serverless Defender
Deploy Serverless Defender as a Lambda Layer
Auto-defend serverless functions
Deploy App-Embedded Defender
Deploy App-Embedded Defender for Fargate
Deploy App-Embedded Defender in Azure Container Instance (ACI)
Default Setting for App-Embedded Defender File System Monitoring
Default Setting for App-Embedded Defender File System Protection
Upgrade
Support lifecycle for connected components
Upgrade process
Kubernetes
OpenShift
Helm charts
Amazon ECS
Upgrade the Single Container Defenders
Upgrade Defender DaemonSets
Upgrade Defender DaemonSets (Helm)
Agentless Scanning
Agentless Scanning Modes
Onboard Accounts for Agentless Scanning
Onboard AWS Accounts for Agentless Scanning
Configure Agentless Scanning for AWS
Onboard Azure Accounts for Agentless Scanning
Configure Agentless Scanning for Azure
Onboard GCP Accounts for Agentless Scanning
Configure Agentless Scanning for GCP
Onboard Oracle Cloud Infrastructure (OCI) Accounts for Agentless Scanning
Configure Agentless Scanning for Oracle Cloud Infrastructure (OCI)
Agentless Scanning Results
Technology overviews
Intelligence Stream
Prisma Cloud Advanced Threat Protection
App-specific network intelligence
Container Runtimes
Radar
Serverless Radar
Prisma Cloud Rules Guide - Docker
Defender architecture
Host Defender architecture
TLS v1.2 cipher suites
Telemetry
Configure
Rule ordering and pattern matching
Backup and restore
Custom feeds
Configuring Prisma Cloud proxy settings
Prisma Cloud Compute certificates
Configure scanning
User certificate validity period
Enable HTTP access to Console
Set different paths for Defender and Console (with DaemonSets)
Authenticate to Console with Certificates
Customize terminal output
Collections
Tags
WildFire Settings
Log Scrubbing
Permissions by feature
Authentication
Access keys
Prisma Cloud Compute User Roles
Compute user roles
Assign roles
Credentials Store
Amazon Web Services (AWS) Credentials
Azure Credentials
Google Cloud Platform (GCP) Credentials
IBM Cloud Credentials
Kubernetes Credentials
GitLab Credentials
Cloud Service Providers
Cloud discovery
Use Cloud Service Provider Accounts in Prisma Cloud
Vulnerability management
Prisma Cloud Vulnerability Feed
Scanning Procedure
Vulnerability Management Policies
Vulnerability Scan Reports
Scan Images for Custom Vulnerabilities
Base images
Vulnerability Explorer
CVSS scoring
CVE Viewer
Registry scanning
Configure Registry Scans
Scan images in Alibaba Cloud Container Registry
Scan images in Amazon Elastic Container Registry (ECR)
Scan images in Azure Container Registry (ACR)
Scan images in Docker Registry v2 (including Docker Hub)
Scan Images in GitLab Container Registry
Scan images in Google Artifact Registry
Scan images in Google Container Registry (GCR)
Scan images in Harbor Registry
Scan images in IBM Cloud Container Registry
Scan Images in JFrog Artifactory Docker Registry
Scan Images in Sonatype Nexus Registry
Scan images in OpenShift integrated Docker registry
Scan Images in CoreOS Quay Registry
Trigger registry scans with Webhooks
Configure VM image scanning
Configure code repository scanning
Malware scanning
Windows container image scanning
Serverless Functions Scanning
VMware Tanzu Blobstore Scanning
Scan App-Embedded workloads
Troubleshoot Vulnerability Detection
Access control
Role-based access control for Docker Engine
Admission control with Open Policy Agent
Compliance
Compliance Explorer
Enforce compliance checks
CIS Benchmarks
Prisma Cloud Labs compliance checks
Malware Scanning
Serverless functions compliance checks
Windows compliance checks
DISA STIG compliance checks
Custom compliance checks
Trusted images
Host scanning
VM image scanning
App-Embedded scanning
Detect secrets
OSS license management
Runtime defense
Runtime defense for containers
Runtime defense for hosts
Runtime defense for serverless functions
Runtime defense for App-Embedded
Event Aggregation
Custom runtime rules
Import and export individual rules
ATT&CK Explorer
Runtime Audits
Image analysis sandbox
Incident Explorer
Incident types
Altered binary
Backdoor admin accounts
Backdoor SSH access
Brute force
Cryptominers
Execution flow hijack attempt
Kubernetes attacks
Lateral movement
Malware
Port scanning
Reverse shell
Suspicious binary
Other incident types
Continuous integration
Jenkins plugin
Jenkins Freestyle project
Jenkins Maven project
Jenkins Pipeline project
Run Jenkins in a container
Jenkins pipeline on Kubernetes
CI plugin policy
Code repo scanning
WAAS
Web-Application and API Security (WAAS)
Deploy WAAS
Deploy WAAS In-Line for Containers
Deploy WAAS Out-Of-Band for Containers
Deploy WAAS In-Line for Hosts
Deploy WAAS Out-Of-Band for Hosts
Deploy WAAS for Containers Protected By App-Embedded Defender
Deploy WAAS for serverless functions
Deploy WAAS Agentless
WAAS Troubleshooting
WAAS Sanity Tests
WAAS Explorer
App Firewall Settings
API Protection
DoS protection
Bot Protection
WAAS Access Controls
Advanced settings
WAAS Analytics
API Discovery
API definition scan
WAAS custom rules
Detecting unprotected web apps
WAAS Sensitive Data
Firewalls
Cloud Native Network Segmentation (CNNS)
Secrets
Secrets manager
Integrate with secrets stores
Secrets Stores
AWS Secrets Manager
AWS Systems Manager Parameters Store
Azure Key Vault
CyberArk Enterprise Password Vault
HashiCorp Vault
Inject secrets into containers
Injecting secrets: end-to-end example
Alerts
Alert mechanism
AWS Security Hub
Cortex XDR alerts
Cortex XSOAR alerts
Email alerts
Google Cloud Pub/Sub
Google Cloud Security Command Center
IBM Cloud Security Advisor
JIRA Alerts
PagerDuty alerts
ServiceNow alerts for Security Incident Response
ServiceNow alerts for Vulnerability Response
Slack Alerts
Splunk Alerts
Webhook alerts
Audit
Event viewer
Host activity
Administrative activity audit trail
Annotate audit event records
Delete audit logs
Syslog and stdout integration
Log rotation
Throttling audits
Prometheus
Kubernetes auditing
Tools
twistcli
Scan Images with twistcli
Scan code repos with twistcli
Scan Infrastructure as Code (IaC)
Deployment patterns
Best practices for DNS and certificate management
Storage Limits for Audits and Reports
Performance planning
API
Howto
Disable automatic learning
Debug data
Scan Images with twistcli
Edit on GitHubYou can use the Prisma Cloud twistcli command-line tool to scan container images and serverless functions.
Scanning with twistcli is supported on Linux, macOS, and Windows.
Command
The twistcli command-line tool has several subcommands.
To scan, use the following subcommand.twistcli images scanThe command scans an image for vulnerabilities and compliance issues.
The image must be on the system running the twistcli command-line tool.
If not and if you are using Docker, you can retrieve the image with the docker pull before scanning it.
The twistcli tool does not pull images.
Syntax
When using twistcli images scan, the image or tarball to scan must be the last parameter.
If you specify options after the image or tarball, they are ignored.
If scanning a tarball, use the --tarball option.twistcli images scan [OPTIONS] [IMAGE]
Description
The twistcli images scan tool collects information about the packages and binaries in the container image, and sends the information to the Prisma Cloud Console for analysis.The twistcli tool collects data including the following items.Packages in the image.
Files installed by each package.
Hashes for files in the image.
After the Prisma Cloud Console analyzes the image for vulnerabilities, twistcli performs the following tasks.Outputs a summary report.
Exits with a pass or fail return value.
To specify an image to scan, use either the image ID, or repository name and tag.
If you are using Windows with containerd, provide a full image ID because short IDs aren’t supported.
Get the full image ID using the following command.ctr -n images lsThe image should be present on the system, having either been built or pulled there.
If a repository is specified without a tag, twistcli looks for an image tagged latest.
Options
--address URL
--
Required.
URL for Console, including the protocol and port.
Only the HTTPS protocol is supported.
To get the address for your Console, go to Compute > Manage > System > Utilities, and copy the string under Path to Console.
Example: --address https://us-west1.cloud.twistlock.com/us-3-123456789
-u, --user Access Key ID
--
Access Key ID to access Prisma Cloud.
If not provided, the TWISTLOCK_USER environment variable is used, if defined.
Otherwise, "admin" is used as the default.
-p, --password Secret Key
--
Secret Key for the above Access Key ID specified with -u, --user.
If not specified on the command-line, the TWISTLOCK_PASSWORD environment variable is used, if defined.
Otherwise, you will be prompted for the user’s password before the scan runs.
Access Key ID and Secret Key are generated from the Prisma Cloud user interface.
For more information, see access keys--output-file FILENAME
Write the results of the scan to a file in JSON format.
Example: --output-file scan-results.json
--details
Show all vulnerability details.
--containerized
Run the scan from inside the container.
--custom-labels
Include the image custom labels in the results.
--docker-address DOCKER_CLIENT_ADDRESS
Docker daemon listening address (default: unix:///var/run/docker.sock).
Can be specified with the DOCKER_CLIENT_ADDRESS environment variable.
--docker-tlscacert PATH
Path to Docker client CA certificate.
--docker-tlscert PATH
Path to Docker client Client certificate.
--docker-tlskey PATH
Path to Docker client Client private key.
--exit-on-error TRUE/FALSE
Immediately exit the scan if an error is encountered (not supported with the --containerized flag).
--tlscacert PATH
Path to Prisma Cloud CA certificate file.
If no CA certificate is specified, the connection to Console is insecure.
--podman-path PATH
Forces twistcli to use Podman.
To use the default installation path, set as podman.
Otherwise, provide the appropriate path.
--include-js-dependencies
Evaluates packages listed only in manifests.
--include-purl
Adds package URLs for packages and vulnerabilities.
--token TOKEN
Token to use for Prisma Cloud Console authentication.
Tokens can be retrieved from the API endpoint api/v1/authenticate or from the Manage > System > Utilities page in Console.
--publish TRUE/FALSE
Publishes scan results to the Console (default: --publish=true)
--tarball
Boolean flag that specifies the image to scan is a tar archive.
The tarball scan requires enhanced privileges, and must be executed as sudo or as a root user.
Prisma Cloud supports tar archives in the Docker Image Specification format, v1.1 and later.
The tarball option is supported on Linux only; macOS and Windows versions of twistcli do not support it.The last parameter in the twistcli command should always be the path to the tarball.
The --tarball option is simply a boolean flag.
It doesn’t accept a corresponding value (e.g. a path to a tarball).
For clarity, see the following examples:Correct usage: ./twistcli images scan --tarball --user ted image.tarIncorrect usage: ./twistcli images scan --tarball image.tar --user ted
Return Value
The exit code is 0 if twistcli images scan finds no vulnerabilities or compliance issues.
Otherwise, the exit code is 1.The criteria for passing or failing a scan is determined by the CI vulnerability and compliance policies set in Console.
The default CI vulnerability policy alerts on all CVEs detected.
The default CI compliance policy alerts on all critical and high compliance issues.
The twistcli images scan returns an exit code of 1 in the following scenarios:
The scan failed because the scanner found issues that violate your CI policy.
Twistcli failed to run due to an error.
Although the return value is ambiguous — you cannot determine the exact reason for the failure by just examining the return value — this setup supports automation.
From an automation process perspective, you expect that the entire flow will work.
If you scan an image, with or without a threshold, either it works or it does not work.
If it fails, for whatever reason, you want to fail everything because there is a problem.
Scan Results
To view scan reports in Console, go to Monitor > Vulnerabilities > Images > CI or Monitor > Compliance > Images > CI.The scan reports includes the image vulnerabilities, compliance issues, layers, process info, package info, and labels.When scanning images in the CI pipeline with twistcli or the Jenkins plugin, Prisma Cloud collects the environment variable JOB_NAME from the machine the scan ran on, and adds it as a label to the scan report.You can also retrieve scan reports in JSON format using the Prisma Cloud API, see the API section.
Output
The twistcli tool can output scan results to several places:stdout.
JSON file.
Console.
Scan results can be viewed under Monitor > Vulnerabilities > Images > CI and Monitor > Compliance > Images > CI.
By passing certain flags, you can adjust how the twistcli scan output looks and where it goes.
By default, twistcli writes scan results to stdout and sends the results to Console.To write scan results to stdout in tabular format, pass the --details flag to twistcli.
This does not affect where the results are sent.To write scan results to a file in JSON format, pass the --output-file flag to twistcli. The file schema is being kept for backwards compatibility.Following is the output file schema:{
"results": [
{
"id": "image id",
"name" : "image name",
"distro": "image OS distro",
"distroRelease": "image OS release",
"digest": "image digest",
"collections": [
"collectionA",
"collectionB"
],
"packages": [
{
"type": "package type",
"name": "package name",
"version": "package version",
"path": "package path, if exists",
"licenses": [
"licenseA",
"licenseB"
],
"purl": "pkg:deb/debian/[email protected]+deb11u1"
},
{
...
}
],
"applications": [
{
"name": "app name",
"version": "app version",
"path": "app path, if exists"
},
{
...
}
],
"compliances": [
{
"id": "compliance issue ID",
"title": "compliance issue title",
"severity": "compliance issue severity",
"description": "compliance issue description",
"cause": "compliance issue cause, if exists",
"layerTime": "layer time of the image layer to which the compliance issue belongs",
"category": "compliance category",
"pass": "true/false"
},
{
...
}
],
"complianceDistribution": {
"critical": 0,
"high": 1,
"medium": 0,
"low": 0,
"total": 1
},
"complianceScanPassed": true/false,
"vulnerabilities": [
{
"id": "CVE ID",
"status": "CVE fix status",
"cvss": CVSS,
"vector": "CVSS vector",
"description": "CVE description",
"severity": "CVE severity",
"packageName": "package name",
"purl": "pkg:golang/golang.org/x/[email protected]",
"packageVersion": "package version",
"link": "link to the CVE as provided in the Console UI",
"riskFactors": [
"Attack vector: network",
"High severity",
"Has fix"
],
"tags": [
"ignored",
"in review"
],
"impactedVersions": [
"impacted versions phrase1",
"impacted versions phrase2"
],
"publishedDate": "publish date",
"discoveredDate": "discovered date",
"graceDays": "grace days",
"fixedDate": "vendor fixed date, if exists",
"layerTime": "layer time of the image layer to which the vulnerability belongs"
},
{
...
}
],
"vulnerabilityDistribution": {
"critical": 0,
"high": 1,
"medium": 0,
"low": 19,
"total": 20
},
"vulnerabilitiesScanPassed": true/false,
"history": [
{
"created": "time when the image layer was created",
"instruction": "Dockerfile instruction and arguments used to create the layer"
},
{
...
}
],
"scanTime": "the image scan time",
"scanID": "the image scan ID"
}
],
"consoleURL": "url of the scan results in the Console UI"
}
Projects
When users from a tenant project run twistcli, they must set the --project option to specify the proper context for the command.twistcli images scan --project ""
API
You can retrieve scan reports in JSON format using the Prisma Cloud Compute API.
The API returns comprehensive information for each scan report, including the full list of packages, files, and vulnerabilities.The following example curl command calls the API with Basic authentication.
You’ll need to apply some filtering with tools like jq to extract specific items from the response.
For more information on accessing the API, see the API reference.$ curl \
-u \
-o scan_results.json \
'https:///api/v1/scans?type=ciImage'If you are using assigned collections, then specify the collection in a query parameter:$ curl \
-u \
-o scan_results.json \
'https:///api/v1/scans?type=ciImage&collections='
Dockerless Scan
By default, twistcli is run from outside the container image.
Podman Twistcli Scans
Twistcli can run scans on Podman hosts.
Use --podman-path PATH to specify the path to podman and force the twistcli scanner to use podman.
For additional information, see the Podman section.
Running from inside a Container
In some cases, you might need to copy twistcli to the container’s file system, and then run the scanner from inside the container.One reason you might want to run the scanner this way is when your build platform doesn’t give you access to the Docker socket.
CodeFresh is an example of such a platform.There are some shortcomings with scanning from inside a container, so you should only use this approach when no other approach is viable.
The shortcomings are:Automating the scan in your continuous integration pipeline is more difficult.
Image metadata, such as registry, repository, and tag aren’t available in the scan report.
When twistcli is run from outside the container, this information is retrieved from the Docker API.
The image ID isn’t available in the scan report because it cannot be determined when the scan is run from inside a container.
The scan report won’t show a layer-by-layer analysis of the image.
To run a twistcli image scan within a container and without passing the --containerized flag, you need to run the container as a privileged container.
Usage
When running the scanner from inside a container, you need to properly orient it by passing it the --containerized flag.
There are a couple of ways to run twistcli with the --containerized flag: build-time and run-time.For security reasons, Prisma Cloud recommends that you create a user with the CI User role for running scans.
Build-time Invocation
After building an image, run it.
Mount the host directory that holds the twistcli binary, pass the Prisma Cloud Console user credentials to the container with environment variables, then run the scanner inside the container.
The is a user defined string that uniquely identifies the scan report in the Console UI.$ docker run \
-v /PATH/TO/TWISTCLIDIR:/tools \
-e TW_USER= \
-e TW_PASS= \
-e TW_CONSOLE= \
--entrypoint="" \
\
/tools/twistcli images scan \
--containerized \
--details \
--address $TW_CONSOLE \
--user $TW_USER \
--password $TW_PASS \
Rather than username and password, twistcli can also authenticate to Console with a token.
Your API token can be found in Console under Manage > System > Utilities > API token.$ docker run \
-v /PATH/TO/TWISTCLI_DIR:/tools \
-e TW_TOKEN= \
-e TW_CONSOLE= \
--entrypoint="" \
\
/tools/twistcli images scan \
--containerized \
--details \
--address $TW_CONSOLE \
--token $TW_TOKEN \
Run-time Invocation
If you have access to the orchestrator, you can exec into the running container to run the twistcli scanner.
Alternatively, you could SSH to the container.
Once you have a shell on the running container, invoke the scanner:$ ./twistcli images scan \
--address \
--user \
--password \
--containerized \
To invoke the scanner with an API token:$ ./twistcli images scan \
--address \
--token \
--containerized \
Simple Scan
Scan an image with twistcli and print the summary report to stdout.
Scan an image named nginx:latest.
$ twistcli images scan \
--address \
--user \
--password \
nginx:latest
Command output:
Scan with Detailed Report
You can have twistcli generate a detailed report for each scan.
The following procedure shows you how to scan an image with twistcli, and then retrieve the results from Console.
Scan an image named nginx:latest.
$ twistcli images scan \
--address \
--user \
--password \
--details \
nginx:latest
Sample command output (results have been truncated):
This outputs a tabular representation of your scan results to stdout.
If you need to retrieve the results of your scan in JSON format, this can be done using the API.
For more information on the API, see the API reference.Call the API with authentication (demonstrated here using Basic authentication) to fetch the results of the scan.
$ curl \
-o scan_results.json \
-H 'Authorization: Basic YXBpOmFwaQ==' \
'https:///api/v1/scans?search=myimage&limit=1&reverse=true&type=ciImage'
Format the scan results into human-readable format.
$ python -m json.tool scan_results.json > scan_results_pp.json
Inspect the results.
Open scan_results_pp.json to view the results. Vulnerability information can be found in the vulnerabilities array, and compliance results can be found in the complianceIssues array.
[
{
"entityInfo": {
"_id": "",
"type": "ciImage",
...
"complianceIssues": [
{
"text": "",
"id": 41,
"severity": "high",
"cvss": 0,
"status": "",
"cve": "",
"cause": "",
"description": "It is a good practice to run the container as a non-root user, if possible. Though user\nnamespace mapping is now available, if a user is already defined in the container image, the\ncontainer is run as that user by default and specific user namespace remapping is not\nrequired",
"title": "(CIS_Docker_CE_v1.1.0 - 4.1) Image should be created with a non-root user",
"vecStr": "",
"exploit": "",
"riskFactors": null,
"link": "",
"type": "image",
"packageName": "",
"packageVersion": "",
"layerTime": 0,
"templates": [],
"twistlock": false,
"published": 0,
"discovered": "0001-01-01T00:00:00Z"
}
],
...
"vulnerabilities": [
{
"text": "",
"id": 46,
"severity": "medium",
"cvss": 9.8,
"status": "deferred",
"cve": "CVE-2018-20839",
"cause": "",
"description": "systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.",
"title": "",
"vecStr": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"exploit": "",
"riskFactors": {
"Attack complexity: low": {},
"Attack vector: network": {},
"Medium severity": {}
},
"link": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20839",
"type": "image",
"packageName": "systemd",
"packageVersion": "237-3ubuntu10.39",
"layerTime": 1587690420,
"templates": [],
"twistlock": false,
"published": 1558067340,
"discovered": "0001-01-01T00:00:00Z",
"binaryPkgs": [
"libnss-systemd",
"libsystemd0",
"libpam-systemd",
"udev",
"systemd-sysv",
"libudev1",
"systemd"
]
},
...
],
...
},
...
}
]
Scan Images Built with Jenkins in an OpenShift Environment
If you are building and deploying images on OpenShift Container Platform (OCP), and you are utilizing their Jenkins infrastructure, then invoke a scan with the twistcli hosts scan command, not the twistcli images scan command.
You can scan images generated by Jenkins with the OpenShift plugin by invoking twistcli from a
build hook.
Build hooks let you inject custom logic into the build process.
They run your commands inside a temporary container instantiated from build output image.
Build hooks are called when the last layer of the image has been committed, but before the image is pushed to a registry.
An non-zero exit code fails the build.
A zero exit code passes the build, and allows it to proceed to the next step.
To call twistcli from a build hook:
Download twistcli into your build environment.
Depending on your build strategy, one option is to download it as an external artifact using a save-artifacts S2I script.In your BuildConfig, call twistcli as a script from the postCommit hook.
$ twistcli hosts scan \
--address \
--user \
--password \
--skip-docker \
--include-3rd-party
Where the --skip-docker option skips all Docker compliance checks such as the Docker daemon configuration and the --include-3rd-party option scans application-specific files such as JARs.
Scan Images when the Docker Docket Isn’t in the Default Location
The twistcli scanner uses the Docker API, so it must be able to access the socket where the Docker daemon listens.
If your Docker socket isn’t in the default location, use the --docker-address option to tell twistcli where to find it:
--docker-address PATH
--
Path to the Docker socket.
By default, twistcli looks for the Docker socket unix:///var/run/docker.sock.
$ ./twistcli images scan \
--address \
--user \
--password \
--docker-address unix:////docker.sock \
Scan Podman/CRI Images
Podman is a daemon-less container engine for developing, managing, and running OCI containers on Linux.
The twistcli tool can use the preinstalled Podman binary to scan CRI images.
NOTE: To run a twistcli image scan within a container using podman and without passing the --containerized flag, you need to run the container as a privileged container.
--podman-path PATH
--
Forces twistcli to use Podman.
To call podman from its default install path, specify podman.
Otherwise, specify an explicit path.
$ ./twistcli images scan \
--address \
--user \
--password \
--podman-path podman \
CI/CD Automation
Twistcli images scan can be used to shift-left security scans inside of your build pipeline.
Plugins are available for Jenkins and other CI/CD tools, but twistcli can also be used from a CI pipeline in order to initiate vulnerability and compliance scans on images.The exit status code can be verified inside of your pipeline to determine pass and fail status of the image scan.
A zero exit code signals the scan passes, and any non-zero exit code signals a failure.In order to automate the download and version sync of twistcli, reference the sample Jenkins code below:stage('Check twistcli version') {
def TCLI_VERSION = sh(script: "./twistcli | grep -A1 VERSION | sed 1d", returnStdout:true).trim()
def CONSOLE_VERSION = sh(script: "curl -k -u \"$TL_USER:$TL_PASS\" https://$TL_CONSOLE/api/v1/version | tr -d \'\"'", returnStdout:true).trim()
println "TCLI_VERSION = $TCLI_VERSION"
println "CONSOLE_VERSION = $CONSOLE_VERSION"
if ("$TCLI_VERSION" != "$CONSOLE_VERSION") {
println "downloading twistcli"
sh 'curl -k -u $TL_USER:$TL_PASS --output ./twistcli https://$TL_CONSOLE/api/v1/util/twistcli'
sh 'sudo chmod a+x ./twistcli'
}
}
stage('Scan with Twistcli') {
sh './twistcli images scan --address https://$TL_CONSOLE -u $TL_USER -p $TL_PASS --details $IMAGE'
}
Using twistcli with Prisma Cloud Compute in Enterprise Edition
The following procedure is true even if IP whitelisting feature is enabled in Prisma Cloud.
You can use your username:password from PC or Access Key / Secret Key created by a user as username:password in twistcli calls.
Go to Settings > Access Keys page under Prisma CloudCreate an Access Key with desired expiration time. Make sure you keep this secure by downloading or copying for future use.Get Compute Console URL from Compute tab - Manage > System > Utilities.Use Access Key as username and Secret key as password for your twistcli calls
./twistcli images scan --address --username --password ubuntu:latest
Scan Image Tarballs
twistcli can scan image tarballs.
This capability is designed to support the following workflows:Integration with Kaniko.
Kaniko is a tool that builds images in a Kubernetes cluster from a Dockerfile without access to a Docker daemon.
Vendors deliver container images as tar files, not through a registry.
twistcli supports the Docker Image Specification v1.1 and later.
Currently, twistcli doesn’t support the Open Container Initiative (OCI) Image Format Specification.Both Kaniko and the docker save command output tarballs using the Docker Image Specification.To scan an image tarball, specify the --tarball option:twistcli images scan --tarball For example:docker pull vulnerables/web-dvwa:1.9
docker save vulnerables/web-dvwa:1.9 | gzip > vulnerables_web_dvwa19.tar.gz
twistcli images scan --tarball vulnerables_web_dvwa19.tar.gzNOTE:
To scan image tarballs in an unprivileged container, pass the following capabilities: CAP_SYS_CHROOT and CAP_MKNOD.
Scan Windows Images on Windows Hosts with containerd
You can use twistcli to scan Windows images on Windows hosts with containerd installed..\twistcli.exe images scan \
--address \
-u \
--containerd \
--containerd-namespace
The image ID passed to twistcli must be the full length image ID.
Short IDs aren’t supported.
Get full length image IDs using the following command.
ctr -n images ls
Download the ctr utility.
Windows requires the host OS version to match the container OS version.
If you want to run a container based on a newer Windows build, make sure you have an equivalent host build.
Otherwise, you can use Hyper-V isolation to run older containers on new host builds.
For more information, see Windows containers version compatibility.
Limitations
Due to a bug in Kaniko, twistcli can’t map vulnerabilities to layers when scanning image tarballs built by Kaniko.
Previous
twistcli
Next
Scan code repos with twistcli
Recommended For You
© 2023 Palo Alto Networks, Inc. All rights reserved.
|