twistcli Flashcards
Where are the twistcli binaries located in Prisma Cloud Console for download?
Runtime Security > Manage > System > Utilities
How can twistcli be downloaded in case of automated workflows?
from the API
What has to be installed on the executing machine for image scanning?
Docker Engine
What does the variable COMPUTE_CONSOLE represent?
the address for the Console
What do most twistcli functions require?
connectivity to Console
What is the twistcli command for scanning container images for vulnerabilities and compliance issues?
twistcli images scan [OPTIONS] [IMAGE]
Where does the image need to reside when performing a scan?
On the system where twistcli runs
What does the twistcli images scan function do?
Collects information about the packages and binaries in the container image, and then sends it to Console for analysis.
What does the data collected by twistcli include? (3)
- Packages in the image
- Files installed by each package
- Hashes for each file in the image
What does twistcli do after Console analyzes the image for vulnerabilities? (2)
- Outputs a summary report.
- Exits with a pass or fail return value.
Scan results can be retrieved in which format from the Console using API calls?
JSON
What is used to specify an image to scan?
Either the image ID, or repository name and tag
If a repository is specified with a tag, twistcli looks for an image tagged with which tag?
latest
What is the return value if twistcli finds no vulnerabilities or compliance issues?
0, otherwise the code is 1
Describe the --address URI option. Is it required?
- Complete URI for Console, including the protocol and port
- Only the HTTPS protocol is supported
- By default, Console listens to HTTPS on port 8083, although your administrator can configure Console to listen on a different port.
Required
--address https://console.example.com:8083
Describe the -u option. Is it required?
- Username to access Console.
Required
Describe the -p option. Is it required?
- Password for the user specified with -u, --user
- If not specified on the command-line, you are prompted for the user’s password before the scan runs
Not Required
Describe the --details option.
Prints an itemized list of each vulnerability found by the scanner.
Describe the --containerized option.
Run the scan from inside the container.
Describe the --docker-tlscacert PATH option.
Path to Docker client CA certificate.
Describe the --docker-tlscert PATH option.
Path to Docker client Client certificate.
Describe the --docker-tlskey PATH option.
Path to Docker client Client private key.
Describe the --tlscacert PATH option.
Path to Prisma Cloud CA certificate file. If no CA certificate is specified, the connection to Console is insecure.
If building and deploying images on OpenShift Container Platform (OCP), and utilizing their Jenkins infrastructure, what command should be invoked to scan images?
The twistcli hosts scan command, not the twistcli images scan command
What are the shortcomings of scanning from inside a container?
- Automating the scan in your continuous integration pipeline is more difficult
- Image metadata, such as registry, repository, and tag aren’t available in the scan report. When twistcli is run from outside the container, this information is retrieved from the Docker API
- The image ID isn’t available in the scan report because it cannot be determined when the scan is run from inside a container
- The scan report won’t show a layer-by-layer analysis of the image