We introduce an operational approach that integrates a GitHub Action with the Prisma Cloud Console to detect vulnerabilities and enforce compliance early in the pipeline.
Our workflow wraps the official twistcli engine and links to the Console for policy and metadata. For example, builds set IMAGE_NAME to the repo SHA, run a docker build, then invoke the Palo Alto Networks action to evaluate images against Console thresholds.
Results are visible in workflow logs, in the Console Monitor area, and (when SARIF is uploaded) in the repository Security tab. We design gates so the pipeline can block noncompliant builds (for example, High or Critical findings) while keeping delivery predictable.
Our goal is a clear, auditable path from prerequisites and scanning to reporting and governance. This page outlines that journey and sets expectations for the sections that follow.
Key Takeaways
- We connect GitHub Actions to the Console policy engine to surface risks early.
- Workflows use a twistcli-based wrapper and can upload SARIF for triage.
- Thresholds in the Console enforce gates and support audit-ready compliance.
- Findings appear in workflow logs, the Monitor section, and the Security tab.
- This section previews an end-to-end example and the expected business outcome.
- We partner with engineering and security leadership to maintain effective controls.
Why prisma container scanning matters now for cloud-native security
We believe early security checks are essential for cloud-native applications. Catching misconfigurations and known CVEs during development reduces time-to-detect and limits impact.
Centralized policy in the prisma cloud console creates a single source of truth. Thresholds defined in the cloud console drive build blocking centrally, so pipelines stay consistent without hardcoding rules.
The official palo alto GitHub Action routes each scan to the Console and surfaces results in both the Console and GitHub. This alignment ensures findings meet enterprise standards for vulnerabilities compliance and auditability.
Embedding scans in CI gives developers immediate feedback. That fast loop shortens remediation time and encourages secure-by-default practices while preserving delivery speed.
- Operational view: dashboards tie risk to developer workflows.
- Executive value: governance, audit trails, and measurable policy adherence.
- Standard gates: prevent drift across teams while allowing project-level flexibility.
Prerequisites and environment setup in Prisma Cloud Console
A reliable CI setup begins with validating Console endpoints and provisioning least-privileged credentials for automation. We access Compute from the console URL to confirm reachability and API responsiveness.
Accessing Prisma Cloud Compute and Console URL
Locate your prisma cloud console address in the admin UI and validate network egress from runners. Verify the URL responds and that required ports are open to avoid failed jobs.
Creating CI user credentials and tokens
Create a scoped CI user in Compute with minimal roles. Store pcc_console_url, pcc_user, and pcc_pass as GitHub secrets. In your github workflow, set env IMAGE_NAME: ${{ github.repository }}:${{ github.sha }} to ensure traceability to a commit SHA.
Configuring Docker daemon connectivity variables
For hosted runners, set DOCKER_ADDRESS (preferred) or DOCKER_HOST when needed. Provide TLS certs using docker_tlscacert, docker_tlscert, and docker_tlskey for secured sockets.
- Include a connectivity test stage to verify Console reach and Docker socket availability.
- Rotate CI secrets and scope the name and permissions per enterprise policy.
Using the official GitHub Action wrapper around twistcli
The action-based wrapper lets us invoke twistcli from a github workflow and publish structured results.
We show a simple, repeatable pattern that triggers on push and manual dispatch. The workflow sets env IMAGE_NAME: ${{ github.repository }}:${{ github.sha }}, checks out code, builds the image, and calls the Palo Alto Networks action to run an image scan.
Mandatory inputs—pcc_console_url, pcc_user, pcc_pass, and image_name—should be stored as GitHub secrets. Pin the action version (for example @v1.5) to keep behavior stable while tracking upstream fixes.
Optional inputs and published outputs
Optional parameters let teams adapt connectivity and artifacts. Use results_file and sarif_file to save JSON and SARIF outputs. Provide docker_* variables when a custom daemon or TLS certs are required.
- Outputs: JSON results and SARIF path for uploads or archiving.
- Publish: twistcli_publish toggles whether results are forwarded to the Console.
- Traceability: consistent image naming keeps scans reproducible across runs.
 
															| Parameter | Type | Description | 
|---|---|---|
| pcc_console_url | required | Console endpoint (use secret for CI access) | 
| image_name | required | Name:tag (use repo:${‘{‘}{ github.sha }}) for traceability | 
| results_file / sarif_file | optional | Paths for JSON and SARIF outputs (defaults provided) | 
| docker_* / twistcli_publish | optional | Daemon TLS, address, and publish toggle for forwarding results | 
Severity thresholds that *alert* or *fail* builds are enforced from the Console policy. That allows governance teams to adjust thresholds without changing pipeline code.
Integrating scan results with GitHub code scanning alerts
We publish SARIF output so security findings appear where developers work. Uploading a sarif file makes results visible in the repository tab and enables automated lifecycle management for alerts.
Use the official action to upload SARIF:
- uses: github/codeql-action/upload-sarif@v2
- with: sarif_file: ${{ steps.scan.outputs.sarif_file }}
- Include if: ${{ always() }}so the upload runs even when a fail threshold stops the job.
We recommend a consistent step id (for example id: scan) and predictable name patterns so subsequent steps find the SARIF path reliably. Before upload, normalize paths (for example, use sed) so links in GitHub resolve to the correct files.
The table below summarizes where findings appear and how they behave.
| Location | Content | Behavior | 
|---|---|---|
| Workflow log | Vulnerability list and compliance violations | Immediate visibility during CI runs | 
| Prisma Cloud Monitor | Aggregated image results and policy flags | SecOps dashboarding and audit trails | 
| GitHub Security tab | Code scanning alerts from SARIF | Alerts open on new findings and auto-close when fixes run | 
We unify quality and security by surfacing scan results in both systems. This dual visibility preserves developer feedback loops and ensures compliance violations are tracked and remediated.
Hardening the GitHub workflow with practical improvements
We harden CI by adding practical steps that make workflow runs predictable and resilient. These changes reduce false positives and make developer feedback actionable.
Handling SARIF conversion and path rewrites
Normalize SARIF paths before upload so links resolve on the repository page. For example, run a sed rewrite: sed -i ‘s/${{ env.IMAGE_NAME }}:/file:/g’ ${{ github.workspace }}/pcc_scan_results.sarif_parse.json.
Validate the results file schema and fail fast if fields are missing. This prevents noisy alerts and preserves signal for triage.
Referencing a central policy repository and scripts
Centralize reusable parsers and policy logic in a shared repository. Check it out in the job with uses: actions/checkout@v3 (repo, ref, token, path) to keep governance code versioned.
We recommend running a PowerShell or Python parser (from the central repo) to map JSON to SARIF and annotate names, branch, and image digest to aid audits.
- Implement step timeouts and retries for network phases.
- Tag builds with consistent name conventions and metadata.
- Align repository-level scripts with Console-enforced policy to preserve predictable behavior.
| Enhancement | Benefit | Example | 
|---|---|---|
| SARIF rewrite | Clickable links | sed path rewrite | 
| Central repo | Versioned parsers | actions/checkout@v3 | 
| Schema validation | Fail fast | Validate JSON | 
twistcli quickstart: installing, authenticating, and running image scans
We walk through a concise, practical setup to get the twistcli tool on a runner, authenticate it, and produce durable scan results.
Obtain the twistcli binary from the Console utilities
Sign into the Console and navigate to Compute > Manage > System > Utilities to download the OS-specific binary. Select the correct operating system and set executable permissions:
 
															Authenticate via API token or credentials
For automated retrieval, use a bearer token and curl to fetch the latest compatible binary:
curl --progress-bar -L --header "authorization: Bearer <YOUR_API_TOKEN>" https://<CONSOLE_URL>/api/v1/util/osx/twistcli > twistcli
Then make it executable as shown above. We recommend storing tokens in secrets and rotating them regularly.
Run an image scan and persist results
Scan a local image with credentials and your Console address so the tool pulls policy and metadata:
./twistcli images scan -u <USERNAME> -p <PASSWORD> --address <CONSOLE_URL> <IMAGE_NAME>
For richer output and persistence enable details and write a JSON file:
./twistcli images scan -u <USERNAME> -p <PASSWORD> --address <CONSOLE_URL> --details --output-file scan_results.json <IMAGE_NAME>
Example:
./twistcli images scan -u anshu -p An$hum@@N_2000 --address https://asia-south1.cloud.twistlock.com/india-1131963775 --details --output-file scan_results.json eclipse-temurin:17-jre-alpine
- Name the target image consistently (repo:sha) and ensure it exists on the host or is reachable by the daemon.
- Validate exit codes and parse the JSON file to implement custom gates or dashboards when you do not use the GitHub Action wrapper.
- Persisting the file supports artifact retention, analytics, and ingestion into other tools.
| Step | Command | Purpose | 
|---|---|---|
| Download | Console UI or curl with Bearer token | Get OS-specific twistcli binary | 
| Make executable | chmod a+x twistcli | Allow the tool to run on the host | 
| Authenticate & run | ./twistcli images scan -u USER -p PASS –address URL IMAGE | Perform an image scan that returns policy-based results | 
| Detailed output | –details –output-file scan_results.json | Persist scan results for analysis and automation | 
Prisma Cloud policy and thresholds for vulnerabilities and compliance
Policy controls in the cloud console govern how image findings affect CI outcomes. Navigate to Compute > Defend > Vulnerabilities > Images > CI to create or edit CI rules. Use Add Rule or modify the Default Rule to define when alerts and fails fire.
Set separate alert and fail thresholds for Low, Medium, High, and Critical severities. Alert thresholds create warnings; fail thresholds stop the build. For example, choosing Medium for alerts omits Low findings from notifications.
We recommend starting with conservative fail thresholds (High and Critical) and tightening them as remediation improves. These central rules change pipeline outcomes immediately without editing workflow files.
Where results appear and how teams use them
Violations surface in workflow logs during runs and in the Console Monitor section for aggregated evidence. Teams cross-reference logs and Monitor entries to speed triage and verify fixes.
- Governance: central policy enforces consistent vulnerabilities compliance across projects.
- Developer experience: threshold changes affect future workflow runs without code changes.
- Tool parity: twistcli and the GitHub Action both honor the same rules for consistent outcomes.
| Setting | Effect | Recommended start | 
|---|---|---|
| Alert threshold | Warnings appear in logs and Monitor; does not fail build | Medium | 
| Fail threshold | Stops the workflow when exceeded; enforces remediation | High / Critical | 
| Rule scope | Apply to specific repositories, images, or global defaults | Start global, narrow by collection | 
Understanding scan results: vulnerabilities, compliance, and severity
We convert raw outputs into clear evidence so teams can triage fast and measure risk. The Prisma Cloud action emits two default artifacts: pcc_scan_results.json and pcc_scan_results.sarif.json. Storing both gives structured data for automation and a human-friendly view for audits.
Reading JSON and SARIF outputs for triage
The JSON file contains fields for severity, package, CVE identifiers, and remediation details. Use it to filter by severity for dashboards and to feed analytics pipelines.
The SARIF file maps issues to rules, results, and locations. Uploading the sarif file populates the repository tab so developers see issues where they work. This view helps rapid triage and links findings to the Dockerfile or build metadata.
Mapping image scan issues to code scanning alerts
Image context and source code context differ. Expect approximated file locations and tags when the tool maps packages to code. Despite this, most vulnerability and compliance details are preserved for each item.
- Normalize image name, tags, and repository identifiers to correlate a finding to its commit.
- Use JSON fields to build analytics on recurring vulnerabilities and package hotspots.
- Retain both JSON and SARIF artifacts with retention policies for audits and regression detection.
| Artifact | Primary Use | Key Fields | 
|---|---|---|
| pcc_scan_results.json | Automation, dashboards | severity, package, cve, fix | 
| pcc_scan_results.sarif.json | Developer triage in the Security tab | rules, results, locations | 
| Repository uploads | Code scanning alerts and lifecycle | alert status, auto-close on fix, trace metadata | 
Managing exceptions and tags for governance at scale
Scoped exceptions help teams accept short-term risk with documented justification and expiration. We recommend a formal process that ties each exception to an owner, a remediation plan, and a firm end date.
To create a CVE exception, open the relevant rule’s advanced settings. Add a new exception, enter the CVE identifier, set Effect to Ignore, record the rationale in the description, and assign an expiration date.
Using Collections & Tags to scope exceptions
Scope exceptions by navigating to Compute > Manage > Collection & Tags. Create tags (for example, ignored/CVE-2024-xxxx) and map them to Resource Type = Images, specific package scopes, and repository name patterns (wildcards and :latest).
- Apply exceptions by Tag in the rule advanced settings to avoid global impact.
- Use a naming convention to make audits straightforward (for example, ignored/<CVE>).
- Review approaching expirations and notify owners to remediate or rejustifiy.
| Action | Field | Purpose | 
|---|---|---|
| Create exception | CVE ID, Effect=Ignore, Description, Expiration | Allow temporary, documented risk acceptance | 
| Tag scope | Collection & Tags, Resource Type = Images, repo patterns | Limit exception to specific assets | 
| Governance | Owner, Approval, Review cadence | Prevent indefinite exceptions and align with severity thresholds | 
Troubleshooting common issues in prisma container scanning pipelines
A predictable troubleshooting path helps teams resolve SARIF, daemon, and tool issues fast.
SARIF upload failures and always() conditions
Place the SARIF upload after the scan step and use if: ${{ always() }} on github/codeql-action/upload-sarif@v2. This ensures the Security tab receives the file even when severity gates fail the run.
Validate the SARIF before upload. Common faults include missing paths, malformed JSON, and schema mismatches. Run a quick JSON lint and schema check to avoid silent drops.
Docker daemon access and certificate variables
Check DOCKER_ADDRESS first; fallback to DOCKER_HOST if needed. For TLS-protected daemons, set docker_tlscacert, docker_tlscert, and docker_tlskey so runners can authenticate.
On hosted runners confirm socket permissions. On self-hosted hosts verify daemon reachability and restart the service before rerunning the workflow.
- Run twistcli --versionand a dry--helpor dry-run to confirm the tool is present and compatible.
- Pin the Palo Alto Networks action (for example @v1.5) and review SUPPORT.md for breaking changes.
- Enable verbose logs or twistcli_debug, add retries for network phases, and confirm repository token scopes for code scanning uploads.
| Symptom | Quick check | Action | 
|---|---|---|
| SARIF not in Security tab | Upload step ran? | Use if: ${{ always() }}and validate SARIF schema | 
| Daemon connection refused | DOCKER_ADDRESS/DOCKER_HOST set? | Set DOCKER_ADDRESS, add TLS cert vars, restart daemon | 
| Tool errors or version mismatch | twistcli --version | Download matching binary from Console and pin action version | 
Conclusion
To conclude, embedding a policy-driven image analysis into the CI workflow delivers reliable gates and clear audit trails.
We recommend using the Prisma Cloud GitHub Action to run a twistcli-based scan, publish JSON and SARIF artifacts, and honor Console thresholds so failures and alerts are consistent across the cloud estate.
SARIF uploads surface findings in the repository Security tab for developer triage, while JSON artifacts support analytics, audits, and remediation measurement.
Scope exceptions with tags and collections, apply expirations, and standardize naming across repositories and images. Start with critical controls, measure remediation, and raise the bar iteratively to balance velocity and security.
Next step: adopt consistent metadata, monitor remediation metrics, and use policy-driven enforcement to keep vulnerabilities compliance predictable and auditable.
FAQ
What is Prisma Container Scanning and why is it important for cloud-native security?
Prisma Container Scanning is a vulnerability and compliance solution for images and workloads that inspects software artifacts before deployment. We use it to detect CVEs, misconfigurations, and policy violations early in CI/CD so teams reduce production risk, meet compliance requirements, and enforce fail-build policies based on severity thresholds.
What prerequisites are required in the Prisma Cloud Console before running scans?
You must enable the Compute module, create a CI user with API tokens, and note the Console URL. For local or pipeline scans, configure Docker daemon connectivity (DAEMON_HOST and certificate variables) so the scan tool can pull and inspect images.
How do we create CI user credentials and tokens for automated workflows?
In the Cloud Console, create a service account with the least privilege needed for image inspection and CI actions. Generate an API token tied to that account and store credentials as secrets in your Git provider (for example, pcc_console_url, pcc_user, and pcc_pass) so workflows can authenticate securely.
How does the official GitHub Action wrapper around twistcli fit into pipelines?
The wrapper packages the scanner binary and steps to authenticate, run an image scan, and optionally publish results back to the Cloud Console. Typical workflows include checkout, setting IMAGE_NAME, supplying Console credentials, and invoking the action to produce JSON and SARIF outputs.
Which workflow inputs are required and which are optional when using the GitHub Action?
Required inputs usually include the Console URL, API user/token, and image_name. Optional inputs cover output paths, publish flags, and thresholds for blocking builds. We recommend documenting defaults and exposing only necessary options as workflow inputs.
Can the scan automatically block builds? How are severity thresholds configured?
Yes. You can set alert and fail thresholds in Cloud Defender (Defend > Vulnerabilities > Images > CI rule). Configure limits for Low, Medium, High, and Critical so the pipeline fails when a scan returns issues exceeding those thresholds.
How do we integrate scan results with GitHub code scanning alerts?
Convert scanner JSON output to SARIF and upload via actions/upload-sarif. That populates the Security tab, creates code scanning alerts, and enables auto-closing when fixes are merged. Ensure paths and repo mappings are correct so findings link back to code.
What are best practices for SARIF conversion and path rewrites?
Normalize file paths in the SARIF to match repository layout, remove absolute paths, and include repository-relative locations. Use consistent tool names and rule identifiers so the Security tab groups and deduplicates findings reliably.
How should we harden the GitHub workflow for reliability and governance?
Use always() steps for artifact uploads, reference a central policy repository for consistent rules, pin action versions, rotate credentials, and add retry logic for transient network calls. Centralized scripts and a shared policy bundle simplify maintenance.
How do we obtain and run the CLI scanner (twistcli) quickly?
Download the binary from Compute > Manage > System > Utilities in the Console, authenticate with an API token and Console address, then run a scan against an image. Save JSON output for automation and SARIF conversion for code scanning.
Where do scan results appear in the Cloud Console and logs?
Results surface in Defend > Vulnerabilities > Images and in Monitor and workflow logs. CI-specific runs are labeled, include metadata (image_name, tags, and repo), and provide per-issue details and remediation steps.
How are policies and thresholds structured for vulnerabilities and compliance?
Policies are defined within the Console under policy management. CI rules let you set alert and fail thresholds per severity and type (vulnerability vs. compliance). We recommend conservative fail criteria for high and critical issues and alerting for medium risks.
How do we read and triage JSON and SARIF outputs from scans?
JSON contains raw findings, package versions, and remediation pointers. SARIF formats issues for code scanning. Prioritize by severity and exploitability, map to affected packages or files, and assign remediation tickets with context and reproduction steps.
How can we map image scan issues back to repository code and alerts?
Ensure image build metadata includes commit SHAs and IMAGE_NAME labels. Convert findings to SARIF with proper file paths and rule IDs so GitHub code scanning correlates image issues with source files and produces actionable alerts.
What options exist for managing exceptions and governance at scale?
Create CVE exceptions with scope, effect, description, and expiration dates. Use Collections & Tags to target exceptions to specific repos, registries, or images. Audit exception usage regularly and enforce review cycles.
What common pipeline failures should teams watch for and how do we troubleshoot them?
Frequent issues include SARIF upload failures (mismatched paths), credential expiration, and Docker daemon access errors. Use always() for result uploads, validate token permissions, and check DAEMON_HOST and certificate variables when the scanner cannot pull images.
How do we ensure the Security tab auto-closes alerts when fixes are merged?
Populate SARIF with correct rule IDs and repo-relative paths. Link findings to commits by including the commit SHA in scan metadata. When a fix merges that removes the issue, GitHub will reconcile and auto-close the alert.
What metadata should we include with scans to improve traceability?
Include image_name, tag, build SHA, registry, and scan timestamp in published results. Also add tags for environment (dev/stage/prod) and team ownership so governance and incident response teams can act swiftly.
Are there recommendations for policy repositories and reusable scripts?
Maintain a central policy repo with CI rules, SARIF converters, and wrapper scripts. Version policies, run automated tests for SARIF generation, and share scripts across teams to reduce drift and ensure consistent enforcement.
 
								 
															 
															 
								 
								 
								