Update VM Image Scan Settings
Updates the list of VM image scan scopes. The list of scopes are updated in a single shot.
To invoke this endpoint in the Console UI:
Navigate to Defend > Vulnerabilities > Hosts > VM images.
Under the VM images scope table, add a registry item using + Add scope.
Note: If the + Add scope button is not present, use the Add the first item link.
Click the Save button.
General Set up and Scan Process
This endpoint works hand-in-hand with the
Prisma Cloud auto-discovers the VM images in your cloud account according to the scan scopes specified in
The list of auto-discovered VM images is passed to the scanner for evaluation.
The scanner uses the corresponding
/policies/vulnerability/vms endpoint to assess each VM image.
Each VM image scan scope is specified as an element in the endpoint's payload array.
The critical fields for this endpoint are:
version- Cloud provider. Currently, only Amazon AWS is supported.
region- Region to scan.
credentialID- Credential ID from the credentials store so Prisma Cloud can authenticate with the cloud provider to access the VM images.
collections- Filter for refining the scope of VM images to scan. You can scope by VM image name and AWS tag.
consoleAddr- Address for Console that Defender (the scanner) can reach over the network to publish scan results.
Refer to the following example cURL command that overwrites all current scan scopes with single scan scope:
$ curl 'https://<CONSOLE>/api/v<VERSION>/settings/vm' \
-X PUT \
-u <USER> \
-H 'Content-Type: application/json' \
Note: No response will be returned upon successful execution.
- Array [
Specifies the maximum number of images to fetch and scan, ordered by most recently modified.
Network-accessible address that Defender can use to publish scan results to Console.
ID of the credentials in the credentials store to use for authenticating with the cloud provider.
EnableSecureBoot indicates secure boot should be enabled for the instance launched for scanning (currently only supported with GCP).
Images to exclude from scanning.
GCP project ID to use for listing VM images instead of the default associated with the GCP credential (optional).
ImageType is the type of a VM image. For example, in the case of Azure this is one of marketplace/managed/gallery.
The names of images to scan.
InstanceType is the instance type to use for the instance launched for scanning. For example, the default instance type for AWS is "m4.large".
The labels to use to target images to scan.
Cloud provider region.
Number of Defenders that can be utilized for each scan job.
SubnetID is the network subnet ID to use for the instance launched for scanning. Default value is empty string, which represents the default subnet in the VPC.
VPCID is the network VPC ID to use for the instance launched for scanning. Default value is empty string, which represents the default VPC in the region.
Cloud provider zone (part of a region). On GCP, designates in which zone to deploy the VM scan instance.