
Update VM Image Scan Settings



x-prisma-cloud-target-env: {"permission":"policyHosts","saas":true,"self-hosted":true}
x-public: true

Updates the list of VM image scan scopes. The whole list of scopes is replaced in a single call.

To invoke this endpoint in the Console UI:

  1. Navigate to Defend > Vulnerabilities > Hosts > VM images.

  2. Under the VM images scope table, add a registry item using + Add scope.

    Note: If the + Add scope button is not present, use the Add the first item link.

  3. Click the Save button.

General Setup and Scan Process

This endpoint works hand-in-hand with the /policies endpoints. Prisma Cloud auto-discovers the VM images in your cloud account according to the scan scopes specified in /settings/vm. The list of auto-discovered VM images is passed to the scanner for evaluation. The scanner uses the corresponding /policies/vulnerability/vms endpoint to assess each VM image.

cURL Request

Each VM image scan scope is specified as an element in the endpoint's payload array.

The critical fields for this endpoint are:

  • version - Cloud provider. Currently, only Amazon AWS is supported.
  • region - Region to scan.
  • credentialID - Credential ID from the credentials store so Prisma Cloud can authenticate with the cloud provider to access the VM images.
  • collections - Filter for refining the scope of VM images to scan. You can scope by VM image name and AWS tag.
  • consoleAddr - Address for Console that Defender (the scanner) can reach over the network to publish scan results.

Refer to the following example cURL command, which overwrites all current scan scopes with a single scan scope (the payload is a JSON array with one scope object):

$ curl 'https://<CONSOLE>/api/v<VERSION>/settings/vm' \
  -k \
  -X PUT \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -d '[
    {
      "credentialID": "IAM Role",
      "cap": 5,
      "scanners": 1
    }
  ]'

Note: No response body is returned upon successful execution.



Request body: Array [

  • cap integer

    Specifies the maximum number of images to fetch and scan, ordered by most recently modified.

  • consoleAddr string

    Network-accessible address that Defender can use to publish scan results to Console.

  • credentialID string

    ID of the credentials in the credentials store to use for authenticating with the cloud provider.

  • enableSecureBoot boolean

    EnableSecureBoot indicates secure boot should be enabled for the instance launched for scanning (currently only supported with GCP).

  • excludedImages string[]

    Images to exclude from scanning.

  • gcpProjectID string

    GCP project ID to use for listing VM images instead of the default associated with the GCP credential (optional).

  • imageType common.ImageType

    ImageType is the type of a VM image. For example, in the case of Azure this is one of marketplace/managed/gallery.

  • images string[]

    The names of images to scan.

  • instanceType string

    InstanceType is the instance type to use for the instance launched for scanning. For example, the default instance type for AWS is "m4.large".

  • labels string[]

    The labels to use to target images to scan.

  • region string

    Cloud provider region.

  • scanners integer

    Number of Defenders that can be utilized for each scan job.

  • subnetID string

    SubnetID is the network subnet ID to use for the instance launched for scanning. Default value is empty string, which represents the default subnet in the VPC.

  • vpcID string

    VPCID is the network VPC ID to use for the instance launched for scanning. Default value is empty string, which represents the default VPC in the region.

  • zone string

    Cloud provider zone (part of a region). On GCP, designates in which zone to deploy the VM scan instance.

]
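The following Python script is an added example, not part of this page or of Prisma Cloud's own tooling. It builds scan-scope objects using only the field names from the request schema above, validates the values an operator most often gets wrong (a missing credentialID or region, a non-positive cap, an empty list that would silently remove every scope, a misspelled field name that the API would ignore), and issues the same PUT as the cURL command above over basic auth. The Console address, API version, user, credential ID and region values are placeholders or constructed samples; TLS verification stays on by default instead of the curl -k behaviour.

```python
"""Added example: build and PUT a VM image scan scope list to /settings/vm."""
import base64
import json
import ssl
import urllib.request
from typing import Any, Dict, List, Optional

# Field names taken from the request schema documented on this page.
ALLOWED_FIELDS = {
    "cap", "consoleAddr", "credentialID", "enableSecureBoot", "excludedImages",
    "gcpProjectID", "imageType", "images", "instanceType", "labels", "region",
    "scanners", "subnetID", "vpcID", "zone",
}


def build_scope(credential_id: str, region: str, *, cap: int = 5, scanners: int = 1,
                console_addr: Optional[str] = None, images: Optional[List[str]] = None,
                labels: Optional[List[str]] = None,
                excluded_images: Optional[List[str]] = None,
                **extra: Any) -> Dict[str, Any]:
    """Return one scan-scope element after validating the fields callers commonly get wrong."""
    if not credential_id:
        raise ValueError("credentialID is required: the scanner cannot authenticate without it")
    if not region:
        raise ValueError("region is required")
    if cap < 1:
        raise ValueError("cap must be a positive integer (max images to fetch and scan)")
    if scanners < 1:
        raise ValueError("scanners must be at least 1")
    # Catch misspelled keys: the API would ignore them and the scope would silently differ.
    unknown = set(extra) - ALLOWED_FIELDS
    if unknown:
        raise ValueError(f"unknown field(s): {sorted(unknown)}")
    scope: Dict[str, Any] = {
        "credentialID": credential_id,
        "region": region,
        "cap": cap,
        "scanners": scanners,
    }
    if console_addr:
        scope["consoleAddr"] = console_addr
    if images:
        scope["images"] = list(images)
    if labels:
        scope["labels"] = list(labels)
    if excluded_images:
        scope["excludedImages"] = list(excluded_images)
    scope.update(extra)
    return scope


def build_payload(scopes: List[Dict[str, Any]]) -> str:
    """Serialize the complete list: PUT replaces every existing scope, so a partial list loses scopes."""
    if not scopes:
        raise ValueError("refusing to PUT an empty list: that would remove every scan scope")
    return json.dumps(scopes)


def update_vm_scan_settings(console: str, version: str, user: str, password: str,
                            scopes: List[Dict[str, Any]], verify_tls: bool = True) -> int:
    """PUT the scope list to /api/v<VERSION>/settings/vm and return the HTTP status (no body on success)."""
    url = f"https://{console}/api/v{version}/settings/vm"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url,
        data=build_payload(scopes).encode(),
        method="PUT",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
    )
    # verify_tls=False is the equivalent of curl -k; leave verification on and trust the
    # Console certificate (or its private CA) instead wherever possible.
    ctx = ssl.create_default_context() if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample values; replace <CONSOLE>, <VERSION>, <USER> and <PASSWORD> before use.
    sample = build_scope("IAM Role", "us-east-1", cap=5, scanners=1, labels=["env:prod"])
    print(build_payload([sample]))
    # update_vm_scan_settings("<CONSOLE>", "<VERSION>", "<USER>", "<PASSWORD>", [sample])
```

Because the endpoint replaces the whole list, build every scope you want to keep and pass them all in one call; a payload containing only the new scope, like the cURL example above, deliberately drops the others.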