Package: Invicti AppSec Enterprise (on-premise, on-demand)
Prisma Cloud Compute CS
Prisma Cloud Compute (formerly Twistlock) provides container image vulnerability scanning and runtime protection for cloud-native workloads. In Invicti AppSec, the integration connects to your Prisma Cloud Compute instance to import container image vulnerability findings. Multiple named instances are supported for organizations managing multiple Prisma Cloud environments.
Prerequisites
| Field | Description |
|---|---|
| Username | Prisma Cloud Compute username |
| Password | Prisma Cloud Compute password |
| URL | The base URL of your Prisma Cloud Compute console (e.g., https://console.prismacloud.example.com) |
How to Get Credentials (on Prisma Cloud Side)
- Use your existing Prisma Cloud Compute console credentials.
- Ensure the account has access to the Container Security module and the Compute section.
- For the API URL, navigate to Compute > System > Utilities > Path to Console in the Prisma Cloud console.
If your organization uses multiple Prisma Cloud environments (e.g., separate consoles for production and staging), you can configure multiple instances in the Invicti AppSec integration settings.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.

Step 2: Select the CS Tab
On the Integrations > Scanners page, click on the CS tab.

Step 3: Find and Activate Prisma Cloud Compute
Scroll through the list of CS scanners to find Prisma Cloud Compute.
- If Prisma Cloud Compute is not activated, click the Activate button to enable the integration.
Step 4: Configure Connection Settings
Click the gear icon on the Prisma Cloud Compute card to open the settings panel. Fill in the required fields:
| Field | Description | Required |
|---|---|---|
| Instance | Select Default or a named instance to configure. Select Add New Instance to add an additional environment. | Yes |
| Instance Name | A label for this instance (shown when a non-default instance is selected) | Yes (non-default only) |
| Username | Prisma Cloud Compute console username | Yes |
| Password | Prisma Cloud Compute console password | Yes |
| URL | Base URL of your Prisma Cloud Compute console | Yes |
| Supported API Version | Select the Prisma Cloud API version to use: v30.03, v31.02, or v32.02 (optional — leave blank to use the default) | No |
| Insecure | Skip TLS certificate verification (use only for self-signed certificates) | No |
Multiple Instances: Use the Instance selector to manage separate credentials for different Prisma Cloud Compute consoles (e.g., production vs. staging). Each instance has its own URL, credentials, and optional API version.

Step 5: Test the Connection
Click Test Connection. A green Connection successful message confirms that Invicti AppSec can authenticate with the Prisma Cloud Compute API.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the CS tab |
| 3 | Activate Prisma Cloud Compute |
| 4 | Select instance, enter Username, Password, and URL |
| 5 | Test the connection |
Create a Scan
Navigate to Project Scanners
- Open a project in Invicti AppSec.
- Go to Settings > Scanners.
- Click Add Scanner.
Add Prisma Cloud Compute Scanner
- Select CS as the scanner type.
- Choose Prisma Cloud Compute from the scanner list.
- Click Add to open the scan configuration drawer.
Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | The deployment environment (e.g., feature, production) | No |
| Instance | Select which Prisma Cloud Compute instance to use for this scan (Default or a named instance) | Yes |
| Project | Select the Prisma Cloud Compute project to scope the image search | Yes |
| Bind to | Select the container image from the chosen project to associate with this scan (enabled after selecting a project) | Yes |
| Branch | Source code branch for this scan | Yes |
| Meta Data | Additional metadata to tag the scan | No |
| Scan Tag | Free-text tag to identify or group scans | No |
| Fork Default Branch / Fork Source Branch | Enable to fork scan results from the default or source branch | No |
Project and Bind to work together: first select the Prisma Cloud Compute project, then select the specific container image within that project. The Bind to field is disabled until a project is selected.

Scheduler
Enable the Scheduler toggle to automatically run Prisma Cloud Compute scans on a recurring schedule.
Webhook (Optional)
Add a webhook URL to receive scan completion notifications.
KDT Command
kdt scan -p <project_name> -t prismacloud -b <branch_name>
Troubleshooting
Connection Fails
| Issue | Resolution |
|---|---|
| Invalid username or password | Verify the credentials against your Prisma Cloud Compute console. Reset the password if needed. |
| URL unreachable | Confirm the Prisma Cloud Compute console URL is reachable from the Invicti AppSec server. Check firewall and network rules. |
| TLS certificate error | If using a self-signed certificate, enable the Insecure option in the connection settings. |
| API version mismatch | If the connection fails after selecting an API version, try leaving Supported API Version blank to use the default, or try a different version. |
| Wrong instance selected | Confirm that the instance selected in the settings panel corresponds to the intended Prisma Cloud Compute environment. |
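A pre-flight check for the failure modes in the table above, run from the Invicti AppSec server with certificate validation left on, so it shows whether the Insecure option would be needed at all. This is an added example, not Invicti or Palo Alto Networks code; the `/api/<version>/authenticate` path, the meaning given to HTTP 401 and 404, and the `PCC_PASSWORD` variable name are assumptions.

```sh
#!/bin/sh
# Added example: classify a Prisma Cloud Compute connection failure.
# Assumptions: the console answers POST /api/<version>/authenticate, rejects bad
# credentials with HTTP 401, and answers 404 for an API version it does not serve.

# Escape backslashes and double quotes so a value can sit inside a JSON string.
json_escape() { printf '%s' "$1" | sed 's/[\\"]/\\&/g'; }

# Map a curl exit code ($1) and HTTP status ($2) to a "Connection Fails" row.
classify_result() {
  case "$1" in
    0) ;;                                                  # transport worked
    6|7|28) echo "URL unreachable"; return 0 ;;            # DNS, connect, timeout
    35|60)  echo "TLS certificate error"; return 0 ;;      # handshake, untrusted CA
    *)      echo "curl exit code $1"; return 0 ;;
  esac
  case "$2" in
    200) echo "Connection successful" ;;
    401) echo "Invalid username or password" ;;
    404) echo "API version mismatch" ;;
    *)   echo "Unexpected HTTP status $2" ;;
  esac
}

# probe_console URL USERNAME [API_VERSION]
# The password is read from $PCC_PASSWORD (hypothetical name) and sent on stdin,
# so it never appears in curl's argument list. No -k is passed: a certificate
# that fails here is the case the Insecure option exists for.
probe_console() (
  base=${1%/}
  body=$(printf '{"username":"%s","password":"%s"}' \
    "$(json_escape "$2")" "$(json_escape "$PCC_PASSWORD")")
  rc=0
  code=$(printf '%s' "$body" | curl -sS -o /dev/null -w '%{http_code}' \
    --max-time 15 -H 'Content-Type: application/json' --data @- \
    "$base/api/${3:-v1}/authenticate") || rc=$?
  classify_result "$rc" "$code"
)
```

Call it as `PCC_PASSWORD=... probe_console https://console.prismacloud.example.com <username> v32.02`; the printed line names the matching row of the table.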
Scan Issues
| Issue | Resolution |
|---|---|
| No projects available | Ensure the configured user has access to at least one project in the Prisma Cloud Compute console. |
| No images available in Bind to dropdown | Select a project first. The Bind to field only lists images within the selected project. Ensure images have been scanned in Prisma Cloud Compute. |
| Scan shows no findings | The image may have no known vulnerabilities, or the Prisma Cloud Compute scan may not have completed yet. Check the Compute console. |
| Scan not starting | Verify the scanner is activated and the connection test passes for the instance being used. |
Best Practices
- Use a dedicated Prisma Cloud Compute service account for Invicti AppSec with the minimum required permissions (read-only access to vulnerability data).
- Use named instances to manage separate Prisma Cloud Compute consoles per environment (production, staging) rather than switching credentials manually.
- Always specify Supported API Version if your organization's Prisma Cloud Compute console uses a specific version to ensure API compatibility.
- Associate each Invicti AppSec project with the specific container image that represents its production artifact for accurate vulnerability tracking.
- Use the Scheduler to align scans with your container image rebuild cadence so findings always reflect the latest image state.
Limitations
- Prisma Cloud Compute CS in Invicti AppSec imports vulnerability data from existing Prisma Cloud Compute image scans — it does not trigger new scans.
- Only images already scanned within Prisma Cloud Compute and accessible via the configured credentials are available for binding.
- Runtime defense alerts and behavioral signals from Prisma Cloud Compute are not surfaced in Invicti AppSec findings; only vulnerability data is imported.
- The Supported API Version field accepts only v30.03, v31.02, and v32.02; other versions are not supported.