Prisma Cloud Compute: How to add a feature flag to remove stale assets vulnerabilities result

Created On 12/11/24 01:20 AM - Last Modified 11/03/25 18:43 PM


Objective


To remove the vulnerability scan results for stale hosts and images.



Environment


  • Prisma Cloud Compute Edition


Procedure


For Docker Container:

  1. SSH into the host where the console container is running.
  2. Edit the twistlock.cfg file. It is located at the following default path: /var/lib/twistlock/scripts.
  3. Open the twistlock.cfg file by using the following command: nano twistlock.cfg.
  4. Add the following environment variables:
    1. CORE_DELETE_STALE_ASSETS_ENABLED=true
    2. CORE_DELETE_STALE_IMAGES_ENABLED=true
  5. Save the file and exit.
  6. Restart the console container.
    • If onebox installation:
      • sudo ./twistlock.sh -syj onebox
    • If standalone console:
      • sudo ./twistlock.sh -syj console
    • If Kubernetes environment:
      • kubectl apply -f twistlock_console.yaml
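
An added example (not from the original article) that performs the edit in steps 2 to 5 idempotently: it backs up the file, sets both flags without duplicating lines, and checks the result. It assumes twistlock.cfg stores one KEY=value setting per line, as step 4 shows; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: set the two feature flags from step 4 idempotently.
# Assumption: twistlock.cfg holds one KEY=value setting per line.

# set_flag FILE KEY VALUE (hypothetical helper)
# Rewrites an existing KEY=... line, or appends KEY=VALUE if absent.
set_flag() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        tmp=$(mktemp) || return 1
        # Write back with cat so the file keeps its owner and mode.
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp" &&
            cat "$tmp" > "$file"
        rc=$?
        rm -f "$tmp"
        return $rc
    fi
    # Terminate an unterminated last line before appending.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s=%s\n' "$key" "$value" >> "$file"
}

# Back up the config once, then enable both cleanup flags.
enable_stale_cleanup() {
    cfg=$1
    [ -f "$cfg" ] || { echo "not found: $cfg" >&2; return 1; }
    # Keep the first backup so reruns do not overwrite the original.
    [ -f "$cfg.bak" ] || cp -p "$cfg" "$cfg.bak" || return 1
    set_flag "$cfg" CORE_DELETE_STALE_ASSETS_ENABLED true &&
        set_flag "$cfg" CORE_DELETE_STALE_IMAGES_ENABLED true
}

# Succeeds only when both flags are present and set to true.
flags_enabled() {
    grep -qx 'CORE_DELETE_STALE_ASSETS_ENABLED=true' "$1" &&
        grep -qx 'CORE_DELETE_STALE_IMAGES_ENABLED=true' "$1"
}

# Demo on a constructed sample file (not a real twistlock.cfg).
demo=$(mktemp)
printf 'SAMPLE_SETTING=1\nCORE_DELETE_STALE_IMAGES_ENABLED=false\n' > "$demo"
enable_stale_cleanup "$demo" && flags_enabled "$demo" && cat "$demo"
rm -f "$demo" "$demo.bak"
```

Call enable_stale_cleanup with the path to your twistlock.cfg, then restart the console as in step 6.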

[Image: Example of twistlock.cfg file with the environment variable]

For Kubernetes Console:

  1. Edit the console yaml file as follows:

     spec:
       ...
       containers:
         ...
         env:
         - name: CORE_DELETE_STALE_ASSETS_ENABLED
           value: "true"
         - name: CORE_DELETE_STALE_IMAGES_ENABLED
           value: "true"

  2. Run the following to apply the updated yaml file:
    • kubectl apply -f twistlock_console.yaml
  3. Verify that the change took place by running:
    • kubectl get pod <console-pod-name> -o yaml -n <twistlock-namespace>



Additional Information


Once these feature flags are enabled, the cleanup tasks run periodically: once every 1 hour for hosts cleanup and once every day for images cleanup. The cleanup should be complete after the first run of the hosts/images cleanup task, so the next run does nothing unless more stale hosts or images were added in the meantime.


