Twistcli Scan Results Don't Match Deployed Scan Results and Show Packages without a Path

Created On 10/31/22 20:50 PM - Last Modified 10/06/25 16:23 PM


Symptom


  • Scanning an image with "twistcli" yields different results from the "Deployed images" scan of the same image
  • The set of packages detected can differ when the "--include-js-dependencies" flag is passed to "twistcli"
  • Node.js packages are listed in the scan report without a path
  • Depending on the configured rules, packages detected only in the CI scan can cause the build to fail


Environment


  • Linux machine (Debian/Ubuntu/RHEL)
  • Docker (or any other container runtime)
  • Red Hat images (rhel8 and similar)
  • Twistcli
  • Prisma Cloud Compute - SaaS
  • Prisma Cloud Compute - Self-Hosted


Cause


  • The "Deployed images" scan (performed by the Defender) and a CI scan (performed by "twistcli") can produce different results when the "twistcli" version does not match the version of the Console and its Defenders
  • With the "--include-js-dependencies" flag, the scan also evaluates JavaScript packages that are merely listed in manifests (package.json, bower.json); by default Prisma Cloud evaluates only packages actually present on disk. This is the main difference between scans run with and without the flag



Resolution


  • The "twistcli" version should match the Compute Console version (shown by clicking the bell icon in the top right corner of the Console). Download "twistcli" from the Console you scan against rather than reusing a binary from another release
  • Remove the "--include-js-dependencies" flag unless you specifically want to see packages that are only listed in manifests
  • The "--include-js-dependencies" flag can produce many false positives, because a manifest entry does not prove that the package, or that version of it, is installed in the image. Without the flag the scanner reports only JavaScript packages actually present on the file system, which gives more accurate results and matches what the "Deployed images" scan reports


Additional Information


  • The "--include-js-dependencies" flag makes the scanner read package.json and bower.json files to discover dependencies at scan time, including development dependencies (devDependencies), which are typically not installed in a production image
  • The version range specifiers allowed in package.json (such as ~ and ^) are the cause of the potential false positives: the manifest declares a range, not the exact version installed, so the reported version may not be the one in the image
  • A traditional CI scan (without the flag) reports only packages found on disk, which is why those entries carry a path while manifest-only entries do not
  • Related documentation: Scan images with twistcli
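As an added example (not part of this article or of Prisma Cloud's own tooling), the following Python compares two twistcli JSON reports of the same image, one produced with "--include-js-dependencies" and one without, and shows why the extra Node.js packages carry no path: they are taken from package.json entries, often declared with ^ or ~ ranges, rather than from files installed in the image. The report layout (results[].packages[] with type/name/version/path), the image name and the package.json contents are constructed for this illustration; confirm the field names against the JSON your twistcli version writes with "--output-file".

```python
"""Explain why a twistcli scan with --include-js-dependencies reports more
Node.js packages, and why those extra packages have no path."""
import json
import re

# Constructed sample report shaped like twistcli's --output-file JSON.
# Field names (results[].packages[].type/name/version/path) and the image
# name are assumptions for this example, not taken from the article.
WITHOUT_FLAG = json.loads("""
{"results": [{"id": "registry.example.com/app:1.0", "packages": [
  {"type": "os", "name": "openssl-libs", "version": "1:1.1.1k-7.el8_6"},
  {"type": "nodejs", "name": "express", "version": "4.18.2",
   "path": "/app/node_modules/express/package.json"},
  {"type": "nodejs", "name": "lodash", "version": "4.17.21",
   "path": "/app/node_modules/lodash/package.json"}
]}]}
""")

# Same image scanned with --include-js-dependencies (constructed): two extra
# Node.js packages appear that come only from the manifest and have no path.
WITH_FLAG = json.loads("""
{"results": [{"id": "registry.example.com/app:1.0", "packages": [
  {"type": "os", "name": "openssl-libs", "version": "1:1.1.1k-7.el8_6"},
  {"type": "nodejs", "name": "express", "version": "4.18.2",
   "path": "/app/node_modules/express/package.json"},
  {"type": "nodejs", "name": "lodash", "version": "4.17.21",
   "path": "/app/node_modules/lodash/package.json"},
  {"type": "nodejs", "name": "minimist", "version": "1.2.0", "path": ""},
  {"type": "nodejs", "name": "jest", "version": "29.0.0", "path": ""}
]}]}
""")

# Constructed package.json from the image's build context.
PACKAGE_JSON = {
    "dependencies": {"express": "^4.18.0", "lodash": "4.17.21", "minimist": "~1.2.0"},
    "devDependencies": {"jest": "^29.0.0"},
}

# An exact semver pin: MAJOR.MINOR.PATCH with an optional pre-release suffix.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")


def package_keys(report):
    """Return {(type, name, version)} for every package in a twistcli report."""
    return {(p["type"], p["name"], p["version"])
            for r in report["results"] for p in r.get("packages", [])}


def added_by_flag(with_flag, without_flag):
    """Names of packages present only in the --include-js-dependencies scan."""
    extra = package_keys(with_flag) - package_keys(without_flag)
    return sorted(name for _, name, _ in extra)


def manifest_only(report):
    """Node.js packages reported without a filesystem path: they were read
    from package.json/bower.json, not found installed on disk."""
    return sorted(p["name"] for r in report["results"]
                  for p in r.get("packages", [])
                  if p["type"] == "nodejs" and not p.get("path"))


def range_specifiers(package_json):
    """Dependencies declared as a range (^, ~, >=, *, ...) rather than an
    exact version, mapped to (section, specifier)."""
    out = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in package_json.get(section, {}).items():
            if not EXACT_VERSION.match(spec):
                out[name] = (section, spec)
    return out


def explain_differences(with_flag, without_flag, package_json):
    """Map each flag-only package to the reason it is a likely false positive."""
    ranges = range_specifiers(package_json)
    reasons = {}
    for name in added_by_flag(with_flag, without_flag):
        section, spec = ranges.get(name, (None, None))
        if spec is None:
            reasons[name] = "listed in manifest with exact version, not found on disk"
        else:
            reasons[name] = f"declared in {section} as {spec}; version unverified"
    return reasons


if __name__ == "__main__":
    print("added by flag:", added_by_flag(WITH_FLAG, WITHOUT_FLAG))
    print("manifest-only:", manifest_only(WITH_FLAG))
    for name, why in explain_differences(WITH_FLAG, WITHOUT_FLAG, PACKAGE_JSON).items():
        print(f"  {name}: {why}")
```

Running the script lists "jest" and "minimist" as the packages the flag added, both without a path, and ties each back to a ^ or ~ range in package.json; "jest" additionally comes from devDependencies, which is why a development-only package can turn up in a production image scan and, with a strict CI rule, fail the build.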


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sZo4CAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail