Prisma Cloud Compute: Information on Base images digests

Created On 07/14/24 00:39 AM - Last Modified 06/23/25 18:16 PM


Symptom


  • When an image is added at Defend > Vulnerabilities > Base images, the "Digest" mentioned on the base image entry is different from the image Id or Digest present at Monitor > Vulnerabilities > Images > Registry images.


Screenshot 2024-07-13 at 7.20.01 PM.png


Environment


  • Prisma Cloud Compute Edition
  • Docker


Cause


  • Running docker inspect on the relevant image shows the following:
The "Id" here represents the image ID as seen under the registry images result.
  • Scrolling to the bottom half of the output, we see that the last layer of the image is "sha256:9b212e0433ce151ccf0256279782b0aadae38779a991e99f6acc53b34067b383". This matches the base image digest seen in the screenshot in the Symptom section above.


Resolution


  • This behavior occurs because Prisma treats the last layer of the image as the end of the base image, which marks the boundary between the base image and the images built on top of it.
  • Prisma Cloud stores a maximum of the 50 latest digests per base image. When the limit is reached, the oldest digests are overwritten as new digests are discovered.
  • If you add another layer below the last layer while keeping the name of the image unchanged, adding the base image on the Prisma Console will update the "Digest" to reflect the digest (sha value) of the last added layer, so that the layer is included as part of the base image.
  • This helps the Console identify the layers that belong to the base image, as shown below:


Additional Information


  • Please note that if additional layers are added in between the base image layers when building a new image from the base image, this feature will not be able to identify the base image, because the chain of layers is broken by the layers in between.
  • Please make sure to add the additional layers after the base image layers to help Prisma correctly identify the base image layers and utilize the "Exclude base image vulnerabilities" feature.
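
The layer-chain rule described in the Resolution and Additional Information sections can be checked locally from docker inspect output before relying on "Exclude base image vulnerabilities". The following Python code is an added example, not Palo Alto Networks code: the prefix comparison is an assumed model of the behavior described in this article, and the image IDs and layer digests are constructed placeholders.

```python
import json

def layers(inspect_json):
    """Return RootFS.Layers from the JSON text printed by `docker inspect <image>`."""
    doc = json.loads(inspect_json)
    entry = doc[0] if isinstance(doc, list) else doc
    return entry["RootFS"]["Layers"]

def base_digest(inspect_json):
    """Last layer of the image: the value the article says is shown as "Digest"."""
    return layers(inspect_json)[-1]

def split_on_base(base_json, child_json):
    """Assumed model of the boundary check (not Prisma's implementation):
    the child's layers must begin with the base image's layers, unbroken."""
    base, child = layers(base_json), layers(child_json)
    if child[:len(base)] == base:
        return {"base_found": True, "boundary": base[-1],
                "added": child[len(base):]}
    # Report where the chain diverges so the Dockerfile can be corrected.
    diverge = next((i for i, (b, c) in enumerate(zip(base, child)) if b != c),
                   min(len(base), len(child)))
    return {"base_found": False, "diverges_at": diverge,
            "boundary_present": base[-1] in child}

def make_inspect(image_id, layer_list):
    # Constructed sample holding only the fields used above.
    return json.dumps([{"Id": image_id,
                        "RootFS": {"Type": "layers", "Layers": layer_list}}])

# Constructed inputs: placeholder digests, not real sha256 values.
BASE = make_inspect("sha256:id-base", ["sha256:L1", "sha256:L2", "sha256:L3"])
ON_TOP = make_inspect("sha256:id-app",
                      ["sha256:L1", "sha256:L2", "sha256:L3", "sha256:A1"])
IN_BETWEEN = make_inspect("sha256:id-bad",
                          ["sha256:L1", "sha256:X1", "sha256:L2", "sha256:L3", "sha256:A1"])

if __name__ == "__main__":
    print("base digest:", base_digest(BASE))
    print("on top     :", split_on_base(BASE, ON_TOP))
    print("in between :", split_on_base(BASE, IN_BETWEEN))
```

With real images, pass the text output of docker inspect for the base image and for the derived image to split_on_base in place of the constructed samples.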
