To migrate from Prisma Cloud to Cortex Cloud, transition your workflows from your commercial version of Checkov CLI, which is used for SCA, Secrets, and IaC scanning in local or build environments, and the TwistCLI, which is used for container image scanning, to the Cortex CLI. The Cortex CLI provides a single, consistent command-line interface for scanning across Cloud Workload Protection (CWP), API Security, and Cortex Cloud Application Security.
Prerequisites
Before you begin, ensure you have the following:
Cortex Cloud API key: An active API key for your Cortex Cloud tenant with the associated CLI role permissions. Refer to Manage API keys for more information.
Cortex CLI: Install the Cortex CLI. You can find the installation instructions here.
Authentication
The Cortex CLI offers a consistent authentication method across all its supported modules (CWP, Application Security, and API Security). You can authenticate using one of two methods: environment variables or command-line flags.
Authenticate via environment variables
Setting environment variables is the recommended method for authentication as it prevents your API credentials from being exposed in your command history and codebase:
Create an environment configuration file named cortex.env and keep it out of version control.
The Cortex CLI uses the following environment variables:
CORTEX_API_KEY_ID: Your unique API key ID
CORTEX_API_KEY: Your API key
CORTEX_API_URL: Your tenant URL (for example https://api-tenantname.paloaltonetworks.com/)
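The page recommends a cortex.env file but does not show how to load it safely. The following shell helper is an added example, not part of the Cortex CLI or of this documentation: it sources the file, exports the three variables named above for the cortexcli child process, and refuses to continue if the file is readable by other users, a variable is missing, or the URL is not https. It assumes the file consists of plain KEY=VALUE shell assignments (quote values that contain spaces); the variable names and the file name are the page's, the checks and messages are this example's.

```bash
#!/usr/bin/env bash
# load_cortex_env [FILE]
# Added example (not part of the Cortex CLI): source a cortex.env file of
# KEY=VALUE lines into the current shell, exporting its variables for the
# cortexcli child process, and refuse to proceed if the file is readable by
# other users, a variable is missing, or the URL is not https.
load_cortex_env() {
  file="${1:-cortex.env}"
  if [ ! -f "$file" ]; then
    echo "load_cortex_env: $file not found" >&2
    return 1
  fi

  # The file holds an API key: reject any group/other permission bits.
  # (stat -c is GNU coreutils; stat -f is the BSD/macOS spelling.)
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    *00) ;;
    *) echo "load_cortex_env: $file has mode $mode; run: chmod 600 $file" >&2
       return 1 ;;
  esac

  # set -a marks every variable the file assigns for export.
  set -a
  # shellcheck disable=SC1090
  . "$file"
  set +a

  missing=""
  for v in CORTEX_API_KEY_ID CORTEX_API_KEY CORTEX_API_URL; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  if [ -n "$missing" ]; then
    echo "load_cortex_env: not set in $file:$missing" >&2
    return 1
  fi

  case "$CORTEX_API_URL" in
    https://*) ;;
    *) echo "load_cortex_env: CORTEX_API_URL must start with https://" >&2
       return 1 ;;
  esac

  # The page's example URL ends in "/", while its CI example builds
  # "${CORTEX_API_URL}/public_api/..."; normalise to no trailing slash so the
  # concatenation never yields "//".
  CORTEX_API_URL="${CORTEX_API_URL%/}"
  export CORTEX_API_URL
  return 0
}

# Usage: create the file under a restrictive umask, then load it and scan.
#   ( umask 077; printf 'CORTEX_API_KEY_ID=...\nCORTEX_API_KEY=...\nCORTEX_API_URL=https://api-tenantname.paloaltonetworks.com/\n' > cortex.env )
#   load_cortex_env cortex.env && cortexcli code scan --directory ./my-app
```

Because the function runs in the calling shell rather than a subshell, the exported variables remain available to every cortexcli invocation that follows in the same script.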
Authenticate via command-line flags
You can also authenticate by providing your API credentials and base URL directly in the command.
cortexcli code scan --api-base-url <CORTEX_API_BASE_URL> --api-key-id <YOUR_API_KEY_ID> --api-key <YOUR_API_KEY> --directory ./my-app
Replace these placeholders:
--api-key-id: Your unique API key ID
--api-key: Your API key
--api-base-url: Your API base URL
Key changes: commands and functionality
The main change is the command you use to initiate a scan. Instead of the checkov or twistcli commands, you now use the cortexcli command with its subcommands.
| Prisma Cloud command | Cortex CLI command | Description |
|---|---|---|
| checkov | cortexcli code scan | The base command for all code scanning operations |
| twistcli images scan | cortexcli image scan | The base command for all container image scanning operations |
Migrate Checkov to the Cortex CLI
Migrate your existing Checkov workflows using the following resources to map your essential commands and flags.
Flag references
For Cortex CLI flags applicable to all supported Cortex Cloud modules, refer to the Cortex CLI common command line reference guide documentation
For specific Cortex Cloud Application Security flags, refer to Cortex CLI Cortex Cloud Application Security command line reference
For checkov flags, refer to the CLI Command Reference
Cortex Cloud Application Security-specific flags
Here are some common Application Security flags to get you started:
--directory: Specifies the directory path to be scanned. This is a required argument for most Application Security scan commands
--repo-id: Identifies the repository being scanned. This flag links the scan results to the correct repository within Cortex Cloud
--branch: Specifies the branch of the repository being scanned
--upload-mode: Determines how scan data is handled, with the options upload, no-upload, and no-code
Scan output and reporting
The output of a scan can be saved in various formats. The following table maps the output formats and commands.
| | Checkov | Cortex CLI |
|---|---|---|
| Output formats | | |
| Output command | | |
Use cases: migrate Checkov to Cortex CLI
Here are some common Checkov workflows and their equivalents using the Cortex CLI tool.
Case #1: Basic directory scan
To perform a basic scan on a local directory:
Checkov:
checkov --directory <directory>
Cortex CLI:
cortexcli code scan --directory <directory>
Case #2: Scan and upload to your tenant
Checkov: By default, scan results are uploaded to your tenant if you have an API token. For example, the following command uploads its scan results:
checkov -d . --repo-id my-org/my-repo
Cortex CLI:
cortexcli appsec scan [scan type] --directory . --repo-id my-org/my-repo --branch main --upload-mode upload
Case #3: Scan without uploading output
Get scan results in your terminal without uploading them to your tenant.
Checkov:
checkov -d . --skip-results-upload
Cortex CLI:
cortexcli appsec scan --directory . --upload-mode no-upload
Advanced use case: CI/CD Pipeline Integration
You can integrate the Cortex CLI directly into your CI/CD pipelines to enable automated code scans by adding code snippets to your build script or pipeline configuration, such as a YAML file (see the Cortex CLI snippets for GitHub Actions, Jenkins and other systems).
When updating your CI/CD pipeline, replace the legacy checkov step with the new cortexcli scan command.
Docker image limitation: The Cortex CLI Docker image does not support SCA scans. If your workflow relies on SCA scanning, update your pipelines to download the cortexcli binary directly, as the example below does.
These examples demonstrate a GitHub Actions workflow in both legacy and the new Cortex CLI environments.
Checkov YAML step
This example shows a typical step using checkov-action.

```yaml
- name: Run Checkov scan
  uses: bridgecrewio/checkov-action@v12
  with:
    directory: ./terraform
    framework: terraform
    quiet: true # Display only failed checks in the CLI output
```

Cortex CLI YAML step
This new step calls the Cortex CLI directly. It uses GitHub secrets to provide the API credentials. Note the prerequisites in the YAML (such as Node.js v22). For a list of requirements, refer to both the general requirements (Connect Cortex CLI) and Application Security specific requirements (Cortex CLI for Code Security). Two things to check before copying it: do not enable shell tracing (set -x) in the download step, because tracing prints the expanded curl command, including the Authorization header that carries the API key, into the job log (GitHub masks values it knows came from secrets, but that is a safety net, not a control); and replace the CORTEX_API_URL shown, which is a test tenant, with your own tenant URL.

```yaml
name: Cortex CLI Code Scan
on:
  push:
    branches:
      - main
  workflow_dispatch:
env:
  CORTEX_API_KEY: ${{secrets.CORTEX_API_KEY}}
  CORTEX_API_KEY_ID: ${{secrets.CORTEX_API_KEY_ID}}
  # Replace with your own tenant URL
  CORTEX_API_URL: https://api-viso-cq3sdpg7uyd6vqk66ccjyv.xdr-qa2-uat.us.paloaltonetworks.com
jobs:
  cortex-code-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v2
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 22
      - name: Verify Node.js Version
        run: node -v
      - name: Download cortexcli
        run: |
          # No "set -x" here: tracing would echo the API key header into the log.
          crtx_resp=$(curl -fsS "${CORTEX_API_URL}/public_api/v1/unified-cli/releases/download-link?os=linux&architecture=amd64" \
            -H "x-xdr-auth-id: ${CORTEX_API_KEY_ID}" \
            -H "Authorization: ${CORTEX_API_KEY}")
          crtx_url=$(echo "$crtx_resp" | jq -r ".signed_url")
          curl -fsSL -o cortexcli "$crtx_url"
          chmod +x cortexcli
          ./cortexcli --version
      - name: Run Cortex CLI Code Scan
        run: |
          ./cortexcli \
            --api-base-url "${CORTEX_API_URL}" \
            --api-key "${CORTEX_API_KEY}" \
            --api-key-id "${CORTEX_API_KEY_ID}" \
            code scan \
            --directory "${{github.workspace}}" \
            --repo-id "${{github.repository}}" \
            --branch "${{github.ref_name}}" \
            --source "GITHUB_ACTIONS" \
            --create-repo-if-missing
```
Migrate TwistCLI to the Cortex CLI
To help you transition your TwistCLI workflows, this section provides both the necessary flag references and a practical example to guide you in implementing your most common use cases. You can use the following references to map your existing TwistCLI workflows to their Cortex CLI equivalents.
For TwistCLI flags, refer to Scan Images with twistcli
For cortexcli flags common to all supported Cortex Cloud modules, refer to Cortex CLI common command line reference guide
For specific Cloud Workload Protection (CWP) flags, refer to Cloud Workload Protection command line reference
Use case: Scan a container image
Here is how you can map your TwistCLI image scan command to the Cortex CLI.
Legacy Twistcli command
```bash
./twistcli images scan \
  --address "your Prisma Cloud Console URL" \
  --user "your_access_key_id" \
  --password "your_secret_key" \
  ubuntu:latest
```
Cortex CLI command
cortexcli image scan <container image path>
For example, the twistcli scan above becomes:
cortexcli image scan ubuntu:latest
The Prisma Cloud console address, access key and secret key have no place in the new command: cortexcli authenticates with the Cortex Cloud API key through the environment variables or --api-* flags described under Authentication.
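The flag mappings in the Checkov use cases and in the TwistCLI image scan above can be applied mechanically to the scripts that still call the old tools. The following pair of shell functions is an added example, not part of the Cortex CLI or of this documentation: each rewrites a legacy invocation into the cortexcli form shown on this page. They handle only the flags the page maps (-d/--directory, --repo-id, --branch and --skip-results-upload for checkov; --address, --user, --password and the image reference for twistcli); anything else is written to stderr for manual review rather than guessed, and Prisma Cloud credentials are never carried over, because cortexcli authenticates with the Cortex API key through the CORTEX_* variables. The `cortexcli code scan` spelling follows the command table and the CI example; the warning text and the treatment of unknown flags are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example: translate legacy checkov / twistcli invocations into the
# cortexcli form documented on this page. Only the flags the page maps are
# handled; anything else is reported on stderr and dropped rather than
# guessed, so the output is something to review, not to run blindly.
# The subcommand names are the page's; the helper is not part of Cortex CLI.

# migrate_checkov_cmd [checkov] ARGS...
# -d/--directory -> --directory; --repo-id and --branch are carried over;
# --skip-results-upload -> --upload-mode no-upload (default: upload).
migrate_checkov_cmd() {
  directory="" ; repo_id="" ; branch="" ; upload_mode="upload" ; unknown=""
  [ "${1:-}" = "checkov" ] && shift
  while [ $# -gt 0 ]; do
    case "$1" in
      -d|--directory|--repo-id|--branch)
        [ $# -ge 2 ] || { echo "migrate_checkov_cmd: $1 needs a value" >&2; return 1; } ;;
    esac
    case "$1" in
      -d|--directory)        directory="$2"; shift 2 ;;
      --repo-id)             repo_id="$2";   shift 2 ;;
      --branch)              branch="$2";    shift 2 ;;
      --skip-results-upload) upload_mode="no-upload"; shift ;;
      *)                     unknown="$unknown $1"; shift ;;
    esac
  done
  if [ -z "$directory" ]; then
    echo "migrate_checkov_cmd: no -d/--directory given; cortexcli needs --directory" >&2
    return 1
  fi
  [ -n "$unknown" ] && echo "migrate_checkov_cmd: not mapped, review by hand:$unknown" >&2
  cmd="cortexcli code scan --directory $directory"
  [ -n "$repo_id" ] && cmd="$cmd --repo-id $repo_id"
  [ -n "$branch" ]  && cmd="$cmd --branch $branch"
  echo "$cmd --upload-mode $upload_mode"
}

# migrate_twistcli_cmd [./twistcli] images scan [--address URL] [--user ID]
#                      [--password SECRET] [other --flags] IMAGE
# Only the image reference survives: cortexcli takes it as a positional
# argument and authenticates with the Cortex API key (CORTEX_API_KEY_ID,
# CORTEX_API_KEY, CORTEX_API_URL), not the Prisma Cloud access key, so
# --address/--user/--password are dropped with a note. Other --flags are
# assumed to take no value and are listed for review.
migrate_twistcli_cmd() {
  image="" ; dropped=""
  case "${1:-}" in *twistcli) shift ;; esac
  if [ "${1:-}" != "images" ] || [ "${2:-}" != "scan" ]; then
    echo "migrate_twistcli_cmd: expected 'images scan'" >&2
    return 1
  fi
  shift 2
  while [ $# -gt 0 ]; do
    case "$1" in
      --address|--user|--password)
        [ $# -ge 2 ] || { echo "migrate_twistcli_cmd: $1 needs a value" >&2; return 1; }
        dropped="$dropped $1"; shift 2 ;;
      --*) dropped="$dropped $1"; shift ;;
      *)   image="$1"; shift ;;
    esac
  done
  if [ -z "$image" ]; then
    echo "migrate_twistcli_cmd: no image reference given" >&2
    return 1
  fi
  [ -n "$dropped" ] && echo "migrate_twistcli_cmd: dropped (set CORTEX_API_KEY_ID/CORTEX_API_KEY/CORTEX_API_URL instead):$dropped" >&2
  echo "cortexcli image scan $image"
}

# Usage:
#   migrate_checkov_cmd checkov -d . --repo-id my-org/my-repo --skip-results-upload
#   migrate_twistcli_cmd ./twistcli images scan --address URL --user ID --password SECRET ubuntu:latest
```

The translated command is printed, not executed, and its arguments are not shell-quoted; feed it into a script review rather than straight into a pipeline, and give the pipeline its credentials through the CORTEX_* variables from the Authentication section.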