Information about Cortex XSIAM Docker image security practices.
The project that contains the source Dockerfiles used to build the images and the accompanying files is fully open source and available for review. Cortex XSOAR uses the secure Docker Hub registry for its Docker images. However, when using Cortex XSOAR on-prem, or in an Engine environment, you can also use the PANW registry. You can view the Docker trust information for each image at the image info branch.
We automatically update our open source Docker images and their accompanying dependencies (OS and Python). Examples of automatic updates can be viewed on GitHub.
We maintain Docker image information which includes information on Python packages, OS packages and image metadata for all our Docker images. Docker image information is updated nightly.
All of our images are continuously scanned using Prisma Cloud for known and newly published vulnerabilities, in two scenarios:
Every new image, and every new version of an image, is scanned before publishing to our public registries, as part of our CI/CD process.
All existing images are continuously scanned to check whether new vulnerabilities were published and now exist in those images.
We evaluate all critical/high findings and actively work to prevent and mitigate security vulnerabilities.
Cortex XSIAM ensures container images are fully patched and do not contain unnecessary packages. Patches and dependencies are applied automatically via our open source Dockerfiles build project.
Response Prioritization
We remediate any critical and high level vulnerabilities, irrespective of who found them. Issues may be discovered by external researchers, found during internal testing, encountered by customers or reported by other organizations and vendors.
Any vulnerability with a possible exploitation against our images would be responded to with utmost urgency. If we conclude that there is a risk for our customers we will issue an advisory with recommended actions and mitigations. Advisories are published at: https://security.paloaltonetworks.com/.
In each version release (every 3 months) we publish a new version of our content that uses the latest, secure versions of our images.
Troubleshooting
Purge old and unused images periodically.
If you scanned the Docker images locally and found some critical CVEs, make sure you use the latest version of the pack, as it should have the latest version of the image. In addition, purge the old and unused image with vulnerabilities.
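The purge step above, as an added example that is not part of the Cortex documentation or Palo Alto Networks tooling: it reads `docker images --format '{{.Repository}}:{{.Tag}}'` output and, for each demisto/* repository, selects every tag except the newest so the older copies can be removed once the updated pack has pulled the current image. It assumes GNU sort (for version ordering) and repository names without a colon; the image names and tags in the sample are constructed.

```shell
# Print the stale tags: for every repository whose path contains "demisto/",
# all tags except the highest one in version order, as "repo:tag" per line.
# Untagged leftovers (<none>:<none>) carry no version and are skipped here;
# they are handled by `docker image prune` in purge_stale_images below.
stale_images() {
    grep 'demisto/' \
    | grep -v ':<none>$' \
    | LC_ALL=C sort -t: -k1,1 -k2,2V \
    | awk -F: 'NR > 1 && prev_repo == $1 { print prev }
               { prev_repo = $1; prev = $0 }'
}

# Remove the stale tags from the local daemon. Set DRY_RUN=1 to only list
# what would be removed. Not called at load time, so the selection logic can
# be exercised without a Docker daemon.
purge_stale_images() {
    docker images --format '{{.Repository}}:{{.Tag}}' \
    | stale_images \
    | while IFS= read -r image; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            printf 'would remove %s\n' "$image"
        else
            docker rmi "$image"
        fi
    done
    # Dangling layers left behind by earlier pulls.
    [ "${DRY_RUN:-0}" = "1" ] || docker image prune -f
}

# Constructed sample of a local image list, in the format the functions
# expect (hypothetical tags; Docker Hub demisto images use repo:version).
SAMPLE_IMAGES='demisto/python3:3.10.13.80014
demisto/python3:3.10.12.68714
demisto/python3:3.10.13.83255
demisto/py3-tools:1.0.0.82565
demisto/py3-tools:1.0.0.79912
<none>:<none>
alpine:3.19'

# Usage against the sample: printf '%s\n' "$SAMPLE_IMAGES" | stale_images
```

Rescan the remaining images afterwards; an old tag that a running integration container still uses will not be removed until that container is stopped.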