11-19-2024 08:48 AM
We're currently running scans on our containers in our Jenkins CI/CD pipelines, running twistcli on the command line. When we view the scan results for these images on the Prisma Cloud site (Monitor > Vulnerabilities > Images > CI or Monitor > Compliance > Images > CI), the "Labels" tab of the scan result shows things like JOB_NAME and NODE_NAME, which it appears to be getting from the Jenkins pipeline that ran twistcli.
Is there any way to add additional labels? For example, we'd like to be able to add some metadata like the git commit hash or the Jenkins job number as well.
I did see there was a "--custom-labels" option for twistcli, but can't see any examples or explanation that would indicate if this is what I'm looking for. Thanks.
02-21-2025 11:22 AM
@EGould-Marian did you ever get any traction on this? I am looking into the same thing right now.
02-24-2025 12:41 PM
Yes, you can add additional labels to your container scan results using the --custom-labels option in twistcli. This allows you to include metadata such as the git commit hash or Jenkins job number in the scan results.
Here is a step-by-step guide on how to use the --custom-labels option with twistcli:
1. Determine the Metadata to Include: Decide on the metadata you want to add as labels. For example, GIT_COMMIT and BUILD_NUMBER.
2. Modify your Jenkins Pipeline: Update your Jenkins pipeline script to include these labels. Below is an example of how you might modify your twistcli scan command to include the --custom-labels option:
3. Run the Pipeline: Execute your Jenkins pipeline. The twistcli command will include the custom labels in the scan results, and they will be visible in the Prisma Cloud Console under the "Labels" tab.
4. Verify Labels in Prisma Cloud Console: After the scan is completed, navigate to the Prisma Cloud Console (Monitor > Vulnerabilities > Images > CI or Monitor > Compliance > Images > CI) and check the "Labels" tab for the scan results. You should see the additional labels (e.g., GIT_COMMIT and BUILD_NUMBER) you included.
By following these steps, you can add custom metadata labels to your container scan results, making it easier to track and manage your scans based on specific criteria like git commit hashes and Jenkins job numbers.
02-24-2025 12:43 PM
```groovy
pipeline {
    agent any
    environment {
        GIT_COMMIT = sh(script: 'git rev-parse HEAD', returnStdout: true).trim()
        BUILD_NUMBER = env.BUILD_NUMBER
    }
    stages {
        stage('Scan with twistcli') {
            steps {
                script {
                    sh """
                        twistcli images scan --address <PRISMA_CLOUD_CONSOLE_ADDRESS> --user <PRISMA_CLOUD_USER> --password <PRISMA_CLOUD_PASSWORD> --custom-labels GIT_COMMIT=${GIT_COMMIT},BUILD_NUMBER=${BUILD_NUMBER} <IMAGE_NAME>
                    """
                }
            }
        }
    }
}
```
In this example:
- GIT_COMMIT is set to the current git commit hash.
- BUILD_NUMBER is set to the Jenkins build number.
- twistcli images scan command using the --custom-labels option.
02-24-2025 12:52 PM
Please let me know if that helps or not.
02-24-2025 04:59 PM
Excellent, I will pass this along to my build team and let you know, thanks!
03-06-2025 11:17 AM
We have not been able to run this successfully.
```groovy
pipeline {
    agent any
    environment {
        GIT_COMMIT = sh(script: 'git rev-parse HEAD', returnStdout: true).trim()
        BUILD_NUMBER = env.BUILD_NUMBER
    }
    stages {
        stage('Scan with twistcli') {
            steps {
                script {
                    sh """
                        twistcli images scan --address <PRISMA_CLOUD_CONSOLE_ADDRESS> --user <PRISMA_CLOUD_USER> --password <PRISMA_CLOUD_PASSWORD> --custom-labels GIT_COMMIT=${GIT_COMMIT},BUILD_NUMBER=${BUILD_NUMBER} <IMAGE_NAME>
                    """
                }
            }
        }
    }
}
```
We're getting an error that it "failed to find image", then it points to "GIT_COMMIT" as if it is the image, rather than the actual image name. The variation here being that we are trying to directly define the GIT_COMMIT=author-name rather than defining it in the environment variables.
Should the <IMAGE_NAME> be directly after --custom-labels or are the custom labels not being seen, because they aren't being defined in the environment variables of the pipeline?
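An added example, not part of any post in this thread and not Prisma Cloud's own code: a POSIX shell helper that assembles the KEY=VALUE,KEY=VALUE string in the form the pipeline above places after --custom-labels, and refuses keys or values containing spaces, commas or shell metacharacters that would split the argument or be interpreted by the `sh` step. The function names and sample values are hypothetical, and whether twistcli accepts such an argument is not settled in this thread.

```shell
#!/bin/sh
# Added example: build a "K1=V1,K2=V2" label string from CI metadata and
# reject anything that could split the argument or reach the shell as code.

# valid_label KEY VALUE -> status 0 only if both parts use a safe alphabet
valid_label() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;     # key: letters, digits, underscore
    esac
    case "$2" in
        ''|*[!A-Za-z0-9._/-]*) return 1 ;;  # value: no space, ',', '=', quotes, '$', ';'
    esac
    return 0
}

# build_labels KEY=VALUE ... -> prints the joined string; non-zero on any bad pair
build_labels() {
    out=
    for pair in "$@"; do
        case "$pair" in
            *=*) ;;
            *) echo "not KEY=VALUE: $pair" >&2; return 1 ;;
        esac
        key=${pair%%=*}      # text before the first '='
        value=${pair#*=}     # text after the first '='
        if ! valid_label "$key" "$value"; then
            echo "rejected label: $key" >&2
            return 1
        fi
        out="${out:+$out,}$key=$value"
    done
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Constructed sample values standing in for Jenkins' GIT_COMMIT and BUILD_NUMBER.
SAMPLE_COMMIT=3f2a9c1d5e7b8a6f4c0d2e1b9a8f7c6d5e4b3a21
SAMPLE_BUILD=128
build_labels "GIT_COMMIT=$SAMPLE_COMMIT" "BUILD_NUMBER=$SAMPLE_BUILD"
```

When the result is used in a command, pass it as one double-quoted shell argument so it cannot be split into separate words.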