# Dynamically Analyze Container Images Before Deploying to Production

By [Gal Revach](https://www.paloaltonetworks.com/blog/author/gal-revach/?ts=markdown "Posts by Gal Revach"), Sep 08, 2021

Container image workflows are simple. Any developer or DevOps engineer can easily pull and run images from external repositories, such as Docker Hub.
As a result, many organizations increasingly depend on external code, open-source images, and packages that are pulled from different sources. These images are built by various individuals, some of them malicious, who might, for example, embed malware in innocent-looking images.

Prisma Cloud's image scanning identifies vulnerabilities and compliance issues in container images during the development process and prior to their deployment to production. While static image scanning is essential for container security, some malicious behaviors can only be observed when an image runs as a container. To effectively defend cloud native applications, security and DevOps teams must assess the behavior of a container at runtime, before they start using the image and deploy it to live environments.

We are happy to announce the Prisma Cloud Image Analysis Sandbox. With this newest enhancement, Prisma Cloud can dynamically run and scan container images in a [sandbox](https://www.paloaltonetworks.com/cyberpedia/sandboxing) virtual machine (VM). This allows you to see suspicious findings detected when the container is running, such as malware, cryptominers or port scanning, as well as a full profile of the runtime behavior of the container.

## Assess the Risk of an Image

Once the sandbox analysis is initiated, the image analysis sandbox mechanism runs the image for a defined amount of time and traces all the events occurring on the running container. Using advanced heuristics on the collected events, Prisma Cloud detects suspicious behavior of the container. Possible suspicious findings include malware, detected through [an integration with Palo Alto Networks WildFire](https://www.paloaltonetworks.com/blog/prisma-cloud/prisma-cloud-and-wildfire-integration/), which is one of the leading and most advanced malware detection tools.
Other findings are cryptocurrency miners, port scanning, suspicious ELF headers of a binary, unusual execution of files, and additional threats.

![Image analysis sandbox dashboard to analysis results](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/09/word-image-10.png)

Image analysis sandbox dashboard to analysis results

A suspicious finding is displayed to you with the appropriate severity and all its relevant details. Prisma Cloud determines the verdict of the image according to the findings, to help you understand the potential risk level the image presents and decide whether it is allowed to run in an open, networked environment.

![Detailed view of analysis for container image alpine:wf-base](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/09/word-image-11.png)

Detailed view of analysis for container image alpine:wf-base

## Get a Comprehensive Runtime Behavior Profile of the Image

When analyzing an image using the Image Analysis Sandbox, you get the full picture of the container behavior. Prisma Cloud monitors and captures the process, network, and file system events that occurred while the container was running in the sandbox and shows them to you in a detailed overview.

You can dive into the processes that were running on the container, displayed either by type, as a process profile of the container, or by time, with each process execution instance listed. Furthermore, you can explore the container's networking activity, including its listening ports, DNS queries and the outbound connections performed. The outbound connections are also displayed on a world map so that you can easily see whether the container was trying to reach an unusual location.
![Overview of container behavior in Prisma Cloud’s image analysis sandbox](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/09/word-image-12.png)

Overview of container behavior in Prisma Cloud's image analysis sandbox

## Incorporate Dynamic Analysis in Your Workflow

The image analysis sandbox is triggered as a command in twistcli, the CLI tool for Prisma Cloud Compute. This allows you to perform an analysis on demand for an image you want to assess, or to incorporate it into your CI pipeline as a security gate in addition to static scanning for vulnerabilities and compliance.

![Command line output of analysis results](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/09/word-image-13.png)

Command line output of analysis results

## Image Analysis Sandbox in Action with an Example Image

Let's see an example of the image analysis sandbox in action. In our demo environment, we triggered an analysis on an example image that ran for two minutes. When the analysis finished, the report indicated 13 suspicious findings, one of them for the creation of a new executable on the disk, */bin/invoker_prc*.

![View of 13 suspicious findings from container image analysis sandbox](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/09/word-image-14.png)

View of 13 suspicious findings from container image analysis sandbox

As we continue to review the results, we see a Dropper finding for the same process. The process */bin/invoker_prc*, which didn't exist in the original image, was also executed.

![Detailed information on processes identified](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/09/word-image-15.png)

Detailed information on processes identified

This alone lets us understand that this might be a malicious image. Further investigation in the container behavior section shows indications that the suspicious process tried to reach out to several outbound IPs and touched multiple files on the disk.
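The dropper pattern described above (a file that was not in the image is written during the run and then executed) can be expressed as a correlation over a runtime event trace. The following is an added example, not Prisma Cloud's detection code or output format; the event schema, field names, sample trace and every path other than `/bin/invoker_prc` are constructed for illustration.

```python
import posixpath

ELF_MAGIC = b"\x7fELF"

# Constructed sample data (not Prisma Cloud output): paths present in the
# image layers, and an event trace from a hypothetical sandbox run.
IMAGE_FILES = {"/bin/sh", "/bin/busybox", "/usr/bin/wget", "/entrypoint.sh"}
EVENTS = [
    {"t": 0.1, "type": "exec", "path": "/entrypoint.sh", "pid": 1},
    {"t": 0.4, "type": "exec", "path": "/usr/bin/wget", "pid": 7},
    {"t": 1.9, "type": "write", "path": "/tmp/payload.tmp", "pid": 7,
     "head": b"\x7fELF\x02\x01"},
    {"t": 2.0, "type": "rename", "path": "/tmp/payload.tmp",
     "dest": "/bin/invoker_prc", "pid": 1},
    {"t": 2.1, "type": "chmod", "path": "/bin/invoker_prc", "mode": 0o755, "pid": 1},
    {"t": 2.3, "type": "exec", "path": "/bin/../bin/invoker_prc", "pid": 9},
    {"t": 3.0, "type": "write", "path": "/var/log/app.log", "pid": 1,
     "head": b"started\n"},
    {"t": 3.5, "type": "exec", "path": "/bin/sh", "pid": 11},
]


def analyze(image_files, events):
    """Return 'dropper' findings (a runtime-created file that is later
    executed) followed by 'new_executable' findings (a runtime-created file
    that is an ELF binary or has an execute bit set)."""
    image_files = {posixpath.normpath(p) for p in image_files}
    created = {}  # normalized path -> facts about a file that appeared at runtime
    findings = []
    for ev in sorted(events, key=lambda e: e["t"]):
        path = posixpath.normpath(ev["path"])  # /bin/../bin/x -> /bin/x
        if ev["type"] == "write" and path not in image_files:
            info = created.setdefault(
                path, {"elf": False, "exec_bit": False, "writer": ev["pid"]})
            info["elf"] = info["elf"] or ev.get("head", b"").startswith(ELF_MAGIC)
        elif ev["type"] == "rename" and path in created:
            # Follow the file to its new name so staging elsewhere does not hide it.
            created[posixpath.normpath(ev["dest"])] = created.pop(path)
        elif ev["type"] == "chmod" and path in created:
            created[path]["exec_bit"] = bool(ev["mode"] & 0o111)
        elif ev["type"] == "exec" and path in created:
            findings.append({"kind": "dropper", "path": path, "t": ev["t"],
                             "writer_pid": created[path]["writer"],
                             "exec_pid": ev["pid"]})
    for path, info in created.items():
        if info["elf"] or info["exec_bit"]:
            findings.append({"kind": "new_executable", "path": path})
    return findings


def verdict(findings):
    """Gate policy assumed for this example: fail on any dropper finding."""
    return "fail" if any(f["kind"] == "dropper" for f in findings) else "pass"


if __name__ == "__main__":
    results = analyze(IMAGE_FILES, EVENTS)
    for finding in results:
        print(finding)
    print("verdict:", verdict(results))
```

Writes to paths that already exist in the image are ignored here, so a tampered image binary would need a separate check such as comparing file hashes against the image layers.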
![Detailed view of image analysis network connectivity map](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/09/word-image-16.png)

Detailed view of image analysis network connectivity map

Reviewing the results for our example image leads us to understand that this is a malicious image that should not be used. Discovering it on the sandbox machine helped secure the environment by preventing us from running this image in production.

![File system analysis](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/09/word-image-17.png)

File system analysis

## Get Started with the Image Analysis Sandbox

The Image Analysis Sandbox discovers hidden malware and suspicious behaviours in container images that would otherwise be discovered only once the image was already running in the environment. It also creates and displays a full profile of the container behavior at runtime. Understanding how an image will operate at runtime helps security teams decide whether the image is safe to use in live environments and shifts your organization's cloud security left.

## Learn More About Containers

Whether you're new to containers or a cloud-native veteran, [The 2024 Definitive Guide to Container Security](https://www.paloaltonetworks.com/resources/ebooks/container-security-definitive-guide) is your essential resource for understanding, implementing and mastering security in a containerized environment. This book-length guide lays out in-depth insights and practical advice to empower developers, DevOps, cloud teams and security professionals to effectively protect their cloud-native applications.