Overview

Manage container image security, registry integrations, vulnerability assessments, and security policies for Falcon Container Security. These cmdlets enable comprehensive container lifecycle security including image scanning, policy enforcement, registry management, and runtime protection.

Prerequisites

  • Falcon Container Image: Read - Required for retrieval operations
  • Falcon Container Image: Write - Required for provisioning and modifications

Container Images

Get-FalconContainerImage

Search for Falcon Cloud Security container images.
Get-FalconContainerImage [-Filter <string>] [-Sort <string>] [-Limit <int32>] [-WithConfig <boolean>] [-Offset <int32>] [-All] [-Total]

Parameters

  • Filter (string): Falcon Query Language expression to limit results
  • Sort (string): Property and direction to sort results
  • Limit (int32): Maximum number of results per request
  • WithConfig (boolean): Include container image configuration detail
  • Offset (int32): Position to begin retrieving results
  • All (switch): Repeat requests until all available results are retrieved
  • Total (switch): Display total result count instead of results

Example

# Get all container images
Get-FalconContainerImage -All

# Get images with configuration
Get-FalconContainerImage -WithConfig $true -Limit 100

# Filter by registry
Get-FalconContainerImage -Filter "registry:'docker.io'" -All

New-FalconContainerImage

Create a Falcon Cloud Security base container image.
New-FalconContainerImage -ImageId <string> -ImageDigest <string> -Registry <string> -Repository <string> -Tag <string>

Parameters

  • ImageId (string, required): Container image identifier
  • ImageDigest (string, required): Container image digest
  • Registry (string, required): Container registry
  • Repository (string, required): Container repository
  • Tag (string, required): Container tag

Example

# Create base image
New-FalconContainerImage -ImageId abc123 -ImageDigest sha256:def456 -Registry docker.io -Repository myorg/myapp -Tag latest

Remove-FalconContainerImage

Remove a Falcon Cloud Security base container image.
Remove-FalconContainerImage -Id <string[]>

Parameters

  • Id (string[], required): Container image identifier

Example

# Remove base image
Remove-FalconContainerImage -Id abc123

Container Registries

Get-FalconContainerRegistry

List Falcon Cloud Security registries.
Get-FalconContainerRegistry [-Id <string>] [-Sort <string>] [-Limit <int>] [-Offset <int>] [-Detailed] [-All] [-Total]

Parameters

  • Id (string): Container registry identifier (GUID format)
  • Sort (string): Property and direction to sort results
  • Limit (int): Maximum number of results per request (default: 100, max: 5000)
  • Offset (int): Position to begin retrieving results
  • Detailed (switch): Retrieve detailed information
  • All (switch): Repeat requests until all available results are retrieved
  • Total (switch): Display total result count instead of results

Example

# Get all registries
Get-FalconContainerRegistry -All

# Get specific registry with details
Get-FalconContainerRegistry -Id 12345678-1234-1234-1234-123456789012 -Detailed

New-FalconContainerRegistry

Create a registry within Falcon Cloud Security.
New-FalconContainerRegistry -Name <string> -Type <string> -Url <string> -Credential <hashtable> [-UrlUniquenessKey <string>]

Parameters

  • Name (string, required): Desired registry name within Falcon Cloud Security
  • Type (string, required): Registry type. Valid values: acr, artifactory, docker, dockerhub, ecr, gar, gcr, github, gitlab, harbor, icr, mirantis, nexus, openshift, oracle, quay.io
  • Url (string, required): URL used to log in to the registry
  • Credential (hashtable, required): Hashtable containing username and password used to access the registry
  • UrlUniquenessKey (string): Registry URL alias

Example

# Create Docker Hub registry
$Creds = @{ username = 'myuser'; password = 'mypass' }
New-FalconContainerRegistry -Name 'My Docker Hub' -Type dockerhub -Url https://index.docker.io/v1/ -Credential $Creds

# Create ECR registry
$AwsCreds = @{ username = 'AWS'; password = '<token>' }
New-FalconContainerRegistry -Name 'My ECR' -Type ecr -Url 123456789012.dkr.ecr.us-east-1.amazonaws.com -Credential $AwsCreds

Edit-FalconContainerRegistry

Modify a registry within Falcon Cloud Security.
Edit-FalconContainerRegistry -Id <string> [-Name <string>] [-State <string>] [-Credential <hashtable>]

Parameters

  • Id (string, required): Container registry identifier (GUID format)
  • Name (string): Falcon Cloud Security registry name
  • State (string): Registry connection state. Valid values: pause, resume
  • Credential (hashtable): Hashtable containing credentials to access the registry

Example

# Pause registry scanning
Edit-FalconContainerRegistry -Id 12345678-1234-1234-1234-123456789012 -State pause

# Update credentials
$NewCreds = @{ username = 'newuser'; password = 'newpass' }
Edit-FalconContainerRegistry -Id 12345678-1234-1234-1234-123456789012 -Credential $NewCreds
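
The registry examples above place the password in a string literal. As an added example (not part of the PSFalcon documentation), the wrapper below accepts a PSCredential and builds the -Credential hashtable only at the point of the call; Register-ScanRegistry and the sample account name are hypothetical.

```powershell
# Added example. Register-ScanRegistry is a hypothetical wrapper, not a PSFalcon cmdlet.
function Register-ScanRegistry {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Name,
        # Registry types listed for New-FalconContainerRegistry on this page
        [Parameter(Mandatory)]
        [ValidateSet('acr','artifactory','docker','dockerhub','ecr','gar','gcr','github',
            'gitlab','harbor','icr','mirantis','nexus','openshift','oracle','quay.io')]
        [string] $Type,
        [Parameter(Mandatory)] [string] $Url,
        # PSCredential keeps the password as a SecureString until the call is made
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    if ($PSCmdlet.ShouldProcess("$Name ($Type, $Url)", 'Create Falcon registry')) {
        # Decrypt only here, so the plaintext exists in this scope alone.
        New-FalconContainerRegistry -Name $Name -Type $Type -Url $Url -Credential @{
            username = $Credential.UserName
            password = $Credential.GetNetworkCredential().Password
        }
    }
}

# Interactive use: Get-Credential prompts, so the password never appears in the
# script file, the command history or a transcript.
#   Register-ScanRegistry -Name 'My Docker Hub' -Type dockerhub `
#       -Url https://index.docker.io/v1/ -Credential (Get-Credential)

# Offline dry run with a constructed credential (placeholder value, not a real secret).
$Secret = ConvertTo-SecureString 'constructed-placeholder' -AsPlainText -Force
$Demo   = [pscredential]::new('svc-registry-scan', $Secret)
Register-ScanRegistry -Name 'My Docker Hub' -Type dockerhub `
    -Url https://index.docker.io/v1/ -Credential $Demo -WhatIf
```

The same hashtable construction applies when rotating credentials with Edit-FalconContainerRegistry -Credential.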

Container Policies

Get-FalconContainerPolicy

List Falcon Cloud Security container policies.
Get-FalconContainerPolicy

Example

# Get all container policies
Get-FalconContainerPolicy

New-FalconContainerPolicy

Create a Falcon Cloud Security container policy.
New-FalconContainerPolicy -Name <string> -Description <string>

Parameters

  • Name (string, required): Policy name
  • Description (string, required): Policy description

Example

# Create new policy
New-FalconContainerPolicy -Name 'Production Image Policy' -Description 'Security policy for production container images'

Edit-FalconContainerPolicy

Modify a Falcon Cloud Security container policy.
Edit-FalconContainerPolicy -Id <string> -Name <string> -Enabled <boolean> [-Description <string>] [-Rule <hashtable[]>]

Parameters

  • Id (string, required): Image assessment policy identifier (GUID format)
  • Name (string, required): Policy name
  • Enabled (boolean, required): Policy enablement status
  • Description (string): Policy description
  • Rule (hashtable[]): One or more hashtables containing rule "action" and "policy_rules_data"

Example

# Enable policy
Edit-FalconContainerPolicy -Id 12345678-1234-1234-1234-123456789012 -Name 'Production Policy' -Enabled $true

# Update with rules
$Rules = @(@{ action = 'BLOCK'; policy_rules_data = @{ severity = 'CRITICAL' }})
Edit-FalconContainerPolicy -Id 12345678-1234-1234-1234-123456789012 -Name 'Security Policy' -Enabled $true -Rule $Rules

Remove-FalconContainerPolicy

Delete Image Assessment Policy by policy UUID.
Remove-FalconContainerPolicy -Id <string>

Parameters

  • Id (string, required): Image assessment policy identifier (GUID format)

Example

# Delete policy
Remove-FalconContainerPolicy -Id 12345678-1234-1234-1234-123456789012

Vulnerability & Assessment

Get-FalconContainerAssessment

Search for Falcon Container Security image assessment results.
Get-FalconContainerAssessment [-Filter <string>] [-Sort <string>] [-Limit <int32>] [-Offset <int32>] [-All] [-Total]

Parameters

  • Filter (string): Falcon Query Language expression to limit results
  • Sort (string): Property and direction to sort results. Valid values include: first_seen.asc, first_seen.desc, highest_detection_severity.asc, highest_detection_severity.desc, highest_vulnerability_severity.asc, highest_vulnerability_severity.desc, image_digest.asc, image_digest.desc, registry.asc, registry.desc, repository.asc, repository.desc, tag.asc, tag.desc
  • Limit (int32): Maximum number of results per request (1-100)
  • Offset (int32): Position to begin retrieving results
  • All (switch): Repeat requests until all available results are retrieved
  • Total (switch): Display total result count instead of results

Example

# Get all assessments
Get-FalconContainerAssessment -All

# Get assessments with critical vulnerabilities
Get-FalconContainerAssessment -Filter "highest_vulnerability_severity:'CRITICAL'" -All

Get-FalconContainerVulnerability

Search for Falcon Cloud Security container image vulnerabilities.
Get-FalconContainerVulnerability [-Id <string>] [-Filter <string>] [-Sort <string>] [-Limit <int32>] [-Offset <int32>] [-All] [-Total]

Parameters

  • Id (string): CVE identifier
  • Filter (string): Falcon Query Language expression to limit results
  • Sort (string): Property and direction to sort results. Valid values include: cps_current_rating.asc, cps_current_rating.desc, cve_id.asc, cve_id.desc, cvss_score.asc, cvss_score.desc, description.asc, description.desc, images_impacted.asc, images_impacted.desc, packages_impacted.asc, packages_impacted.desc, severity.asc, severity.desc
  • Limit (int32): Maximum number of results per request
  • Offset (int32): Position to begin retrieving results
  • All (switch): Repeat requests until all available results are retrieved
  • Total (switch): Display total result count instead of results

Example

# Get all vulnerabilities
Get-FalconContainerVulnerability -All

# Get specific CVE
Get-FalconContainerVulnerability -Id CVE-2023-12345

# Get critical vulnerabilities
Get-FalconContainerVulnerability -Filter "severity:'CRITICAL'" -Sort cvss_score.desc

Container Runtime

Get-FalconContainer

Search for containers in Falcon Cloud Security.
Get-FalconContainer [-Filter <string>] [-Sort <string>] [-Limit <int32>] [-Offset <int32>] [-All] [-Total]

Parameters

  • Filter (string): Falcon Query Language expression to limit results
  • Sort (string): Property and direction to sort results
  • Limit (int32): Maximum number of results per request
  • Offset (int32): Position to begin retrieving results
  • All (switch): Repeat requests until all available results are retrieved
  • Total (switch): Display total result count instead of results

Example

# Get all running containers
Get-FalconContainer -All

# Get containers by image
Get-FalconContainer -Filter "image_digest:'sha256:abc123'" -All
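
Combining the assessment and container searches shows which images with critical findings are actually running. This is an added example, not code from the PSFalcon documentation; Get-RunningCriticalImage is a hypothetical helper, and it assumes assessment results expose the image_digest, registry, repository and tag fields named in the Get-FalconContainerAssessment sort values.

```powershell
# Added example. Get-RunningCriticalImage is a hypothetical helper, not a PSFalcon cmdlet.
# Assumption: assessment objects carry image_digest, registry, repository and tag.
function Get-RunningCriticalImage {
    param(
        [Parameter(Mandatory)] [object[]] $Assessment,
        # Returns the containers running a digest; defaults to the live query.
        [scriptblock] $Lookup = {
            param($Digest) Get-FalconContainer -Filter "image_digest:'$Digest'" -All
        }
    )
    foreach ($Image in $Assessment | Sort-Object image_digest -Unique) {
        # The digest is interpolated into an FQL string, so accept only well-formed values.
        if ($Image.image_digest -cnotmatch '^sha256:[0-9a-f]{64}\z') {
            Write-Warning "Skipping malformed digest: $($Image.image_digest)"
            continue
        }
        $Running = @(& $Lookup $Image.image_digest)
        if ($Running.Count -gt 0) {
            [pscustomobject]@{
                Image      = '{0}/{1}:{2}' -f $Image.registry, $Image.repository, $Image.tag
                Digest     = $Image.image_digest
                Containers = $Running.Count
            }
        }
    }
}

# Live use:
#   $Critical = Get-FalconContainerAssessment -Filter "highest_vulnerability_severity:'CRITICAL'" -All
#   Get-RunningCriticalImage -Assessment $Critical | Sort-Object Containers -Descending

# Offline run on constructed sample data (digests and names are made up).
$DigestA = 'sha256:' + ('a' * 64)
$DigestB = 'sha256:' + ('b' * 64)
$Sample = @(
    [pscustomobject]@{ registry='docker.io'; repository='myorg/myapp'; tag='latest'; image_digest=$DigestA }
    [pscustomobject]@{ registry='docker.io'; repository='myorg/batch'; tag='1.4';    image_digest=$DigestB }
    [pscustomobject]@{ registry='docker.io'; repository='myorg/old';   tag='0.1';    image_digest='sha256:abc123' }
)
# Stub lookup: only the first digest has running containers (two constructed ids).
$Stub = { param($Digest) if ($Digest -eq $DigestA) { 'c-01', 'c-02' } }
Get-RunningCriticalImage -Assessment $Sample -Lookup $Stub
```

With the sample data, only docker.io/myorg/myapp:latest is returned, with a container count of 2; the truncated digest is skipped with a warning.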

Get-FalconContainerSensor

Retrieve the most recent Falcon container sensor build tags.
Get-FalconContainerSensor [-LatestUrl]

Parameters

  • LatestUrl (switch): Create a URL using the most recent build tag

Example

# Get sensor tags
Get-FalconContainerSensor

# Get latest sensor URL
Get-FalconContainerSensor -LatestUrl
