
@luberg
luberg / prd.md
Created April 10, 2026 19:44
PRD: Prisma VM Image Scanning Gate for infrastructure-platform-ami

Prisma VM Image Scanning Gate — PRD

Author: Runtime Platform Team | Last Updated: 2026-04-07 | Status: Draft
Reviewers: Security Engineering, Runtime Platform v2


1. Executive Summary

EKS node AMIs built by the infrastructure-platform-ami pipeline are currently distributed to target AWS accounts without any pre-distribution vulnerability scanning. This PRD defines a Prisma Cloud VM Image Scanning gate that runs as an Image Builder test component, scanning every AMI for known vulnerabilities before it can be distributed. Images with Critical/High vendor-severity or CVSS v3 ≥ 7.0 findings are blocked, and the team is alerted via Slack and Jira. This closes a gap in the platform's security posture and provides automated compliance evidence.
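The gate decision described above (block when any finding carries Critical/High vendor severity or a CVSS v3 score of 7.0 or more) is small enough to show as code. The following is an added illustration, not code from the PRD or from the infrastructure-platform-ami pipeline; it assumes a hypothetical JSON findings report with `vulnerabilities[].cve`, `packageName`, `severity` and `cvss` keys (the real Prisma output shape is not given on the page) and uses constructed, obviously fake CVE identifiers as sample data.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Gate thresholds as stated in the PRD: block on vendor severity Critical/High
# or on a CVSS v3 base score of 7.0 or higher.
BLOCKING_SEVERITIES = {"critical", "high"}
CVSS_V3_THRESHOLD = 7.0


@dataclass(frozen=True)
class Finding:
    cve_id: str
    package: str
    severity: str              # vendor severity string as the scanner reports it
    cvss_v3: Optional[float]   # None when no usable v3 score is present


def _parse_cvss(value) -> Optional[float]:
    """Coerce a score field to float; missing or non-numeric values become None."""
    if value is None:
        return None
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def parse_report(report_json: str) -> list:
    """Parse the assumed report shape into Finding records (hypothetical schema)."""
    data = json.loads(report_json)
    return [
        Finding(
            cve_id=str(v.get("cve", "UNKNOWN")),
            package=str(v.get("packageName", "unknown")),
            severity=str(v.get("severity", "unknown")),
            cvss_v3=_parse_cvss(v.get("cvss")),
        )
        for v in data.get("vulnerabilities", [])
    ]


def is_blocking(f: Finding) -> bool:
    """A finding blocks distribution if EITHER criterion is met.

    Severity is normalised (case, whitespace) so 'HIGH' and 'high' agree, and
    the CVSS check is skipped when the score is absent rather than treated as 0.
    """
    if f.severity.strip().lower() in BLOCKING_SEVERITIES:
        return True
    return f.cvss_v3 is not None and f.cvss_v3 >= CVSS_V3_THRESHOLD


def evaluate_gate(report_json: str) -> dict:
    """Return the gate decision plus the findings that caused a block."""
    findings = parse_report(report_json)
    blocking = sorted((f for f in findings if is_blocking(f)), key=lambda f: f.cve_id)
    return {
        "decision": "BLOCK" if blocking else "ALLOW",
        "total_findings": len(findings),
        "blocking_findings": [
            f"{f.cve_id} ({f.package}, {f.severity}, cvss={f.cvss_v3})" for f in blocking
        ],
    }


def alert_message(ami_id: str, result: dict) -> str:
    """Plain-text summary suitable as the body of a Slack or Jira alert."""
    lines = [f"AMI {ami_id}: {result['decision']} "
             f"({len(result['blocking_findings'])} of {result['total_findings']} findings block)"]
    lines += [f"  - {item}" for item in result["blocking_findings"]]
    return "\n".join(lines)


# Constructed sample report (fake CVE ids) exercising each branch of the policy.
SAMPLE_REPORT = json.dumps({"vulnerabilities": [
    {"cve": "CVE-0000-0001", "packageName": "openssl", "severity": "High",     "cvss": 5.9},   # blocked by severity
    {"cve": "CVE-0000-0002", "packageName": "curl",    "severity": "Medium",   "cvss": 7.2},   # blocked by CVSS
    {"cve": "CVE-0000-0003", "packageName": "bash",    "severity": "Low",      "cvss": None},  # allowed, no score
    {"cve": "CVE-0000-0004", "packageName": "glibc",   "severity": "medium",   "cvss": "6.9"}, # allowed, below 7.0
    {"cve": "CVE-0000-0005", "packageName": "kernel",  "severity": "CRITICAL", "cvss": "n/a"}, # blocked by severity
]})

if __name__ == "__main__":
    print(alert_message("ami-EXAMPLE", evaluate_gate(SAMPLE_REPORT)))
```

Two details matter for a gate of this kind: the severity and CVSS criteria are evaluated independently (a Medium finding with CVSS 7.2 still blocks), and an absent or unparsable score must not silently pass as 0.0 while a Critical vendor severity on the same finding would still block it.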