Environment Variables¶
All environment variables Prisma AIRS CLI recognizes, grouped by category. Copy .env.example as a starting template.
LLM Provider¶
| Variable | Needed for | What it does |
|---|---|---|
LLM_PROVIDER |
All | Provider selection (claude-api, claude-vertex, claude-bedrock, gemini-api, gemini-vertex, gemini-bedrock) |
LLM_MODEL |
-- | Override the default model for any provider |
ANTHROPIC_API_KEY |
claude-api |
Anthropic API key (sk-ant-...) |
GOOGLE_API_KEY |
gemini-api |
Google AI API key |
GOOGLE_CLOUD_PROJECT |
claude-vertex, gemini-vertex |
GCP project ID |
GOOGLE_CLOUD_LOCATION |
claude-vertex, gemini-vertex |
GCP region (default: us-central1; claude-vertex uses global) |
AWS_REGION |
claude-bedrock, gemini-bedrock |
AWS region (default: us-east-1) |
AWS_ACCESS_KEY_ID |
claude-bedrock, gemini-bedrock |
IAM access key |
AWS_SECRET_ACCESS_KEY |
claude-bedrock, gemini-bedrock |
IAM secret key |
Note
*AWS key variables are not required if using the default credential chain (instance roles, SSO, ~/.aws/credentials, etc.).
AIRS Scan API¶
| Variable | Required | What it does |
|---|---|---|
PANW_AI_SEC_API_KEY |
Yes* | AI Security scan API key |
PANW_AI_SEC_API_TOKEN |
Yes* | Pre-obtained bearer token (alternative to the API key) |
PANW_AI_SEC_API_ENDPOINT |
-- | Custom scan API endpoint (default: service.api.aisecurity.paloaltonetworks.com) |
PANW_AI_SEC_NUM_RETRIES |
-- | Max retry attempts, 0--5 (default: 5) |
Note
*Provide either PANW_AI_SEC_API_KEY or PANW_AI_SEC_API_TOKEN.
AIRS Management API¶
| Variable | Required | What it does |
|---|---|---|
PANW_MGMT_CLIENT_ID |
Yes | OAuth2 client ID |
PANW_MGMT_CLIENT_SECRET |
Yes | OAuth2 client secret |
PANW_MGMT_TSG_ID |
Yes | Tenant Service Group ID |
PANW_MGMT_ENDPOINT |
-- | Custom management endpoint |
PANW_MGMT_TOKEN_ENDPOINT |
-- | Custom token endpoint |
PANW_DLP_ENDPOINT |
-- | Custom DLP API base URL (default: api.dlp.paloaltonetworks.com) — used by airs runtime dlp |
AIRS Red Team API¶
| Variable | Required | What it does |
|---|---|---|
PANW_RED_TEAM_DATA_ENDPOINT |
-- | Custom Red Team data-plane endpoint |
PANW_RED_TEAM_MGMT_ENDPOINT |
-- | Custom Red Team management-plane endpoint |
PANW_RED_TEAM_TOKEN_ENDPOINT |
-- | Custom Red Team OAuth2 token endpoint |
Note
Red Team commands reuse PANW_MGMT_CLIENT_ID, PANW_MGMT_CLIENT_SECRET, and PANW_MGMT_TSG_ID from the Management API section. The variables above are optional overrides for dedicated Red Team endpoints.
AIRS Model Security API¶
| Variable | Required | What it does |
|---|---|---|
PANW_MODEL_SEC_DATA_ENDPOINT |
-- | Custom Model Security data-plane endpoint |
PANW_MODEL_SEC_MGMT_ENDPOINT |
-- | Custom Model Security management-plane endpoint |
PANW_MODEL_SEC_TOKEN_ENDPOINT |
-- | Custom Model Security OAuth2 token endpoint |
Note
Model Security commands also reuse the PANW_MGMT_* credentials. All endpoint overrides above (and their Red Team counterparts) can equally be set in ~/.prisma-airs/config.json via the matching config keys (airsApiToken, airsApiEndpoint, airsNumRetries, redTeamDataEndpoint, redTeamMgmtEndpoint, redTeamTokenEndpoint, modelSecDataEndpoint, modelSecMgmtEndpoint, modelSecTokenEndpoint). Precedence: CLI > environment > config file.
Tuning¶
| Variable | Default | Range | What it controls |
|---|---|---|---|
SCAN_CONCURRENCY |
5 |
1--20 | Parallel scan requests per batch |
Warning
SCAN_CONCURRENCY above 5 may trigger AIRS rate limits. Increase cautiously.
Paths¶
| Variable | Default | What it does |
|---|---|---|
DATA_DIR |
~/.prisma-airs/runs |
Data directory |
Tip
The ~ prefix is expanded to $HOME automatically.