IAC Security Scanning by Prisma Cloud

Prisma Cloud has a large set of policies for Azure infrastructure security scanning.

Prisma Cloud offers several ways to scan IaC code. We analyzed two of them: the GitHub integration and GitHub Actions.

Benefits of the GitHub integration:

  • Developers cannot comment out workflow files to skip the Prisma Cloud scan.
  • Prisma Cloud comments directly on pull requests in GitHub.
  • Configuration is controlled by the administrator on the Prisma Cloud server side, not in the individual repositories.

GitHub Integration.

Integrating GitHub.com allows Prisma Cloud to:

  • Include your Infrastructure-as-Code files in daily scans.
  • Scan changed resources in Infrastructure-as-Code files for every new build (before the branch is merged into the main branch) and provide an actionable view of the results via GitHub checks.
  • Open pull requests to fix build-time issues detected in your branch.

Step 1. Access GitHub on Prisma Cloud Code Security.

  1. Select Settings > Repositories > Add Repository.
  2. Select GitHub.

Step 2. Add your GitHub repository to Code Security.

  1. Configure your GitHub account on Prisma Cloud Code Security and then select Next.
  2. Review the permissions and authorize Prisma Cloud to access your GitHub organization.
  3. Select the repositories to scan and then select Next.
  4. A "New account successfully configured" message appears once the setup is complete; select Done.
  5. Your configured GitHub repositories appear on the Repositories page. The results of the next GitHub scan will include the newly configured repositories. Open Code Security to view the scan results.

GitHub Actions.

A GitHub Action checks the IaC files in the repository for security issues using the Prisma Cloud Infrastructure as Code Scan. The action can report its results as an issue, a pull request comment, or a pull request check, or they can be viewed as pipeline annotations.

Setup

Step 1: Acquire Prisma Cloud API credentials

The action needs a Prisma Cloud Access Key and Secret Key to run the scan.

If you do not have a key, refer to Create and Manage Access Keys to acquire one.

Step 2: Create GitHub secrets from the API credentials

Create a GitHub secret called BC_API_KEY whose value is PRISMA_ACCESS_KEY::PRISMA_SECRET_KEY, i.e. the access key and secret key acquired in Step 1, joined by two colons.

Refer to Encrypted secrets for details on how to set up secrets.

Step 3: Configure Workflow

Configure your workflow based on the following example.

Note: the actions/checkout step must run before the scan step; otherwise the action has no access to the IaC files to be scanned.

---
# Workflow for the Prisma Cloud IaC scan (Bridgecrew action)
name: Prisma Cloud IaC Scan
on:
  push:
    branches:
      - master
  pull_request:
    types:
    - "opened"
    - "reopened"
    - "synchronize"

jobs:
  prisma_cloud_iac_scan:
    runs-on: ubuntu-latest
    name: Run Prisma Cloud IaC Scan to check
    steps:
      # Checkout must run first so the scan step can see the IaC files
      - name: Checkout
        uses: actions/checkout@v2
      # Export the repository name (the part after "owner/") to later steps
      - name: get repository name
        run: echo "REPOSITORY_NAME=$(echo ${{ github.repository }} | awk -F "/" 'END {print $2}')" >> $GITHUB_ENV
      # The API key is read from the BC_API_KEY secret created in Step 2
      - name: Run Bridgecrew
        id: Bridgecrew
        uses: bridgecrewio/bridgecrew-action@master
        env:
          PRISMA_API_URL: https://api2.prismacloud.io
        with:
          api-key: ${{ secrets.BC_API_KEY }}
          framework: terraform
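The two setup rules above (checkout before the scan step, and the API key supplied through a GitHub secret rather than pasted into the file) are easy to get wrong when a workflow is copied between repositories. The following script is an added example, not part of the original post or of the Bridgecrew action, that checks a workflow file for both rules and, as a recommendation of our own, also flags the scan action being referenced through a moving branch such as @master instead of a tag or commit SHA. The parser is deliberately line-based and only understands the indentation style of the workflow above; a production linter should load the file with a YAML parser. The sample workflows embedded below are constructed for the example, and PINNED_TAG_OR_SHA is a placeholder, not a real release tag.

```python
"""Checks for a GitHub Actions workflow that runs the Prisma Cloud / Bridgecrew IaC scan.

Finding codes returned by check_workflow():
  scan-step-missing                no bridgecrewio/bridgecrew-action step in the file
  checkout-missing-or-after-scan   actions/checkout is absent or runs after the scan
  api-key-not-from-secrets         api-key is not taken from ${{ secrets.* }}
  mutable-action-ref               scan action referenced by branch (master/main), not a pin
"""
import re

# Line-based patterns for the few fields this check needs. This is a deliberate
# simplification that handles the layout of the workflow above; a real linter
# should use a YAML parser instead.
STEP_START_RE = re.compile(r"^\s*-\s+(name|uses):\s*(.*)$")
FIELD_RE = re.compile(r"^\s*(uses|api-key):\s*(.*)$")

SCAN_ACTION = "bridgecrewio/bridgecrew-action@"
CHECKOUT_ACTION = "actions/checkout@"
MUTABLE_REFS = {"master", "main"}


def parse_steps(workflow_text):
    """Return the job steps in order as dicts with name, uses and api_key."""
    steps = []
    for line in workflow_text.splitlines():
        if (m := STEP_START_RE.match(line)):
            # A new list item that starts with "name:" or "uses:" opens a step.
            steps.append({"name": None, "uses": None, "api_key": None})
            steps[-1][m.group(1)] = m.group(2).strip()
        elif steps and (m := FIELD_RE.match(line)):
            key = "api_key" if m.group(1) == "api-key" else m.group(1)
            steps[-1][key] = m.group(2).strip()
    return steps


def check_workflow(workflow_text):
    """Return a list of finding codes; an empty list means the workflow passes."""
    steps = parse_steps(workflow_text)
    uses = [s["uses"] or "" for s in steps]
    scan_idx = next((i for i, u in enumerate(uses) if u.startswith(SCAN_ACTION)), None)
    if scan_idx is None:
        return ["scan-step-missing"]
    findings = []
    # Rule from the setup note: checkout must come first or there is nothing to scan.
    checkout_idx = next((i for i, u in enumerate(uses) if u.startswith(CHECKOUT_ACTION)), None)
    if checkout_idx is None or checkout_idx > scan_idx:
        findings.append("checkout-missing-or-after-scan")
    # Rule from Step 2: the key is injected from GitHub secrets, never committed.
    if "secrets." not in (steps[scan_idx]["api_key"] or ""):
        findings.append("api-key-not-from-secrets")
    # Own recommendation: a branch ref resolves to whatever the action's maintainers
    # push next, so pin the third-party action to a tag or commit SHA.
    if uses[scan_idx].partition("@")[2] in MUTABLE_REFS:
        findings.append("mutable-action-ref")
    return findings


# Constructed sample: the steps section of the workflow above, condensed.
PAGE_WORKFLOW = """\
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Run Bridgecrew
        id: Bridgecrew
        uses: bridgecrewio/bridgecrew-action@master
        env:
          PRISMA_API_URL: https://api2.prismacloud.io
        with:
          api-key: ${{ secrets.BC_API_KEY }}
          framework: terraform
"""

# Constructed sample: checkout after the scan and a key pasted into the file.
BAD_WORKFLOW = """\
    steps:
      - name: Run Bridgecrew
        uses: bridgecrewio/bridgecrew-action@master
        with:
          api-key: EXAMPLE-ACCESS-KEY::EXAMPLE-SECRET-KEY
          framework: terraform
      - name: Checkout
        uses: actions/checkout@v2
"""

# Constructed sample: same as the page workflow, with the action pinned.
# PINNED_TAG_OR_SHA is a placeholder, not a real release tag.
PINNED_WORKFLOW = PAGE_WORKFLOW.replace("@master", "@PINNED_TAG_OR_SHA")

if __name__ == "__main__":
    for label, text in [("page", PAGE_WORKFLOW), ("bad", BAD_WORKFLOW), ("pinned", PINNED_WORKFLOW)]:
        print(label, check_workflow(text) or "ok")
```

Run against the workflow from the post, the script reports only the mutable @master reference; the deliberately broken sample trips all three rules. Dropping the check into the repository's CI (or a pre-commit hook) catches a workflow that was edited so the scan silently runs against an empty checkout.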