1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Continuous integration
    6. CI plugin policy
    End-of-Life (EoL)

    CI plugin policy

    You can set up rules in Console that target your build tool to whitelist specific CVEs or compliance issues. These types of rules let you differentiate how Prisma Cloud responds at build-time (e.g. incremental build) and runtime (e.g. deployment into production).

    Set a CI plugin compliance policy

    Create a compliance rule that targets Prisma Cloud’s build tools (Jenkins plugin, twistcli).
    Prisma Cloud’s compliance checks are based on the Center for Internet Security (CIS) Docker Benchmarks. We also provide numerous Prisma Cloud Labs compliance checks. And you can implement your own checks using Prisma Cloud custom checks or XCCDF.
    Compliance rules that target the build tool can whitelist specific compliance checks by setting the action to 'ignore'. They cannot 'block' a build. Passing or failing a build is determined by the threshold set in the Prisma Cloud Jenkins plugin configuration or by the twistcli scan command-line options.
    1. Open Console.
    2. Go to
      Defend > Compliance
      .
    3. Click
      Add rule
      .
    4. Fill in the new rule dialog.
      For a given check, select an action, where:
      • Ignore
         — Bypasses the check.
      • Alert
         — Reports the compliance issue in the scan results if the compliance threshold is set to 'warn'.
      • Block
         — Does not apply to rules targeting the build. Select the threshold in the Jenkins plugin or with twistcli’s command-line options.
    5. In the
      Hosts
       field, specify the magic string
      twistlock-ciplugin
      . This string targets the Jenkins plugin and twistcli.
    6. Click
      Save
      .
      The rule takes effect as soon as it is saved.

    Set a CI plugin vulnerability policy

    Create a vulnerability rule that targets Prisma Cloud’s build tools (Jenkins plugin, twistcli):
    Vulnerability rules that target the build tool can whitelist specific vulnerabilities by setting the action to 'ignore'. They cannot 'block' a build. For example, you could create a vulnerability rule that explicitly whitelists CVE-2018-1234 to suppress it from the scan results.
    Passing or failing a build is determined by the threshold set in the Prisma Cloud Jenkins plugin configuration or by the twistcli scan command-line options. Thresholds fail builds based on the severity of the vulnerability (low, medium, high, or critical), where severity is determined by normalizing CVSS scores and vendor ratings.
    1. Open Console.
    2. Go to
      Defend > Vulnerabilities
      .
    3. Click
      Add rule
      .
    4. Fill in the new rule dialog.
      Under
      Specific CVE actions
      , type the CVE-ID(s) and select an action (
      Ignore
      ,
      Alert
      ) where:
      • Ignore
         — Suppresses the vulnerability from being reported in the plugin.
      • Alert
         — Reports the vulnerability in the plugin’s scan results, but does not fail the build.
      • Block
         — Does not apply to rules targeting build. Select the threshold in the Jenkins plugin or with twistcli’s command-line options.
    5. In the
      Hosts
       field, specify the magic string
      twistlock-ciplugin
      . This string targets the Jenkins plugin and twistcli.
      Any vulnerability rules other than the CI Plugin rules should have its
      Hosts
       field set to an empty value (i.e. remove the default * value from the host).
    6. Click
      Save
      .
      The rule takes effect as soon as it is saved.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo