CI plugin policy

You can set up rules in Console that target your build tool to whitelist specific CVEs or compliance issues. These types of rules let you differentiate how Prisma Cloud responds at build-time (e.g. incremental build) and runtime (e.g. deployment into production).

Set a CI plugin compliance policy

Create a compliance rule that targets Prisma Cloud’s build tools (Jenkins plugin, twistcli).
Prisma Cloud’s compliance checks are based on the Center for Internet Security (CIS) Docker Benchmarks. We also provide numerous Prisma Cloud Labs compliance checks. And you can implement your own checks using Prisma Cloud custom checks or XCCDF.
Compliance rules that target the build tool can whitelist specific compliance checks by setting the action to 'ignore'. They cannot 'block' a build. Passing or failing a build is determined by the threshold set in the Prisma Cloud Jenkins plugin configuration or by the twistcli scan command-line options.
  1. Open Console.
  2. Go to Defend > Compliance.
  3. Click Add rule.
  4. Fill in the new rule dialog. For a given check, select an action, where:
     • Ignore — Bypasses the check.
     • Alert — Reports the compliance issue in the scan results if the compliance threshold is set to 'warn'.
     • Block — Does not apply to rules targeting the build. Select the threshold in the Jenkins plugin or with twistcli’s command-line options.
  5. In the Hosts field, specify the magic string twistlock-ciplugin. This string targets the Jenkins plugin and twistcli.
  6. Click Save. The rule takes effect as soon as it is saved.

Set a CI plugin vulnerability policy

Create a vulnerability rule that targets Prisma Cloud’s build tools (Jenkins plugin, twistcli):
Vulnerability rules that target the build tool can whitelist specific vulnerabilities by setting the action to 'ignore'. They cannot 'block' a build. For example, you could create a vulnerability rule that explicitly whitelists CVE-2018-1234 to suppress it from the scan results.
Passing or failing a build is determined by the threshold set in the Prisma Cloud Jenkins plugin configuration or by the twistcli scan command-line options. Thresholds fail builds based on the severity of the vulnerability (low, medium, high, or critical), where severity is determined by normalizing CVSS scores and vendor ratings.
  1. Open Console.
  2. Go to Defend > Vulnerabilities.
  3. Click Add rule.
  4. Fill in the new rule dialog. Under Specific CVE actions, type the CVE-ID(s) and select an action (Ignore, Alert) where:
     • Ignore — Suppresses the vulnerability from being reported in the plugin.
     • Alert — Reports the vulnerability in the plugin’s scan results, but does not fail the build.
     • Block — Does not apply to rules targeting the build. Select the threshold in the Jenkins plugin or with twistcli’s command-line options.
  5. In the Hosts field, specify the magic string twistlock-ciplugin. This string targets the Jenkins plugin and twistcli.
     Any vulnerability rules other than the CI plugin rules should have their Hosts field set to an empty value (i.e. remove the default * value from the host).
  6. Click Save. The rule takes effect as soon as it is saved.
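The following script is an added illustration, not Prisma Cloud or twistcli code: it models how a CI plugin vulnerability rule (per-CVE Ignore/Alert actions) and the plugin's severity threshold combine to decide what is reported and whether the build fails. The findings, the placeholder CVE IDs of the form CVE-0000-000N, and the rule contents are constructed for the example; only CVE-2018-1234 is taken from the text above.

```python
"""Model of CI plugin rule actions plus scan threshold (added illustration).

Assumptions, labelled here because they are not Prisma Cloud code:
- a finding is {"cve": str, "severity": one of SEVERITY_ORDER}
- a rule is {"ignore": set of CVEs, "alert": set of CVEs}, mirroring the
  'Specific CVE actions' of a rule whose Hosts field is twistlock-ciplugin
- threshold is the severity at or above which the build fails (set in the
  Jenkins plugin or twistcli, never in the rule), or None for "never fail"
"""

SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def evaluate_build(findings, rule, threshold):
    """Return (passed, reported_cves, failing_cves) for one scan."""
    reported, failing = [], []
    for finding in findings:
        cve = finding["cve"]
        if cve in rule["ignore"]:
            continue  # Ignore: suppressed entirely from the plugin's results
        reported.append(cve)
        if cve in rule["alert"]:
            continue  # Alert: shown in results, but never fails the build by itself
        if threshold is None:
            continue  # no threshold configured: report only
        if SEVERITY_ORDER.index(finding["severity"]) >= SEVERITY_ORDER.index(threshold):
            failing.append(cve)  # at or above threshold: this finding fails the build
    return (not failing, reported, failing)


# Constructed sample scan output; CVE-0000-000N are placeholders.
SAMPLE_FINDINGS = [
    {"cve": "CVE-2018-1234", "severity": "high"},
    {"cve": "CVE-0000-0001", "severity": "critical"},
    {"cve": "CVE-0000-0002", "severity": "medium"},
    {"cve": "CVE-0000-0003", "severity": "low"},
]

# Constructed rule: whitelist CVE-2018-1234, alert-only on CVE-0000-0001.
SAMPLE_RULE = {"ignore": {"CVE-2018-1234"}, "alert": {"CVE-0000-0001"}}

if __name__ == "__main__":
    for threshold in ("medium", "high", None):
        passed, reported, failing = evaluate_build(SAMPLE_FINDINGS, SAMPLE_RULE, threshold)
        print(f"threshold={threshold}: passed={passed} reported={reported} failing={failing}")
```

Note that the critical CVE-0000-0001 never fails the build under this rule because its action is Alert, which is why alert-listing a CVE in the CI plugin rule is effectively an exception and should be reviewed like one.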
