Configure code repository scanning
Prisma Cloud can scan GitHub repositories and identify vulnerabilities in your software’s dependencies. Modern apps are increasingly composed of external, open source dependencies, so it’s important to give developers tools to assess those components early in the development lifecycle. Repository scanning gives you early insight into the software as it’s being developed, and long before apps are packaged (e.g. as a container) and deployed by CI/CD pipelines.
Prisma Cloud authenticates with the GitHub API using user-generated API tokens. The following scopes are required for scanning private repos. Prisma Cloud doesn’t modify or write to your repos.
- repo — Full control of private repositories
- repo:status — Access commit status
- repo_deployment — Access deployment status
- public_repo — Access public repositories
- repo:invite — Access repository invitations
- security_events — Read and write security events
If you’re scanning public repos only, select just the public_repo scope. The benefit of creating an access token for scanning public repos is that GitHub grants you a higher rate limit to their API, which Prisma Cloud utilizes for scanning.
Prisma Cloud selects the repositories to scan according to a user-defined scope. For example, you might want to scan all repositories in your organization or just a subset of them. For each repo in scope, Prisma Cloud searches for well-known package manifest files, and enumerates the dependencies listed in them. Those dependencies are assessed against the latest threat data in the Intelligence Stream.
Code repository scans is handled by Console.
The following table lists the manifest files known to the scanner.
build.gradle, build.gradle.kts, gradle.properties
package.json, package-lock.json, npm-shrinkwrap.json, bower.json
Finally, Prisma Cloud can continuously monitor your code repositories for vulnerabilities by rescanning on every push event. Prisma Cloud integrates with GitHub using webooks, which notify the scanner when there are changes in the repository.
Prisma Cloud uses the GitHub API. The GitHub API is rate-limited. For unauthenticated requests, which can be used to scan public repositories, the cap is very low (60 requests/hour). Here the rate limit is guaged by IP address. For authenticated requests, which can scan either public or private repositories, the cap is 5000 requests/hour. Here the rate limit is