Serverless function scanning
Table of Contents
Self.Hosted 22.06 (EoL)
Expand all | Collapse all
-
- Getting started
- System Requirements
- Prisma Cloud container images
- Onebox
- Kubernetes
- OpenShift v4
- Console on Fargate
- Amazon ECS
- Alibaba Cloud Container Service for Kubernetes (ACK)
- Azure Kubernetes Service (AKS)
- Amazon Elastic Kubernetes Service (EKS)
- Google Kubernetes Engine (GKE)
- Google Kubernetes Engine (GKE) Autopilot
- IBM Kubernetes Service (IKS)
- Windows
- Defender types
- Cluster Context
-
- Install a single Container Defender
- Automatically Install Container Defender in a Cluster
- App-Embedded Defender
- App-Embedded Defender for Fargate
- Default setting for App-Embedded Defender file system protection
- VMware Tanzu Application Service (TAS) Defender
- Serverless Defender
- Serverless Defender as a Lambda layer
- Auto-defend serverless functions
- Install a single Host Defender
- Auto-defend hosts
- Deploy Prisma Cloud Defender from the GCP Marketplace
- Decommission Defenders
- Redeploy Defenders
- Uninstall Defenders
-
- Rule ordering and pattern matching
- Backup and restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Prisma Cloud Compute certificates
- Configure Agentless Scanning
- Agentless Scanning Modes
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with certificates
- Configure custom certs from a predefined directory
- Customize terminal output
- Collections
- Tags
- Logon settings
- Reconfigure Prisma Cloud
- Subject Alternative Names
- WildFire Settings
- Log Scrubbing
- Clustered-DB
- Permissions by feature
-
- Logging into Prisma Cloud
- Integrating with an IdP
- Integrate with Active Directory
- Integrate with OpenLDAP
- Integrate Prisma Cloud with Open ID Connect
- Integrate with Okta via SAML 2.0 federation
- Integrate Google G Suite via SAML 2.0 federation
- Integrate with Azure Active Directory via SAML 2.0 federation
- Integrate with PingFederate via SAML 2.0 federation
- Integrate with Windows Server 2016 & 2012r2 Active Directory Federation Services (ADFS) via SAML 2.0 federation
- Integrate Prisma Cloud with GitHub
- Integrate Prisma Cloud with OpenShift
- Non-default UPN suffixes
- Compute user roles
- Assign roles
- Credentials store
- Cloud accounts
-
- Prisma Cloud vulnerability feed
- Vulnerability Explorer
- Vulnerability management rules
- Search CVEs
- Scan reports
- Scanning procedure
- Customize image scanning
- Configure Registry Scans
-
- Scan Images in Sonatype Nexus Registry
- Scan images in Alibaba Cloud Container Registry
- Scan images in Amazon EC2 Container Registry (ECR)
- Scan images in Azure Container Registry (ACR)
- Scan images in Docker Registry v2 (including Docker Hub)
- Scan images in Google Artifact Registry
- Scan images in Google Container Registry (GCR)
- Scan images in Harbor Registry
- Scan images in IBM Cloud Container Registry
- Scan images in Artifactory Docker Registry
- Scan images in OpenShift integrated Docker registry
- Trigger registry scans with Webhooks
- Base images
- Configure VM image scanning
- Configure code repository scanning
- Agentless scanning
- Malware scanning
- Vulnerability risk tree
- Vulnerabilities Detection
- CVSS scoring
- Windows container image scanning
- Serverless function scanning
- VMware Tanzu blobstore scanning
- Scan App-Embedded workloads
- Troubleshoot vulnerability detection
-
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Serverless functions compliance checks
- Windows compliance checks
- DISA STIG compliance checks
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- App-Embedded scanning
- Detect secrets
- Cloud discovery
- OSS license management
- API
End-of-Life (EoL)
Serverless function scanning
Prisma Cloud can scan serverless functions for vulnerabilities.
Prisma Cloud supports AWS Lambda, Google Cloud Functions, and Azure Functions.
Serverless computing is an execution model in which a cloud provider dynamically manages the allocation of machine resources and schedules the execution of functions provided by users.
Serverless architectures delegate the operational responsibilities, along with many security concerns, to the cloud provider. In particular, your app itself is still prone to attack.
The vulnerabilities in your code and associated dependencies are the footholds attackers use to compromise an app.
Prisma Cloud can show you a function’s dependencies, and surface the vulnerabilities in those dependent components.
Capabilities
For serverless, Prisma Cloud can scan Node.js, Python, Java, C#, Ruby, and Go packages.
For a list of supported runtimes see system requirements.
Prisma Cloud scans are triggered by the following events:
- When the settings change, including when new functions are added for scanning.
- When you explicitly click theScanbutton in theMonitor > Vulnerabilities > Functions > Scanned Functionspage.
- Periodically. By default, Prisma Cloud rescans serverless functions every 24 hours, but you can configure a custom interval inManage > System > Scan.
Scanning a serverless function
Configure Prisma Cloud to periodically scan your serverless functions.
Unlike image scanning, all function scanning is handled by Console.
- Open Console.
- Go toDefend > Vulnerabilities > Functions > Functions.
- Click onAdd scope. In the dialog, enter the following settings:
- (AWS only) SelectScan only latest versionsto only scan the latest version of each function. Otherwise, the scanning will cover all versions of each function up to the specifiedLimitvalue.
- (AWS only) SelectScan Lambda Layersto enable scanning function layers as well.
- (AWS only) Specify which regions to scan inAWS Scanning scope. By default, the scope is applied toRegular regions. Other options includeChina regionsorGovernment regions.
- Specify aLimitfor the number of functions to scan.Prisma Cloud scans the X most recent functions, where X is the limit value. Set this value to '0' to scan all functions.For scanning Google Cloud Functions with GCP organization level credentials, the limit value is for the entire organization. Increase the limit as needed to cover all the projects within your GCP organization.
- Select the accounts to scan by credential. If you wish to add an account, click onAdd credential.For Azure: if you create a credential in the credentials store (Manage > Authentication > Credentials store), your service principal authenticates with a password. To authenticate with a certificate, create a cloud account.
- ClickAdd.
- Click the green save button.
- View the scan report.Go toMonitor > Vulnerabilities > Functions > Scanned functions.All vulnerabilities identified in the latest serverless scan report can be exported to a CSV file by clicking on the CSV button in the top right of the table.
View AWS Lambda Layers scan report
Prisma Cloud can scan the AWS Lambda Layers code as part of the Lambda function’s code scanning.
This capability can help you determine whether the vulnerability issues are associated with the function or function Layers.
Follow the steps below to view the Lambda Layers scan results:
- Open Console.
- Make sure you selected theScan Lambda layersin the Defend > Vulnerabilities > Functions > Functions > Serverless Accounts >Function scan scope
- Go toMonitor > Vulnerabilities > Functions > Scanned functions.
- Filter the table to include functions with the desired Layer by adding theLayersfilter.You can also filter the results by a specific layer name or postfix wildcards. Example: Layers:* OR Layers:arn:aws:lambda:*
- Open theFunction detailsdialog to view the details about the Layers and the vulnerabilities associated with them:
- Click on a specific function
- See the Function’s vulnerabilities, compliance issues and package info in the related tabs. Use theFound incolumn to determine if the component is associated with the Function or with the Function’s Layers.
- Use theLayers infotab to see the full list of the Function’s Layers, and aggregated information about the Layers vulnerabilities. In case that there are vulnerabilities associated with the layer you will be able to expand the layer raw to list all the vulnerabilities.
Authenticating with AWS
The serverless scanner is implemented as part of Console.
The scanner requires the following permissions policy:
+
{ "Version": "2012-10-17", "Statement": [ { "Sid": "PrismaCloudComputeServerlessScan", "Effect": "Allow", "Action": [ "lambda:ListFunctions", "lambda:GetFunction", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:ListAttachedRolePolicies", "iam:ListRolePolicies", "lambda:GetLayerVersion", "kms:Decrypt" ], "Resource": "*" } ] }
IAM User
If authenticating with an IAM user, use the Security Token Service (STS) to temporarily issue security credentials to Prisma Cloud to scan your Lambda functions.
AWS STS is considered a best practice for IAM users per the AWS Well-Architected Framework.
For more on how to use AWS STS, see here.
When authenticating with an IAM user, Console can access and scan functions across multiple regions.
IAM Role
The Prisma Cloud serverless scanner can also authenticate with AWS using an IAM role.
If Console authenticates with AWS using an IAM role, it can assume roles using STS to assume roles in other regions.
Scanning Azure Functions
Azure Functions are architected differently than AWS Lambda and Google Cloud Functions.
Azure function apps can hold multiple functions.
The functions are not segregated from each other.
They share the same file system.
Rather than separately scanning each function in a function app, download the root directory of the function app, which contains all its functions, and scan them as a bundle.
Prisma Cloud supports scanning both Windows and Linux functions. For Linux functions, the support is only for functions that use
External package URL
as the deployment technology.
For more information, see Deployment technologies in Azure Functions.To do this, you must know the Region, Name (of the function), and Service Key.
To get the Service Key, download and install the Azure CLI, then:
- Within your Azure portal, create a custom role with the following permissions:{ "permissions": [ { "actions": [ "Microsoft.Web/sites/Read", "Microsoft.Web/sites/config/list/Action", "Microsoft.web/sites/functions/action", "Microsoft.web/sites/functions/read", "Microsoft.Web/sites/publishxml/Action" ], "notActions": [], "dataActions": [], "notDataActions": [] } ] }Using the CLI, log into your account with a user that has the User Administrator role.$ az loginGet the service key.$ az ad sp create-for-rbac --sdk-auth --name twistlock-azure-serverless-scanning --role CUSTOM_ROLE_NAMESample output from the previous command:{ "clientId": "f8e9de2o-45bd-af94-ae11-b9r8c5tfy3b6", "clientSecret": "4dfds482-6sdd-4dsb-b5ff-56123043c4dc", "subscriptionId": "ea19322m-z2bd-501c-dd11-234m547a944e", "tenantId": "c189c61a-6c27-41c3-9949-ca5c8cc4a624", "activeDirectoryEndpointUrl": "https://login.microsoftonline.com", "resourceManagerEndpointUrl": "https://management.azure.com/", "activeDirectoryGraphResourceId": "https://graph.windows.net/", "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/", "galleryEndpointUrl": "https://gallery.azure.com/", "managementEndpointUrl": "https://management.core.windows.net/" }Copy the JSON output, which is your secret key, and paste it into theService Keyfield for your Azure credentials in Prisma Cloud Console.Scanning Google Cloud FunctionsTo scan Google Cloud Functions, you must create an appropriate credential to authenticate with GCP. The service account should include the following custom permissions:cloudfunctions.functions.sourceCodeGet cloudfunctions.functions.get cloudfunctions.functions.list cloudfunctions.locations.get cloudfunctions.locations.list cloudfunctions.operations.get cloudfunctions.operations.list cloudfunctions.runtimes.listPrisma Cloud currently supports scanning functions that are packaged with local depenendencies.Scanning functions at build time with twistcliYou can also use the twistcli command line utility to scan your serverless functions. First download your serverless function as a ZIP file, then run:$ twistcli serverless scan <SERVERLESS_FUNCTION.ZIP>To view scan reports in Console, go toMonitor > Vulnerabilities > Functions > CIorMonitor > Compliance > Functions > CI.Twistcli Options
- Required. Complete URI for Console, including the protocol and port. Only the HTTPS protocol is supported. By default, Console listens to HTTPS on port 8083, although your administrator can configure Console to listen on a different port.Example: --address https://console.example.com:8083
- Username to access Console. If not provided, the TWISTLOCK_USER environment variable will be used if defined, or "admin" is used as the default.
- --Password for the user specified with -u, --user. If not specified on the command-line, the TWISTLOCK_PASSWORD environment variable will be used if defined, or otherwise will prompt for the user’s password before the scan runs.
- Interface with a specific supervisor Console to retrieve policy and publish results.Example: --project "Tenant Console"
- --Show all vulnerability details.
- --Path to Prisma Cloud CA certificate file. If no CA certificate is specified, the connection to Console is insecure.
- Include javascript package dependencies.
- Token to use for Prisma Cloud Console authentication. Tokens can be retrieved from the API endpoint api/v1/authenticate or from theManage > Authenticate > User Certificatespage in Console.
- Path to the CloudFormation template file in JSON or YAML format. Prisma Cloud scans the function source code for AWS service APIs being used, compares the APIs being used to the function permissions, and reports when functions have permissions for APIs they don’t need.
- --Function name to be used in policy detection and Console results. When creating policy rules in Console, you can target specific rules to specific functions by function name. If this field is left unspecified, the function zip file name is used.
- Report APIs used by the function
- --Publish the scan result to the Console. True by default.