Prisma Cloud Application Security Administrator's Guide
    : Code Repositories and Policy Management
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Application Security Administrator's Guide
    5. Get Started with Prisma Cloud Application Security
    6. Code Repositories and Policy Management
    Download PDF

    Prisma Cloud Application Security Administrator's Guide

    Code Repositories and Policy Management

    Table of Contents

    Code Repositories and Policy Management

    Prisma Cloud includes out-of-the-box policies that enable you to detect misconfigurations and provide automated fixes for security issues seen across your integrated code repositories and pipelines. On
    Policies
     you can review the list of configuration policies including custom policies using the subtype filter of
    Build
    .
    You can create custom build policies for the following formats:
    • Terraform
       - Policies written using Terraform attributes will apply for Terraform (.tf and plan files).
    • CloudFormation
       - Policies written using CloudFormation attributes will apply for CloudFormation, AWS Serverless Application Model (SAM), and Cloud Development Kit (CDK).
    In addition, Prisma Cloud also supports identification of custom secrets that you can define using regular expression patterns. While defining the regular expression patterns consider the following parameters:
    • You must ensure the RegEx pattern meets standard regular expression formatting standards.
    • Criteria to consider when defining RegEx pattern.
    • You can define up to 5 RegEx patterns per policy.

    Add a New Custom Policy for Build-Time Checks

    If you have custom requirements or want to define guardrails for your specific security or compliance needs, you have the flexibility to add new custom policies for your already existing repositories. As soon as you add Code & Build Providers both the out-of-the-box policies and custom policies are used to scan for potential issues.
    1. Create a custom configuration policy for build-time checks.
      1. Select
        Policies > Add Policy > Config
        .
      2. Add
        Policy Name
        .
        Optionally, you can add a
        Description
        . The description can include an overview of the error, prevention information and fix information in case of a policy error.
      3. Select
        Build
        .
        You can choose to only select
        Build
         or continue with the both
        Run
         and
        Build
         subtypes. However, the following steps are only for Build subtype.
        To create a customize Run policies see Create a Custom Policy on Prisma Cloud
      4. Select
        Severity
         for the policy.
        Prisma Cloud supports five levels of policy severity-
        Critical, High, Medium, Low and Informational
        .
        A policy severity helps define the impact of policy configuration on your environment, while helping you filter the misconfigurations after a scan on
        Application Security > Projects
        .
        Optionally, you can add
        Labels
         to the policy.
        In this example, you see a custom build policy for S3 Bucket ACL where log delivery is not recommended with the relevant policy details.
      5. Select
        Next
        .
    2. Create a rule for custom configuration policy.
      In a custom configuration policy rule, you can define criteria to check the configuration for both run-time and build-time, that is for Run and Build policy subtypes; in the following steps you will create a policy rule for only build rule. To create a custom build policy rule you can choose between Code Editor and Visual Editor.
      • Code Editor is the default view for Build policy rule and as an example YAML policy template is always available with guidelines on the console. You can choose this editor to create a custom policy rule using YAML policy templates.
      • You can choose this editor to create a quick custom policy rule that supports creation of attribute checks without a Connection State and a support of AND/OR logic. You will use the existing fields on the console that are mostly auto-populated based on your selection.
    3. Add Compliance Standards for the Build policy.
      1. Select
        Standard, Requirement
         and
        Sections
        .
        • Standard
           is the default compliance standard that is listed on the Prisma Cloud console.
        • Requirement
           is influenced by the selection of the compliance standard.
        • Section
           of may or may not be influenced by the compliance standard.
      2. Select
        Next
        .
    4. Remediation for Build policy.
      Currently remediation recommendation for custom build policies is not available.
    5. Submit your custom policy.
      After you save the custom build policy, on the next scan, the onboarded resources are scanned against the new policy. The scan results display on the
      Application Security > Projects
       where you can identify the resources that failed the check and triggered a policy violation.
      For custom secrets, policies are automatically disabled if there are more than 150 findings per repository. You can edit the policy on
      Application Security > Projects
      .

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.