Add Azure Pipelines to Prisma Cloud Code Security

Integrating Prisma Cloud with your Azure Pipeline allows you to scan your infrastructure as code (IaC) and code repositories as a part of your CI/CD workflows, and provides reporting and tracking on the Prisma Cloud administrative console. As a prerequisite, make sure you have your Prisma Access Key and Prisma Secret Key available.
  1. In Azure DevOps, create a new pipeline or select an existing pipeline and select edit. This will open an editor for the azure-pipelines.yml configuration file.
  2. Add the following steps to your pipeline jobs or stages (depending on your existing configuration)
    - task: UsePythonVersion@0 inputs: versionSpec: '3.8' displayName: 'Install Python 3.8' - script: pip install checkov displayName: 'Install Checkov' - script: checkov -d <directory> --bc-api-key <prisma_access_key>::<prisma_secret_key> --repo-id <org/repo> --branch <branch> displayName: 'Scan with Prisma Cloud' env: PRISMA_API_URL: <prisma_stack_api>
    This includes the following arguments:
    • <directory> - the directory of the repository you wish to scan.
    • <prisma_access_key>::<prisma_secret_key> - a combination of your Prisma Access Key and Prisma Secret Key. These are best stored in a vault.
    • <org/repo> - your VCS organization name and repository name.
    • <branch> - the branch you are scanning.
    • <prisma_stack_api> - the API URL for your Prisma Cloud stack. The list of URLs can be found here.
      Use the --soft-fail option to scan the build for errors without failing the job or stage.
      Additional settings are available to be added to the scan.
      Results are surfaced both in the pipeline logs and on the Prisma Cloud console.
      See the following example of a pipeline enabled for the Prisma Cloud Code Security scan.
      trigger: - main pr: - main pool: vmImage: ubuntu-latest steps: - task: AzureKeyVault@2 inputs: azureSubscription: 'pipeline-connection' keyVaultName: 'ts-pipeline-vault' secretsFilter: '*' runAsPreJob: false - task: UsePythonVersion@0 inputs: versionSpec: '3.8' displayName: 'Install Python 3.8' - script: pip install checkov displayName: 'Install Checkov' - script: checkov -d . --bc-api-key $(prisma-access-key)::$(prisma-secret-key) --repo-id prismaiac/bicepgoat --branch main displayName: 'Scan with Prisma Cloud' env: PRISMA_API_URL: https://api.prismacloud.io

Recommended For You