Prisma Cloud Application Security Administrator's Guide
    : Add Checkov to Prisma Cloud Application Security
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Application Security Administrator's Guide
    5. Get Started with Prisma Cloud Application Security
    6. Connect Code & Build Providers
    7. CI/CD Runs
    8. Add Checkov to Prisma Cloud Application Security
    Download PDF

    Prisma Cloud Application Security Administrator's Guide

    Add Checkov to Prisma Cloud Application Security

    Table of Contents

    Add Checkov to Prisma Cloud Application Security

    Integrating Prisma Cloud with Checkov makes it possible for Prisma Cloud Application Security to scan your infrastructure as code files like Terraform and CloudFormation, display errors on the console while causing the build to fail in case of any identified misconfigurations. To know more see Checkov. As a prerequisite, ensure Prisma Cloud IP addresses are on the allow list for Application Security. For more details see enable access to the Prisma Cloud IP addresses and hosts.
    1. Install Checkov using CLI that Prima Cloud console provides.
      1. Select
        Settings > Repositories > Add repository
         and then select
        Checkov
        .
      2. Select a program to install Checkov and then copy the command to your Command Line to run a Checkov installation.
        You can choose between Python (pip), Python3 (pip3) and Homebrew (if you are on Mac OS). For additional alternatives to install Checkov, see here.
        Checkov requires Python version 3.8 - 3.10.
      3. Select
        Next
        .
    2. Configure directory and repository for scan.
      1. Add
        Directory
         and
        Repository ID
         to scan and then select
        Next
        .
        Optionally, you can choose to add a specific
        Branch
         of a repository that hosts the directory. If a branch is not specified, then Application Security scans the master branch of the repository.
    3. Trigger a Checkov run from the CLI.
      1. Copy and paste the command to your command line and trigger a Checkov run, and then select
        Done
        .
        Your configured Checkov repositories will appear on the
        Repositories
         in
        CI/CD Systems
         view.
        On your next Checkov scan, view the scan results on
        Application Security > Projects
         in
        CI/CD Runs
         view.

    General Patterns for Using Checkov

    When using Checkov in a pipeline or locally, here are some useful commands to get started.
    Command
    Description
    Specifies the directory or files to be scanned.
    An environment variable to indicate the API URL for your stack. See here for the URL or in the Checkov wizard.
    An environment variable for your Prisma Cloud credentials.
    For more Checkov CLI commands, see CLI reference.
    In this example you see the Checkov configuration to scan the root directory, synchronize results with the tenant in the App2 stack, repository ID org/repo --repo-id org/repo using Enforcement to set the thresholds.
    export PRISMA_API_URL=https://api2.prismacloud.io
export BC_API_KEY=prismaaccesskey::prismasecretkey
checkov -d . --repo-id org/repo --use-enforcement-rules
    For Windows, use:
    set PRISMA_API_URL=https://api2.prismacloud.io
set BC_API_KEY=prismaaccesskey::prismasecretkey
checkov -d . --repo-id org/repo --use-enforcement-rules

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.