Add Azure Repos to Prisma Cloud Application Security
Integrating Azure Repos enables Prisma Cloud to scan your Infrastructure-as-Code (IaC) files (such as Terraform and CloudFormation), open source packages, licenses and CI/CD systems for misconfigurations, vulnerabilities, exposed secrets, license non-compliance and CI/CD system issues.
The integration uses OAuth tokens, which lets you integrate multiple Azure Repos organizations on the Prisma Cloud console. Enable OAuth tokens on Azure Repos to configure multiple organizations from either the same Azure Repos account or a different one.
As a prerequisite, add the Prisma Cloud IP addresses and hostname for Application Security to an allow list. For instructions, see Enable Access to the Prisma Cloud Console.
- Verify prerequisites. To integrate Azure Repos with Prisma Cloud Application Security, ensure that you have access to the Azure DevOps console for authorization and that third-party application access via OAuth is enabled.
  - Authorization access. Access to the Azure DevOps console allows you to grant Prisma Cloud authorization during integration, enabling it to access the organizations and repositories associated with your user token.
  - Third-party application access via OAuth. To configure the integration, either for a single organization or for multiple organizations using a single user token, you must enable third-party application access via OAuth in the Azure DevOps console. Third-party application access via OAuth gives Prisma Cloud access to all organizations associated with your user token.
  - Do not limit authorization scope. To ensure that Prisma Cloud has access to repositories, ensure that Limit job authorization scope to current project for non-release pipelines is set to OFF. You can configure this setting under Project Settings > Settings > General. This setting governs how far the pipeline job access token can reach across the organization's projects, so review the change with your Azure DevOps administrators.
- Access Azure Repos on Prisma Cloud Application Security.
  - Select Settings > Code & Build Providers > Add.
  - Select Azure Repos from Code Repositories.
- Configure an Azure Repos account with the Prisma Cloud console.
  - Select Authorize to configure an Azure Repos account for a Single Organization. Optionally, select Multiple Organization and then Authorize to set up an Azure Repos account that covers multiple organizations. If you have an existing Azure Repos integration, you can continue with a new organization configuration or choose Skip to select repositories for a security scan. To skip authorization, you must already have an existing integration.
  - Access the Azure DevOps console and then select Accept to authorize the Prisma Cloud console to access your organization account and repositories. For an existing Azure Repos integration, you can also opt to Reselect repositories to modify the existing configuration, or Revoke OAuth User Token to edit the user token and its associated repositories from the Prisma Cloud console. These options are available for both single organization and multiple organization configurations. Successful authorization on the Azure DevOps console redirects you to the Prisma Cloud console.
- Enable the CI/CD Security Module (optional) to protect the CI/CD systems in your Azure Repos environment.
  - Provide your User Name. To retrieve your user name, access your Azure organization and then select User settings > Profile.
  - In Azure, generate a Personal Access Token (PAT) and make a copy for safekeeping. When creating the new token, use these values:
    - Set an Expiration date. Under Organization, select All accessible organizations.
    - Scope the authorization access for the token to the following:
      - Agent Pools (Read)
      - Analytics (Read)
      - Auditing (Read Audit Log)
      - Member Entitlement Management (Read)
      - Pull Request Threads (Read & write)
      - Service Connections (Read)
      - Tokens (Read & manage)
      - Variable Groups (Read)
  - In the Prisma Cloud console, add the generated PAT under App Password and then select Next.
- Select repositories for scanning.
  - Select a configured OAuth user token to view the associated repositories for a security scan. A user token is always enabled by default. You can also configure additional user tokens by selecting a specific one. Do not use the personal access token generated for the CI/CD security integration; use the configured tokens displayed on Configure Account.
  - Define the repositories to be scanned from the available options:
    - Permit all existing repositories: Enables Prisma Cloud to scan all existing repositories that are associated with the selected token.
    - Permit all existing and future repositories: Enables Prisma Cloud to scan all existing repositories and any new repositories that are subsequently associated with the token.
    - Choose from repository list: Enables you to select specific repositories for scanning. A single repository may be shared across one or more user tokens; in this case, any change made to a shared repository scan applies to all associated user tokens.
  - Select Next to confirm the repository selection and save the changes.
  - Select Done in the New integration successfully configured screen.
- Verify that the Azure Repos integration with Prisma Cloud is successful.
  - Select Settings > Code & Build Providers.
  - Verify that the Azure Repos integration is displayed in the VCS User Token column. You may have to wait for up to three minutes before the status of the integration is updated and displayed. On Code & Build Providers, you can also manage the integration by reselecting repositories and by deleting repositories or the integration.
    - Reselect repositories: Enables you to access the list of repositories for a scan.
    - Delete repository: Enables you to remove repositories from the scan for the account.
    - Manage VCS user tokens: Enables you to integrate one or more Azure Repos accounts. You cannot delete the integration from Repositories for an account integration that supports multiple user tokens.
  - After an application security scan, access Application Security > Projects to view the latest scan results for the integrated Azure Repos repositories and to Suppress or Fix the policy misconfigurations.
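Before choosing Permit all existing repositories or Permit all existing and future repositories, it is worth inventorying what a token actually reaches in the organization. The following is an added example, not Prisma Cloud's or Azure's own code: it queries the Azure DevOps REST API repositories endpoint with a PAT passed in the AZDO_PAT environment variable (a read-scoped token you create for this check, not the CI/CD PAT above); the variable name, the organization argument and the embedded sample response are assumptions.

```python
"""Inventory the repositories an Azure DevOps token can see (added example).

Assumes: GET https://dev.azure.com/{org}/_apis/git/repositories?api-version=7.0
and a PAT in the AZDO_PAT environment variable (both names are ours).
Run: python azdo_repo_inventory.py <organization>; with no argument it
summarizes the constructed SAMPLE_RESPONSE below instead of calling the API.
"""
import base64
import json
import os
import sys
import urllib.request

API_VERSION = "7.0"


def auth_header(pat: str) -> dict:
    """Azure DevOps accepts a PAT as HTTP Basic auth with an empty user name."""
    token = base64.b64encode(f":{pat}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def summarize_repositories(payload: dict) -> list:
    """Reduce the API envelope to sorted (project, repository, disabled) rows."""
    rows = []
    for repo in payload.get("value", []):
        rows.append((repo["project"]["name"], repo["name"], bool(repo.get("isDisabled", False))))
    return sorted(rows)


def list_repositories(organization: str, pat: str) -> list:
    """Fetch every repository the token can read in one organization."""
    url = f"https://dev.azure.com/{organization}/_apis/git/repositories?api-version={API_VERSION}"
    req = urllib.request.Request(url, headers=auth_header(pat))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return summarize_repositories(json.load(resp))


# Constructed sample shaped like the API's "count"/"value" envelope.
SAMPLE_RESPONSE = {
    "count": 2,
    "value": [
        {"name": "infra-live", "project": {"name": "Platform"}, "isDisabled": False},
        {"name": "legacy-app", "project": {"name": "Apps"}, "isDisabled": True},
    ],
}

if __name__ == "__main__":
    org = sys.argv[1] if len(sys.argv) > 1 else None
    pat = os.environ.get("AZDO_PAT")
    rows = list_repositories(org, pat) if org and pat else summarize_repositories(SAMPLE_RESPONSE)
    for project, name, disabled in rows:
        print(f"{project}/{name}{'  (disabled)' if disabled else ''}")
```

Compare the printed inventory against the repositories you expect Prisma Cloud to scan; disabled repositories still appear in the API response, so decide explicitly whether they belong in the selection.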