Connect VScode with Prisma Cloud Code Security
Integrating VScode (Visual Studio Code) with Prisma Cloud Code Security makes it possible for you to identify misconfigurations before you commit your code, and avoid pull requests that can potentially fail builds due to undetected misconfigurations. Using Checkov, a code analysis tool that scans Infrastructure-as-code (IaC) files from frameworks such as Terraform_plan, CloudFormation, Azure Resource Manager (ARM), Secrets, Serverless, Dockerfile (only code), and Kubernetes on VScode (Visual Studio Code) gives you immediate detection of misconfigurations and inline code fixes.
Apart from the scanning the default Prisma Cloud policies, Checkov also scans for policy violations in custom policies that you can configure during custom build-time checks.
As a prerequisite you are required to add the Prisma Cloud IP addresses and hostname for Code Security to an allow list, to enable access to the Prisma Cloud Console.
- Verify the pre-requisites.For VScode (Visual Studio Code), get the details for enabling authentication to Prisma Cloud.
- Access Key.The access key enables access to Prisma Cloud. If you do not have the access key, refer to generate access key.
- Secret Key.The secret key generates with your access key. Save your secret key when you generate it, as you cannot view it again on Prima Cloud.
- Python Installation.Checkov needs Python to run, install Python version 3.7 or above. If you have a versatile working environment of both pip and virtual environment install Pipenv or Docker.
- Prisma Cloud API URL.When you configure Checkov plugin to VScode (Visual Studio Code) you need Prisma Cloud API URL. The URL for Prisma Cloud varies depending on the region and cluster on which your tenant is deployed. The tenant provisioned for you is, for example, https://app2.prismacloud.io or https://app.eu.prismacloud.io. For Prisma Cloud API URL, replaceappin the URL withapi.
- Access VScode (Visual Studio Code) on Prisma Cloud Code Security.
- SelectSettings > Repositories > Add Repositories.
- SelectVScode.
You will be directed to Visual Studio Code Marketplace.
- Install and Enable Checkov on VScode.
- SelectInstall > Continue > Open Visual Studio Codeand then selectInstallto install Checkov Extension on VScode (Visual Studio Code).
You can optionally choose to access VScode (Visual Studio Code) directly from your system and access Checkov plugin fromExtensionsand then search for the Checkov plugin to install.
- Configure Checkov plugin on VScode (Visual Studio Code).
- SelectExtension > Extension Settings.
- Add your Prisma Cloud application API forCheckov:Prisma URLfor example .
- Add your Prisma Cloud access key and secret key as"Access Key::Secret Key"forCheckov:Token.
You can optionally choose to add a custom CA-Certificate and enter the certificate path to configure forCheckov:Certificate. Ensure your CA-Certificate is in ".pem" format.
A Checkov scan runs each time you access a file on VScode (Visual Studio Code).
- Fix scanned files for policy misconfiguration in build-time checks.
- Select a file. Checkov runs an immediate scan on the file.
- View the highlighted policy misconfiguration inline.
- SelectQuick Fixto fix the misconfiguration inline.You can optionally selectView Problemto know more about the misconfiguration.
Each misconfiguration has details on the policy violation and guidelines to fix the policy. See here to know more about each of misconfigurations in all supported environments. For custom policy and out-of-the-box misconfigurations you can access the Prisma Cloud Administrator console to know more.
Troubleshoot Logs
In case of a Checkov scan fail, you can access Checkov logs to know see more details.
- Access VScode (Visual Studio Code)Command Paletteor enterCtrl + Shift + Pfor Windows orCmd + Shift + Pfor Mac and then run commandDeveloper: Open Extensions Logs Folder.
- AccessBridgecrew.checkov > checkov.logto see the log details.
