Table of Contents

CI/CD Risks

CI/CD Risks
are a set of predefined rules that aim to identify vulnerabilities in the CI/CD pipeline by analyzing the security settings and configurations of various systems, as well as their inter-connectivity. The risks are classified based on different security categories, including attack vectors, misconfigurations, and bad practices found throughout the CI/CD pipeline.
To access CI/CD Risks, select
Application Security
CI/CD Risks
The CI/CD Risks page includes the following components:
  • Filters
    : Narrow a search for a CI/CD risk by using filters
  • Dashboard
    : Displays charts representing a visual display of CI/CD risks by system and category
  • CI/CD risk inventory
    : A list of all risks detected in your CI/CD pipelines


The following filters allow you to narrow a search:
  • Severity
    : Filter CI/CD risks by severity. Values: 'Critical', 'High', 'Medium', 'Low', 'Informative'
  • Risk
    : Filter by CI/CD risk detected in the organization pipelines
  • System
    : Filter CI/CD risks by the type of technologies found in the system, such as SCMs, CI, container registry and so on.
    The System filter only displays technologies where CI/CD risks have been detected.
  • Category
    : Filter pipeline risks by system-based categories detected in the organization
    By default, Prisma Cloud assigns a category to a risk. The category cannot be modified.
  • Status
    : Filter CI/CD risks by status. Values: 'Open', 'Suppressed'' and 'Fixed' '.
    The 'Fixed' or 'Suppressed' filters only display CI/CD risks when
    instances of the risk are fixed or suppressed.


The Dashboard provides a visual display of CI/CD risks by system and category. When you select a data value on a graph, such as a system in the 'Risks by System' chart, both the graphs and the risk inventory will be filtered to show the relevant results.

CI/CD Risk Inventory Details

The CI/CD risk inventory includes the following details.
  • Risk Name
    : The name of the CI/CD risk
  • Severity
    : The severity of the CI/CD risk indicated by a color. Values: 'Critical', 'High', 'Medium', 'Low' and 'Informative'.
    CI/CD risk severity levels are set by Prisma Cloud.
  • System
    : The system (such as GitHub, Jenkins and so on) containing the CI/CD risk
  • CI/CD Category
    : The risk category that the CI/CD risk is assigned to, allowing organizations to focus efforts to secure their CI/CD ecosystem. Includes a link to the Top 10 Security Risks.
    For more on CI/CD risk categories refer to OWASP Top 10 CI/CD Security Risks.
  • Open Events
    : The number of open events detected in the CI/CD pipeline out of the total amount of events. See below for more on open events.
    An 'event' is a particular instance of a CI/CD risk.
EXAMPLE: If the CI/CD risk: 'Possible command injection attack using crafted Issue user event on [REPO_NAME] by [USER]' (details protected by confidentiality) is detected in your GitLab account, it is considered a single event or instance of the 'Possible command injection detected in user event' risk.
  • Last Event
    : The latest instance of the CI/CD risk detected in your environment
Selecting a CI/CD risk in the inventory opens the resource explorer, displaying additional information about the selected risk.
  • The
    tab opens as the default view, displaying metadata about the CI/CD risk, including an image view of the location of the risk in the delivery chain, the severity and status of the CI/CD risk events (the number of open, closed or suppressed instances of the risk with a link for more information), the system and category in which they were detected, when last calculated, a detailed description, SuggestedFix and additional data
  • The
    Open Events
    tab provides additional information about open events, including the name and description of the event, when detected, and the kill chain graph, which is displayed when selecting on the icon under
    . See Kill Chain Graph below for more.
  • The
    Suppressed Events
    tab provides additional information about suppressed events, including an option to unsuppress an event. See Suppress Events below for more on suppressing events
Fixed Events
tab provides additional information about fixed events

Kill Chain Graph

The Kill Chain graph visualizes the stages of a cyber attack on the CI/CD pipeline, from the initial reconnaissance phase to the final objective of the attack, resulting from multiple misconfigurations across various systems. The graph is used to illustrate the various steps that an attacker takes to penetrate the pipeline, and can help to identify potential vulnerabilities in the pipeline.
The Kill Chain Graph currently supports the "Direct Poisoned Pipeline Execution" and "Direct Poisoned Pipeline Execution by external collaborators'' CI/CD security risk category. For more on CI/CD security risks categories, see
To view the kill chain graph for a risk, select
CI/CD Risks
> click the relevant risk from the inventory table >
Open Events
> select the graph icon under
The Kill Chain graph for the selected event or instance of the risk is displayed.
The Kill Chain graph includes nodes and edges, which describes the connections between them. Clicking on a node or edge opens the context explorer, providing further details.
For more actions that you can take on the graph refer to Application Graph.

Suggested Fixes for CI/CD Risks

Prisma Cloud provides suggested solutions to fix instances of CI/CD risks detected in your system: Select a risk from the inventory > scroll down to
Steps to Solve
in the

Suppress Events

An 'event' represents a particular instance of a CI/CD risk. By suppressing an event, you intentionally choose not to actively address the event. This can be useful if the error is known and does not require immediate attention or if the error is expected and does not impact the functionality or stability of the system in which it was detected.
To suppress events, select a risk from the inventory table > choose the required events under the
Open Events
tab of the resource explorer >
. The selected events will be removed and displayed under the
Suppressed Events
Risks that have all events suppressed can be located by filtering using the
option in the

Unsuppress Risk Events

Unsuppress an event or multiple events in order to take action on it when the event requires attentions.
To unsuppress an event, select the risk from the inventory table > choose the required events under the
Suppressed Events
tab >
. The status of the selected events will be restored as 'Open', and will be displayed under the
Open Events

Disable Policies

Disable policies to exclude calculating policies (risks) during a scan in order to reduce overall scan time, to prevent unnecessary policies being scanned, and to help reduce false positives.
In the Prisma Cloud console, select
Add Filter
Policy subtype
. Select a policy from
under Policy Type in the inventory table > toggle the
For more on disabling policies, see Prisma Cloud documentation.

Export CI/CD Risk Data

You can export all CI/CD risk data or the data relating to an open, suppressed or fixed event, as a CSV file:
  • To export all CI/CD risk data: select the
    icon found on the top right of the CI/CD risk inventory
  • To export open, suppressed or fixed event data: select the
    icon found in a corresponding tab when selecting a risk in the inventory table
The generated data will include filtered data only when applying filters.

Recommended For You