Table of Contents
CI/CD Risks
CI/CD Risks
are a set of predefined rules that aim to identify vulnerabilities in the CI/CD pipeline by analyzing the security settings and configurations of various systems, as well as their inter-connectivity. The risks are classified based on different security categories, including attack vectors, misconfigurations, and bad practices found throughout the CI/CD pipeline.To access CI/CD Risks, select
Application Security
> CI/CD Risks
.
The CI/CD Risks page includes the following components:
- Filters: Narrow a search for a CI/CD risk by using filters
- Dashboard: Displays charts representing a visual display of CI/CD risks by system and category
- CI/CD risk inventory: A list of all risks detected in your CI/CD pipelines
Filters
The following filters allow you to narrow a search:
- Severity: Filter CI/CD risks by severity. Values: 'Critical', 'High', 'Medium', 'Low', 'Informative'
- Risk: Filter by CI/CD risk detected in the organization pipelines
- System: Filter CI/CD risks by the type of technologies found in the system, such as SCMs, CI, container registry and so on.The System filter only displays technologies where CI/CD risks have been detected.
- Category: Filter pipeline risks by system-based categories detected in the organizationBy default, Prisma Cloud assigns a category to a risk. The category cannot be modified.
- Status: Filter CI/CD risks by status. Values: 'Open', 'Suppressed'' and 'Fixed' '.The 'Fixed' or 'Suppressed' filters only display CI/CD risks whenALLinstances of the risk are fixed or suppressed.
Dashboard
The Dashboard provides a visual display of CI/CD risks by system and category. When you select a data value on a graph, such as a system in the 'Risks by System' chart, both the graphs and the risk inventory will be filtered to show the relevant results.
CI/CD Risk Inventory Details
The CI/CD risk inventory includes the following details.
- Risk Name: The name of the CI/CD risk
- Severity: The severity of the CI/CD risk indicated by a color. Values: 'Critical', 'High', 'Medium', 'Low' and 'Informative'.CI/CD risk severity levels are set by Prisma Cloud.
- System: The system (such as GitHub, Jenkins and so on) containing the CI/CD risk
- CI/CD Category: The risk category that the CI/CD risk is assigned to, allowing organizations to focus efforts to secure their CI/CD ecosystem. Includes a link to the Top 10 Security Risks.For more on CI/CD risk categories refer to OWASP Top 10 CI/CD Security Risks.
- Open Events: The number of open events detected in the CI/CD pipeline out of the total amount of events. See below for more on open events.An 'event' is a particular instance of a CI/CD risk.
EXAMPLE: If the CI/CD risk: 'Possible command injection attack using crafted Issue user event on [REPO_NAME] by [USER]' (details protected by confidentiality) is detected in your GitLab account, it is considered a single event or instance of the 'Possible command injection detected in user event' risk.
- Last Event: The latest instance of the CI/CD risk detected in your environment
Selecting a CI/CD risk in the inventory opens the resource explorer, displaying additional information about the selected risk.
- TheDetailstab opens as the default view, displaying metadata about the CI/CD risk, including an image view of the location of the risk in the delivery chain, the severity and status of the CI/CD risk events (the number of open, closed or suppressed instances of the risk with a link for more information), the system and category in which they were detected, when last calculated, a detailed description, SuggestedFix and additional data
- TheOpen Eventstab provides additional information about open events, including the name and description of the event, when detected, and the kill chain graph, which is displayed when selecting on the icon underActions. See Kill Chain Graph below for more.
- TheSuppressed Eventstab provides additional information about suppressed events, including an option to unsuppress an event. See Suppress Events below for more on suppressing events
The
Fixed Events
tab provides additional information about fixed events
Kill Chain Graph
The Kill Chain graph visualizes the stages of a cyber attack on the CI/CD pipeline, from the initial reconnaissance phase to the final objective of the attack, resulting from multiple misconfigurations across various systems. The graph is used to illustrate the various steps that an attacker takes to penetrate the pipeline, and can help to identify potential vulnerabilities in the pipeline.
The Kill Chain Graph currently supports the "Direct Poisoned Pipeline Execution" and "Direct Poisoned Pipeline Execution by external collaborators'' CI/CD security risk category. For more on CI/CD security risks categories, see https://owasp.org/www-project-top-10-ci-cd-security-risks/.
To view the kill chain graph for a risk, select
CI/CD Risks
> click the relevant risk from the inventory table > Open Events
> select the graph icon under Actions
.
The Kill Chain graph for the selected event or instance of the risk is displayed.
The Kill Chain graph includes nodes and edges, which describes the connections between them. Clicking on a node or edge opens the context explorer, providing further details.
For more actions that you can take on the graph refer to Application Graph.
Suggested Fixes for CI/CD Risks
Prisma Cloud provides suggested solutions to fix instances of CI/CD risks detected in your system: Select a risk from the inventory > scroll down to
Steps to Solve
in the Details
tab.
Suppress Events
An 'event' represents a particular instance of a CI/CD risk. By suppressing an event, you intentionally choose not to actively address the event. This can be useful if the error is known and does not require immediate attention or if the error is expected and does not impact the functionality or stability of the system in which it was detected.
To suppress events, select a risk from the inventory table > choose the required events under the
Open Events
tab of the resource explorer > Suppress
. The selected events will be removed and displayed under the Suppressed Events
tab.
Risks that have all events suppressed can be located by filtering using the
Suppressed
option in the Status
filter.Unsuppress Risk Events
Unsuppress an event or multiple events in order to take action on it when the event requires attentions.
To unsuppress an event, select the risk from the inventory table > choose the required events under the
Suppressed Events
tab > Unsuppress
. The status of the selected events will be restored as 'Open', and will be displayed under the Open Events
tab.Disable Policies
Disable policies to exclude calculating policies (risks) during a scan in order to reduce overall scan time, to prevent unnecessary policies being scanned, and to help reduce false positives.
In the Prisma Cloud console, select
Policies
> Add Filter
> Policy subtype
> Build
.
Select a policy from Config
under Policy Type in the inventory table > toggle the Status
button OFF
.For more on disabling policies, see Prisma Cloud documentation.
Export CI/CD Risk Data
You can export all CI/CD risk data or the data relating to an open, suppressed or fixed event, as a CSV file:
- To export all CI/CD risk data: select theDownloadicon found on the top right of the CI/CD risk inventory
- To export open, suppressed or fixed event data: select theDownloadicon found in a corresponding tab when selecting a risk in the inventory table
The generated data will include filtered data only when applying filters.