Prisma Cloud Enterprise Edition
Enforcement
Enforcement enables you to configure code review scan parameters for your repositories and to customize how violations are reported, as failures or as comments. The Prisma Cloud console ships with default parameters, based on best practices, for each code category scanned in your repositories. Using Enforcement you can adjust these defaults so that you receive violation notifications only for critical issues, which reduces unnecessary noise while keeping development secure.
Enforcement configurations scan every commit to your repository and suggest fixes if a violation is detected. This is in addition to the scan that Prisma Cloud periodically performs on your repositories, whose results are accessible under Projects.
Each code category has a predefined severity threshold for each of three run rules, which determine the outcome of a scan:
- Hard Fail: the repository scan result is a failure when Prisma Cloud detects a violation or a vulnerability at or above the threshold.
- Soft Fail: the repository scan result is a pass, and a notification appears on the console, when Prisma Cloud detects a violation or a vulnerability at or above the threshold.
- Comment bot: the repository scan result displays the issues, with fix suggestions, as comments on pull requests in your VCS (Version Control System).
Prisma Cloud scans multiple code categories to identify the vulnerabilities and violations unique to each category. See the following table for details.
Code Category | Description |
---|---|
Vulnerabilities | Vulnerabilities found in open source packages. |
Licenses | License compliance issues found in open source packages and container images. |
Infrastructure as Code (IaC) | Misconfiguration issues found in IaC files (relevant for users who provision and manage their infrastructure via code). |
Build Integrity | Misconfigurations in pipelines and VCS platforms integrated with Prisma Cloud, found in branch and CI/CD pipelines configuration files. |
Secrets | Secret leaks across code files that might hinder access to information, services or assets. |
The following table shows the default severity threshold for each run rule in each code category; the default enforcement result is the run rule whose threshold the detected severity meets.
Code Category | Run Rule | Info | Low | Medium | High | Critical |
---|---|---|---|---|---|---|
Vulnerabilities | Hard Fail | | | | | |
 | Soft Fail | | | | | |
 | Comments Bot | | | | | |
Licenses | Hard Fail | | | | | |
 | Soft Fail | | | | | |
 | Comments Bot | | | | | |
IaC | Hard Fail | | | | | |
 | Soft Fail | | | | | |
 | Comments Bot | | | | | |
Build Integrity | Hard Fail | | | | | |
 | Soft Fail | | | | | |
 | Comments Bot | | | | | |
Secrets | Hard Fail | | | | | |
 | Soft Fail | | | | | |
 | Comments Bot | | | | | |
You can manage Enforcement scan results by modifying the default configuration, adding an exception configuration, turning a run rule off for a code category, and reviewing failed scans or fix suggestions for a vulnerability in your VCS (Version Control System).
See Prisma Cloud Administrator Permissions to learn more about the user roles and permissions required to configure Enforcement.
- You can modify the default parameters for each code category and set up a new default. However, each time the default configuration is modified, the new parameters apply across all repositories on the Prisma Cloud console. The Soft Fail threshold for any code category must be lower than its Hard Fail threshold.
- You can add an exception configuration for each code category that applies only to selected repositories you have access to. The exception configuration runs in addition to the default enforcement configuration.
- You can prevent an enforcement configuration from running a scan for one or more run rules in a code category. The parameter that turns off a scan for a code category can be added to either the default configuration or an exception configuration. Turning a run rule off for a code category means no code review scan is run for that rule.
- For every failed scan result you can view the latest Pull Request (PR) of your repository from within the Prisma Cloud console. Currently, reviewing violation fix suggestions and viewing failed Pull Request (PR) scans is supported only for GitHub repositories. From the Prisma Cloud console you can directly access your repositories on GitHub and remediate the issues through a Pull Request (PR).
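The run rules, the Soft Fail/Hard Fail ordering constraint, per-repository exceptions and the Off setting described above can be modelled as a small threshold evaluator. The following Python is an added example, not Prisma Cloud code and not its API; the severity order is taken from the table columns, and the way an exception "runs in addition to" the default (the exception decides the categories it sets, the default covers the rest), the configuration values, the repository names and the check identifiers are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Severity scale from lowest to highest; the order follows the page's table columns.
SEVERITIES = ("Info", "Low", "Medium", "High", "Critical")
RANK = {name: i for i, name in enumerate(SEVERITIES)}


@dataclass
class RunRules:
    """Minimum severity that triggers each run rule for one code category.
    None models the console's Off setting: that run rule produces no result."""
    hard_fail: Optional[str] = None
    soft_fail: Optional[str] = None
    comment_bot: Optional[str] = None

    def validate(self) -> None:
        for value in (self.hard_fail, self.soft_fail, self.comment_bot):
            if value is not None and value not in RANK:
                raise ValueError(f"unknown severity {value!r}")
        # Rule stated on the page: Soft Fail must be set lower than Hard Fail.
        if (self.hard_fail is not None and self.soft_fail is not None
                and RANK[self.soft_fail] >= RANK[self.hard_fail]):
            raise ValueError("Soft Fail threshold must be lower than Hard Fail")


@dataclass
class Finding:
    """One issue from a commit scan (constructed data, not a real scanner record)."""
    repo: str
    category: str
    severity: str
    check_id: str


@dataclass
class Enforcement:
    default: Dict[str, RunRules]                      # applies to every repository
    exceptions: List[Tuple[Set[str], Dict[str, RunRules]]] = field(default_factory=list)

    def __post_init__(self) -> None:
        for rules in self.default.values():
            rules.validate()
        for _, overrides in self.exceptions:
            for rules in overrides.values():
                rules.validate()

    def rules_for(self, repo: str, category: str) -> RunRules:
        # Assumption: an exception covering the repository decides the categories
        # it sets; every other category falls back to the default configuration.
        for repos, overrides in self.exceptions:
            if repo in repos and category in overrides:
                return overrides[category]
        return self.default[category]

    def evaluate(self, repo: str, findings: List[Finding]) -> Tuple[str, List[str]]:
        """Return (run result, comment-bot messages) for one commit scan of `repo`."""
        outcome = "Pass"
        comments: List[str] = []
        for f in findings:
            if f.repo != repo:
                continue
            rules = self.rules_for(repo, f.category)
            sev = RANK[f.severity]
            if rules.hard_fail is not None and sev >= RANK[rules.hard_fail]:
                outcome = "Hard Fail"
            elif (rules.soft_fail is not None and sev >= RANK[rules.soft_fail]
                  and outcome != "Hard Fail"):
                outcome = "Soft Fail"
            if rules.comment_bot is not None and sev >= RANK[rules.comment_bot]:
                comments.append(f"{f.category}: {f.check_id} ({f.severity})")
        return outcome, comments


# Constructed configuration; these are not Prisma Cloud's shipped defaults.
ENFORCEMENT = Enforcement(
    default={
        "Vulnerabilities": RunRules("Critical", "High", "Medium"),
        "Licenses": RunRules(None, "High", "Medium"),       # Hard Fail turned off
        "IaC": RunRules("Critical", "Medium", "Low"),
        "Build Integrity": RunRules("High", "Medium", "Low"),
        "Secrets": RunRules("Low", "Info", "Info"),
    },
    exceptions=[
        # Stricter Vulnerabilities thresholds for one repository only (assumed name).
        ({"org/payments-api"}, {"Vulnerabilities": RunRules("High", "Medium", "Low")}),
    ],
)

# Constructed findings standing in for two commit scans.
FINDINGS = [
    Finding("org/payments-api", "Vulnerabilities", "High", "CONSTRUCTED-VULN-1"),
    Finding("org/docs-site", "Vulnerabilities", "High", "CONSTRUCTED-VULN-1"),
    Finding("org/docs-site", "Licenses", "Critical", "CONSTRUCTED-LICENSE-1"),
    Finding("org/docs-site", "IaC", "Info", "CONSTRUCTED-IAC-1"),
]


def scan_result(repo: str) -> Tuple[str, List[str]]:
    return ENFORCEMENT.evaluate(repo, FINDINGS)


if __name__ == "__main__":
    for repo in ("org/payments-api", "org/docs-site"):
        print(repo, scan_result(repo))
```

The same High-severity vulnerability hard-fails the repository covered by the exception but only soft-fails the one on the default configuration, and the Licenses finding can never hard-fail because that run rule is Off. Validation runs when the configuration is built, so a Soft Fail threshold set at or above Hard Fail is rejected before any scan is evaluated.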
Access Enforcement
- Access Enforcement on the Prisma Cloud Application Security console.
- Select Application Security > Development Pipelines > More Actions.
- Select Enforcement. If you are unsure which repository may contain critical issues, or if you are receiving unnecessary noise from select repositories, you can optionally access Enforcement from Application Security > Projects > More Actions > Enforcement.
Modify Default Enforcement
You can modify the default enforcement configuration; however, a modified configuration applies across all repositories on the console.
You cannot delete a default enforcement configuration.
- Access the default enforcement configuration.
- Modify the default configuration.
    - Select a code category.
    - Select the severity threshold corresponding to the code category. You can continue modifying other code categories or conclude with a single modification. You can also turn off the severity threshold of a code category.
    - Select Save to save the modified enforcement configuration.
Add an Exception to Enforcement
To keep your focus on critical issues and receive violation notifications for important repositories, you can add an exception to Enforcement.
- Access Enforcement.
- Add an exception to Enforcement.
    - Select Add exception.
- Configure the exception parameters.
    - Add a Description for the new exception.
    - Select the repositories to which you want to add the exception. You can only view repositories that you own.
    - Select a code category.
    - Select the severity threshold corresponding to the code category. You can continue modifying other code categories or conclude with a single modification.
    - Select Save to save the exception with the parameters. All exception configurations are listed on Enforcement. You can optionally edit or delete an existing exception.
        - To edit an exception, hover over the exception and then select Edit to configure the parameters. Select Save to save the modification to the exception.
        - To delete an exception, select Edit and then select Delete this exception.
Turn off run rule scan for a code category
You can turn off one or more run rules for a code category if that aligns with your enforcement strategy.
Turning a run rule off for a code category means no code review scan is run for that rule.
- Access Enforcement.
- Select a code category.
- Select Off corresponding to the code category. Hover over OFF to identify the run rule before making the selection.
- Select Save to save the configuration. You can set a run rule off for a code category in either the default configuration or an exception.
Review fail scans and suggestions on VCS (Version Control System)
After a scan result fails the enforcement configuration, you can directly access the latest Pull Request (PR) of your repository from the Enforcement scan result to find remediation.
- Access Application Security > Development Pipelines.
- Select Actions corresponding to the failed scan result.
- Select Open latest PR to access the latest Pull Request (PR) in your repository. The repository is shown with the Pull Request (PR) on Application Security > Projects.
- The following options are currently available only for GitHub repositories:
    - Select Review Fix PRs in VCS to review the fix suggestions from Prisma Cloud for the violation identified in your repository on GitHub. You can accept or reject the suggestion on GitHub. Ensure you have access to the repository on GitHub.
    - Select Open failed PRs scans to view a list of Pull Requests (PRs) that have failed for your repository on GitHub. You can remediate the repository on GitHub. Ensure you have access to the repository on GitHub.