Fix and Suppress Issues in a Scan Result
Prisma Cloud Enterprise Edition
On Projects, you can remediate scan results across all code categories by adding issues to the fix cart to create a PR with a suggested fix. For every issue found on the Prisma Cloud console, you can view information such as the origin of the issue in a file or repository, the policy violation, and suggestions to remediate the issue.
- Access scan results on Projects.
- Select a code category with an issue.
- Select an issue from the resource block to view more information and suggested fixes in the resource explorer.
- Create a PR from the fix recommendation.
  - Select an issue to see a fix recommendation in the resource explorer. You can fix one or more issues at once by selecting issues across multiple resources or policy blocks and adding them to the fix cart.
  - Select FIX to add the issue to the fix cart.
  - Select Submit to create a PR with an issue fix. In this example, you see one or more issues added to the fix cart from the IaC Misconfiguration google_container_cluster.workload_cluster resource block. To completely resolve the issue, you need to access the PR on the VCS console and merge the fix with the default branch.

For issues with no fix recommendation, you can remediate them with a Manual Fix or Suppress.
Manual Fix an issue
You can perform a manual fix for all issues. A manual fix lets you access a specific commit, review the code, and then resolve the issue manually using the policy guidelines on the Prisma Cloud console.

Suppress issues in a scan result
On Code Security > Projects, add a suppression rule to suppress issues across views to mitigate scan results.
- Access a code category, then select the issue in the resource block to view more information and suggested fixes in the resource explorer.
- Select Suppress and then enter relevant information as Justification. You can optionally add an Expiration Time for the suppression.
- Select Suppress by to suppress issues based on the suppression types.
  - Resource: This enables you to suppress the issues by resources, and at your next scan these resources will not be scanned. You can also view the number of resources that will be affected to make an informed decision.
  - Tags: This enables you to selectively suppress the violation for a tag.
  - Policy: This enables you to suppress the violation by policy, and at your next scan the policy will not be scanned.
  - Repositories: This enables you to selectively suppress the issues across repositories. You are required to select the repositories from the list on the console. In this example, you see the repositories list for the suppression rule.
- Select Save. You can also view the suppressed result using the Issue Status filter.
Fix Vulnerability Issues
On the Projects Vulnerabilities view, you see CVE issues that have an automatic fix on the console. You can choose to remediate a single CVE issue or choose to fix all issues in the issue block. When fixing the issue, the CVE Root version gets bumped to the latest version from a Pull Request that you need to submit from the Fix cart. The issue block continues to be seen until the Pull Request with the fix is merged.
- Select Code Security > Projects and then select the Vulnerabilities view.
- Access any issue block and then select Fix corresponding to the issue. Optionally, you can select Fix All. When fixing the issue, you can verify all CVEs getting fixed by a verification status corresponding to the CVE. In this example, you see that fixing CVE-2021-33194 automatically fixes CVE-2022-30322 with the current remediation.
- Select Submit on the Fix Cart to create a Pull Request (PR) with the fixes.