Create Custom Policies for Build-Time Checks

Prisma Cloud includes out-of-the-box policies that detect misconfigurations and provide automated fixes for security issues found across your integrated code repositories and pipelines. You can review this list of Configuration policies on the Prisma Cloud administrative console by filtering on the policy subtype.
You can create custom build policies for the following formats:
  • Terraform
    - Policies written using Terraform attributes will apply for Terraform (.tf and plan files).
  • CloudFormation
    - Policies written using CloudFormation attributes will apply for CloudFormation, AWS Serverless Application Model (SAM), and Cloud Development Kit (CDK).
In addition, Prisma Cloud supports identification of custom secrets that you define using regular expression (RegEx) patterns. When defining the patterns, consider the following:
  • The pattern must be a syntactically valid regular expression.
  • Review the criteria to consider when defining a RegEx pattern, so that a pattern matches the secret format precisely rather than any string of a similar shape.
  • You can define up to 5 RegEx patterns per policy.
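The following is an added example, not Prisma Cloud's own scanner or code from this page. It pre-flights a custom secrets policy the way a practitioner would before submitting it: it enforces the 5-pattern limit, rejects invalid RegEx syntax, runs the patterns over constructed sample repositories, and applies the rule described later on this page that a custom secrets policy is disabled in a repository once it produces more than 75 findings there. The token format ("acme_live_" / "acme_test_" followed by 32 alphanumerics) and the repository contents are assumptions made for the example; they do not describe a real product or real credentials.

```python
import re
from collections import defaultdict

MAX_PATTERNS_PER_POLICY = 5   # limit stated for custom secrets policies
AUTO_DISABLE_THRESHOLD = 75   # findings per repository above which the policy is disabled

# Assumed token format for a fictional "acme" service (example only, not a real vendor key).
CUSTOM_SECRET_PATTERNS = [
    r"acme_live_[A-Za-z0-9]{32}",
    r"acme_test_[A-Za-z0-9]{32}",
]


def pattern_errors(patterns):
    """Return a list of reasons the console would reject this set of patterns (empty if acceptable)."""
    errors = []
    if len(patterns) > MAX_PATTERNS_PER_POLICY:
        errors.append(f"{len(patterns)} patterns given; a policy may hold at most {MAX_PATTERNS_PER_POLICY}")
    for pattern in patterns:
        try:
            re.compile(pattern)
        except re.error as exc:
            errors.append(f"invalid RegEx {pattern!r}: {exc}")
    return errors


def compile_patterns(patterns):
    """Compile the patterns, refusing to proceed if any pre-flight check fails."""
    errors = pattern_errors(patterns)
    if errors:
        raise ValueError("; ".join(errors))
    return [re.compile(p) for p in patterns]


def scan_repositories(repos, compiled):
    """repos maps repo name -> {file path: file content}; returns repo -> [(path, line_no, match)]."""
    findings = defaultdict(list)
    for repo, files in repos.items():
        for path, content in files.items():
            for line_no, line in enumerate(content.splitlines(), start=1):
                for regex in compiled:
                    for match in regex.finditer(line):
                        findings[repo].append((path, line_no, match.group(0)))
    return dict(findings)


def policy_status(findings):
    """Mirror the auto-disable rule: more than 75 findings in one repository disables the policy there."""
    return {repo: "disabled" if len(hits) > AUTO_DISABLE_THRESHOLD else "active"
            for repo, hits in findings.items()}


# Constructed sample repositories (made up for this example; no real code or secrets).
SAMPLE_REPOS = {
    "payments-api": {
        "config/settings.py": (
            'API_KEY = "acme_live_' + "0123456789abcdef" * 2 + '"\n'
            'SANDBOX_KEY = "acme_test_' + "f" * 32 + '"\n'
            'PLACEHOLDER = "acme_live_short"  # too short for the pattern, must not match\n'
        ),
    },
    "test-fixtures": {
        # 80 generated test tokens: enough to trip the auto-disable threshold in this repo
        "fixtures/tokens.txt": "".join(f"acme_test_{i:032d}\n" for i in range(80)),
    },
}


def run(repos=SAMPLE_REPOS, patterns=CUSTOM_SECRET_PATTERNS):
    """Validate the policy, scan, and report per-repository findings and resulting policy status."""
    compiled = compile_patterns(patterns)
    findings = scan_repositories(repos, compiled)
    return findings, policy_status(findings)


if __name__ == "__main__":
    found, status = run()
    for repo, hits in found.items():
        print(f"{repo}: {len(hits)} finding(s), policy {status[repo]}")
```

Running the block reports 2 findings in the first repository and 80 in the second, so the policy would stay active for the first and be disabled for the second. That is the practical reason for tightening a pattern: a RegEx that also matches generated fixtures or test data silently switches the policy off in exactly the repositories where it fires most.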

Add a New Custom Policy for Build-Time Checks

If you have custom requirements or want to define guardrails for your specific security or compliance needs, you can add new custom policies for your existing repositories. As soon as you Connect Your Repositories to Code Security, both the out-of-the-box policies and your custom policies are used to scan for potential issues.
  1. Create a custom Configuration policy for build-time checks.
    1. Select Policies > Add Policy > Config.
    2. Add a Policy Name. You can also add a description for the policy; a policy description can include an overview of the misconfiguration, how to prevent it, and how to fix it when the policy fails.
    3. Select the Build subtype. You can select only Build or keep both the Run and Build subtypes; however, the following steps cover only build-time checks.
    4. Select a severity for the policy. Prisma Cloud supports three levels of policy severity: High, Medium and Low. The severity reflects the impact of the misconfiguration on your environment and lets you filter findings after a scan on Code Security > Projects.
      You can choose to add
      to the policy.
    5. Proceed to create a rule for the custom policy.
      In this example, you create a custom build policy that flags an S3 bucket ACL granting log delivery, which is not recommended, with the relevant policy details.
  2. Create a rule for the custom configuration policy.
    In a custom configuration policy rule you can define criteria that check the configuration at both run-time and build-time, that is for the Run and Build policy subtypes; in the following steps you create a rule for the Build subtype only. To create a custom build policy rule you can choose between Code Editor and Visual Editor.
    • Code Editor: create a custom policy rule from a YAML policy template. Code Editor is the default view for a Build policy rule, and an example YAML policy template is always available on the Prisma Cloud console.
    • Visual Editor: quickly create a custom policy rule from attribute checks combined with AND/OR logic; connection-state checks are not available in this editor. The fields on the console are mostly auto-populated based on your selections.
  3. Add Compliance Standards for the Build policy.
    1. Select Standard, Requirement and Section.
      • Standard is the default compliance standard listed on the Prisma Cloud console.
      • Requirement is determined by the compliance standard you select.
      • Section may or may not be determined by the compliance standard.
    2. Select
  4. Add remediation to the Build policy.
    You can choose to add a CLI Command and select Validate to confirm that the specified command can be used for the new policy.
  5. Submit your custom policy.
    After you save the custom build policy, the onboarded resources are scanned against it on the next scan. The results display on Code Security > Projects, where you can identify the resources that failed the check and triggered a policy violation.
    For custom secrets policies, a policy is automatically disabled in a repository if it produces more than 75 findings there. You can open the policy from Code Security > Projects to edit it.
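To make the rule step concrete, here is an added example that is not Prisma Cloud's evaluator or code from this page. It writes the S3 bucket ACL policy from the procedure above in the attribute-check shape the build policy YAML template uses (metadata, scope, definition with cond_type, resource_types, attribute, operator, value), plus a second, assumed policy that composes checks with and/or the way the Visual Editor does, and evaluates both against constructed Terraform resources with a small evaluator. The evaluator, the hardening policy, the resource names and the semantics chosen for missing attributes are assumptions of this example; the real evaluation is performed by Prisma Cloud during the scan, and the YAML is shown in the docstring only because the script avoids a YAML dependency.

```python
"""Evaluate build-policy attribute checks against parsed Terraform resources (illustration only).

The first policy below corresponds to this YAML, which is what you would paste into Code Editor:

    metadata:
      name: "S3 bucket ACL must not grant log-delivery-write"
      category: "logging"
      severity: "medium"
    scope:
      provider: "aws"
    definition:
      cond_type: "attribute"
      resource_types: ["aws_s3_bucket"]
      attribute: "acl"
      operator: "not_equals"
      value: "log-delivery-write"
"""

MISSING = object()  # sentinel: the attribute is not set on the resource block

S3_ACL_POLICY = {
    "metadata": {"name": "S3 bucket ACL must not grant log-delivery-write",
                 "category": "logging", "severity": "medium"},
    "scope": {"provider": "aws"},
    "definition": {"cond_type": "attribute", "resource_types": ["aws_s3_bucket"],
                   "attribute": "acl", "operator": "not_equals", "value": "log-delivery-write"},
}

# Assumed second policy (not from the page) showing and/or composition of attribute checks.
S3_HARDENING_POLICY = {
    "metadata": {"name": "S3 bucket is private and versioned or object-locked",
                 "category": "general", "severity": "low"},
    "scope": {"provider": "aws"},
    "definition": {"and": [
        {"cond_type": "attribute", "resource_types": ["aws_s3_bucket"],
         "attribute": "acl", "operator": "equals", "value": "private"},
        {"or": [
            {"cond_type": "attribute", "resource_types": ["aws_s3_bucket"],
             "attribute": "versioning.enabled", "operator": "equals", "value": True},
            {"cond_type": "attribute", "resource_types": ["aws_s3_bucket"],
             "attribute": "object_lock_enabled", "operator": "equals", "value": True},
        ]},
    ]},
}

# Constructed sample: the shape a parsed .tf file might take after extraction (made up for this example).
RESOURCES = [
    {"type": "aws_s3_bucket", "name": "app_logs",
     "config": {"bucket": "app-logs", "acl": "log-delivery-write"}},
    {"type": "aws_s3_bucket", "name": "assets",
     "config": {"bucket": "assets", "acl": "private", "versioning": {"enabled": True}}},
    {"type": "aws_s3_bucket", "name": "scratch", "config": {"bucket": "scratch"}},  # no acl set at all
    {"type": "aws_instance", "name": "web", "config": {"ami": "ami-12345678"}},      # out of scope
]


def lookup(config, path):
    """Resolve a dotted attribute path such as versioning.enabled; MISSING if any segment is absent."""
    cur = config
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return MISSING
        cur = cur[part]
    return cur


def referenced_types(cond):
    """Collect every resource type a (possibly nested) definition targets."""
    for key in ("and", "or"):
        if key in cond:
            return set().union(*(referenced_types(c) for c in cond[key]))
    return set(cond["resource_types"])


def leaf_passes(cond, resource):
    """Evaluate one attribute check. Missing attributes: equals/exists fail, not_equals/not_exists pass
    (an assumption of this example; pair not_equals with an exists check if absence should fail)."""
    if resource["type"] not in cond["resource_types"]:
        return True  # simplification: a leaf aimed at another type does not constrain this resource
    actual, op, expected = lookup(resource["config"], cond["attribute"]), cond["operator"], cond.get("value")
    if op == "equals":
        return actual is not MISSING and actual == expected
    if op == "not_equals":
        return actual is MISSING or actual != expected
    if op == "exists":
        return actual is not MISSING
    if op == "not_exists":
        return actual is MISSING
    raise ValueError(f"operator {op!r} is not modelled in this example")


def condition_passes(cond, resource):
    """Recursively apply and/or composition, then the attribute leaf."""
    if "and" in cond:
        return all(condition_passes(c, resource) for c in cond["and"])
    if "or" in cond:
        return any(condition_passes(c, resource) for c in cond["or"])
    if cond.get("cond_type") != "attribute":
        raise ValueError("only attribute checks are modelled here (no connection_state)")
    return leaf_passes(cond, resource)


def evaluate_policy(policy, resources):
    """Return {'type.name': 'PASSED'|'FAILED'} for every resource the policy targets."""
    definition = policy["definition"]
    targets = referenced_types(definition)
    return {f'{r["type"]}.{r["name"]}': "PASSED" if condition_passes(definition, r) else "FAILED"
            for r in resources if r["type"] in targets}


if __name__ == "__main__":
    for policy in (S3_ACL_POLICY, S3_HARDENING_POLICY):
        print(policy["metadata"]["name"])
        for resource, verdict in evaluate_policy(policy, RESOURCES).items():
            print(f"  {verdict:6}  {resource}")
```

Note what the scratch bucket shows: the ACL policy passes it because the acl attribute is absent, while the hardening policy fails it. Whether "attribute not set" should pass or fail is a decision to make explicitly in the rule (for example by adding an exists check), not something to leave to the default behaviour of whichever operator you reached for.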
