Create Custom Policies for Build-Time Checks
Prisma Cloud includes out-of-the-box policies that enable you to detect misconfigurations and provide automated fixes for security issues seen across your integrated code repositories and pipelines. You can review this list of Configuration policies with a filter for subtype
Build
on the Prisma Cloud administrative console Policies
.You can create custom build policies for the following formats:
- Terraform- Policies written using Terraform attributes will apply for Terraform (.tf and plan files).
- CloudFormation- Policies written using CloudFormation attributes will apply for CloudFormation, AWS Serverless Application Model (SAM), and Cloud Development Kit (CDK).
In addition, Prisma Cloud also supports identification of custom secrets that you can define using regular expression patterns.
While defining the regular expression patterns consider the following parameters:
Add a New Custom Policy for Build-Time Checks
If you have custom requirements or want to define guardrails for your specific security or compliance needs, you have the flexibility to add new custom policies for your already existing repositories. As soon as you Connect Your Repositories to Code Security both the out-of-the-box policies and custom policies are used to scan for potential issues.
- Create a custom Configuration policy for build-time checks.
- SelectPolicies > Add Policy > Config.
- AddPolicy Name.
You can choose to add aDescriptionfor the policy.
Policy description can include an overview of the error, prevention information and fix information in case of a policy error. - SelectBuild.
You can choose to only selectBuildor continue with the bothRunandBuildsubtypes. However, the following steps are only for Build runtime checks. - SelectSeverityfor the policy.
Prisma Cloud supports three levels of policy severity-High, Medium and Low.A policy severity helps define the impact of policy configuration on your environment, while helping you filter the misconfigurations after a scan onCode Security > Projects.You can choose to addLabelsto the policy.
- SelectNextto create a rule for the custom policy.
In this example, you create a custom build policy for S3 Bucket ACL where log delivery is not recommended with the relevant policy details.
- Create a rule for custom configuration policy.In a custom configuration policy rule, you can define criteria to check the configuration for both run-time and build-time, that is for Run and Build policy subtypes; in the following steps you will create a policy rule for only build rule. To create a custom build policy rule you can choose between Code Editor and Visual Editor.
- You can choose this editor to create a custom policy rule using YAML policy templates. Code Editor is the default view for Build policy rule and as an example a YAML policy template is always available on the Prisma Cloud console.
- You can choose this editor to create a quick custom policy rule that supports creation of attribute checks without a Connection State and a support of AND/OR logic. You will use the existing fields on the console that are mostly auto-populated based on your selection.
- Add Compliance Standards for the Build policy.
- SelectStandard, RequirementandSections.
- Standardis the default compliance standard that is listed on the Prisma Cloud console.
- Requirementis influenced by the selection of the compliance standard.
- Sectionof may or may not be influenced by the compliance standard.
- SelectNext.
- Add remediation to the Build policy.
You can choose to add CLI Command and Validate to know if the specified command can be used for the new policy. - Submit your custom policy.
After you save the custom build policy, on the next scan, the onboarded resources are scanned against the new policy. The scan results display on theCode Security > Projectswhere you can identify the resources that failed the check and triggered a policy violation.For custom secrets, policies are automatically disabled if the findings are above 75 per repository. OnCode Security > Projectsyou can access the policy to edit.
