Create Custom Policies for Build-Time Checks

Prisma Cloud includes out-of-the-box policies that enable you to detect misconfigurations and provide automated fixes for security issues seen across your integrated code repositories and pipelines. You can review this list of Configuration policies with a filter for subtype
Build
on the Prisma Cloud administrative console
Policies
.

Add a New Custom Policy for Build-Time Checks

If you have custom requirements or want to define guardrails for your specific security or compliance needs, you have the flexibility to add new custom policies for your already existing repositories. As soon as you Connect Your Repositories to Code Security both the out-of-the-box policies and custom policies are used to scan for potential issues.
  1. Create a custom Configuration policy for build-time checks.
    1. Select
      Policies > Add Policy > Config
      .
    2. Add
      Policy Name
      .
      You can choose to add a
      Description
      for the policy.
      Policy description can include an overview of the error, prevention information and fix information in case of a policy error.
    3. Select
      Build
      .
      You can choose to only select
      Build
      or continue with the both
      Run
      and
      Build
      subtypes. However, the following steps are only for Build runtime checks.
    4. Select
      Severity
      for the policy.
      Prisma Cloud supports three levels of policy severity-
      High, Medium and Low
      .
      A policy severity helps define the impact of policy configuration on your environment, while helping you filter the misconfigurations after a scan on
      Code Security > Projects
      .
      You can choose to add
      Labels
      to the policy.
    5. Select
      Next
      to create a rule for the custom policy.
      In this example, you create a custom build policy for S3 Bucket ACL where log delivery is not recommended with the relevant policy details.
  2. Create a rule for custom configuration policy.
    In a custom configuration policy rule, you can define criteria to check the configuration for both run-time and build-time, that is for Run and Build policy subtypes; in the following steps you will create a policy rule for only build rule. To create a custom build policy rule you can choose between Code Editor and Visual Editor.
    • You can choose this editor to create a custom policy rule using YAML policy templates. Code Editor is the default view for Build policy rule and as an example a YAML policy template is always available on the Prisma Cloud console.
    • You can choose this editor to create a quick custom policy rule that supports creation of attribute checks without a Connection State and a support of AND/OR logic. You will use the existing fields on the console that are mostly auto-populated based on your selection.
  3. Add Compliance Standards for the Build policy.
    1. Select
      Standard, Requirement
      and
      Sections
      .
      • Standard
        is the default compliance standard that is listed on the Prisma Cloud console.
      • Requirement
        is influenced by the selection of the compliance standard.
      • Section
        of may or may not be influenced by the compliance standard.
    2. Select
      Next
      .
  4. Add remediation to the Build policy.
    You can choose to add CLI Command and Validate to know if the specified command can be used for the new policy.
  5. Submit your custom policy.
    After you save the custom build policy, on the next scan, the onboarded resources are scanned against the new policy. The scan results display on the
    Code Security > Projects
    where you can identify the resources that failed the check and triggered a policy violation.

Recommended For You