Enforcement

Enforcement enables you to configure code review scan parameters in your repositories and customize violation failures and comments. On the Prisma Cloud console there are default parameters, based on best practices, for each code category scanned in your repositories. Using enforcement you can configure these default parameters and receive violation notifications only for critical issues, helping you reduce unnecessary noise and optimizing secure productivity.
Enforcement configurations scan every commit into your repository and suggest fix remedies, if any violation is detected, this is in addition to the scan that Prisma Cloud periodically performs on your repositories, the results for which are accessible on Projects. The periodic scans have a predefined severity threshold which are run across code categories that result in three run rules.
  • Hard Fail
    A repository scan result fails when Prisma Cloud detects a violation or a vulnerability.
  • Soft Fail
    A repository scan result is a pass and a notification appears on the console when Prisma Cloud detects a violation or a vulnerability.
  • Comment bot
    A repository scan result displays issues with fix suggestions as comments with Pull requests accessible on VCS (Version Control System).
Prisma Cloud scans multiple code categories to identify vulnerabilities and violations unique to the category. See the table for more details.
Code Category
Description
Open Source (SCA)
Where Prisma Cloud scans any SCA vulnerabilities and license issues found on open source dependencies.
Infrastructure as Code (IaC)
Where you provision and manage your infrastructure through code. Prisma Cloud scans Infrastructure as code files for misconfiguration issues.
Secrets
A Secret is a programmatic access key that provides systems with access to information, services or assets. Prisma Cloud scans secret leaks issues across code files.
Container Images
Where your repositories packages and binaries in a selected container image are scanned for SCA vulnerabilities and license issues by Prisma Cloud.
Build Integrity
Where Prisma Cloud scans your CI/CD pipelines and VCS that are integrated on the console for misconfiguration issues found in branch or pipeline configuration files.
To understand the default scan parameter on Prisma Cloud with the enforcement run result see the table.
Code Category
Severity
Low
Medium
High
Critical
Open Source (SCA)
Soft Fail
Comment Bot
Hard Fail
Infrastructure as Code (IaC)
Hard Fail
Soft Fail
Comment Bot
Secrets
Hard Fail
Soft Fail
Comment Bot
Images
Soft Fail
Comment Bot
Hard Fail
Build Integrity
Hard Fail
Soft Fail
Comment Bot
You can manage Enforcement configuration scan results by modifying the default configurations, adding an exception configuration, turning run rule off for a code category configurations, and reviewing either fail scans or suggestions to a vulnerability on your VCS (Version Control System).
See Prisma Cloud Administrator Permissions and know more about user roles and permissions to configure enforcement.
  • You can modify the default parameters for each code category and set up a new default parameter. However, each time a default configuration is modified, the parameters are applicable across all repositories on the Prisma Cloud console.
    Soft Fail configuration for any code category must be lower than Hard Fail.
  • You can add an exception configuration for each code category that is applicable only for select repositories that you have access to. The exception configuration runs in addition to the default enforcement configurations.
  • You can choose to prevent an enforcement configuration from running a scan for one or more run rules for a code category. The parameter to turn off a scan for a code category can be an addition to either a default configuration or to an exception configuration. Turning the scan off for a run rule in a code category results in no code review scan.
  • For every failed scan result you can view the latest Pull Request (PR) of your repository within the Prisma Cloud console. Currently the ability to review violation fix suggestions and view the Pull Request (PR) scans that failed is supported only for Github repositories. From the Prisma Cloud console you can directly access your repositories in Github and remediate solutions through a Pull Request (PR).

Access Enforcement

  1. Access Enforcement on Prisma Cloud Code Security console.
    1. Select
      Code Security > Development Pipelines > More Actions
      .
    2. Select
      Enforcement
      .
      If you are unsure which repository may contain critical issues or if you are receiving unnecessary noise from select repositories, you can optionally access Enforcement from
      Code Security > Projects > More Actions > Enforcement
      .

Modify Default Enforcement

You can modify default enforcement configuration, however a modified configuration is applicable across all repositories on the console.
You cannot delete a default enforcement configuration.
  1. Access default enforcement configuration.
  2. Modify the default configuration.
    1. Select a code category.
    2. Select the severity threshold corresponding to the code category.
      You can choose to continue modifying other code categories or conclude with a single modification.
      You can also choose to turn off the severity threshold of a code category.
    3. Select
      Save
      the modified enforcement configuration.

Add an Exception to Enforcement

To ensure your focus is only on critical issues and you receive violation notifications on important repositories, you can add an exception to the Enforcement.
  1. Access enforcement.
  2. Add an exception to enforcement.
    1. Select
      Add exception
      .
  3. Configure exception parameters.
    1. Add
      Description
      to the new exception.
    2. Select the repositories you want to add the exception.
      You can only view repositories that you own.
    3. Select a code category.
    4. Select the severity threshold corresponding to the code category.
      You can choose to continue modifying other code categories or conclude with a single modification.
    5. Select
      Save
      to save the exception with the parameters.
      All exception configurations are listed on Enforcements.
      You can optionally choose to edit or delete an existing exception.
      • To edit an exception select
        Edit
        to configure the parameters and then select
        Save
        to save the modification to the exception.
      • To delete an exception select
        Edit
        and then select
        Delete
        this exception.

Turn off run rule scan for a code category

You can choose to turn off one or more run rules for code categories, if your enforcement strategy is aligned with it.
+ NOTE: Turning the scan off for a run rule in a code category results in no code review scan.
  1. Access Enforcement.
  2. Select a code category.
  3. Select
    Off
    corresponding to the code category.
    Hover over OFF to identify the run rule before the selection.
  4. Select
    Save
    to save the configuration.
    You can set a run rule off for a code category in either a default configuration or to an exception configuration.

Review fail scans and suggestions on VCS (Version Control System)

After a scan result that fails the enforcement configuration, to find remediation you can directly access your the latest Pull Request (PR) from the Enforcement scan result.
  1. Access
    Code Security > Development Pipelines
    .
  2. Select
    More Actions
    corresponding to the fail scan result.
  3. Select
    Open latest PR
    to access the latest Pull Request (PR) in your repository.
    You will view the repository with the Pull Request (PR) on
    Code Security > Projects
    .
    • In addition currently available only for Github repositories, see the instructions here.
  4. Select
    Review Fix PRs in VCS
    to review the fix suggestions from Prisma Cloud for the violation identified in your repository on Github.
    You can choose to accept or reject the suggestion on Github.
    Ensure you have access to the repository on Github.
  5. Select
    Open failed PRs scans
    to view a list of Pull Request (PR) that have failed with your repository on Github.
    You can choose to remediate the repository on Github.
    Ensure you have access to the repository on Github.

Recommended For You