Prisma Cloud Code Security supports Drift Detection for your repositories. Drift is an inconsistency in configuration that occurs when resources are modified locally or manually using the CLI or console, and these divergences from the code are not recorded or tracked. The inconsistencies can be either an addition or a deletion of values relative to the template configuration in source code. Code Security periodically scans your repositories to identify drifts that may occur between the build and deploy phases and offers corrective actions for handling traceable configuration changes.
Drift detection is currently available only for resources that are deployed on AWS using Terraform. Support for resources deployed on Azure or Google Cloud Platform (GCP) or deployment using CloudFormation templates is not yet available.
After you apply a corrective action for the drift on the Prisma Cloud console, you can view the before and after configuration changes made to the code.
For each drift detection scan, you can view the following details for a resource block.
- Resource Block and Resource Name: The drift detection scan identifies the resource block and the resource name. The resource block is the grouping of configuration or settings associated with a given resource.
- Before Drift: The original, unchanged configuration of the resource, as defined in code.
- After Drift: The modified configuration of the resource block after the changes you made locally or manually. The configuration changes include any values added to or deleted from the code.
Set up Drift Detection
For a drift detection scan to run on your repository, you need to connect your AWS cloud account and code repository to Prisma Cloud. After you connect the repository, set up Yor on your repository and enable trace and tag management.
- Onboard your AWS cloud account and repositories to Prisma Cloud. If you have previously onboarded your AWS cloud account on Prisma Cloud, you must enable the additional permissions required for a drift detection scan. See update an onboarded AWS account for redeploying the stack with the required permissions that are included in the AWSCloudFormationReadOnlyAccess policy. The required permissions are:
  - lambda:GetLayerVersion
  - lambda:GetEventSourceMapping
  - lambda:GetFunction
  - s3:ListBucket
  - sns:GetSubscriptionAttributes
- Add the Prisma Cloud IP addresses and hostname for Code Security to an allow list, to enable access to the Prisma Cloud Console.
- Set up Yor. Yor is an open-source tool that helps you manage tags consistently across infrastructure-as-code frameworks in your CI/CD pipeline. To set up Yor for your repository, install and run Yor, then enable Yor to scan your repository for a drift detection scan. You can install Yor either through GitHub or CI.
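As an added example (not Prisma Cloud's own tooling), the following Python checks whether an IAM policy document effectively grants the five actions listed above, so you can verify the role used by the onboarded account before re-running the scan. The sample policy document is constructed for the example; retrieving the real policy from IAM is assumed to happen outside this snippet.

```python
"""Check that an IAM policy grants the actions a drift detection scan needs.

Added example, not Prisma Cloud code. The policy below is constructed for
illustration; in practice you would pass in the policy document attached
to the role the onboarded account uses (as returned by IAM)."""
import fnmatch
import json

# Actions required for the drift detection scan, as listed on this page.
REQUIRED_ACTIONS = [
    "lambda:GetLayerVersion",
    "lambda:GetEventSourceMapping",
    "lambda:GetFunction",
    "s3:ListBucket",
    "sns:GetSubscriptionAttributes",
]

# Constructed sample: Lambda read access via a wildcard, S3 listing allowed,
# but lambda:GetFunction is explicitly denied and the SNS action is absent.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:Get*", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Deny", "Action": "lambda:GetFunction", "Resource": "*"},
    ],
})


def policy_allowing(actions):
    """Build a policy document that allows exactly the given actions (demo helper)."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}],
    })


def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def action_matches(patterns, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, pattern.lower()) for pattern in patterns)


def missing_actions(policy_json, required=REQUIRED_ACTIONS):
    """Return the required actions the policy does not effectively allow.

    An action counts as allowed when some Allow statement matches it and no
    Deny statement matches it (explicit deny wins, as in IAM). Conditions,
    NotAction and resource scoping are deliberately not evaluated here.
    """
    statements = as_list(json.loads(policy_json).get("Statement", []))
    allows = [as_list(s.get("Action", [])) for s in statements if s.get("Effect") == "Allow"]
    denies = [as_list(s.get("Action", [])) for s in statements if s.get("Effect") == "Deny"]
    missing = []
    for action in required:
        allowed = any(action_matches(patterns, action) for patterns in allows)
        denied = any(action_matches(patterns, action) for patterns in denies)
        if denied or not allowed:
            missing.append(action)
    return missing


if __name__ == "__main__":
    for action in missing_actions(SAMPLE_POLICY):
        print(f"missing permission: {action}")
```

Running it against the constructed sample reports `lambda:GetFunction` (allowed by the wildcard but overridden by the explicit deny) and `sns:GetSubscriptionAttributes` (never granted) as missing.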
You can manage drift detection scan results for your repository either through Suppress or Fix Drift.
- Review drift detection scan results for your repository.
- Select Code Security > Projects.
- Select a repository.
- Select Category > Drift to view the drift detection scan results within your repository.
- Take action to manage drift detection scan results. You can either Suppress or Fix Drift.
- Suppress: Enables you to revert a resource block to its configuration before any local or manual modifications. With suppression, you enforce the configuration as defined in the IaC template and revert any changes to the running resource. A suppressed drift continues to appear in the drift detection results until the next scan, in which the running resource is compliant and the drift is fixed.
- Fix Drift: Enables you to apply the configuration change, including the manual changes made to the resource block, to the template. Fix Drift creates a PR (Pull Request) directly from your code to implement the configuration changes in the template. When you fix drift, you correct the template configuration to match the running configuration of the resource.
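To make the Before Drift and After Drift fields and the two resolution actions concrete, here is an added Python example (not Prisma Cloud's or Yor's code) that compares a declared Terraform resource with its running counterpart, reports the differing attributes in both directions, and lists the edits that Suppress (template wins) and Fix Drift (running resource wins) each imply. The declared and running configurations are constructed inline; matching them by a `yor_trace` tag assumes Yor has tagged the resource, and the attribute names are illustrative.

```python
"""Diff a declared Terraform resource against its running counterpart.

Added example, not Prisma Cloud's or Yor's code. Both configurations are
constructed inline: DECLARED stands in for what the Terraform code (plan or
state) says, RUNNING for what a describe call against the AWS account
returned. Resources are matched by the `yor_trace` tag that Yor adds to
each resource (an assumption of this example)."""

# Constructed: what the code declares, keyed by Terraform address.
DECLARED = {
    "aws_s3_bucket.logs": {
        "bucket": "example-logs",
        "acl": "private",
        "versioning": True,
        "tags": {"yor_trace": "trace-0001", "env": "prod"},
    },
    "aws_s3_bucket.assets": {
        "bucket": "example-assets",
        "acl": "private",
        "tags": {"yor_trace": "trace-0002"},
    },
}

# Constructed: what is running, keyed by yor_trace. The logs bucket was
# changed manually: acl flipped, versioning removed, an owner tag added.
RUNNING = {
    "trace-0001": {
        "bucket": "example-logs",
        "acl": "public-read",
        "tags": {"yor_trace": "trace-0001", "env": "prod", "owner": "ops"},
    },
    "trace-0002": {
        "bucket": "example-assets",
        "acl": "private",
        "tags": {"yor_trace": "trace-0002"},
    },
}


def flatten(config, prefix=""):
    """Turn nested config into dotted attribute paths, e.g. tags.owner."""
    flat = {}
    for key, value in config.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        else:
            flat[path] = value
    return flat


def detect_drift(declared, running):
    """Return one record per drifted resource: block, name, before and after.

    In before_drift/after_drift a value of None means the attribute is absent
    on that side, i.e. a value was deleted from or added to the configuration.
    """
    results = []
    for address, code_cfg in declared.items():
        trace = code_cfg.get("tags", {}).get("yor_trace")
        live_cfg = running.get(trace)
        if live_cfg is None:
            continue  # no traceable running resource; outside this example
        before, after = flatten(code_cfg), flatten(live_cfg)
        changed = sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))
        if not changed:
            continue
        block, name = address.split(".", 1)
        results.append({
            "resource_block": block,
            "resource_name": name,
            "before_drift": {k: before.get(k) for k in changed},
            "after_drift": {k: after.get(k) for k in changed},
        })
    return results


def resolution_plan(drift, action):
    """List the edits that resolve one drift record.

    'suppress'  : edits to the running resource, restoring the template values.
    'fix_drift' : edits to the template, adopting the running values (the
                  change a Fix Drift pull request would carry).
    """
    if action == "suppress":
        target = drift["before_drift"]
    elif action == "fix_drift":
        target = drift["after_drift"]
    else:
        raise ValueError(f"unknown action: {action!r}")
    return [("delete", k) if v is None else ("set", k, v) for k, v in target.items()]


if __name__ == "__main__":
    for d in detect_drift(DECLARED, RUNNING):
        print(f"{d['resource_block']} {d['resource_name']}")
        print("  before:", d["before_drift"])
        print("  after: ", d["after_drift"])
        print("  suppress ->", resolution_plan(d, "suppress"))
        print("  fix drift ->", resolution_plan(d, "fix_drift"))
```

Only the `logs` bucket is reported, since the `assets` bucket matches its code. The `None` entries show the two directions the page describes: `versioning` is a value deleted from the running resource, `tags.owner` a value added to it, and the two plans are mirror images of each other.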