Monitor and Fix Issues in Your Scans

Prisma Cloud performs periodic scans on each integrated repository of your Version Control Systems (VCS) and event-driven scans for CI/CD pipelines to find infrastructure misconfigurations, open source vulnerabilities, license compliance violations, and exposed secrets. Projects provides a consolidated view of scan results across your repositories and CI/CD pipelines, where issues are categorized at the resource or policy level, giving you a better understanding of your security posture.
  • VCS main branch scans: Periodic scans performed on all main branches across repositories.
  • VCS Pull Requests: Event-driven scans using Enforcement parameters are run on all open Pull Requests (PR) for your integrated repositories.
  • CLI and CI/CD runs: Event-driven scans performed on runs, as configured by you using the Enforcement parameters.
All three types of scans cover the code categories IaC Misconfiguration, Vulnerabilities, Secrets, Licenses, and Build Integrity.
Projects code category views:
  • Overview: A summary view of all your scan results across all code categories. The Overview lists errors by prioritizing build issues across the integrations.
  • IaC Misconfiguration: Lists security issues found by scanning integrated repositories. For the default branch of a repository, all code security violations are shown in the resource block together with code tags, resource dependencies, and resource history.
  • Vulnerabilities: Lists open source dependency errors found in scanned open source packages and container image dependencies.
  • Secrets: A secret is a programmatic access key that provides systems access to information, services, or assets. Secrets like API keys, encryption keys, OAuth tokens, certificates, PEM files, passwords, and passphrases are often stored in plain form in local or feature branches before being pushed to a main branch. In this view, see issues identified in your source code, with remediation options to perform a Manual Fix or Suppress the issue within the file where it originates. Scans also run on Git history to identify secrets that have been removed from the code but are still present in Git history.
  • Licenses: Most open source software includes a license governing its use. License scanning identifies packages that violate open source usage policies. In this view, see the licensing issues found by periodic scans.
  • Build Integrity: Misconfigured repositories and CI/CD pipelines can lead to supply chain attacks such as data exfiltration and code injection. Use this view to spot VCS and CI/CD misconfigurations.
  • VCS Pull Requests: After configuring Enforcement, view issues for scans run on all open Pull Requests (PR) for your integrated repositories. You can access the scan result from the Prisma Cloud console, or open the VCS console and view the specific commit within the PR for a manual fix.
  • CI/CD Runs: View issues for scans performed on runs of your integrated CI/CD pipelines.
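The Secrets view above notes that a secret deleted from the code can still live in Git history. As an added illustration (not Prisma Cloud code, and not how its scanner is implemented), the following Python walks constructed `git log -p --reverse` output, flags credential-shaped strings on added and deleted diff lines, and compares the result with the current working tree. The log text, the file contents, the commit hashes and the two detection patterns are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: output in the style of `git log -p --reverse` for a
# two-commit repository. Commit 1 adds hard-coded credentials; commit 2 deletes
# them again and loads them from the environment instead.
SAMPLE_GIT_LOG = """\
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.invalid>

    add deploy config

diff --git a/config.py b/config.py
--- /dev/null
+++ b/config.py
@@ -0,0 +1,3 @@
+REGION = "us-east-1"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2-constructed"

commit 2222222222222222222222222222222222222222
Author: dev <dev@example.invalid>

    remove leaked credentials, load from env instead

diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,3 @@
 REGION = "us-east-1"
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
-DB_PASSWORD = "hunter2-constructed"
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+DB_PASSWORD = os.environ["DB_PASSWORD"]
"""

# Constructed working-tree content after commit 2: the secrets are gone from HEAD.
HEAD_FILES = {
    "config.py": 'REGION = "us-east-1"\n'
                 'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n'
                 'DB_PASSWORD = os.environ["DB_PASSWORD"]\n',
}

# Two illustrative patterns (assumed for the example): the AWS access key id
# shape, and a quoted literal assigned to a password-like variable.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded-password": re.compile(r"(?i)(password|passwd|pwd)\s*=\s*['\"][^'\"]{6,}['\"]"),
}


@dataclass(frozen=True)
class Finding:
    secret_type: str
    path: str
    commit: str    # "" for working-tree findings
    removed: bool  # True when the match sits on a '-' (deleted) diff line


def _matches(line):
    """Names of every pattern that matches one line of text."""
    return [name for name, pat in PATTERNS.items() if pat.search(line)]


def scan_working_tree(files):
    """Scan current file contents only; this is what a HEAD-only scan sees."""
    return [Finding(name, path, "", False)
            for path, text in files.items()
            for line in text.splitlines()
            for name in _matches(line)]


def scan_git_log(log_text):
    """Walk `git log -p` output, tracking the current commit and file, and
    report secrets on both added ('+') and deleted ('-') lines."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit, path = line.split()[1], None
        elif line.startswith("diff --git "):
            path = line.split(" b/", 1)[1]
        elif line.startswith(("+++ ", "--- ")) or path is None or line[:1] not in "+-":
            continue  # file headers, hunk headers, context lines and prose
        else:
            for name in _matches(line[1:]):
                findings.append(Finding(name, path, commit, line.startswith("-")))
    return findings


def secrets_only_in_history(log_text, files):
    """(type, path, introducing commit) for secrets absent from HEAD but present
    in history; with --reverse ordering the first commit seen introduced it."""
    live = {(f.secret_type, f.path) for f in scan_working_tree(files)}
    first_seen = {}
    for f in scan_git_log(log_text):
        key = (f.secret_type, f.path)
        if key not in live:
            first_seen.setdefault(key, f.commit)
    return sorted((t, p, c) for (t, p), c in first_seen.items())


if __name__ == "__main__":
    print("working tree:", scan_working_tree(HEAD_FILES))
    for t, p, c in secrets_only_in_history(SAMPLE_GIT_LOG, HEAD_FILES):
        print(f"{t} in {p} introduced in {c[:8]} (still retrievable from history)")
```

The working-tree scan returns nothing, while the history walk finds both credentials twice (once added, once deleted); the deletion does not make them unreadable, which is why a finding of this kind is treated as an exposed secret that needs rotation, not just removal from the file.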
You can also find relevant non-conformant scan results using filters, or search using keywords or tags (if they are already a part of the code). For each misconfiguration on Projects, you can either Suppress the issue, Fix it from the Prisma Cloud console, or access the repository in the Version Control System (VCS) to perform a manual fix. Currently, this view of Projects is accessible on Code Security > Projects > Enhanced.

Resource Blocks

All issues are viewable as a resource on Projects across code category views.
  • Resource Block: After periodic scans on resources, Prisma Cloud generates contextualized scan results for each resource as a resource block. Scan results are vulnerabilities in the code or code errors found within the resource. Each resource block displays only five issues by default; Show More displays the remaining issues within the resource.

Types of Resource Blocks

Each code category can generate either a resource or a policy block. See the table below for the block types that correspond to each code category.
Resource type by code category (columns, in order: IaC Misconfiguration, Vulnerabilities, Licenses, Secrets, Build Integrity):
  • IaC Resource: ✔️ ✔️ ✔️
  • Package: ✔️ ✔️
  • File: ✔️
  • Git Repository: ✔️
  • Git Organization: ✔️
  • CI/CD pipeline: ✔️
  • IaC Misconfiguration Resource Block
    For each IaC misconfiguration issue, the resource block provides extensive information.
    1. Resource Name and Path: Displays the resource name and its code path.
    2. Total number of Issues: Displays the total number of issues identified in the resource.
    3. Additional Information: Displays columns of information regarding the issue.
      • Repository: See the repository path.
      • Policy: See details on the non-conformant policy with the severity level.
      • Labels: Each issue has a corresponding label.
        • Has Fix: The issue displays this label if it has an automated fix provided by Prisma Cloud.
        • Custom Policy: The issue displays this label if it originated from a custom policy.
      • Git User: The name of the last contributing Git user before the issue was identified.
      • First Detected: The timestamp when the issue was found.
  • Vulnerabilities Resource Block
    For a vulnerabilities issue, the resource block provides extensive information on the vulnerable package.
    1. Package Name and Path: Displays the package name and its code path.
    2. Total number of Issues: Displays the total number of issues identified in the package.
    3. Additional Information: Displays columns of information regarding the issue.
      • CVE: Displays the CVE name and the severity level of the violation.
      • Package: View the violated package while identifying whether it is a root or a dependent package. If the CVE is exposed by a dependent package, you can see the name of the dependent package.
      • Root fix version: Displays the recommended fix version to update the root package to.
      • CVSS: Displays the Common Vulnerability Scoring System (CVSS) score.
      • Risk Factors: Displays the risk factors of the CVE using Prisma Cloud defined values. The values are Has Fix, Attack Complexity, DoS, Attack Vector, and Remote Execution.
      • First Detected: The timestamp when the issue was found.
  • Secrets Resource Block
    Secrets scans run on files rather than on a repository, so the resource block shows information on issues within the file.
    1. Secret Name and Path: Displays the repository name and its code path.
    2. Total number of Issues: Displays the total number of issues identified in the file.
    3. Additional Information: Displays columns of information regarding the issue.
      • Secret type: Displays the severity level of the exposed secret in the code.
      • Risk Factors: For Secrets there are three types of risk factors.
        • Private or Public: Identifies whether the repository storing the secret is publicly accessible or private.
        • Last Modified By: The name of the last contributing user before the issue was identified.
        • Modified On: The last modification date of the relevant code.
      • First Detected: The timestamp when the issue was found.
  • Licensing Resource Block
    For a licensing issue, the resource block provides extensive information on packages that use open source licenses.
    1. Package Name and Path: Displays the package name and its code path.
    2. Total number of Issues: Displays the total number of issues identified in the package.
    3. Additional Information: Displays columns of information regarding the issue.
      • Repository: See the repository path.
      • Policy: Displays the severity of the policy violation caused by using an open source licensed package.
      • License Type: Displays the origin of the license, that is, whether it originates from the root package or from a dependent package.
      • Package: The name of the package.
      • First Detected: The timestamp when the issue was found.
  • Build Integrity Resource Block
    For a Build Integrity issue, the resource block provides extensive information.
    1. Branch Name and Path: Displays the branch name and its code path.
    2. Total number of Issues: Displays the total number of issues identified in the repository.
    3. Additional Information: Displays columns of information regarding the issue.
      • Policy: Displays the severity level of the non-conformant policy in the code.
      • First Detected: The timestamp when the issue was found.

Resource Explorer and Fix Cart

To help you make an educated decision, Prisma Cloud provides granular information on each issue within the Resource Explorer. Each of the issues is then remediated from the Fix Cart.

Resource Explorer

The information in the Resource Explorer enables you to make an educated decision on the security violation, understand whether the violated resource is connected as a dependency to other resources within the repository, and explore the change log of the resource. You can view this contextualized information across four tabs.
  • Details: Helps you understand the connection between resources while enabling you to make an informed decision on whether the connection is at risk or is necessary.
  • Issues: Enables you to review security issues across all resource types against the package severity threshold and use the information to either fix, suppress, or manually add a fix to the issue.
  • History: Explore detailed information about a resource, including suppressions, change logs, and fixes.
  • Traceability: Explore and monitor connections between build-time and runtime resources.
    History and Traceability are currently supported only for IaC resources, and Errors are currently supported only for packages.

Fix Cart

A Fix Cart displays the issues you have chosen to fix before creating a Pull Request. See Fix Issues in Scan to learn how to add issues to a Fix Cart.

Filter Scan Results

Prisma Cloud enables you to filter your scan results across all code categories. You can filter your scan results across five default filters.

Repositories

A list of integrated repositories.

Branch

A list of the supported branches for a VCS branch scan. Currently, the repository's default branch is selected by default and cannot be configured. This filter applies to the Overview, IaC Misconfiguration, Vulnerabilities, Secrets, Licenses, and Build Integrity views.

Code Categories

A Category filters resources according to Build Integrity, Compute, Drift, General, IAM, Kubernetes, Licenses, Monitoring, Networking, Public, Secrets, Storage, and Vulnerabilities. The categories you defined for your repositories when integrating them with Prisma Cloud Code Security are also available as filters.

Issue Status

A status for each scanned repository is derived from its non-conformance to a policy. The repository status can be further filtered as Errors, Suppressed, and Passed.
  • Error: A resource appears with an error status when it is non-conformant to a policy.
  • Passed: A resource that conforms to its policies, or that has a history of fixed errors.
  • Suppressed: A resource that previously appeared with a non-conformant policy but was suppressed with a Suppress action. Suppressing a non-conformant policy in a resource means absolving the scanned result with a definitive explanation of why the non-conformance is not problematic.
  • Fix Pending: A fix awaiting a PR merge in your VCS console.
Your scanned resources appear on Code Security > Projects with an active Error filter by default. You can choose to add more filters or remove the Error filter.

Severities

Severity indicates the impact of a non-conformant resource in your repository. Resources can be filtered as Critical, High, Medium, Low, and Informational in severity.

Add Filter

You can add additional filters to the default views, or use these filters for granular customization of your custom view.
  • Git Users: A list of Git users who contribute to the code of the selected repositories.
  • Vulnerability Risk Factors: Filters issues by Has Fix, Attack Complexity, DoS, Attack Vector, and Remote Execution.
  • IaC Categories: Filters resources according to General, Compute, Drift, IAM, Kubernetes, Monitoring, Networking, Public, and Storage. The categories you defined for your repositories when integrating them with Prisma Cloud Code Security are also available in this filter.
  • Secrets Risk Factor: Filters secrets issues using the risk factors Public or Private Repository. You can select a single risk factor or both at a time.
  • File Types: Filters issues using the list of supported file formats.
  • IaC Labels: Filters resources by Has Fix or Custom Policy.
  • IaC Tags: Filters issues using the tags used in the resources.
In this example, you see the Git Users filter added to Overview.

Other Actions on Scan Results

On Code Security > Projects > More Actions, you can perform additional actions that give you richer scan results for your repositories.
  • Scan Now: You can always initiate a manual scan across your repositories to view the latest scan results. When you access Code Security > Projects on Prisma Cloud, you see the latest results of the periodic scans. A manual scan is recommended when you have integrated a new repository and would like to see the scan results immediately. You can also perform a manual scan when implementing a violation fix.
  • After your code repositories are integrated, you can modify the configuration to specify how Prisma Cloud scans your code.
  • Enforcement enables you to configure code review scan parameters for your repositories and customize violation failures and comments. Enforcement configurations scan every commit into your repository and suggest fixes if any violation is detected. This is in addition to the scans that Prisma Cloud periodically performs on your repositories.
  • You can manage tags and tag rules for all resources in repositories integrated with Prisma Cloud, for governance and monitoring or for enforcing policies on provisioned resources. You can enable, disable, and edit tags for any cloud resource on the Prisma Cloud console, except auto-generated trace tags (yor_trace).
