Monitor and Fix Issues in Your Scans

Prisma Cloud performs periodic scans on each integrated repository of Version Control System (VCS) and CI/CD to find infrastructure misconfigurations. The access to
Code Security > Projects
gives you a consolidated view of scan results across repositories and helps you understand your security posture.
Projects display errors in your repositories similar to a developer workflow, wherein the master branch of a repository lists all code security violations in the resource block with code tags, resource dependencies and resource history. You can also find relevant non-conformant scan results using filters or search using keywords or tags (if they are already a part of the code). In addition, you can filter the violations based on the developer commits to the code, using code block modifiers similar to Git blame.
For each misconfiguration on Projects, you can either Suppress the violation or Fix it from the Prisma Cloud console or access the repository in the Version Control System (VCS) from the console.

Projects

Familiarize yourself with Projects to help you to view all your infrastructure misconfigurations across accounts.

Browse Scan Results

Each time you access
Code Security > Projects
, you view the latest scan results of a repository. To view a specific repository scan result, you can browse through the list of integrated repositories or search for the repository.
  • Browse across repositories and resources.
    You can browse across multiple integrated repositories and use the icons associated with each repository for an easy find to select a specific repository. In this example, you see multiple repositories integrated on Code Security.
  • Search specific repositories.
    Using the search option, search for repositories using keywords.
    In this example, you see a search for a repository with the keyword terragoat.
  • Search for resources using developer commits.
    As scan results in
    Code Security > Projects
    are similar to developer workflow, using the code block modifiers similar to Git blame, you can browse through a repository based on developer commits.
    If there multiple developers contributing to the repository, you can select a specific code block to view the developer associated commits. In this example, you see code block selection of NK with associated resources changes.

Filter Scan Results

Prisma Cloud enables you to filter your scan results within a repository. You can filter your scan results across five filters.

Status

Status for each scanned repository is created based on the non-conformance to a policy. The repository status can be further filtered as Errors, Suppressed and Passed.
Status
Description
Errors
A resource appears with an error status when it is non-conformant to a policy.
Suppressed
A resource previously appeared with a non-conformant policy but is suppressed with a Suppress action. To suppress a non-conformant policy in a resource is when you absolve the scanned result with a definitive explanation indicating the non-conformance to be not problematic.
Passed
A resource that has conformant policies or may have a history of fixed errors.
Your scanned resources appear on
Code Security > Projects
with an active Error filter by default. You can choose to add more filters or remove the Error filter.

Category

A Category filters resources according to Build Integrity, Compute, Drift, General, IAM, Kubernetes, Licenses, Monitoring, Networking, Public, Secrets, Storage, and Vulnerabilities. During the time of repositories integration on Prisma Cloud Code Security, your defined Categories associated with the repositories also help with filters.

Severity

A Severity indicates an impact on a non-conformant resource in your repository. Resources can be filtered as High, Medium and Low in severity.

Tags

A Tag helps you filter resources as defined individual tagged key value pairs.

Code Status

A Code Status enables you to filter resources according to the Automated Fix implemented on a resource.

Monitor Scan Results

Each time you access
Code Security > Projects
, you view the scan result of the latest scanned repository. You see a non-conformant scan result corresponding to a resource within a scanned repository. The non-conformant contextualized scan results appear with resource path information, the severity of the error, code block with the error, and actions to Suppress or Fix the error within a Resource Block. In addition, on Resource Explorer you see resource details that help you get context on the non-conformance to make an educated decision. The scan results include the latest PR (Pull request) in the repository, thus giving you the latest non-conformance scan result in real-time.

Resource Block

Prisma Cloud monitors each security violation of a resource within a repository and generates contextualized scanned results of each resource as a resource block.
Each scan result in a resource block gives you extensive information on:
  1. Resource Name
    Name of the resource scanned.
  2. Commit history and Commit ID
    For each change made in the resource, Git generates a commit ID. Prisma Cloud also displays the timeline of the resource committed to the default (master) branch.
  3. User Name
    Name of the user who made the last commit with changes for the resource.
  4. Non-conformance
    Displays the code security violation identified in the resource with the severity.
    Similar to a developer workflow, you can also view changes made in the resource.
  5. Suppress and Fix
    Prisma Cloud provides the option to either Suppress or Fix the violation for each resource block. Suppressing a violation when you absolve the scanned result with a definitive explanation indicating the non-conformance to be not problematic.

Resource Explorer

The information on Resource Explorer enables you to make an educated decision on the security violation and understand if the violation has any connection as a dependency on other resources within the repository while exploring the change log of the resource. You can view this contextualized information across four tabs.
  • Details
    : Helps you understand the connection between resources while enabling you to make informed decisions if the connection is at risk or if it is necessary.
  • Errors
    : Enables you to review security violations with the package severity threshold and utilize the information to either suppress or prioritize it.
  • History
    : Explore detailed information about a resource, including suppression, change logs and fixes.
  • Traceability
    : Explore and monitor connections between build-time and runtime resources.
    The support for History and Traceability is currently only IaC resources, and the support for Errors is currently only available for packages.

Fix Scan Results

Each scanned result for a resource gives you actions you can use to mitigate each resource with Suppress and Fix.
  • Suppress
    : Suppress is an action when you absolve the scanned result with a definitive explanation indicating the non-conformance to be not problematic.
  • Fix
    : Fix is an action when you access the source code and fix the non-conformant error within the code.

Fix a scanned result

On
Code Security > Projects
, you can fix scan results for IaC resources, Drift and Vulnerabilities.
  1. Access a scanned result of a repository in
    Code Security > Projects
    .
    You can fix more than one scanned result at a time.
  2. Select
    Fix
    .
  3. Select
    Submit
    . This will create a PR in the repository.
    Make edits within the source code and commit your changes. Your changes will be marked as
    Fixed
    on
    Code Security > Projects
    .

Suppress a scanned result

On
Code Security > Projects
, you can suppress scan results for IaC resources, Drift, Packages and Vulnerabilities.
  1. Access a scanned result of a repository in
    Code Security > Projects
    .
  2. Select
    Suppress
    and enter relevant information as
    Justification
    .
    You can optionally add an
    Expiration Date
    for the suppression.
  3. Select
    More Options
    to view more configurations.
  4. Select
    Suppression Type
    .
    You can choose between the suppression types.
    • Disable policy
      : This enables you to suppress the violation by policy and at your next scan the policy will not be scanned.
    • Suppress by tags
      : This enables you to selectively suppress the violation to a tag.
    • Suppress by accounts
      : This enables you to selectively suppress the violation across accounts.
      For each suppression type you can also view the number of resources that will be affected to make an informed decision.
  5. Select
    Save
    and then select
    Submit
    to save and implement the suppression.
    You can also view the suppressed result using the
    Status
    filter.

Other Actions on Scan Results

On
Code Security > Projects > More Actions
, you can perform additional actions to enable you to view richer scan results of your repositories.
  • Scan Now
    You can always initiate a manual scan across your repositories to view the latest scan results. On Prisma Cloud, when you access
    Code Security > Projects
    , you will see the latest scan results that are periodically performed. A manual scan is recommended when you have integrated a new repository and would like to see the scan results immediately. Alternatively, you can perform a manual scan when implementing a violation fix.
  • After your code repositories are integrated, you can modify the configuration to specify how Prisma Cloud scans your code.
  • Enforcement enables you to configure code review scan parameters in your repositories and customize violation failures and comments. Enforcement configurations scan every commit into your repository and suggest fixes if any violation is detected. This is in addition to the scan that Prisma Cloud periodically performs on your repositories.
  • You can manage tags and tag rules for all resources with assigned repositories integrated on Prisma Cloud for governance and monitoring or enforcing policies for provisioned resources. You can enable, disable, and edit tags for any cloud resource, except auto-generated trace tags (yor_trace) on the Prisma Cloud console.

Recommended For You