Prisma Cloud Administrator’s Guide (Compute)
    : CI plugin policy
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Administrator’s Guide (Compute)
    5. Continuous integration
    6. CI plugin policy
    Download PDF

    Prisma Cloud Administrator’s Guide (Compute)

    CI plugin policy

    Table of Contents

    CI plugin policy

    Prisma Cloud lets you centrally define your CI policy in Console. These policies establish security gates at build-time. Use policies to pass or fail builds, and surface security issues early during the development process.
    There are two types of policies you can use to target your CI tool: vulnerability policies and compliance policies. CI rules have the same parameters as the rules for registries and deployed components, letting you evenly enforce policy in all phases of the app lifecycle.
    Prisma Cloud offers the following components for integrating with CI tools:
    • A native Jenkins plugin.
    • A stand-alone, statically compiled binary, called twistcli, that can be integrated with any CI tool.

    Vulnerability policy

    For more information about the parameters in vulnerability management rules, see here.
    Vulnerability rules that target the build tool can allow specific vulnerabilities by creating an exception and setting the effect to 'ignore'. Block them by creating an exception and setting the effect to 'fail'. For example, you could create a vulnerability rule that explicitly allows CVE-2018-1234 to suppress warnings in the scan results.
    Rules take effect as soon as they are saved.

    Create CI Policy for Vulnerabilities

    Vulnerability CI policies let you raise alerts or fail builds when images/functions scanned in the CI process have vulnerabilities.
    1. Open Console.
    2. Go to
      Defend > Vulnerabilities > {Images | Functions} > CI
      .
    3. Select
      Add rule
      .
    4. Enter a
      Rule name
       and configure the rule.
    5. Select
      Save
      .
    6. View the scan report under
      Monitor > Vulnerabilities > {Images | Functions} > CI
      .

    Compliance policy

    The compliance checks in Prisma Cloud are based on the Center for Internet Security (CIS) Docker Benchmarks. We also provide numerous checks from our lab. You can also implement your own checks using custom checks.
    Compliance rules that target the CI tool can permit specific compliance issues by setting the action to 'ignore'.
    Rules take effect as soon as they are saved.

    Create CI Policy for Compliance

    Compliance CI policies let you monitor, audit, and enforce security and configuration settings for your CI images and functions.
    1. Open Console.
    2. Go to
      Defend > Compliance > {Containers and images | Functions} > CI
      .
    3. Select
      Add rule
      .
    4. Enter a
      Rule name
       and configure the rule to enforce compliance checks.
    5. Select
      Save
      .
    6. View the scan report under
      Monitor > Compliance > {Images | Functions} > CI
      .

    Alert Profiles

    To surface critical compliance and vulnerabilities events, you can create alert profiles for forwarding the alerts to various integrations.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.