Pivotal Cloud Foundry blobstore scanning

Prisma Cloud for Pivotal Cloud Foundry (PCF) scans the droplets in your blobstores for vulnerabilities.
PCF is a Platform as a Service (PaaS) that runs applications on your infrastructure. The platform itself is deployed, scaled, and monitored by BOSH, PCF’s infrastructure lifecycle management tool. PCF stores large binary files in blobstores, which are roughly equivalent to container registries. One type of file stored in the blobstore is the droplet.
Droplets are archives that contain ready-to-run applications, roughly equivalent to container images. A droplet contains the OS stack, a buildpack (which supplies the languages, libraries, and services the app uses), and your app code. Before running an app on your infrastructure, the Cloud Controller stages it by combining the OS stack, buildpack, and source code into a droplet, then stores the droplet in a blobstore.
Prisma Cloud is packaged as a tile. When the tile is installed, it runs Defender as a PCF service in a dedicated VM on your infrastructure. Like all Defenders, the PCF Defender must be able to connect over the network to Prisma Cloud Console.
The twistcli command line tool also lets you scan droplet files directly. You can integrate twistcli into your CI pipeline to pass or fail builds based on vulnerability thresholds.

Install the PCF Defender

The PCF Defender is delivered as a tile. Go to the PCF Ops Manager Installation Dashboard to install the tile.
External blobstores that require a custom authentication flow, such as those offered by cloud providers, are not supported.
  1. In Prisma Cloud Console, go to Manage > System > Downloads, and download the PCF tile.
  2. In the Ops Manager Installation Dashboard, click Import a Product, and select the tile you downloaded.
  3. Retrieve the install command from Prisma Cloud Console. It’s used to configure the tile.
    1. Go to Manage > Defenders > Deploy.
    2. Choose the DNS name or IP address the PCF Defender will use to connect to Console. If a suitable option is not available, go to Manage > Defenders > Names, and add a DNS name or IP address to the SAN table.
    3. Set the Defender type to PCF.
    4. Leave the Defender listener type set to None.
    5. Copy the install command and set it aside.
  4. Go to the PCF Ops Manager Installation Dashboard.
  5. Add the Prisma Cloud tile to your staging area. Click the + button next to the version of the tile you want to install.
     (Screenshot: pcf_blobstore_add_tile_to_staging.png)
  6. Click the newly added Prisma Cloud for PCF tile.
     (Screenshot: pcf_blobstore_tile.png)
  7. Configure the tile.
     (Screenshot: pcf_blobstore_configure_tile.png)
    1. In Assign AZs and Network Assignments, specify where Prisma Cloud Defender should run, then click Save.
       Prisma Cloud for PCF runs as a service. If you have a dedicated subnet for services, run it there.
       By default, Prisma Cloud performs strict validation of your Cloud Controller’s (CC) TLS certificate. If the CC uses a self-signed certificate, or one issued by a private CA, this check fails. The preferred fix is to add the CA’s certificate to the trusted certificate list on the VM where the Prisma Cloud tile runs. For details on how to do this, refer to Pivotal’s trusted certificates article.
       To skip strict validation of the CC’s TLS certificate instead, enable Skip Cloud Controller TLS validation. Strict validation verifies the name, signer, and validity dates of the CC’s certificate. With strict validation disabled, the session is still encrypted, but Defender no longer verifies that it is talking to the genuine Cloud Controller, so anyone on the network path who can present a forged certificate can intercept the connection. Skip strict validation only when:
       • You’re using self-signed certificates
       • You’re using certificates signed by a CA that isn’t in your cert store
       • There’s a mismatch between the address you’re using to connect to the CC and the common name (CN) or subject alternative name (SAN) in the CC’s certificate
    2. In Prisma Cloud Component Configuration, enter the install command you copied from Prisma Cloud Console, then click Save.
    3. In Credentials, enter your Prisma Cloud Console credentials, then click Save. Your role must be Defender Manager or higher.
       Certificate-based authentication is not supported with Prisma Cloud Enterprise.
  8. Install the Prisma Cloud tile. Return to the Ops Manager Installation Dashboard, click Review Pending Changes, select Prisma Cloud for PCF, then click Apply changes.
  9. After the changes are applied, validate that Prisma Cloud Defender is running. Log into Prisma Cloud Console, then navigate to Manage > Defenders > Manage. In the table of deployed Defenders, you should see a Defender of type PCF.
     (Screenshot: pcf_blobstore_defender_installed.png)
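The Cloud Controller TLS validation note in step 7 lists the conditions under which strict validation fails. The script below is an added example, not part of the Prisma Cloud documentation or product: it reproduces the same checks (signer, validity dates, and name match) with openssl against certificates it constructs locally, so you can find out which condition applies to your own CC certificate and fix the trust store rather than disabling validation. The hostname api.sys.example.internal and the CA names are assumptions; substitute the CC certificate and your CA bundle to test a real deployment.

```shell
#!/bin/sh
# Added example (not from the Prisma Cloud docs or product): reproduce the three
# properties that strict Cloud Controller TLS validation enforces, a trusted
# signer, a current validity period, and a CN/SAN matching the address used,
# with openssl. All certificates are constructed here: a throwaway private CA,
# a second unrelated CA, and a CC server certificate.
# Assumed hostname: api.sys.example.internal.
set -eu

WORK=$(mktemp -d)
CC_HOST="api.sys.example.internal"

# make_ca NAME SUBJECT: self-signed CA certificate and key in $WORK/NAME.{pem,key}
make_ca() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = $2
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cc_cert CANAME: CC server certificate signed by that CA, with a SAN
# matching the address Defender will use to reach the Cloud Controller
issue_cc_cert() {
  cat > "$WORK/cc.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $CC_HOST
[v3_req]
subjectAltName = DNS:$CC_HOST
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/cc.cnf" \
    -keyout "$WORK/cc.key" -out "$WORK/cc.csr" 2>/dev/null
  openssl x509 -req -days 365 -sha256 -in "$WORK/cc.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/cc.cnf" -extensions v3_req -out "$WORK/cc.pem" 2>/dev/null
}

# strict_check CERT CAFILE HOST: exit 0 only if CERT chains to a CA in CAFILE,
# is inside its validity period, and carries HOST in its CN or SAN. Enabling
# "Skip Cloud Controller TLS validation" drops all three checks while keeping
# the session encrypted, which is why adding the CA is the better fix.
strict_check() {
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

make_ca corp-ca "Example Corp Private CA"
make_ca other-ca "Unrelated CA"
issue_cc_cert corp-ca

# Case 1: the CC's CA is in the trust store and the name matches: validation passes.
strict_check "$WORK/cc.pem" "$WORK/corp-ca.pem" "$CC_HOST" \
  && echo "PASS: signer trusted, name matches"
# Case 2: same certificate, but the signing CA is not in the trust store.
strict_check "$WORK/cc.pem" "$WORK/other-ca.pem" "$CC_HOST" \
  || echo "FAIL: signer not trusted; add the CA to the trust store instead of skipping validation"
# Case 3: connecting by an address that is not in the certificate's CN or SAN.
strict_check "$WORK/cc.pem" "$WORK/corp-ca.pem" "api.sys.other.internal" \
  || echo "FAIL: name mismatch; connect by a name in the SAN or reissue the certificate"
```

The second and third cases are the ones that tempt people to disable validation. Both have a fix that keeps the authentication of the Cloud Controller intact: install the CA on the tile VM, or make the address in the install configuration match a SAN entry.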

Configure Prisma Cloud to scan a blobstore

Prisma Cloud can scan internal and external blobstores, including blobstores configured to use the Fog Ruby gem or the WebDAV protocol.
  1. Log into Prisma Cloud Console.
  2. Go to Defend > Vulnerabilities > PCF Blobstore.
  3. Click Add PCF Blobstore settings.
  4. Specify the Cloud Controller.
  5. Specify the droplets to scan. To scan all droplets, enter a wildcard (*).
  6. Specify the maximum number of droplets to scan. To scan all droplets, enter 0.
  7. Click Add.
  8. Click Save.

Review scan reports

Scan reports show all vulnerabilities found in the droplets in blobstores. By default, droplets are rescanned every 24 hours.
  1. Log into Prisma Cloud Console.
  2. Go to Monitor > Vulnerabilities > PCF Blobstore to see a list of summary reports for each droplet.
  3. To drill into a specific scan report, click on a row in the table.
