Serverless function scanning
Prisma Cloud can scan serverless functions for vulnerabilities.
Prisma Cloud supports AWS Lambda, Google Cloud Functions, and Azure Functions.
Serverless computing is an execution model in which a cloud provider dynamically manages the allocation of machine resources and schedules the execution of functions provided by users.
Serverless architectures delegate the operational responsibilities, along with many security concerns, to the cloud provider. In particular, your app itself is still prone to attack.
The vulnerabilities in your code and associated dependencies are the footholds attackers use to compromise an app.
Prisma Cloud can show you a function’s dependencies, and surface the vulnerabilities in those dependent components.
Capabilities
For serverless, Prisma Cloud can scan Node.js, Python, Java, C#, Ruby, and Go packages.
For a list of supported runtimes see system requirements.
Prisma Cloud scans are triggered by the following events:
- When the settings change, including when new functions are added for scanning.
- When you explicitly click theScanbutton in theMonitor > Vulnerabilities > Functions > Scanned Functionspage.
- Periodically. By default, Prisma Cloud rescans serverless functions every 24 hours, but you can configure a custom interval inManage > System > Scan.
Scanning a serverless function
Configure Prisma Cloud to periodically scan your serverless functions.
Unlike image scanning, all function scanning is handled by Console.
- Open Console.
- Go toDefend > Vulnerabilities > Functions > Functions.
- Click onAdd scope. In the dialog, enter the following settings:
- (AWS only) SelectScan only latest versionsto only scan the latest version of each function. Otherwise, the scanning will cover all versions of each function up to the specifiedLimitvalue.
- (AWS only) SelectScan Lambda Layersto enable scanning function layers as well.
- (AWS only) Specify which regions to scan inAWS Scanning scope. By default, the scope is applied toRegular regions. Other options includeChina regionsorGovernment regions.
- Specify aLimitfor the number of functions to scan.Prisma Cloud scans the X most recent functions, where X is the limit value. Set this value to '0' to scan all functions.For scanning Google Cloud Functions with GCP organization level credentials, the limit value is for the entire organization. Increase the limit as needed to cover all the projects within your GCP organization.
- Select the accounts to scan by credential. If you wish to add an account, click onAdd credential.If you create a credential in the credentials store (Manage > Authentication > Credentials store), your service principal authenticates with a password. To authenticate with a certificate, create a cloud account.
- ClickAdd.
- Click the green save button.
- View the scan report.Go toMonitor > Vulnerabilities > Functions > Scanned functions.All vulnerabilities identified in the latest serverless scan report can be exported to a CSV file by clicking on the CSV button in the top right of the table.
View AWS Lambda Layers scan report
Prisma Cloud can scan the AWS Lambda Layers code as part of the Lambda function’s code scanning.
This capability can help you determine whether the vulnerability issues are associated with the function or function Layers.
Follow the steps below to view the Lambda Layers scan results:
- Open Console.
- Make sure you selected theScan Lambda layersin the Defend > Vulnerabilities > Functions > Functions > Serverless Accounts >Function scan scope
- Go toMonitor > Vulnerabilities > Functions > Scanned functions.
- Filter the table to include functions with the desired Layer by adding theLayersfilter.You can also filter the results by a specific layer name or postfix wildcards. Example: Layers:* OR Layers:arn:aws:lambda:*
- Open theFunction detailsdialog to view the details about the Layers and the vulnerabilities associated with them:
- Click on a specific function
- See the Function’s vulnerabilities, compliance issues and package info in the related tabs. Use theFound incolumn to determine if the component is associated with the Function or with the Function’s Layers.
- Use theLayers infotab to see the full list of the Function’s Layers, and aggregated information about the Layers vulnerabilities. In case that there are vulnerabilities associated with the layer you will be able to expand the layer raw to list all the vulnerabilities.
Authenticating with AWS
The serverless scanner is implemented as part of Console.
The scanner requires the following permissions policy:
+