Use the Prisma Cloud App for GitHub
This Prisma Cloud app for GitHub enables you to scan IaC templates to check them against security policies when you open a pull request. For each pull request, you can define the pass criteria and view the scan results directly on GitHub. When the defined criteria are not met, the pull request fails and you can view all the checks that failed. In addition, the Prisma Cloud app creates an issue and adds the scan results as comments, so that you can fix all the issues reported before the changes are merged to the repository.
Use this app for scanning files in a private GitHub repository that has enabled restricted access. Be sure to create a read-only role on Prisma Cloud and to generate a secret key and access key for a user. You will need to provide these credentials to authenticate to Prisma Cloud for API access for the scanning capabilities.
Recent versions of the app capture the Prisma Cloud credentials as part of the installation process and no longer require the credentials to be hard-coded in configuration file .github/prisma-cloud-config.yml. Existing customers should remove the credentials from this file after the app upgrade.
Set up the Prisma Cloud App Files for GitHub
To set up for IaC scans for a repository, you need to create IaC scan configuration files. These files enable you to control the behavior of your scans to meet your needs for that repository. For example, depending on the thresholds you defined in these files, the Prisma Cloud app will perform checks that allow or fail requests to merge or commit changes.
Creating these files before you install the Prisma Cloud app for GitHub enables the app installation itself to run a full IaC scan of selected repositories as part of the installation.
The two new files are:
- The Prisma Cloud configuration file .prismaCloud/config.ymlThis file identifies the templates types you wish to scan.
- .github/prisma-cloud-config.ymlThis file includes the criteria that defines whether or not you allow the commit for the pull request.
- Create the .prismaCloud/config.yml in the root directory of your repository branch. This file is required, and it must include the template type, version, and the template specific parameters and tags you use in your environment.
- Create the prisma-cloud-config.yml file to support the ability to scan IaC templates.
- SelectCreate new file.Add a new folder called .github, and name the file prisma-cloud-config.yml. The path should be<your repository name>/.github/prisma-cloud-config.yml.
- Copy the template for this new file.Copy and paste the following contents into .github/prisma-cloud-config.yml.# Please update with the respective environment values and commit # to master branch under the .github folder before performing scans # Define the failure criteria for creating checks. If the criteria # matches a check will be created. The template for the checks can # becustomized in the "/.github/prisma-template-for-scan-results" # file. failure_criteria_for_creating_checks: high: 1 medium: 1 low: 1 operator: or # Define the failure criteria for creating issues. If the criteria # matches an issue will be created. The template for issues can be # customized in the "/.github/prisma-template-for-scan-results" # file. failure_criteria_for_creating_issues: high: 1 medium: 1 low: 1 operator: or # Define github asset name github_asset_name: "Github Asset Dev" # Define tags tags: - phase:testing - env:QA
- Define the parameter values in prisma-cloud-config.yml.The parameters in prisma-cloud-config.yml define the failure criteria for pull requests. You can setfailure_criteria_for_creating_checksto define the number and severity of security policy check failures that need to occur to trigger a merge request failure. The syntax for thefailure_criteria_for_creating_checksvalue is as follows.
In the syntax above, x is a count of high-severity policy check failure, y is a count of medium-severity policy check failures, and z is a count of low-severity policy check failures. Thehigh: x medium: y low: z operator: opoperatorvalue determines what combination of High/Medium/Low counts should result in a merge request failure. The default for each count is 0. The value for operator, op, can be either OR or AND. The default is OR. Some examples of settings forfailure_critieria_for_creatings_checksare as follows.
You can also use failure_criteria_for_creating_issues to define the number and severity of security policy check failures that need to occur to trigger creation of a GitHub issue, during a pull request. The syntax of the variable value is the same as that for failure_criteria_for_creating_checks. The value includeshigh,medium, andlowcounts and includes anoperatorwhose possible values areANDandOR.Prisma Cloud uses the asset name to track results. Some example names are creditapp_server and ConsumerBU_server.Prisma Cloud tags enable visibility on the Prisma Cloud administrator console.
- The setting below would result in a failed merge request security check for any detected policy check failurehigh: 0 medium: 0 low: 0 operator: OR
- The setting below would result in merge requests never failing a security check.high: 1000 medium: 1000 low: 1000 operator: AND
Install the Prisma Cloud App for GitHub
You must set up the app to authenticate to Prisma Cloud, and you can optionally customize the scan settings.
- Search for Prisma Cloud on the GitHub marketplace.
- Selectand addSettingsIntegrations &servicesAdd servicePrisma Cloud.This app requires the following permissions:
- Read access to code, to perform scan on template files.
- Read/write access to check for issues and open pull requests.
- Read access to metadata.
- Specify where you want to install the app.You can choose to install the Prisma Cloud app for GitHub on all repositories or only on selected repositories. You can change this setting later to include more repositories for scanning.
- Specify the Prisma Cloud API URL, Prisma Cloud access key ID, and corresponding secret key to use for the integration.The Prisma Cloud API URL you specify depends on the region and cluster of your Prisma Cloud tenant. For example, if your Prisma Cloud admin console URL is https://app.prismacloud.io, then your Prisma Cloud API URL is https://api.prismacloud.io. See the Prisma Cloud REST API Reference for a list of Prisma Cloud API URLs.See Create and Manage Access Keys for details about Prisma Cloud access keys.Once you’ve entered your settings, selectValidate. If the settings are valid, aSavebutton appears, which enables you to save your settings.
- To add other repositories or to modify the configuration, you can selecttoSettingsIntegrations & servicesPrisma CloudConfigurethe app.Whenever you use this option to add repositories, the addition will result in an IaC scan of the repository if all the configuration files for the Prisma Cloud app are set up.
Recommended For You
Recommended videos not found.