Use the Prisma Cloud App for GitHub
This Prisma Cloud app for GitHub enables you
to scan IaC templates to check them against security policies when
you open a pull request. For each pull request, you can define the
pass criteria and view the scan results directly on GitHub. When
the defined criteria are not met, the pull request fails and you
can view all the checks that failed. In addition, the Prisma Cloud
app creates an issue and adds the scan results as comments, so that
you can fix all the issues reported before the changes are merged
to the repository.
Use this app for scanning files in a private
GitHub repository that has enabled restricted access. Be sure to
create a read-only role on Prisma Cloud and to generate a secret
key and access key for a user. You will need to provide these credentials
to authenticate to Prisma Cloud for API access for the scanning
capabilities.
Recent versions of the app capture the Prisma Cloud credentials as part
of the installation process and no longer require the credentials
to be hard-coded in the configuration file .github/prisma-cloud-config.yml.
Existing customers should remove the credentials from this file
after the app upgrade.
Set up the Prisma Cloud App Files for GitHub
To set up for IaC scans for a repository,
you need to create IaC scan configuration files. These files enable
you to control the behavior of your scans to meet your needs for
that repository. For example, depending on the thresholds you defined
in these files, the Prisma Cloud app will perform checks that allow
or fail requests to merge or commit changes.
Creating
these files before you install the Prisma Cloud app for GitHub enables
the app installation itself to run a full IaC scan of selected repositories
as part of the installation.
The two new files are:
- .prismaCloud/config.yml: the Prisma Cloud configuration file. This file identifies the template types you wish to scan.
- .github/prisma-cloud-config.yml: this file includes the criteria that define whether or not you allow the commit for the pull request.
- Create the .prismaCloud/config.yml in the root directory of your repository branch. This file is required, and it must include the template type, version, and the template-specific parameters and tags you use in your environment.
- Create the prisma-cloud-config.yml file to support the ability to scan IaC templates.
- Select Create new file. Add a new folder called .github, and name the file prisma-cloud-config.yml. The path should be <your repository name>/.github/prisma-cloud-config.yml.
- Copy the template for this new file. Copy and paste the following contents into .github/prisma-cloud-config.yml.

    # Please update with the respective environment values and commit
    # to master branch under the .github folder before performing scans

    # Define the failure criteria for creating checks. If the criteria
    # matches a check will be created. The template for the checks can
    # be customized in the "/.github/prisma-template-for-scan-results"
    # file.
    failure_criteria_for_creating_checks:
      high: 1
      medium: 1
      low: 1
      operator: or

    # Define the failure criteria for creating issues. If the criteria
    # matches an issue will be created. The template for issues can be
    # customized in the "/.github/prisma-template-for-scan-results"
    # file.
    failure_criteria_for_creating_issues:
      high: 1
      medium: 1
      low: 1
      operator: or

    # Define github asset name
    github_asset_name: "Github Asset Dev"

    # Define tags
    tags:
      - phase:testing
      - env:QA
- Define the parameter values in prisma-cloud-config.yml. The parameters in prisma-cloud-config.yml define the failure criteria for pull requests. You can set failure_criteria_for_creating_checks to define the number and severity of security policy check failures that need to occur to trigger a merge request failure. The syntax for the failure_criteria_for_creating_checks value is as follows.

    high: x
    medium: y
    low: z
    operator: op

  In the syntax above, x is a count of high-severity policy check failures, y is a count of medium-severity policy check failures, and z is a count of low-severity policy check failures. The operator value, op, determines what combination of high/medium/low counts should result in a merge request failure. The default for each count is 0. The value for op can be either OR or AND. The default is OR. Some examples of settings for failure_criteria_for_creating_checks are as follows.
  - The setting below would result in a failed merge request security check for any detected policy check failure.

      high: 0
      medium: 0
      low: 0
      operator: OR

  - The setting below would result in merge requests never failing a security check.

      high: 1000
      medium: 1000
      low: 1000
      operator: AND

  You can also use failure_criteria_for_creating_issues to define the number and severity of security policy check failures that need to occur to trigger creation of a GitHub issue during a pull request. The syntax of the variable value is the same as that for failure_criteria_for_creating_checks. The value includes high, medium, and low counts and includes an operator whose possible values are AND and OR. Prisma Cloud uses the asset name (github_asset_name) to track results. Some example names are creditapp_server and ConsumerBU_server. Prisma Cloud tags enable visibility on the Prisma Cloud administrator console.
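The following is an added example, not code from Prisma Cloud or the GitHub app, that shows how the threshold and operator settings above combine. It parses the small YAML subset used by prisma-cloud-config.yml (top-level keys, one nested mapping level, simple lists) with a hand-written reader so it runs without PyYAML, then applies the high/medium/low counts with the OR/AND operator to a constructed scan summary. The sample configuration is built from the template on this page. The comparison rule is an assumption made for the example: a severity bucket triggers when its finding count reaches the configured threshold, and a threshold of 0 triggers on any finding, which reproduces the page's "all zeros, OR" and "all 1000, AND" examples. The parser and the function names (parse_config, criteria_met, evaluate) are this example's own, not part of the app.

```python
"""Evaluate prisma-cloud-config.yml failure criteria against scan counts.

Added example, not Prisma Cloud's own code. The YAML reader handles only the
subset used by this file; the threshold comparison is an assumption (see the
comment in criteria_met).
"""

# Constructed sample, shaped like the template on the page. The issue
# criteria are raised to 1000/AND so the two criteria produce different
# outcomes for the same scan.
SAMPLE_CONFIG = """\
# Define the failure criteria for creating checks.
failure_criteria_for_creating_checks:
  high: 1
  medium: 1
  low: 1
  operator: or
# Define the failure criteria for creating issues.
failure_criteria_for_creating_issues:
  high: 1000
  medium: 1000
  low: 1000
  operator: AND
github_asset_name: "Github Asset Dev"
tags:
  - phase:testing
  - env:QA
"""

SEVERITIES = ("high", "medium", "low")


def _scalar(value):
    """Turn a YAML scalar from this file into an int or an unquoted string."""
    value = value.strip().strip('"')
    return int(value) if value.isdigit() else value


def parse_config(text):
    """Parse the flat YAML subset used by prisma-cloud-config.yml.

    Supports top-level scalars, one level of nested mapping (indented
    'key: value' lines) and simple '- item' lists. Comments ('#') and blank
    lines are ignored. Values containing '#' are not supported.
    """
    config = {}
    current = None  # top-level key whose nested lines are being read
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            key, _, value = line.partition(":")
            key = key.strip()
            if value.strip():
                config[key] = _scalar(value)
                current = None
            else:
                config[key] = None  # filled by the indented lines that follow
                current = key
            continue
        if current is None:
            raise ValueError(f"indented line without a parent key: {raw!r}")
        item = line.strip()
        if item.startswith("- "):
            if config[current] is None:
                config[current] = []
            config[current].append(_scalar(item[2:]))
        else:
            sub_key, _, sub_value = item.partition(":")
            if config[current] is None:
                config[current] = {}
            config[current][sub_key.strip()] = _scalar(sub_value)
    return config


def criteria_met(criteria, counts):
    """Return True when the scan counts satisfy one failure-criteria block.

    criteria: mapping with optional high/medium/low ints and operator.
    counts:   mapping of severity -> number of failed policy checks.
    Missing thresholds default to 0 and operator defaults to OR, as the
    page states. Assumption: a bucket triggers at count >= threshold, and a
    threshold of 0 triggers on any finding (count >= 1).
    """
    op = str(criteria.get("operator", "OR")).upper()
    if op not in ("OR", "AND"):
        raise ValueError(f"unsupported operator: {op}")
    hits = []
    for sev in SEVERITIES:
        threshold = int(criteria.get(sev, 0))
        count = int(counts.get(sev, 0))
        hits.append(count >= max(threshold, 1))
    return any(hits) if op == "OR" else all(hits)


def evaluate(config_text, counts):
    """Apply both criteria blocks and return what the app would do."""
    config = parse_config(config_text)
    return {
        "fail_check": criteria_met(config["failure_criteria_for_creating_checks"], counts),
        "open_issue": criteria_met(config["failure_criteria_for_creating_issues"], counts),
        "asset": config["github_asset_name"],
        "tags": config["tags"],
    }


if __name__ == "__main__":
    # Constructed scan summary: two medium-severity policy failures.
    print(evaluate(SAMPLE_CONFIG, {"high": 0, "medium": 2, "low": 0}))
```

With the sample above, two medium findings fail the check (any one bucket at or above 1 satisfies OR) but open no issue (AND over 1000-count thresholds is effectively never met), which is the difference between the two page examples expressed on one scan.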
Install the Prisma Cloud App for GitHub
You must set up the app to authenticate to
Prisma Cloud, and you can optionally customize the scan settings.
- Search for Prisma Cloud on the GitHub marketplace.
- Select Settings > Integrations & services > Add service, and add Prisma Cloud. This app requires the following permissions:
- Read access to code, to perform scans on template files.
- Read/write access to checks, issues, and pull requests.
- Read access to metadata.
- Specify where you want to install the app. You can choose to install the Prisma Cloud app for GitHub on all repositories or only on selected repositories. You can change this setting later to include more repositories for scanning.
- Specify the Prisma Cloud API URL, Prisma Cloud access key ID, and corresponding secret key to use for the integration. The Prisma Cloud API URL you specify depends on the region and cluster of your Prisma Cloud tenant. For example, if your Prisma Cloud admin console URL is https://app.prismacloud.io, then your Prisma Cloud API URL is https://api.prismacloud.io. See the Prisma Cloud REST API Reference for a list of Prisma Cloud API URLs. See Create and Manage Access Keys for details about Prisma Cloud access keys. Once you've entered your settings, select Validate. If the settings are valid, a Save button appears, which enables you to save your settings.
- To add other repositories or to modify the configuration, select Settings > Integrations & services > Prisma Cloud > Configure to configure the app. Whenever you use this option to add repositories, the addition will result in an IaC scan of the repository if all the configuration files for the Prisma Cloud app are set up.