Use the Prisma Cloud App for GitHub

This Prisma Cloud app for GitHub enables you to scan IaC templates to check them against security policies when you open a pull request. For each pull request, you can define the pass criteria and view the scan results directly on GitHub. When the defined criteria are not met, the pull request fails and you can view all the checks that failed. In addition, the Prisma Cloud app creates an issue and adds the scan results as comments, so that you can fix all the issues reported before the changes are merged to the repository.
Use this app for scanning files in a private GitHub repository that has enabled restricted access. Be sure to create a read-only role on Prisma Cloud and to generate a secret key and access key for a user. You will need to provide these credentials to authenticate to Prisma Cloud for API access for the scanning capabilities.
Recent versions of the app capture the Prisma Cloud credentials as part of the installation process and no longer require the credentials to be hard-coded in configuration file .github/prisma-cloud-config.yml. Existing customers should remove the credentials from this file after the app upgrade.

Set up the Prisma Cloud App Files for GitHub

To set up IaC scans for a repository, you need to create IaC scan configuration files. These files enable you to control the behavior of your scans to meet your needs for that repository. For example, depending on the thresholds you define in these files, the Prisma Cloud app will perform checks that allow or fail requests to merge or commit changes.
Creating these files before you install the Prisma Cloud app for GitHub enables the app installation itself to run a full IaC scan of selected repositories as part of the installation.
The three new files are:
  • The Prisma Cloud configuration file .prismaCloud/config.yml
    This file identifies the template types you wish to scan.
  • .github/prisma-cloud-config.yml
    This file includes the criteria that define whether or not you allow the commit for the pull request.
  • .github/prisma-template-for-scan-results.yml
    This file specifies how the scan results are made available to the person who created the pull request.
  1. Create the .prismaCloud/config.yml in the root directory of your repository branch. This file is required, and it must include the template type, version, and the template specific parameters and tags you use in your environment.
  2. Create the prisma-cloud-config.yml file to support the ability to scan IaC templates.
    1. Select Create new file. Add a new folder called .github, and name the file prisma-cloud-config.yml. The path should be <your repository name>/.github/prisma-cloud-config.yml.
    2. Copy the template for this new file.
      Copy and paste the following contents into .github/prisma-cloud-config.yml.
      # Please update with the respective environment values and commit
      # to master branch under the .github folder before performing scans

      # Define the failure criteria for creating checks. If the criteria
      # matches a check will be created. The template for the checks can
      # be customized in the "/.github/prisma-template-for-scan-results"
      # file.
      failure_criteria_for_creating_checks:
        high: 1
        medium: 1
        low: 1
        operator: or

      # Define the failure criteria for creating issues. If the criteria
      # matches an issue will be created. The template for issues can be
      # customized in the "/.github/prisma-template-for-scan-results"
      # file.
      failure_criteria_for_creating_issues:
        high: 1
        medium: 1
        low: 1
        operator: or

      # Define github asset name
      github_asset_name: "Github Asset Dev"

      # Define tags
      tags:
        - phase:testing
        - env:QA
    3. Define the parameter values in prisma-cloud-config.yml.
      The parameters in prisma-cloud-config.yml define the failure criteria for pull requests. You can set failure_criteria_for_creating_checks to define the number and severity of security policy check failures that need to occur to trigger a merge request failure. The syntax for the failure_criteria_for_creating_checks value is as follows.
        high: x
        medium: y
        low: z
        operator: op
      In the syntax above, x is a count of high-severity policy check failures, y is a count of medium-severity policy check failures, and z is a count of low-severity policy check failures. The operator value determines what combination of High/Medium/Low counts should result in a merge request failure. The default for each count is 0. The value for operator, op, can be either OR or AND. The default is OR. Some examples of settings for failure_criteria_for_creating_checks are as follows.
      • The setting below would result in a failed merge request security check for any detected policy check failure.
          high: 0
          medium: 0
          low: 0
          operator: OR
      • The setting below would result in merge requests never failing a security check.
          high: 1000
          medium: 1000
          low: 1000
          operator: AND
      You can also use failure_criteria_for_creating_issues to define the number and severity of security policy check failures that need to occur to trigger creation of a GitHub issue during a pull request. The syntax of the variable value is the same as that for failure_criteria_for_creating_checks. The value includes high, medium, and low counts and includes an operator whose possible values are AND and OR.
      Prisma Cloud uses the asset name to track results. Some example names are creditapp_server and ConsumerBU_server.
      Prisma Cloud tags enable visibility on the Prisma Cloud administrator console.
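The following is an added worked example, not code from the Prisma Cloud app, showing how the failure_criteria_for_creating_checks and failure_criteria_for_creating_issues settings above can be evaluated against a set of scan findings. The page does not state the exact comparison the app uses, so this example assumes that criteria are only evaluated when the scan reports at least one finding and that a severity threshold matches when the observed count is greater than or equal to the configured count; under that assumption the two settings shown above behave as the text describes (0/0/0 with OR fails on any finding, 1000/1000/1000 with AND never fails). The config dictionary and the findings are constructed for the example and mirror the shape a YAML loader would return for the template file.

```python
# Added example: evaluate prisma-cloud-config.yml failure criteria against scan findings.
# Not Prisma Cloud's own implementation; the comparison rule is an assumption (see lead-in).
from collections import Counter

SEVERITIES = ("high", "medium", "low")


def parse_criteria(block):
    """Normalise one criteria mapping (checks or issues).

    Missing counts default to 0 and the operator defaults to OR, as the
    documentation states. The operator is accepted case-insensitively because
    the template writes 'or' while the prose writes 'OR'.
    """
    counts = {sev: int(block.get(sev, 0)) for sev in SEVERITIES}
    operator = str(block.get("operator", "OR")).upper()
    if operator not in ("AND", "OR"):
        raise ValueError(f"operator must be AND or OR, got {operator!r}")
    if any(c < 0 for c in counts.values()):
        raise ValueError("severity counts must not be negative")
    return counts, operator


def count_by_severity(findings):
    """Tally findings by their 'Severity' value (High/Medium/Low, any case)."""
    tally = Counter(str(f["Severity"]).lower() for f in findings)
    return {sev: tally.get(sev, 0) for sev in SEVERITIES}


def criteria_met(block, findings):
    """Return True when the findings satisfy the block's threshold rule.

    Assumption: no findings means nothing to report, so the criteria are not
    evaluated; otherwise each severity matches when observed >= threshold and
    the operator combines the three matches.
    """
    if not findings:
        return False
    counts, operator = parse_criteria(block)
    observed = count_by_severity(findings)
    matches = [observed[sev] >= counts[sev] for sev in SEVERITIES]
    return all(matches) if operator == "AND" else any(matches)


def evaluate_config(config, findings):
    """Decide, for one pull request scan, whether a check and/or an issue is created."""
    return {
        "create_check": criteria_met(config["failure_criteria_for_creating_checks"], findings),
        "create_issue": criteria_met(config["failure_criteria_for_creating_issues"], findings),
    }


# Constructed sample config: the template's defaults for checks and a stricter
# AND rule for issues (high threshold 1, medium threshold 3, low defaults to 0).
SAMPLE_CONFIG = {
    "failure_criteria_for_creating_checks": {"high": 1, "medium": 1, "low": 1, "operator": "or"},
    "failure_criteria_for_creating_issues": {"high": 1, "medium": 3, "operator": "AND"},
    "github_asset_name": "Github Asset Dev",
    "tags": ["phase:testing", "env:QA"],
}

# Constructed sample findings, shaped like rows of the scan-results table.
SAMPLE_FINDINGS = [
    {"RuleName": "S3 bucket grants public read", "Severity": "High", "Files": "s3.tf"},
    {"RuleName": "Security group open on port 22", "Severity": "Medium", "Files": "sg.tf"},
    {"RuleName": "CloudTrail log validation disabled", "Severity": "Low", "Files": "trail.tf"},
]

if __name__ == "__main__":
    print(evaluate_config(SAMPLE_CONFIG, SAMPLE_FINDINGS))
```

Running the block prints the decision for the sample pull request: the checks rule fires because one High finding reaches the threshold of 1 under OR, while the issues rule does not, because the AND operator also requires three Medium findings. Validating the operator and rejecting negative counts up front is worth keeping in any real loader: a misspelled operator that silently falls back to OR or AND changes whether merges are blocked.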
  3. Create the .github/prisma-template-for-scan-results.yml file to support how the scan results are displayed.
    Create the file .github/prisma-template-for-scan-results.yml with the same steps you used to create .github/prisma-cloud-config.yml.
    1. Select Create new file and add the file .github/prisma-template-for-scan-results.yml just as you created .github/prisma-cloud-config.yml earlier.
    2. Copy the template for the newly created prisma-template-for-scan-results.yml file.
      Copy and paste the following contents into .github/prisma-template-for-scan-results.yml.
      # Prisma custom template for scan results
      # Please update with the template and commit to master branch
      # under the .github folder before performing scans
      table_header_template : "Rule Name | Severity | Files | Description\n------------ | ------------- | ------------ | -------------\n"
      table_content_template : "{RuleName}|{Severity}|{Files}|{Description}\n"

      #Template for defining title of issues created.
      issues_title_template : "Vulnerabilities Found : {NumberOfVulnerability}"
      issues_title_template_full_repo_scan : "Issues found during full repo scan"

      #Template for defining title of checks created
      checks_title_template : "Vulnerabilities Found : {NumberOfVulnerability}"
      Update this file further only if you want to customize the text in GitHub issues that the Prisma Cloud app creates.
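The following added example, which is not code from the Prisma Cloud app, shows how the placeholders in prisma-template-for-scan-results.yml are filled to produce the Markdown table and titles that end up in a GitHub issue or check. It assumes placeholders are resolved by simple {Name} substitution with the field names the template above uses (RuleName, Severity, Files, Description, NumberOfVulnerability), and it adds two things a customized template benefits from: a validator that rejects placeholders the app cannot fill, and escaping of pipe characters and newlines in finding text so a rule description cannot break the table layout. The template values and findings are constructed for the example.

```python
# Added example: render scan results through the templates in
# .github/prisma-template-for-scan-results.yml. Not the app's own code;
# substitution semantics and the supported placeholder names are assumptions.
from string import Formatter

# Constructed: the template file's values as a YAML loader would return them.
TEMPLATES = {
    "table_header_template": (
        "Rule Name | Severity | Files | Description\n"
        "------------ | ------------- | ------------ | -------------\n"
    ),
    "table_content_template": "{RuleName}|{Severity}|{Files}|{Description}\n",
    "issues_title_template": "Vulnerabilities Found : {NumberOfVulnerability}",
    "issues_title_template_full_repo_scan": "Issues found during full repo scan",
    "checks_title_template": "Vulnerabilities Found : {NumberOfVulnerability}",
}

# Placeholder names the example can fill (assumed from the template above).
ROW_FIELDS = {"RuleName", "Severity", "Files", "Description"}
TITLE_FIELDS = {"NumberOfVulnerability"}


def placeholders(template):
    """Return the set of {Name} placeholders used in a template string."""
    return {name for _, name, _, _ in Formatter().parse(template) if name}


def validate_templates(templates):
    """List placeholders that reference fields no renderer can supply."""
    problems = []
    unknown = placeholders(templates["table_content_template"]) - ROW_FIELDS
    if unknown:
        problems.append(f"table_content_template: unknown {sorted(unknown)}")
    for key in ("issues_title_template", "checks_title_template"):
        unknown = placeholders(templates[key]) - TITLE_FIELDS
        if unknown:
            problems.append(f"{key}: unknown {sorted(unknown)}")
    return problems


def escape_cell(value):
    """Keep a finding's text inside one Markdown table cell."""
    return str(value).replace("|", "\\|").replace("\r", " ").replace("\n", " ")


def render_table(templates, findings):
    """Header template followed by one content-template row per finding."""
    rows = [
        templates["table_content_template"].format(
            **{field: escape_cell(finding.get(field, "")) for field in ROW_FIELDS}
        )
        for finding in findings
    ]
    return templates["table_header_template"] + "".join(rows)


def render_issue(templates, findings, full_repo_scan=False):
    """Return (title, body) for the GitHub issue the app would open."""
    if full_repo_scan:
        title = templates["issues_title_template_full_repo_scan"]
    else:
        title = templates["issues_title_template"].format(NumberOfVulnerability=len(findings))
    return title, render_table(templates, findings)


def render_check_title(templates, findings):
    return templates["checks_title_template"].format(NumberOfVulnerability=len(findings))


# Constructed findings; the second description deliberately contains a pipe.
SAMPLE_FINDINGS = [
    {"RuleName": "S3 bucket grants public read", "Severity": "High",
     "Files": "s3.tf", "Description": "Bucket ACL allows AllUsers read"},
    {"RuleName": "Security group open on port 22", "Severity": "Medium",
     "Files": "sg.tf", "Description": "Ingress 0.0.0.0/0 | port 22"},
]

if __name__ == "__main__":
    title, body = render_issue(TEMPLATES, SAMPLE_FINDINGS)
    print(title)
    print(body)
```

Running the block prints the issue title "Vulnerabilities Found : 2" followed by the Markdown table, with the pipe in the second description escaped so GitHub renders it as text rather than as an extra column. Run validate_templates on a customized file before committing it: a typo such as {RuleNme} would otherwise surface only when the first pull request scan fails to render its results.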

Install the Prisma Cloud App for GitHub

You must set up the app to authenticate to Prisma Cloud, and you can optionally customize the scan settings.
  1. Search for Prisma Cloud on the GitHub marketplace.
  2. Select Settings > Integrations & services > Add service and add Prisma Cloud.
    This app requires the following permissions:
    • Read access to code, to perform scans on template files.
    • Read/write access to check for issues and open pull requests.
    • Read access to metadata.
  3. Specify where you want to install the app.
    You can choose to install the Prisma Cloud app for GitHub on all repositories or only on selected repositories. You can change this setting later to include more repositories for scanning.
  4. Specify the Prisma Cloud API URL, Prisma Cloud access key ID, and corresponding secret key to use for the integration.
    The Prisma Cloud API URL you specify depends on the region and cluster of your Prisma Cloud tenant. For example, if your Prisma Cloud admin console URL is https://app.prismacloud.io, then your Prisma Cloud API URL is https://api.prismacloud.io. See the Prisma Cloud REST API Reference for a list of Prisma Cloud API URLs.
    See Create and Manage Access Keys for details about Prisma Cloud access keys.
    Once you’ve entered your settings, select Validate. If the settings are valid, a Save button appears, which enables you to save your settings.
  5. To add other repositories or to modify the configuration, select Settings > Integrations & services > Prisma Cloud > Configure to configure the app.
    Whenever you use this option to add repositories, the addition will result in an IaC scan of the repository if all the configuration files for the Prisma Cloud app are set up.