Use the Prisma Cloud App for GitHub

This Prisma Cloud app for GitHub enables you to scan IaC templates and container images when a pull request is opened. For each pull request, you can define the pass criteria and view the scan results directly on GitHub. When the defined criteria are not met, the pull request check fails and you can view all the checks that failed. In addition, the Prisma Cloud app creates an issue and adds the scan results as comments, so that you can fix all the reported issues before the changes are merged into the repository.
Use this app to scan files in a private GitHub repository for which you have enabled restricted access. Make sure to create a read-only role on Prisma Cloud and generate a secret key and access key for a user. You will need to provide these credentials to authenticate to Prisma Cloud for API access to the scanning capabilities.

Install the Prisma Cloud App for GitHub

You must set up the plugin to authenticate to Prisma Cloud and can optionally customize the scan settings.
  1. Search for Prisma Cloud on the GitHub marketplace.
  2. Select Settings > Integrations & services > Add service and add Prisma Cloud.
     This app requires the following permissions:
     • Read Access to code, to perform the scan on template files.
     • Read and Write Access to check for issues and open pull requests.
     • Read Access to metadata.
  3. Specify where you want to install the app.
    You can choose to install the Prisma Cloud app for GitHub on all repositories or only on selected repositories.
  4. Select Settings > Integrations & services > Prisma Cloud to Configure the app.

Set up the Prisma Cloud App for GitHub

As a repository administrator, you need to create a new folder named .github and add two files, prisma-cloud-config.yml and prisma-template-for-scan-results.yml, to the master branch of your repository.
The prisma-cloud-config.yml file includes your Prisma Cloud API URL and the credentials you need to authenticate to Prisma Cloud. In this file, you also specify the criteria that define whether the commit for the pull request is allowed. The prisma-template-for-scan-results.yml file specifies how the scan results are displayed to the person who opened the pull request.
After you create the files and save them to the master branch, the IaC and container image scan runs each time a pull request is opened. Depending on the thresholds you defined, the checks are performed to allow or fail the request to merge or commit the changes.
  1. Create the prisma-cloud-config.yml.
    1. Select Create new file.
       Add a new folder called .github and name the file prisma-cloud-config.yml. The path should be <your repository name>/.github/prisma-cloud-config.yml.
    2. Copy and paste the following contents into this new file.
      # Prisma Cloud IaC Scan Config file.
      # Please update with the respective environment values and commit to master branch under the .github folder before performing scans
      # API URL for your Prisma Cloud instance
      prisma_cloud_api_url: 'https://' # Example: 'https://api.eu.prismacloud.io' or 'https://api4.prismacloud.io'
      # --Authentication--
      # Create a new access key on the Prisma Cloud web interface (Settings > Access Keys). Copy the credentials below
      access_key: 'enter your access key'
      secret_key: 'enter your secret key'
      # Define the failure criteria for creating checks. If the criteria matches a check will be created. The template for the checks can be customized in the "/.github/prisma-template-for-scan-results" file.
      failure_criteria_for_creating_checks:
        high: 1
        medium: 1
        low: 1
        operator: or
      # Define the failure criteria for creating issues. If the criteria matches an issue will be created. The template for issues can be customized in the "/.github/prisma-template-for-scan-results" file.
      failure_criteria_for_creating_issues:
        high: 1
        medium: 1
        low: 1
        operator: and
    3. Modify the contents in the file.
      • Prisma Cloud API URL.
        The URL for Prisma Cloud varies depending on the region and cluster on which your tenant is deployed. The tenant provisioned for you is, for example, https://app2.prismacloud.io or https://app.eu.prismacloud.io. Replace app in the URL with api and enter it here. Refer to the Prisma Cloud REST API Reference, which is accessible from the Help Center within the Prisma Cloud web interface, for more details.
      • Prisma Cloud Access Key ID.
        The access key enables programmatic access. If you do not have a key, you must Create and Manage Access Keys.
      • Your Prisma Cloud Secret Key.
        You should have saved this key when you generated it. You cannot view it on the Prisma Cloud web interface.
    4. Commit your changes.
       Verify that Commit directly to the master branch is selected, and select Commit new file.
  2. Create the prisma-template-for-scan-results.yml.
    1. Select Create new file.
       Add a new folder called .github and name the file prisma-template-for-scan-results.yml.
    2. Copy and paste the following content into the file.
       You can modify the contents of this file to meet your messaging needs. You must, however, retain the variables in curly brackets, such as {Severity}, because Prisma Cloud uses these parameters when it performs the scan.
      # Prisma custom template for scan results
      # Please update with the template and commit to master branch under the .github folder before performing scans
      header_template : "############## Validation Results ################\n---------------------------------------------------\n"
      content_template : "File Name : {FileName} \n Severity : {Severity}\n Rule Name :{RuleName}\n Rule : {Rule}\n------------------------------------------------\n"
      #Template for defining title of issues created.
      issues_title_template : "Vulnerabilities Found : {NumberOfVulnerability}"
      issues_title_template_full_repo_scan : "Issues found during full repo scan"
      #Template for defining title of checks created
      checks_title_template : "Vulnerabilities Found : {NumberOfVulnerability}"
  3. Commit your changes.
     Verify that Commit directly to the master branch is selected, and select Commit new file.
  4. Verify that you can see both files in the /.github folder.
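The following added example (not Prisma Cloud's code) models how the two failure_criteria blocks in prisma-cloud-config.yml and the templates in prisma-template-for-scan-results.yml work together: with the sample values on this page, one high and one medium finding are enough to create a check (operator: or) but not an issue (operator: and). The threshold semantics (count reaches threshold, 0 means ignore) and the sample findings are assumptions.

```python
# Thresholds copied from the sample prisma-cloud-config.yml on this page.
CRITERIA_FOR_CHECKS = {"high": 1, "medium": 1, "low": 1, "operator": "or"}
CRITERIA_FOR_ISSUES = {"high": 1, "medium": 1, "low": 1, "operator": "and"}

# Templates copied from the sample prisma-template-for-scan-results.yml on this page.
HEADER_TEMPLATE = ("############## Validation Results ################\n"
                   "---------------------------------------------------\n")
CONTENT_TEMPLATE = ("File Name : {FileName} \n Severity : {Severity}\n Rule Name :{RuleName}\n"
                    " Rule : {Rule}\n------------------------------------------------\n")
ISSUES_TITLE_TEMPLATE = "Vulnerabilities Found : {NumberOfVulnerability}"

# Constructed sample findings, not real scan output: one high and one medium, no low.
SAMPLE_FINDINGS = [
    {"FileName": "main.tf", "Severity": "high", "RuleName": "S3 bucket is public",
     "Rule": "Ensure the S3 bucket is not publicly accessible"},
    {"FileName": "main.tf", "Severity": "medium", "RuleName": "Access logging disabled",
     "Rule": "Ensure access logging is enabled"},
]

def count_by_severity(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for finding in findings:
        counts[finding["Severity"].lower()] += 1
    return counts

def criteria_met(criteria, counts):
    """True when the counts satisfy a failure_criteria block (assumed semantics: a severity
    matches when its count reaches the threshold, a threshold of 0 is ignored, "or" fires on
    any match and "and" only when every configured severity matches)."""
    matches = [counts[sev] >= criteria[sev] for sev in ("high", "medium", "low")
               if criteria.get(sev, 0) > 0]
    if not matches:
        return False
    op = criteria.get("operator", "or").lower()
    if op not in ("and", "or"):
        raise ValueError(f"unsupported operator: {op!r}")
    return all(matches) if op == "and" else any(matches)

def render_results(findings):
    """Fill content_template once per finding, under header_template."""
    return HEADER_TEMPLATE + "".join(CONTENT_TEMPLATE.format(**f) for f in findings)

def issue_title(findings):
    return ISSUES_TITLE_TEMPLATE.format(NumberOfVulnerability=len(findings))
```

Lowering a threshold to 0 in one block and raising it in the other lets you, for example, fail the check on any finding while only opening an issue for high-severity ones.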

View the Scan Results

When a Compare and Pull Request is opened, the checks you defined in the prisma-cloud-config.yml are triggered.
  • View the details for a failed check.
  • View the GitHub issue, which the Prisma Cloud bot creates for a failed check.
    The format for this issue is based on the prisma-template-for-scan-results.yml.
  • Review error messages.
    This example shows an error for an unsupported file format.
    This example shows an error message for an invalid Prisma Cloud API URL.