Secure your Azure DevOps pipelines by scanning IaC templates, container
images, and serverless functions in the pipeline against Prisma Cloud's
set of policies.
Use the Prisma Cloud extension to scan IaC templates, container images,
and serverless functions in the build or release phase of the Azure DevOps
pipeline. After you install this extension from the Azure Visual Studio
Marketplace, set up the service connections for the Prisma Cloud IaC Scan
and the Prisma Cloud Compute Scan, and then use custom tasks in the build
or release pipeline to scan IaC templates (AWS CloudFormation templates,
supported versions of Terraform templates, Kubernetes manifests or app
deployment YAML files), container images, or serverless zip files. When
you create a custom task, you specify the build or pipeline failure
criteria based on the severity of the security issues that the extension
identifies.
When you set up the Prisma Cloud extension to scan, you can specify tags
at different stages. Prisma Cloud tags provide visibility on the Prisma
Cloud administrator console and are different from Azure DevOps tags or
the cloud tags you may have included within your IaC templates. You can
include these tags as key:value pairs in a comma-separated list when you
set up the service connection, within the .prismaCloud/config.yml at the
repository level, or at the task level where you define the failure
criteria for a Prisma Cloud IaC scan, and then use them as a filter on
Prisma Cloud.
You need to add the .prismaCloud/config.yml to the root directory of your
repository branch, get the Prisma Cloud extension from the Visual Studio
Marketplace, set up service connections to authenticate with Prisma
Cloud, and then start scanning IaC templates, container images, and
serverless functions.
Set up your Azure DevOps organization and pipeline.
If you are just getting started with Azure Pipeline, refer
to the Azure documentation.
Create a project.
Create a new pipeline.
Select your code repository, configure, and save the
pipeline.
Create the .prismaCloud/config.yml file and add it to the root directory
of your repository branch. The file is required, and it must include the
template type, version, and the template-specific parameters and tags you
use in your environment.
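An example of the repository-level .prismaCloud/config.yml for a Terraform 0.13 repository, added here for illustration; it is not taken from this page. The key names (template_type, terraform_version, terraform_013_parameters, root_module, variable_files, variables, tags) are as I understand the Prisma Cloud configuration file format and should be confirmed against the Prisma Cloud documentation for your tenant; the module path, variable file, variable value and tags are made-up placeholders.

```yaml
# .prismaCloud/config.yml (added example, not from the page; key names assumed)
# Must sit at the root of the repository branch that the pipeline scans.
template_type: TF              # TF (Terraform), CFT (CloudFormation) or K8S (Kubernetes)
terraform_version: 0.13        # must be a Terraform version the IaC scan supports

# Terraform 0.13 specific parameters: one entry per root module to evaluate.
terraform_013_parameters:
  - root_module: "scan/for-expressions"    # assumed path within the repository
    variable_files:
      - "scan/for-expressions/prod.tfvars" # assumed
    variables:
      region: "us-east-1"                  # assumed value

# Prisma Cloud tags (key:value) used as filters on the Prisma Cloud console.
# These are distinct from Azure DevOps tags and from cloud resource tags.
tags:
  - "team:platform"
  - "env:prod"
```

Tags set here apply to every scan of this repository; tags set on the service connection or on the scan task are additional, so keep the repository-level ones to attributes that do not change between pipelines.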
Install the Prisma Cloud extension from the Visual Studio Marketplace and
verify that it displays in the list of Installed extensions.
Updating the extension: Azure DevOps is expected to auto-update the
extension version. However, the tasks are not always updated properly,
especially in major releases, which can break the pipeline. To avoid such
scenarios, uninstall and reinstall the extension rather than relying on
the auto-update.
Add service connections to authenticate to Prisma Cloud.
You must create a separate service connection for each type of scan: one
for IaC scanning and one for scanning container images or serverless
functions.
Select Project Settings > Service Connections > New Service Connection >
Prisma Cloud IaC Console.
Enter the following information for the Prisma Cloud IaC scanning
connection and save your changes.
Enter the Prisma Cloud API URL as the Server URL. The URL for Prisma
Cloud varies depending on the region and cluster on which your tenant is
deployed; the tenant provisioned for you is, for example,
https://app2.prismacloud.io or https://app.eu.prismacloud.io. Replace app
in the URL with api (for example, https://api2.prismacloud.io) and enter
it here. Refer to the Prisma Cloud REST API Reference for more details.
Enter the Prisma Cloud access key and secret key. You should have saved
the secret key when you generated it; you cannot view it again on the
Prisma Cloud web interface.
Enter an Asset Name to identify the repository you want to scan.
Enter the Tags to organize the templates that are scanned with this
service connection, for visibility on Prisma Cloud.
Provide a Service connection name.
Verify that Grant access permission to all pipelines is selected and Save
your changes. (If you want to limit which pipelines can use these Prisma
Cloud credentials, leave this unselected and authorize the individual
pipelines instead.)
Continue to the next step if you want to set up another service
connection for container image scanning. Otherwise, go to Set up a Custom
Task for IaC Scanning.
Select Project Settings > Service Connections > New Service Connection >
Prisma Cloud Compute Console.
Enter the following information for the Prisma Cloud Compute Console and
save your changes.
Server URL. Copy the server URL from the Prisma Cloud interface under
Compute > Manage > System > Downloads > Path to Console. For Prisma Cloud
Compute Edition, get the URL from Manage > System > Downloads > Path to
Console.
Username and password. These credentials are required for the service
connection to authenticate with Prisma Cloud. If you are using Prisma
Cloud Compute Edition (self-hosted), create a role and enter your username
and password. If you are using Prisma Cloud Compute, you must first create
a Prisma Cloud role with the Build and Deploy Security permission group
and assign this role to the administrative user so that they can create
an access key. The access key is the username and the secret key is the
password. If your secret key contains special characters, make sure to
escape them when you enter it as the password.
Use the following instructions to add custom tasks for IaC scanning and
for container image and serverless function scanning in your
azure-pipelines.yml. In each task, you define the pipeline failure
criteria based on the severity of the issues detected during the scan.
Under Pipelines, select your pipeline and Edit to add a custom task.
Add a custom task for IaC scanning.
Under Task, search for the Prisma Cloud IaC Scan task.
Enter the path of the directory you want to scan. To scan the entire
repository, use a dot (.) or $(System.DefaultWorkingDirectory).
Select the Service Endpoint, which is the service connection you created
in the previous task.
Enter the Tags you want to apply to the templates being scanned. The tag
format is key:value, and you can add multiple tags separated by commas.
Select the Failure Criteria for the scan. You can set the count for High,
Medium, and Low severity issues and choose the AND or OR operator to
combine them: with OR the build fails when any one of the counts is
exceeded, with AND only when all of them are. For example, with a strict
threshold of 0,0,0 and the OR operator, the build fails if the policy
checks detect any issue at all.
Add the task to the YAML file and Save it.
Enable system diagnostics and Run.
Run the task. In Azure DevOps, click Queue to execute your task on the
next available build agent. If your task configuration is incomplete, a
red status message, Some settings need attention, displays just below Run
your build.
Check the results.
If the IaC scan finds no issues, the pipeline task result is successful.
If the IaC scan finds issues but the failure criteria threshold you
defined is not met, the job is successful but it displays the list of
issues that were detected. For each policy that was violated, click the
Policy URL link to review the policy details.
If the detected issues meet the failure criteria you defined, the job
fails and you can review the results in the log file.
Set Up Container Image Scanning
On Windows and Linux agents, you can scan container images and serverless
functions when you enable twistcli, add a vulnerability scan rule that
defines the criteria for failing the build, and set up a pipeline task to
scan the image or function.
Add a vulnerability scan rule on the Prisma Cloud Compute Console.
Select Compute > Defend > Vulnerabilities > Images > CI.
Click Add Rule and enter a Rule name.
Specify the Alert and Failure thresholds. You can set the vulnerability
scan to alert or fail on critical, high, medium, or low severity. The
failure threshold must be equal to or greater than the alert threshold.
(Optional) Specify the Images to scan. The image or function zip file
name is required later, when you add the scan task to the pipeline.
(Optional) Select Apply rule when vendor fixes are available if you want
to scan only for vulnerabilities that have fixes available.
Specify the Grace period. The grace period is the number of days for
which you want to ignore a vulnerability, measured from the date the
vendor first published it. For more details on the advanced settings, see
the Prisma Cloud Compute guide.
Add a pipeline task to scan container images using twistcli.
Select Pipelines, then Edit your pipeline to add a custom task.
Search for Prisma in the task list and select Prisma Cloud Compute
twistcli scan.
Select the Scan type: Images or Serverless.
Select the Prisma Cloud Compute Console service connection name that you
created earlier from the drop-down.
Specify the Image name or the serverless Function zip file name. The
image name you enter here must match the name of the image you build in
the pipeline; if it doesn't, the scan fails. Build the image in an earlier
step of the same job so that it exists on the agent when the scan runs.
Specify the Project name if applicable.
View the results of the scan. Click the job, and then select the
prismacloudcomputescan task to view the CLI output. To see the results on
Prisma Cloud, select Compute > Monitor > Vulnerabilities > Twistcli Scans.
Set Up RASP Defender
If you are using Docker-in-Docker, where you have a Docker container that
itself has Docker installed and from within that container you use Docker
to pull images, build images, and run containers, you have to set up RASP
Defenders to secure the containers at runtime.
Update the Dockerfile and embed the RASP Defender as part of the Azure
DevOps build.
Select Pipelines, then Edit your pipeline to add a custom task.
Search for Prisma in the task list and select Prisma Cloud Compute embed
RASP.
Select the Scan type: Images or Serverless.
Select the Service connection you created earlier for the Prisma Cloud
Compute Console.
Provide a unique Application ID for the RASP Defender, for example
<your company>-<app>.
Enter the Console Host, which is the DNS name or IP address of your
Prisma Cloud Compute Console.
Specify the Data Folder, which is the read-write directory in the
container file system, for example /twistlock/.
Enter the Dockerfile path of the container image to which you want to add
the RASP Defender.
Sample YAML File
The following is a sample azure-pipelines.yml that enables both the Prisma
Cloud IaC scan and the Prisma Cloud Compute scan. Azure DevOps generates
the starter pipeline; the two Prisma Cloud tasks are added to it.
# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml

trigger:
  branches:
    include:
      - master

pool:
  vmImage: 'ubuntu-latest'

steps:
  # Container image scan. twistlockService is the Prisma Cloud Compute Console
  # service connection name; artifact is the image name, which must match the
  # image built in the pipeline.
  - task: Palo-Alto-Networks.build-release-task.custom-build-release-task.prisma-cloud-compute-scan@1
    displayName: 'Prisma Cloud Compute Scan'
    inputs:
      twistlockService: 'NewEnv Connection'
      artifact: 'nginx:latest'

  # IaC scan. prismaCloudService is the Prisma Cloud IaC Console service
  # connection name; Path is the directory to scan; High/Medium/Low and
  # Operator are the failure criteria (0,0,0 with 'or' fails on any issue).
  - task: Prisma Cloud IaC Scan@1
    inputs:
      Path: 'repo'
      prismaCloudService: 'Prisma Cloud Scan'
      High: '0'
      Medium: '0'
      Low: '0'
      Operator: 'or'

  - script: |
      echo Add other tasks to build, test, and deploy your project.
      echo See https://aka.ms/yaml
    displayName: 'Run a multi-line script'
Add Caches for Prisma Cloud Compute Scan
If no Cache task is added before the Prisma Cloud Compute Scan task, the
scan task downloads the twistcli binary on every run. This is time
consuming when the same pipeline is executed repeatedly. Add a Cache task
so that the twistcli binary is downloaded only when either of these is
true:
The binary is not already present in the cache.
A different version of the binary is required.
Note: Caches are only available for YAML pipelines and not for classic
pipelines.
Add a Cache task to your Prisma Cloud Compute Scan pipeline.
In your pipeline, search for the Cache task.
Enter the details for your cache:
Key: a unique value used to identify and retrieve the cache later.
Path: enter twistcli-scan.
Cache hit variable: enter TWISTCLI_RETRIEVED.
Click Add to add this task to your pipeline.
Add your task for Prisma Cloud Compute Scan after the Cache task.
The first time the pipeline runs, it downloads the twistcli binary;
afterwards, it first looks in the cache and only downloads the binary if
required.
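The cache step described above, written out as an added pipeline fragment (my example, not the page's own sample). It uses the Azure DevOps Cache@2 task; the path twistcli-scan and the cache-hit variable TWISTCLI_RETRIEVED come from the steps above, while the twistcliVersion variable, the service connection name and the image name are assumed placeholders. Putting the version into the cache key is my choice: Cache@2 restores whatever was stored under a matching key, so without a version segment an upgraded Console would keep getting the old binary from the cache.

```yaml
# azure-pipelines.yml fragment (added example; values marked assumed are placeholders)
variables:
  twistcliVersion: '22.06.197'   # assumed: bump when your Console/twistcli version changes

steps:
  # Restore a previously cached twistcli binary. On a cache hit the task sets
  # TWISTCLI_RETRIEVED=true. The key changes with the agent OS or the version
  # variable, so an upgrade is never served from a stale cache entry.
  - task: Cache@2
    displayName: 'Cache twistcli binary'
    inputs:
      key: '"twistcli" | "$(Agent.OS)" | "$(twistcliVersion)"'
      path: 'twistcli-scan'
      cacheHitVar: 'TWISTCLI_RETRIEVED'

  # Build the image first: the scan task looks for an image with exactly this
  # name on the agent and fails if it is absent.
  - script: docker build -t myorg/myapp:$(Build.BuildId) .   # assumed image name
    displayName: 'Build image'

  # The scan task downloads twistcli into twistcli-scan only when the cache
  # did not already provide it, then scans the image against the CI
  # vulnerability rule defined on the Compute Console. Cache@2 saves the
  # folder at the end of the job for the next run.
  - task: Palo-Alto-Networks.build-release-task.custom-build-release-task.prisma-cloud-compute-scan@1
    displayName: 'Prisma Cloud Compute Scan'
    inputs:
      twistlockService: 'Prisma Cloud Compute Console'   # assumed service connection name
      artifact: 'myorg/myapp:$(Build.BuildId)'
```

Check the first two runs in the job log: the first run should report a cache miss and download twistcli, the second a cache hit with TWISTCLI_RETRIEVED set to true and no download.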
Generate and Scan the Plan File
Use a Terraform plan file to scan your repository, for example when your
current repository refers to templates in remote repositories.
Create the Azure DevOps pipeline for your repository.
Add a Bash task and choose Inline or Script, depending on your
environment.
Configure your plan file. The script should contain the commands for
downloading Terraform and generating a plan file of your repository. For
example, in the following script the plan file for the
scan/for-expressions folder is generated using Terraform 0.13. The
generated plan file is in JSON format and is placed under the plan
folder, and .prismaCloud is copied to the same folder:
Add Prisma Cloud Scan IaC task and your folder path in
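The plan-file procedure above, written out as an added azure-pipelines.yml (my example, not the page's script). It downloads a pinned Terraform 0.13 release and verifies it against HashiCorp's published SHA256SUMS before running it, generates a JSON plan for scan/for-expressions into a plan folder, copies .prismaCloud next to it, and points the Prisma Cloud IaC Scan task at that folder. The Terraform patch version 0.13.7, the service connection name and the failure thresholds are assumptions; if the module's providers need cloud credentials to plan, supply them as pipeline secrets.

```yaml
# azure-pipelines.yml (added example; values marked assumed are placeholders)
trigger:
  branches:
    include:
      - master

pool:
  vmImage: 'ubuntu-latest'

variables:
  tfVersion: '0.13.7'              # assumed: any Terraform 0.13.x release
  tfModule: 'scan/for-expressions' # folder from the page whose plan is scanned

steps:
  - task: Bash@3
    displayName: 'Download Terraform and generate JSON plan'
    inputs:
      targetType: 'inline'
      script: |
        set -euo pipefail
        base="https://releases.hashicorp.com/terraform/${TF_VERSION}"
        zip="terraform_${TF_VERSION}_linux_amd64.zip"
        tfbin="${PWD}/tfbin"

        # Pin the release and check it against HashiCorp's published checksums,
        # so a tampered download cannot run under the pipeline's identity.
        curl -fsSLO "${base}/${zip}"
        curl -fsSLO "${base}/terraform_${TF_VERSION}_SHA256SUMS"
        sha256sum --check --ignore-missing "terraform_${TF_VERSION}_SHA256SUMS"
        unzip -o -q "${zip}" -d "${tfbin}"

        # Plan the module. Remote modules are resolved here, which is why the
        # plan, rather than the raw templates, is what gets scanned.
        (cd "${TF_MODULE}" \
          && "${tfbin}/terraform" init -input=false \
          && "${tfbin}/terraform" plan -input=false -out=tfplan.binary \
          && "${tfbin}/terraform" show -json tfplan.binary > tfplan.json)

        # The IaC scan task reads the JSON plan and .prismaCloud from one folder.
        mkdir -p plan
        mv "${TF_MODULE}/tfplan.json" plan/
        cp -r .prismaCloud plan/
    env:
      TF_VERSION: $(tfVersion)
      TF_MODULE: $(tfModule)

  # Scan the generated plan instead of the source templates.
  - task: Prisma Cloud IaC Scan@1
    inputs:
      Path: 'plan'
      prismaCloudService: 'Prisma Cloud Scan'   # assumed service connection name
      High: '0'
      Medium: '0'
      Low: '0'
      Operator: 'or'
```

Keep the plan artifacts out of the repository (add plan/ and tfplan.binary to .gitignore): the binary plan can contain resolved variable values, including secrets passed to the module.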