Use the Prisma Cloud Extension for Azure DevOps

Use the Prisma Cloud extension to scan IaC templates, container images, and serverless functions in the build or release phase of the Azure DevOps pipeline. After you install this extension from the Azure Visual Studio Marketplace, you can set up the service connections for Prisma Cloud IaC Scan and Prisma Cloud Compute Scan, and then use custom tasks in the build or release pipeline to scan IaC templates, that is, AWS CloudFormation templates, Terraform templates (version 0.11 and 0.12), and Kubernetes app deployment YAML files; container images; or serverless zip files. When you create a custom task, you can specify the build or pipeline failure criteria based on the severity of the security issues that the extension identifies.
When you set up the Prisma Cloud extension to scan, you can specify tags at different stages. Prisma Cloud tags enable visibility on the Prisma Cloud administrator console, and are different from Azure DevOps tags or cloud tags that you may have included within your IaC templates. You can include these tags as key:value pairs in a comma-separated list when you set up the service connection, within the .prismaCloud/config.yml at the repository level, or where you define the failure criteria for a Prisma Cloud IaC scan at the task level, and use them as a filter on Prisma Cloud (coming soon).

Install and Configure the Prisma Cloud Extensions

You need to add the prisma-cloud-config.yml to the root directory of your repository branch, get the Prisma Cloud extension from the Visual Studio Marketplace, and set up service connections to authenticate with Prisma Cloud before you can start scanning IaC templates, container images, and serverless functions.
  1. Set up your Azure DevOps organization and pipeline.
    If you are just getting started with Azure Pipeline, refer to the Azure documentation.
    1. Create a project.
    2. Create a new pipeline.
    3. Select your code repository, configure, and save the pipeline.
  2. Create the .prismaCloud/config.yml and add it to the root directory of your repository branch. The file is required, and it must include the template type, version, and the template-specific parameters and tags you use in your environment.
  3. Install the extension.
    1. Search for Prisma Cloud in the Visual Studio Marketplace.
    2. Install the extension in your Azure DevOps organization.
      Select Organization settings > Extensions to verify that the extension displays in the list of Installed extensions.
  4. Add service connections to authenticate to Prisma Cloud.
    You must create a new service connection for each type of scan: one for IaC scanning and one for scanning container images or serverless functions.
    1. Select Project Settings > Service Connections > New Service Connection > Prisma Cloud IaC Console.
    2. Enter the following information for Prisma Cloud IaC scanning and save your changes.
      • Enter the Prisma Cloud API URL as Server URL.
        The URL for Prisma Cloud varies depending on the region and cluster on which your tenant is deployed. The tenant provisioned for you is, for example, https://app2.prismacloud.io or https://app.eu.prismacloud.io. Replace app in the URL with api and enter it here. Refer to the Prisma Cloud REST API Reference for more details.
      • Enter your Prisma Cloud Access Key.
        The access key enables programmatic access. If you do not have a key, you must Create and Manage Access Keys.
      • Enter your Prisma Cloud Secret Key.
        You should have saved this key when you generated it. You cannot view it on the Prisma Cloud web interface.
      • Enter an Asset Name to identify the repository you want to scan.
      • Enter the Tags to organize the templates that are scanned with this service connection, for visibility on Prisma Cloud.
      • Provide a Service connection name.
      • Verify that Grant access permission to all pipelines is selected and Save your changes.
    3. Continue to the next step if you want to set up another service connection for container image scanning. If not, go to Set up a Custom Task for IaC Scanning.
    4. Select Project Settings > Service Connections > New Service Connection > Prisma Cloud Compute Console.
    5. Enter the following information for Prisma Cloud Compute Console and save your changes.
      • Server URL.
        Copy the server URL from the Prisma Cloud interface: Compute > Manage > System > Downloads > Path to Console. For Prisma Cloud Compute Edition, get the URL from Manage > System > Downloads > Path to Console.
      • Username and password.
        These credentials are required for the service connection to authenticate with Prisma Cloud. If you are using Prisma Cloud Compute Edition (self-hosted), create a role and enter your username and password.
        If you are using Prisma Cloud Compute, you must first Create Prisma Cloud Roles with the Build and Deploy Security permission group and assign this role to the administrative user so that they can create an access key. The access key is the username and the secret key is your password.
        If your password has special characters, make sure to escape them when you enter your password.
      • Optional: CA certificate, if you are using certificate-based authentication.
      • Add a Name for the service connection.
      • Verify that Grant access permission to all pipelines is selected.

Set up a Custom Task for IaC Scanning

Use the following instructions to add a custom task for IaC scanning and container image and serverless functions scanning in your azure-pipelines.yml. In each task, you can define the pipeline failure criteria based on the severity of the issues that are detected during the scan.
  1. Under Pipelines, select your pipeline and Edit to add a custom task.
  2. Add a custom task for IaC scanning.
    1. Under Task, search for the Prisma Cloud IaC Scan you created earlier.
    2. Enter the path for the directory you want to scan.
      If you want to scan the entire repository, use . or $(System.DefaultWorkingDirectory).
    3. Select the Service Endpoint, which is the service connection you created in the previous task.
    4. Enter the Tags you want to apply to the templates that are being scanned.
      The tag format is name:value, and you can add multiple tags separated by commas.
    5. Select the Failure Criteria for the scan.
      You can set the count for High, Medium, and Low severity issues and decide whether you want to use the AND or OR operator to specify your criteria. For example, if you have a very strict threshold and set the failure criteria to 0,0,0 with the OR operator, your build will fail if the policy checks detect any issues.
    6. Add to the yml file, and Save the task.
    7. Enable system diagnostics and Run.
  3. Run the task.
    1. In Azure DevOps, click Queue to execute your task on the next available build agent.
      If your task configuration is incomplete, a red status message displays Some settings need attention just below Run your build.
    2. Check the results.
      • If the IaC Scan finds no issues, the pipeline task result is successful.
      • If the IaC Scan finds issues but the failure criteria threshold you defined is not met, the job is successful but it displays the list of issues that were detected.
        If the failure criteria you defined is more stringent than the default scan threshold, the job will fail and you can review the results in the log file.
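As an added example (not the extension's own code), the following Python models the Failure Criteria from step 2.5: the findings are counted per severity and compared against the High, Medium and Low thresholds with the AND or OR operator. It assumes a threshold is the highest count the build tolerates, so 0,0,0 with OR fails on any finding, as described above; the findings are constructed.

```python
# Model of the IaC scan failure criteria above (added example, not Prisma
# Cloud's own code). Assumption: each threshold is the highest count of that
# severity the build tolerates, so a count above it trips that severity;
# OR fails the build when any severity trips, AND only when all three do.
from collections import Counter

SEVERITIES = ("high", "medium", "low")

# Constructed sample of policy-check findings as a scan might report them.
SAMPLE_FINDINGS = [
    {"rule": "S3 bucket is publicly accessible", "severity": "high"},
    {"rule": "Security group allows 0.0.0.0/0 on port 22", "severity": "high"},
    {"rule": "CloudTrail logging not enabled", "severity": "medium"},
    {"rule": "Resource is missing required tags", "severity": "low"},
]


def count_by_severity(findings):
    """Return {"high": n, "medium": n, "low": n} for a list of findings."""
    counts = Counter(f["severity"].lower() for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def build_fails(counts, high, medium, low, operator):
    """Apply the task's High/Medium/Low/Operator inputs to severity counts."""
    thresholds = {"high": high, "medium": medium, "low": low}
    tripped = [counts[sev] > thresholds[sev] for sev in SEVERITIES]
    op = operator.lower()
    if op == "or":
        return any(tripped)
    if op == "and":
        return all(tripped)
    raise ValueError(f"unknown operator {operator!r}; use 'and' or 'or'")


def evaluate(findings, high, medium, low, operator):
    """Count the findings and decide the build outcome in one call."""
    counts = count_by_severity(findings)
    return counts, build_fails(counts, high, medium, low, operator)


if __name__ == "__main__":
    for criteria in ((0, 0, 0, "or"), (2, 5, 10, "or"), (1, 0, 0, "and")):
        counts, failed = evaluate(SAMPLE_FINDINGS, *criteria)
        print(criteria, counts, "FAILED" if failed else "passed")
```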

Set Up Container Image Scanning

On Windows and Linux OS, you can scan container images and serverless functions when you enable twistcli, add a vulnerability scan rule where you define the criteria to fail the build, and set up a task to scan the image or function in the pipeline.
  1. Add a vulnerability scan rule on the Prisma Cloud Compute Console.
    1. Select Compute > Defender > Vulnerabilities > Images > CI.
    2. Add Rule and enter a Rule name.
    3. Specify the Alert and Failure thresholds.
      You can set the vulnerability scan to fail on critical, high, medium, or low severity. The failure threshold must be equal to or greater than the alert threshold.
    4. (Optional) Specify the Images to scan.
      The image or function zip file name is required later when you add the scan task to the pipeline in Step 3.
    5. (Optional) Select Apply rule when vendor fixes are available, if you want to scan only for vulnerabilities that have fixes available.
    6. Specify the Grace period.
      The grace period is the number of days for which you want to ignore a vulnerability. The time frame is measured in days starting from the date of the first vendor publish. For more details on the advanced settings, see the Prisma Cloud Compute guide.
  2. Add a pipeline task to scan container images using twistcli.
    1. Select Pipelines, and Edit your pipeline to add a custom task.
    2. Search for Prisma in the task list and select Prisma Cloud Compute twistcli scan.
    3. Select the Scan type: Images or Serverless.
    4. Select the Prisma Cloud Compute Console service connection name that you created earlier from the drop-down.
    5. Specify the Image name or serverless Function zip file name.
      The image name you enter here must match the name of the image you are building in the pipeline; if it doesn't, the scan will fail.
  3. View the results of the scan.
    See the results in Azure DevOps.
    To see results on Prisma Cloud, select Compute > Monitor > Vulnerabilities > Twistcli Scans.
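As an added example, not Prisma Cloud's own logic, the following Python models how the rule settings from step 1 interact for one scanned image: the alert and failure thresholds on a severity scale, the grace period counted from the vendor publish date, and the "vendor fixes are available" filter. The severity ordering, the comparison semantics and the sample vulnerabilities are assumptions.

```python
# Model of how the CI vulnerability rule's settings combine (added example, not
# Prisma Cloud's own logic). Assumed semantics: a threshold of "high" matches
# severity high or above; the grace period ignores a vulnerability for that many
# days after its vendor publish date; only_fixed drops vulnerabilities with no fix.
from dataclasses import dataclass
from datetime import date, timedelta

RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Vuln:
    cve: str          # constructed placeholder, not a real CVE id
    severity: str
    published: date   # first vendor publish date
    fix_available: bool

@dataclass
class CiRule:
    alert_threshold: str
    failure_threshold: str
    grace_days: int = 0
    only_fixed: bool = False

    def __post_init__(self):
        # The console rejects a failure threshold below the alert threshold.
        if RANK[self.failure_threshold] < RANK[self.alert_threshold]:
            raise ValueError("failure threshold must be >= alert threshold")

    def applicable(self, vulns, today):
        """Vulnerabilities still counted after the fix filter and grace period."""
        return [v for v in vulns
                if (v.fix_available or not self.only_fixed)
                and today - v.published >= timedelta(days=self.grace_days)]

    def evaluate(self, vulns, today):
        """Return "fail", "alert" or "pass" for one scanned image."""
        worst = max((RANK[v.severity] for v in self.applicable(vulns, today)), default=0)
        if worst >= RANK[self.failure_threshold]:
            return "fail"
        if worst >= RANK[self.alert_threshold]:
            return "alert"
        return "pass"

# Constructed sample scan result for an image built in the pipeline.
TODAY = date(2020, 6, 1)
SAMPLE_VULNS = [
    Vuln("CVE-XXXX-0001", "critical", date(2020, 5, 28), fix_available=False),
    Vuln("CVE-XXXX-0002", "high", date(2020, 3, 1), fix_available=True),
    Vuln("CVE-XXXX-0003", "medium", date(2019, 11, 10), fix_available=True),
]
```

With a 7-day grace period or the fixes-only filter, the fresh unfixed critical finding drops out and the same image only alerts instead of failing.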

Set Up RASP Defender

If you are using Docker-in-Docker, where you have a Docker container that itself has Docker installed, and from within the container you use Docker to pull images, build images, and run containers, you have to set up RASP Defenders to secure containers at runtime.
  1. Update the Dockerfile and embed the RASP Defender as part of the Azure DevOps build.
    1. Select Pipelines, and Edit your pipeline to add a custom task.
    2. Search for Prisma in the task list and select Prisma Cloud Compute embed RASP.
    3. Select the Scan type: Images or Serverless.
    4. Select the Service connection you created earlier for Prisma Cloud Compute Console.
    5. Provide a unique Application ID for the RASP Defender.
      For example, <your company>-<app>
    6. Enter the Console Host, which is the DNS name or IP address of your Prisma Cloud Compute Console.
    7. Specify the Data Folder, which is the read-write directory in the container file system.
      For example, /twistlock/.
    8. Enter the Dockerfile path of the container image to which you want to add the RASP Defender.

Sample YAML File

The following is a sample azure-pipelines.yml with both the Prisma Cloud IaC scan and the Prisma Cloud Compute scan enabled. The file is autogenerated when you add the tasks in the pipeline editor and is shown here as an example.

# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml

trigger:
  branches:
    include:
      - master

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: Palo-Alto-Networks.build-release-task.custom-build-release-task.prisma-cloud-compute-scan@1
  displayName: 'Prisma Cloud Compute Scan'
  inputs:
    twistlockService: 'NewEnv Connection'
    artifact: 'nginx:latest'

- task: Prisma Cloud IaC Scan@1
  inputs:
    Path: 'repo'
    prismaCloudService: 'Prisma Cloud Scan'
    High: '0'
    Medium: '0'
    Low: '0'
    Operator: 'or'

- script: |
    echo Add other tasks to build, test, and deploy your project.
    echo See https://aka.ms/yaml
  displayName: 'Run a multi-line script'
