Use the Prisma Cloud Extension for Azure DevOps
Secure your Azure DevOps pipelines by running IaC scans on templates, container images, and serverless functions against Prisma Cloud’s set of policies.
Use the Prisma Cloud extension to scan IaC templates, container images, and serverless functions in the build or release phase of the Azure DevOps pipeline. After you install this extension from the Azure Visual Studio Marketplace, you can set up the service connections for Prisma Cloud IaC Scan and Prisma Cloud Compute Scan, and then use custom tasks in the build or release pipeline for scanning IaC templates—AWS CloudFormation Templates, Terraform templates (see the supported versions of Terraform), Kubernetes manifests or app deployment YAML files—container images, or serverless zip files. When you create a custom task, you can specify the build or pipeline failure criteria based on the severity of the security issues that the extension identifies.
When you set up the Prisma Cloud extension to scan, you can specify tags at different stages. Prisma Cloud tags enable visibility on the Prisma Cloud administrator console, and are different from Azure DevOps tags or cloud tags that you may have included within your IaC templates. You can include these tags as key:value pairs in a comma-separated list when you set up the service connection, within the .prismaCloud/config.yml at the repository level, or where you define the failure criteria for a Prisma Cloud IaC scan at the task level, and then use them as a filter on Prisma Cloud.
Install and Configure the Prisma Cloud Extensions
You need to add the prisma-cloud-config.yml to the root directory of your repository branch, get the Prisma Cloud extension from the Visual Studio Marketplace, and set up service connections to authenticate with Prisma Cloud before you can start scanning IaC templates, container images, and serverless functions.
- Set up your Azure DevOps organization and pipeline.
- Create a project.
- Create a new pipeline.
- Select your code repository, configure, and save the pipeline.
- Create the .prismaCloud/config.yml and add it to the root directory of your repository branch. The file is required, and it must include the template type, version, and the template-specific parameters and tags you use in your environment.
- Install the extension.
- Search for Prisma Cloud in the Visual Studio Marketplace.
- Install the extension in your Azure DevOps organization. Select Organization settings > Extensions > Installed to verify that the extension displays in the list of installed extensions. Updating the extension—the expected behavior is that Azure DevOps auto-updates the extension version. However, the tasks are not always properly updated, especially in major releases, which can break the pipeline. To avoid such scenarios, it is recommended to uninstall and reinstall the extension.
- Add service connections to authenticate to Prisma Cloud. You must create a new service connection for each type of scan: one for IaC scanning and one for scanning container images or serverless functions.
- Select Project Settings > Service Connections > New Service Connection > Prisma Cloud IaC Console.
- Enter the following information for the Prisma Cloud for IaC scanning and save your changes.
- Enter the Prisma Cloud API URL as Server URL. The URL for Prisma Cloud varies depending on the region and cluster on which your tenant is deployed. The tenant provisioned for you is, for example, https://app2.prismacloud.io or https://app.eu.prismacloud.io. Replace app in the URL with api (https://api2.prismacloud.io for the first example) and enter it here. Refer to the Prisma Cloud REST API Reference for more details.
- Enter your Prisma Cloud Access Key. The access key enables programmatic access. If you do not have a key, you must Create and Manage Access Keys.
- Enter your Prisma Cloud Secret Key. You should have saved this key when you generated it. You cannot view it on the Prisma Cloud web interface.
- Enter an Asset Name to identify the repository you want to scan.
- Enter the Tags to organize the templates that are scanned with this service connection, for visibility on Prisma Cloud.
- Provide a Service connection name.
- Verify that Grant access permission to all pipelines is selected and Save your changes.
- Continue to the next step if you want to set up another service connection for container image scanning. If not, go to Set up a Custom Task for IaC Scanning.
- Select Project Settings > Service Connections > New Service Connection > Prisma Cloud Compute Console.
- Enter the following information for Prisma Cloud Compute Console and save your changes.
- Server URL. Copy the server URL from the Prisma Cloud interface under Compute > Manage > System > Downloads > Path to Console. For Prisma Cloud Compute Edition, get the URL from Manage > System > Downloads > Path to Console.
- Username and password. These credentials are required for the service connection to authenticate with Prisma Cloud. If you are using Prisma Cloud Compute Edition (self-hosted), create a role and enter your username and password. If you are using Prisma Cloud Compute, you must first Create Prisma Cloud Roles with the Build and Deploy Security permission group and assign this role to the administrative user so that they can create an access key. The access key is the username and the secret key is your password. If your password has special characters, make sure to escape them when you enter your password.
- (Optional) HTTP Proxy URL, if you use a firewall or a proxy to enable access to the internet.
- Add a Name for the service connection.
- Verify that Grant access permission to all pipelines is selected.
- Continue with Set up a Custom Task for IaC Scanning.
Set up a Custom Task for IaC Scanning
Use the following instructions to add custom tasks to your azure-pipelines.yml for IaC scanning and for container image and serverless function scanning. In each task, you can define the pipeline failure criteria based on the severity of the issues that are detected during the scan.
- Under Pipelines, select your pipeline and Edit to add a custom task.
- Add a custom task for IaC scanning.
- Under Task, search for Prisma Cloud IaC Scan.
- Enter the path for the directory you want to scan. If you want to scan the entire repository, use dot (.) or $(System.DefaultWorkingDirectory).
- Select the Service Endpoint, which is the service connection you created in the previous task.
- Enter the Tags you want to apply to the templates that are being scanned. The tag format is name:value, and you can add multiple tags separated by commas.
- Specify if you want to ignore API errors. By default, errors are not ignored and the pipeline fails when the scan detects API errors or vulnerabilities based on your failure criteria thresholds. Select Ignore Errors if you do not want the pipeline to fail on API errors; the pipeline will still fail when your failure criteria are met.
- Select the Failure Criteria for the scan. You can set the count for High, Medium, and Low severity issues and decide whether you want to use the AND or OR operator to combine them. For example, if you have a very strict threshold and set the failure criteria to 0,0,0 with the OR operator, your build will fail if the policy checks detect any issues. With the AND operator, the build fails only when all three criteria are met.
- Click Add to insert the task into the yml file, and Save the task.
- Enable system diagnostics and Run.
- Run the task.
- In Azure DevOps, click Queue to execute your task on the next available build agent. If your task configuration is incomplete, a red status message displays "Some settings need attention" just below Run your build.
- Check the results.
- If the IaC Scan finds no issues, the pipeline task result is successful.
- If the IaC Scan finds issues but the failure criteria threshold you defined is not met, the job is successful but it displays the list of issues that were detected. For each policy that was violated, click the Policy URL link to review policy details. If the failure criteria you defined are more stringent than the default scan threshold, the job will fail and you can review the results in the log file.
Set Up Container Image Scanning
On Windows and Linux, you can scan container images and serverless functions when you enable twistcli, add a vulnerability scan rule in which you define the criteria to fail the build, and set up a task to scan the image or function in the pipeline.
- Add a vulnerability scan rule on the Prisma Cloud Compute Console.
- Click Add Rule and enter a Rule name.
- Specify the Alert and Failure thresholds. You can set the vulnerability scan to fail on critical, high, medium, or low severity. The failure threshold must be equal to or greater than the alert threshold.
- (Optional) Specify the Images to scan. The image or function zip file name is required later when you add the scan task to the pipeline in Step 3.
- (Optional) Select Apply rule when vendor fixes are available, if you want to scan only for vulnerabilities that have fixes available.
- Specify the Grace period. The grace period is the number of days for which you want to ignore a vulnerability. The time frame is measured in days starting from the date of the first vendor publication. For more details on the advanced settings, see the Prisma Cloud Compute guide.
- Add a pipeline task to scan container images using twistcli.
- Select Pipelines, and Edit your pipeline to add a custom task.
- Search for Prisma in the task list and select Prisma Cloud Compute twistcli scan.
- Select the Scan type—Images or Serverless.
- Select the Prisma Cloud Compute Console service connection name that you created earlier from the drop-down.
- Specify the Image name or serverless Function zip file name. The image name you enter here must match the name of the image you are building in the pipeline; if it doesn’t, the scan will fail.
- Specify the Project name if applicable.
- View the results of the scan. Click on the job, and then select the prismacloudcomputescan task to view the CLI output. To see results on Prisma Cloud, select Compute > Monitor > Vulnerabilities > Twistcli Scans.
Set Up RASP Defender
If you are using Docker-in-Docker, where a Docker container itself has Docker installed and from within that container you use Docker to pull images, build images, and run containers, you have to set up RASP Defenders to secure those containers at runtime.
- Update the Dockerfile and embed the RASP defender as part of the Azure DevOps build.
- Select Pipelines, and Edit your pipeline to add a custom task.
- Search for Prisma in the task list and select Prisma Cloud Compute embed RASP.
- Select the Scan type—Images or Serverless.
- Select the Service connection you created earlier for Prisma Cloud Compute Console.
- Provide a unique Application ID for the RASP defender. For example, <your company>-<app>.
- Enter the Console Host, which is the DNS name or IP address of your Prisma Cloud Compute Console.
- Specify the Data Folder, which is the read-write directory in the container file system. For example, /twistlock/.
- Enter the Dockerfile path of the container image to which you want to add the RASP defender.
Sample YAML File
The following is a sample azure-pipeline.yml when you enable both the Prisma Cloud IaC scan and the Prisma Cloud Compute scan. Azure DevOps autogenerates the starter file; the version below, with both tasks added, is shown as an example.

# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml

trigger:
  branches:
    include:
    - master

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: Palo-Alto-Networks.build-release-task.custom-build-release-task.prisma-cloud-compute-scan@1
  displayName: 'Prisma Cloud Compute Scan'
  inputs:
    twistlockService: 'NewEnv Connection'
    artifact: 'nginx:latest'

- task: Prisma Cloud IaC Scan@1
  inputs:
    Path: 'repo'
    prismaCloudService: 'Prisma Cloud Scan'
    High: '0'
    Medium: '0'
    Low: '0'
    Operator: 'or'

- script: |
    echo Add other tasks to build, test, and deploy your project.
    echo See https://aka.ms/yaml
  displayName: 'Run a multi-line script'
Add Caches for Prisma Cloud Compute Scan
If no Cache task is implemented for the Prisma Cloud Compute Scan, the task downloads the twistcli binary with every run. This can be time consuming, because the same pipeline is executed every time. You can add a Cache task so that the twistcli binary is downloaded only when either of these is true:
- The binary is not already present.
- When a different version of the binary is required.
Note: Caches are only available for yaml pipelines and not for classic pipelines.
- Add a Cache task to your Prisma Cloud Compute Scan pipeline. In your pipeline, search for Cache Task.
- Enter the details for your Cache.
- Key: a unique value to identify and retrieve the cache value later.
- Path: enter twistcli-scan.
- Click Add to add this task to your pipeline.
- Add your task for Prisma Cloud Compute Scan.
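The cache setup described above, as an added azure-pipelines.yml fragment that is not from the original page: a Cache@2 task restores the twistcli-scan folder before the Compute Scan task runs, and the key includes an assumed TWISTCLI_VERSION variable so that a new version forces a fresh download. The variable value and the service connection name are placeholders.

```yaml
# Added example: cache the twistcli binary between pipeline runs.
variables:
  # Assumption: bump this value when the Console (and therefore twistcli) is
  # upgraded; the cache key changes, the restore misses, and the scan task
  # downloads the new binary. The value itself is a placeholder.
  TWISTCLI_VERSION: 'placeholder-version'

steps:
# Restore twistcli-scan when a cache entry with this key exists. Cache@2 saves
# the folder in its post-job step only after a miss, so an unchanged key keeps
# reusing the binary that the scan task downloaded on the first run.
- task: Cache@2
  displayName: 'Cache twistcli'
  inputs:
    key: 'twistcli | "$(Agent.OS)" | "$(TWISTCLI_VERSION)"'
    path: 'twistcli-scan'
    cacheHitVar: 'TWISTCLI_CACHE_RESTORED'   # set to true on a cache hit

# Scan task from the page's sample; with the folder restored it skips the
# download, otherwise it fetches twistcli into twistcli-scan.
- task: Palo-Alto-Networks.build-release-task.custom-build-release-task.prisma-cloud-compute-scan@1
  displayName: 'Prisma Cloud Compute Scan'
  inputs:
    twistlockService: 'Prisma Cloud Compute Console'   # assumed connection name
    artifact: 'nginx:latest'
```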
Generate and Scan the Plan File
Use a plan file to scan your repositories when the templates cannot be scanned directly, for example when your current repository refers to templates in remote repositories.
- Create the Azure DevOps pipeline for your repository. Add a Bash task and choose Inline or Script based on your environment.
- Configure your plan file. The script should have commands for downloading Terraform and generating a plan file of your repository. For example, in the following script, the plan file for the scan/for-expressions folder is generated using Terraform 0.13. The generated plan file is in JSON format and is placed under the plan folder, and .prismaCloud is copied to the same folder:
- Add the Prisma Cloud IaC Scan task and enter your folder path in Directory path.
- Run the pipeline to view the results.
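The plan-file procedure above, as an added example that is not the page's own script: a Bash step downloads a pinned Terraform 0.13 build, writes the JSON plan for scan/for-expressions into its plan folder next to a copy of .prismaCloud, and the IaC Scan task then points at that folder. The Terraform patch version, the download URL pattern and the service connection name are assumptions.

```yaml
# Added example: generate a Terraform plan in JSON and scan it with the IaC task.
steps:
- bash: |
    set -euo pipefail
    TF_VERSION=0.13.7                 # assumed 0.13.x patch release
    TEMPLATE_DIR=scan/for-expressions # root module folder named on the page
    PLAN_DIR="$TEMPLATE_DIR/plan"     # folder the IaC Scan task will read

    # Download a pinned Terraform build instead of whatever the agent image
    # ships, so the plan is produced by the same version on every run.
    curl -fsSLo terraform.zip \
      "https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip"
    unzip -o terraform.zip -d "$HOME/bin"
    export PATH="$HOME/bin:$PATH"
    terraform version

    # init fetches the remote modules the templates refer to, plan resolves
    # them into concrete resources, and show -json emits the plan the scanner
    # reads. Terraform 0.13 has no -chdir flag, so run inside a subshell.
    mkdir -p "$PLAN_DIR"
    (
      cd "$TEMPLATE_DIR"
      terraform init -input=false
      terraform plan -input=false -out=tfplan.binary
      terraform show -json tfplan.binary > plan/tfplan.json
    )

    # The scan reads .prismaCloud/config.yml from the folder it scans, so the
    # repository-level copy is placed beside the plan file.
    cp -r .prismaCloud "$PLAN_DIR/"
  displayName: 'Generate Terraform plan file'

# Scan the plan folder rather than the source templates.
- task: Prisma Cloud IaC Scan@1
  inputs:
    Path: 'scan/for-expressions/plan'
    prismaCloudService: 'Prisma Cloud Scan'   # assumed service connection name
    High: '0'
    Medium: '0'
    Low: '0'
    Operator: 'or'
```

Any provider credentials that terraform init or plan needs on the agent are outside this example and must be supplied through the pipeline's own secret handling.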