Use the Prisma Cloud Extension for Azure DevOps

Secure your Azure DevOps pipelines by scanning IaC templates, container images, and serverless functions against Prisma Cloud’s set of policies.
Use the Prisma Cloud extension to scan IaC templates, container images, and serverless functions in the build or release phase of the Azure DevOps pipeline. After you install this extension from the Azure Visual Studio Marketplace, you can set up the service connections for Prisma Cloud IaC Scan and Prisma Cloud Compute Scan, and then use custom tasks in the build or release pipeline to scan IaC templates (AWS CloudFormation templates, Terraform templates of a supported Terraform version, Kubernetes manifests, or app deployment YAML files), container images, or serverless zip files. When you create a custom task, you can specify the build or pipeline failure criteria based on the severity of the security issues that the extension identifies.
When you set up the Prisma Cloud extension to scan, you can specify tags at different stages. Prisma Cloud tags give visibility on the Prisma Cloud administrator console and are different from Azure DevOps tags or from the cloud resource tags that you may have included within your IaC templates. You can include these tags as key:value pairs in a comma-separated list when you set up the service connection, within .prismaCloud/config.yml at the repository level, or where you define the failure criteria for a Prisma Cloud IaC scan at the task level, and then use them as a filter on Prisma Cloud.
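As an added example (not a file from the Prisma Cloud documentation or the extension), this is what a repository-level .prismaCloud/config.yml can look like for a Terraform 0.13 project. The field names follow the Prisma Cloud IaC scan configuration schema as I understand it (template_type, template_version, template_parameters with variables and variable_files, and a tags list); verify them against the IaC scan reference for your tenant. The variable name, the tfvars path, and the tag values are placeholders.

```yaml
# .prismaCloud/config.yml (added example; placeholder values)
# Tells the IaC scan how to interpret the templates in this repository branch.

template_type: TF          # TF for Terraform; CFT and K8S are the other types
template_version: 0.13     # must match the Terraform version the templates target

template_parameters:
  # Values the scan needs to resolve variables that have no default.
  variables:
    region: us-west-2      # assumed variable name used by the templates
  # Variable files are read relative to the repository root.
  variable_files:
    - ./env/dev.tfvars     # assumed path

# Prisma Cloud tags for filtering scan results on the console.
# These are not Terraform resource tags and are not applied to any cloud resource.
tags:
  - env:dev
  - owner:platform-security
```

Keep the tfvars file referenced here free of secrets: the scan reads it to resolve variables, so anything in it travels to the scan service along with the templates.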

Install and Configure the Prisma Cloud Extensions

Add .prismaCloud/config.yml to the root directory of your repository branch, get the Prisma Cloud extension from the Visual Studio Marketplace, and set up service connections to authenticate with Prisma Cloud. You can then start scanning IaC templates, container images, and serverless functions.
  1. Set up your Azure DevOps organization and pipeline.
    If you are just getting started with Azure Pipeline, refer to the Azure documentation.
    1. Create a project.
    2. Create a new pipeline.
    3. Select your code repository, configure, and save the pipeline.
  2. Create .prismaCloud/config.yml and add it to the root directory of your repository branch.
    The file is required, and it must include the template type, the template version, and the template-specific parameters and tags you use in your environment.
  3. Install the extension.
    1. Search for Prisma Cloud in the Visual Studio Marketplace.
    2. Install the extension in your Azure DevOps organization.
      Select Organization settings > Extensions to verify that the extension displays in the list of Installed extensions.
      Updating the extension: Azure DevOps is expected to auto-update the extension version. However, the tasks are not always updated properly, especially in major releases, which can break the pipeline. To avoid this, uninstall and reinstall the extension after a major release.
  4. Add service connections to authenticate to Prisma Cloud.
    You must create a separate service connection for each type of scan: one for IaC scanning and one for scanning container images or serverless functions. The connection holds the credentials, so the pipeline YAML and the repository never need to contain a key or password.
    1. Select Project Settings > Service Connections > New Service Connection > Prisma Cloud IaC Console.
    2. Enter the following information for the Prisma Cloud IaC Console connection and save your changes.
      • Server URL: enter the Prisma Cloud API URL.
        The URL for Prisma Cloud varies depending on the region and cluster on which your tenant is deployed. For example, if your tenant is https://app2.prismacloud.io or https://app.eu.prismacloud.io, replace app in the URL with api (https://api2.prismacloud.io or https://api.eu.prismacloud.io) and enter that here. Refer to the Prisma Cloud REST API Reference for more details.
      • Access Key: enter your Prisma Cloud access key.
        The access key enables programmatic access. If you do not have a key, see Create and Manage Access Keys.
      • Secret Key: enter the secret key that was generated with the access key.
        You should have saved this key when you generated it; you cannot view it later on the Prisma Cloud web interface.
      • Asset Name: enter a name that identifies the repository you want to scan.
      • Tags: enter key:value pairs to organize the templates that are scanned with this service connection, for visibility on Prisma Cloud.
      • Service connection name: provide a name for the connection.
      • Verify that Grant access permission to all pipelines is selected and Save your changes.
        If you would rather not let every pipeline in the project use these credentials, leave this option cleared and authorize only the pipelines that need the connection when they first run.
    3. Continue to the next step if you want to set up another service connection for container image scanning. If not, go to Set up a Custom Task for IaC Scanning.
    4. Select Project Settings > Service Connections > New Service Connection > Prisma Cloud Compute Console.
    5. Enter the following information for the Prisma Cloud Compute Console connection and save your changes.
      • Server URL.
        Copy the server URL from the Prisma Cloud interface under Compute > Manage > System > Downloads > Path to Console. For Prisma Cloud Compute Edition, get the URL from Manage > System > Downloads > Path to Console.
      • Username and password.
        These credentials are required for the service connection to authenticate with Prisma Cloud. If you are using Prisma Cloud Compute Edition (self-hosted), create a role and enter your username and password.
        If you are using Prisma Cloud Compute, you must first Create Prisma Cloud Roles with the Build and Deploy Security permission group and assign this role to the administrative user so that they can create an access key. The access key is the username and the secret key is the password.
        If your password has special characters, escape them when you enter the password.
      • (Optional) CA certificate, if you are using certificate-based authentication.
      • (Optional) HTTP Proxy URL, if you use a firewall or a proxy to reach the internet.
      • Name: add a name for the service connection.
      • Verify that Grant access permission to all pipelines is selected.

Set up a Custom Task for IaC Scanning

Use the following instructions to add a custom task for IaC scanning to your azure-pipelines.yml; the tasks for container image and serverless function scanning are described in Set Up Container Image Scanning. In each task, you can define the pipeline failure criteria based on the severity of the issues that are detected during the scan.
  1. Under Pipelines, select your pipeline and Edit to add a custom task.
  2. Add a custom task for IaC scanning.
    1. Under Task, search for Prisma Cloud IaC Scan.
    2. Enter the path of the directory you want to scan.
      If you want to scan the entire repository, use dot (.) or $(System.DefaultWorkingDirectory).
    3. Select the Service Endpoint, which is the service connection you created in the previous task.
    4. Enter the Tags you want to apply to the templates that are being scanned.
      The tags format is name:value, and you can add multiple tags separated by commas.
    5. Specify whether you want to ignore API errors.
      By default, errors are not ignored, and the pipeline fails when the scan hits API errors or finds issues that meet your failure criteria thresholds. Select Ignore Errors if you do not want the pipeline to fail on API errors; the pipeline still fails when your failure criteria are met. Keep in mind that with this option an unreachable or misconfigured scan service lets the build pass without any scan having run, so check the task log if you enable it.
    6. Select the Failure Criteria for the scan.
      You can set the count for High, Medium, and Low severity issues and decide whether to combine them with the AND or OR operator. For example, if you have a very strict threshold and set the failure criteria to 0,0,0 with the OR operator, your build fails if the policy checks detect any issue.
    7. Add the task to the yml file and Save it.
    8. Enable system diagnostics and Run.
  3. Run the task.
    1. In Azure DevOps, click Queue to execute your task on the next available build agent.
      If your task configuration is incomplete, a red status message, Some settings need attention, displays just below Run your build.
    2. Check the results.
      • If the IaC Scan finds no issues, the pipeline task result is successful.
      • If the IaC Scan finds issues but the failure criteria threshold you defined is not met, the job is successful but displays the list of issues that were detected. For each policy that was violated, click the Policy URL link to review the policy details.
        If the failure criteria you defined are more stringent than the default scan threshold, the job fails and you can review the results in the log file.

Set Up Container Image Scanning

On Windows and Linux OS, you can scan container images and serverless functions when you enable twistcli, add a vulnerability scan rule where you define the criteria to fail the build, and set up a task to scan the image or function in the pipeline.
  1. Add a vulnerability scan rule on the Prisma Cloud Compute Console.
    1. Select Compute > Defend > Vulnerabilities > Images > CI.
    2. Add Rule and enter a Rule name.
    3. Specify the Alert and Failure thresholds.
      You can set the vulnerability scan to alert or fail on critical, high, medium, or low severity. The failure threshold must be equal to or more severe than the alert threshold.
    4. (Optional) Specify the Images to scan.
      The image or function zip file name is required later when you add the scan task to the pipeline in Step 2.
    5. (Optional) Select Apply rule when vendor fixes are available if you want the rule to consider only vulnerabilities that have fixes available.
    6. Specify the Grace period.
      The grace period is the number of days for which you want to ignore a vulnerability, measured from the date of the first vendor publication. For more details on the advanced settings, see the Prisma Cloud Compute guide.
  2. Add a pipeline task to scan container images using twistcli.
    1. Select Pipelines, then Edit your pipeline to add a custom task.
    2. Search for Prisma in the task list and select Prisma Cloud Compute twistcli scan.
    3. Select the Scan type: Images or Serverless.
    4. Select the Prisma Cloud Compute Console service connection name that you created earlier from the drop-down.
    5. Specify the Image name or the serverless Function zip file name.
      The image name you enter here must match the name of the image you are building in the pipeline; if it does not, the scan fails. Build the image in a task that runs before the scan task and use the same tag in both.
    6. Specify the Project name if applicable.
  3. View the results of the scan.
    Click the job, and then select the prismacloudcomputescan task to view the CLI output.
    To see results on Prisma Cloud, select Compute > Monitor > Vulnerabilities > Twistcli Scans.

Set Up RASP Defender

If you are using Docker-in-Docker, where a Docker container itself has Docker installed and from within that container you pull images, build images, and run containers, you must set up RASP Defenders to secure those containers at runtime.
  1. Update the Dockerfile and embed the RASP Defender as part of the Azure DevOps build.
    1. Select Pipelines, then Edit your pipeline to add a custom task.
    2. Search for Prisma in the task list and select Prisma Cloud Compute embed RASP.
    3. Select the Scan type: Images or Serverless.
    4. Select the Service connection you created earlier for Prisma Cloud Compute Console.
    5. Provide a unique Application ID for the RASP Defender.
      For example, <your company>-<app>.
    6. Enter the Console Host, which is the DNS name or IP address of your Prisma Cloud Compute Console.
    7. Specify the Data Folder, which is a read-write directory in the container file system.
      For example, /twistlock/.
    8. Enter the Dockerfile path of the container image to which you want to add the RASP Defender.

Sample YAML File

The following is a sample azure-pipelines.yml with both the Prisma Cloud IaC scan and the Prisma Cloud Compute scan enabled. Azure DevOps autogenerates the starter pipeline; the two Prisma Cloud tasks were added to it.
# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml

trigger:
  branches:
    include:
    - master

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: Palo-Alto-Networks.build-release-task.custom-build-release-task.prisma-cloud-compute-scan@1
  displayName: 'Prisma Cloud Compute Scan'
  inputs:
    twistlockService: 'NewEnv Connection'
    artifact: 'nginx:latest'

- task: Prisma Cloud IaC Scan@1
  inputs:
    Path: 'repo'
    prismaCloudService: 'Prisma Cloud Scan'
    High: '0'
    Medium: '0'
    Low: '0'
    Operator: 'or'

- script: |
    echo Add other tasks to build, test, and deploy your project.
    echo See https://aka.ms/yaml
  displayName: 'Run a multi-line script'

Add Caches for Prisma Cloud Compute Scan

If no Cache task is added to a pipeline that runs the Prisma Cloud Compute Scan, the task downloads the twistcli binary on every run. This is time consuming when the same pipeline is executed repeatedly. You can add a Cache task so that the twistcli binary is downloaded only when either of these is true:
  • The binary is not already present.
  • A different version of the binary is required.
Note: Caches are only available for YAML pipelines, not for classic pipelines.
  1. Add the Cache task to your Prisma Cloud Compute Scan pipeline.
    In your pipeline, search for the Cache task.
  2. Enter the details for your cache.
    • Key: a unique value used to identify and retrieve the cache later.
    • Path: enter twistcli-scan.
    • Cache hit variable: enter TWISTCLI_RETRIEVED.
  3. Click Add to add this task to your pipeline.
  4. Add your task for Prisma Cloud Compute Scan after the Cache task.
    The first time the pipeline runs, the scan task downloads the twistcli binary; afterwards, it first looks in the cache and only downloads the binary if required.
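The following pipeline fragment is an added example, not code from the Prisma Cloud documentation or the extension, that ties together the container image scanning steps above (build the image first, then scan exactly that tag) and this section's Cache task. It uses the compute scan task name and inputs shown in the Sample YAML File section; the repository name myorg/app, the service connection name Prisma Cloud Compute Console, and the CONSOLE_VERSION variable used in the cache key are assumptions.

```yaml
# azure-pipelines.yml fragment (added example; names are placeholders)
variables:
  IMAGE_NAME: 'myorg/app'        # assumed repository name for the built image
  CONSOLE_VERSION: '22.06'       # assumed; bump it when the Console (and so twistcli) is upgraded

steps:
# Build the image before scanning. Docker@2 with command: build and no registry
# connection tags the result as <repository>:<tags>, i.e. myorg/app:<build id>.
- task: Docker@2
  displayName: 'Build image'
  inputs:
    command: build
    repository: $(IMAGE_NAME)
    tags: $(Build.BuildId)
    Dockerfile: Dockerfile

# Restore twistcli from the pipeline cache. On a miss the scan task downloads the
# binary from the Console, and the post-job step of Cache@2 saves the folder.
# Keying on the agent OS and the Console version forces a fresh download when
# either changes, so a stale binary is never reused against a newer Console.
- task: Cache@2
  displayName: 'Cache twistcli'
  inputs:
    key: 'twistcli | "$(Agent.OS)" | "$(CONSOLE_VERSION)"'
    path: twistcli-scan
    cacheHitVar: TWISTCLI_RETRIEVED

# Scan the image that was just built. The artifact must be exactly the tag
# produced by Docker@2 above; a different name makes the scan fail.
- task: Palo-Alto-Networks.build-release-task.custom-build-release-task.prisma-cloud-compute-scan@1
  displayName: 'Prisma Cloud Compute Scan'
  inputs:
    twistlockService: 'Prisma Cloud Compute Console'
    artifact: '$(IMAGE_NAME):$(Build.BuildId)'
```

Order matters twice here: the Docker build must precede the scan so the tag exists on the agent, and the Cache task must precede the scan so the restore happens before the task looks for the binary. Because the cache key does not include the twistcli binary's own hash, rely on the CONSOLE_VERSION bump (or on the task's own version check described above) rather than on the cache to decide when a new binary is needed.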

Generate and Scan the Plan File

Scan a Terraform plan file instead of the raw templates when the templates alone cannot be evaluated, for example when your current repository refers to modules or templates in remote repositories.
  1. Create the Azure DevOps pipeline for your repository.
    Add a Bash task and choose Inline or Script based on your environment.
  2. Configure your plan file.
    The script should contain commands for downloading Terraform and generating a plan file of your repository.
    For example, for the scan/for-expressions folder, the script generates the plan file using Terraform 0.13, writes it in JSON format under the plan folder, and copies .prismaCloud to that same folder so that the scan finds its configuration next to the plan.
  3. Add the Prisma Cloud IaC Scan task and enter the plan folder path in Directory path.
  4. Run the pipeline to view the results.
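As an added example (not the script from the Prisma Cloud documentation), the following pipeline fragment carries out the procedure above: it downloads Terraform 0.13 and verifies the release checksum, generates a JSON plan for scan/for-expressions into the plan folder, copies .prismaCloud alongside it, and then points the IaC scan task at that folder using the task name and inputs from the Sample YAML File section. The Terraform patch version 0.13.7, the HashiCorp release URL layout, the AWS credential variable names, and the service connection name Prisma Cloud Scan are assumptions.

```yaml
# azure-pipelines.yml fragment (added example; names and versions are placeholders)
variables:
  TF_VERSION: '0.13.7'           # assumed Terraform 0.13 patch release

steps:
- bash: |
    set -euo pipefail

    # Download Terraform and check it against the SHA256SUMS file that ships with
    # every release, so a tampered binary cannot run in the pipeline.
    base="https://releases.hashicorp.com/terraform/${TF_VERSION}"
    curl -fsSLO "${base}/terraform_${TF_VERSION}_linux_amd64.zip"
    curl -fsSLO "${base}/terraform_${TF_VERSION}_SHA256SUMS"
    grep "terraform_${TF_VERSION}_linux_amd64.zip" "terraform_${TF_VERSION}_SHA256SUMS" | sha256sum -c -
    mkdir -p "$HOME/bin"
    unzip -o "terraform_${TF_VERSION}_linux_amd64.zip" -d "$HOME/bin"
    export PATH="$HOME/bin:$PATH"

    # Generate the plan in JSON form. -input=false stops Terraform from waiting on
    # a prompt that nothing in a pipeline will ever answer.
    src="$(Build.SourcesDirectory)"
    mkdir -p "${src}/plan"
    cd "${src}/scan/for-expressions"
    terraform init -input=false
    terraform plan -input=false -out=tfplan.binary
    terraform show -json tfplan.binary > "${src}/plan/tfplan.json"

    # The scan reads .prismaCloud/config.yml from the directory it is pointed at,
    # so the configuration has to sit next to the plan file.
    cp -r "${src}/.prismaCloud" "${src}/plan/"
  displayName: 'Generate Terraform plan file'
  env:
    # Assumed secret pipeline variables. terraform plan only needs read access to
    # the target account; scope the credential accordingly.
    AWS_ACCESS_KEY_ID: $(AWS_ACCESS_KEY_ID)
    AWS_SECRET_ACCESS_KEY: $(AWS_SECRET_ACCESS_KEY)

- task: Prisma Cloud IaC Scan@1
  displayName: 'Prisma Cloud IaC Scan (plan file)'
  inputs:
    Path: 'plan'
    prismaCloudService: 'Prisma Cloud Scan'
    High: '0'
    Medium: '0'
    Low: '0'
    Operator: 'or'
```

Two cautions when scanning plans. The JSON plan contains the resolved values of every variable, including anything marked sensitive, so do not publish the plan folder as a build artifact. And because terraform plan talks to the real provider, the pipeline now holds cloud credentials; keep them in secret variables or a variable group rather than in the YAML, and give them only the read permissions a plan requires.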
