Use the Prisma Cloud Extension for Azure DevOps

Use the Prisma Cloud extension to scan IaC templates, container images, and serverless functions in the build or release phase of the Azure DevOps pipeline. After you install this extension from the Azure Visual Studio Marketplace, you can set up the service connections for Prisma Cloud IaC Scan and Prisma Cloud Compute Console, and then use custom tasks in the build or release pipeline for scanning IaC templates, container images, or serverless zip files. When you create a custom task, you can specify the build or pipeline failure criteria based on the severity of the security issues that the extension identifies.

Install and Configure the Prisma Cloud Extensions

You need to get the Prisma Cloud extension from the Visual Studio Marketplace, set up service connections to authenticate with Prisma Cloud and start scanning IaC templates, container images, and serverless functions.
  1. Set up your Azure DevOps organization and pipeline.
    If you are just getting started with Azure Pipeline, refer to the Azure documentation.
    1. Create a project.
    2. Create a new pipeline.
    3. Select your code repository, configure, and save the pipeline.
  2. Install the extension.
    1. Search for Prisma Cloud in the Visual Studio Marketplace.
    2. Install the extension in your Azure DevOps organization.
      Select Organization settings > Extensions to verify that the extension displays in the list of Installed extensions.
  3. Add service connections to authenticate to Prisma Cloud.
    You must create a new service connection for each type of scan: one for IaC scanning and one for scanning container images or serverless functions.
    1. Select Project Settings > Service Connections > New Service Connection > Prisma Cloud IaC Console.
    2. Enter the following information for the Prisma Cloud IaC scanning connection and save your changes.
      • Prisma Cloud API URL.
        The URL for Prisma Cloud varies depending on the region and cluster on which your tenant is deployed. The tenant provisioned for you is, for example, https://app2.prismacloud.io or https://app.eu.prismacloud.io. Replace app in the URL with api and enter it here. Refer to the Prisma Cloud REST API Reference, which is accessible from the Help Center within the Prisma Cloud web interface, for more details.
      • Prisma Cloud Access Key ID.
        The access key enables programmatic access. If you do not have a key, you must Create and Manage Access Keys.
      • Your Prisma Cloud Secret Key.
        You should have saved this key when you generated it. You cannot view it on the Prisma Cloud web interface.
      • A name for the Service Connection.
      • Verify that Grant access permission to all pipelines is selected.
    3. Continue to the next step if you want to set up another service connection for container image scanning. If not, go to Set up a Custom Task for IaC Scanning.
    4. Select Project Settings > Service Connections > New Service Connection > Prisma Cloud Compute Console.
    5. Enter the following information for Prisma Cloud Compute Console and save your changes.
      • Server URL.
        Copy the server URL from the Prisma Cloud interface under Manage > Defenders > Deploy.
      • Username and password.
        These credentials are required for the service connection to authenticate with Prisma Cloud.
      • (Optional) CA certificate, if you are using certificate-based authentication.
      • A name for the Service Connection.
      • Verify that Grant access permission to all pipelines is selected.

Set up a Custom Task for IaC Scanning

Use the following instructions to add a custom task for IaC scanning, and for container image and serverless function scanning, in your azure-pipelines.yml. In each task, you can define the pipeline failure criteria based on the severity of the issues that are detected during the scan.
  1. Under Pipelines, select your pipeline and Edit to add a custom task.
  2. Add a custom task for IaC scanning.
    1. Under Task, search for Prisma Cloud.
    2. Enter the path for the directory you want to scan.
      If you want to scan the entire repository, provide $(System.DefaultWorkingDirectory).
    3. Select the Service Endpoint, which is the service connection you created in the previous task.
    4. Add to the yml file, and Save.
    5. Select the Failure Criteria for the scan.
      You can set the count for High, Medium, and Low severity issues and decide whether to use the AND or OR operator to combine them. For example, if you have a very strict threshold and set the failure criteria to 0,0,0 with the OR operator, your build fails if the policy checks detect any issue.
    6. Select Run, check Enable diagnostic log, and select Run to Build/Release phase of the pipeline.
    7. Add the task.
  3. Run the task.
    1. In Azure DevOps, click Queue to execute your task on the next available build agent.
      If your task configuration is incomplete, a red status message, Some settings need attention, displays just below Run your pipeline.
    2. Check the results.
      • If the IaC Scan finds no issues, the pipeline task result is successful.
      • If the IaC Scan finds issues but the failure criteria threshold you defined is not met, the job is successful but it displays the list of issues that were detected.
        If the failure criteria you defined is more stringent than the default scan threshold, the job fails and you can review the results in the log file.
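The following Python is an added example, not code from the Prisma Cloud extension or from this guide. It models how the Failure Criteria above combine: three per-severity counts (High, Medium, Low) and the AND or OR operator. The page does not spell out the comparison, so the example assumes a limit is exceeded when the scan reports more issues of that severity than the configured count; that is the reading under which 0,0,0 with OR fails on any issue while a clean scan passes. The issue list format and the sample issues are constructed for the example.

```python
"""Evaluate IaC scan Failure Criteria (added example; assumptions noted)."""
from collections import Counter
from dataclasses import dataclass

SEVERITIES = ("High", "Medium", "Low")


@dataclass(frozen=True)
class FailureCriteria:
    """Per-severity limits plus the operator that combines them."""
    high: int
    medium: int
    low: int
    operator: str  # "AND" or "OR"

    @classmethod
    def parse(cls, spec: str, operator: str) -> "FailureCriteria":
        """Parse the 'High,Medium,Low' count string used in the task UI."""
        parts = [int(p.strip()) for p in spec.split(",")]
        if len(parts) != 3:
            raise ValueError("failure criteria must be 'High,Medium,Low'")
        op = operator.strip().upper()
        if op not in ("AND", "OR"):
            raise ValueError("operator must be AND or OR")
        return cls(parts[0], parts[1], parts[2], op)

    def limits(self) -> dict:
        return {"High": self.high, "Medium": self.medium, "Low": self.low}


def count_by_severity(issues) -> dict:
    """Count issues per severity; severities with no issues count as 0."""
    counts = Counter(issue["severity"] for issue in issues)
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def build_fails(issues, criteria: FailureCriteria) -> bool:
    """Assumption: a limit is exceeded when count > configured count.
    AND requires every limit to be exceeded; OR requires any one."""
    counts = count_by_severity(issues)
    exceeded = [counts[sev] > limit for sev, limit in criteria.limits().items()]
    return all(exceeded) if criteria.operator == "AND" else any(exceeded)


def summarize(issues, criteria: FailureCriteria) -> str:
    """One-line verdict suitable for a pipeline log."""
    counts = count_by_severity(issues)
    verdict = "FAIL" if build_fails(issues, criteria) else "PASS"
    return (f"{verdict}: High={counts['High']} Medium={counts['Medium']} "
            f"Low={counts['Low']} (limits {criteria.high},{criteria.medium},"
            f"{criteria.low} {criteria.operator})")


# Constructed sample scan result, not real scanner output.
SAMPLE_ISSUES = [
    {"id": "EX-1", "severity": "High", "rule": "storage allows public access"},
    {"id": "EX-2", "severity": "Medium", "rule": "inbound RDP open to any source"},
    {"id": "EX-3", "severity": "Low", "rule": "required tags missing"},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_ISSUES, FailureCriteria.parse("0,0,0", "OR")))
    print(summarize(SAMPLE_ISSUES, FailureCriteria.parse("5,5,5", "OR")))
    print(summarize(SAMPLE_ISSUES, FailureCriteria.parse("0,0,0", "AND")))
```

With the strict 0,0,0 OR setting the sample scan fails on its single High issue; with 5,5,5 OR the same scan passes and the issues are only reported. AND is the permissive form: the build fails only when every severity is over its limit, so a setting such as 1,0,0 AND would let the sample through.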

Set Up Container Image Scanning

To scan container images and serverless functions, you need to enable twistcli, set up a task that scans in the pipeline, and define the criteria that fail the build.
  1. Download the latest twistcli binary from the Prisma Cloud Compute Console to your local machine.
    Get the binary from Compute > Manage > System > Downloads; for Prisma Cloud Compute Edition (self-hosted), it is Manage > System > Downloads. The Prisma Cloud Compute Console and the twistcli binary must be from the same version, SaaS or self-hosted.
  2. Enable twistcli for Azure DevOps.
    1. Create a new artifact feed.
      Select Project Artifacts > Create Feed.
    2. Connect to the newly created feed.
      Click Connect to feed, and follow the instructions for publishing a universal package.
      For example, on the command line, type
      az login
      az artifacts universal publish --organization https://dev.azure.com/phamel77/ --feed <feedname> --name twistcli --version 0.0.1 --description "twistcli package" --path <filepath>
      (where filepath is the directory to which you saved the twistcli binary that you downloaded from Prisma Cloud, and feedname is the name of the feed you created in the previous step.)
    3. Make twistcli an executable.
      • Add a universal package download task to download the twistcli binary in the pipeline.
      • Add a task to copy the twistcli binary to the /usr/bin directory and make it executable.
      • (Optional) Pull the external container images to scan.
  3. Add a pipeline task to scan container images using twistcli.
    1. Select Pipelines, and Edit your pipeline to add a custom task.
    2. Search for Prisma in the task list and select Prisma Cloud Compute twistcli scan.
    3. Select the Scan type: Images or Serverless.
    4. Select the Service connection you created earlier for Prisma Cloud Compute Console.
    5. Set the Vulnerability threshold.
      Prisma Cloud Compute image scan uses the value you set (critical, high, medium, or low) as the minimum failure threshold. If the threshold is set to high, any vulnerability identified at level high or above fails the pipeline task.
    6. Select only fixed if you want to scan only for vulnerabilities that have fixes available.
    7. Specify the Grace period.
      The grace period is the number of days for which you want to ignore a vulnerability. The time frame is measured in days starting from the date of the first vendor publication.
    8. Set the Compliance threshold.
      When the image exceeds the configured compliance threshold (critical, high, medium, or low), Prisma Cloud Compute image scan fails your build and prevents code that is in violation from progressing through your pipeline.
    9. Specify the image name or serverless function zip file name.
      You need to pull the image in the pipeline before you can scan it.
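The following Python is an added example, not twistcli code or code from the Prisma Cloud extension. It shows how the four settings in steps 5 to 8 (Vulnerability threshold, only fixed, Grace period, Compliance threshold) combine to pass or fail a scan. The assumptions are the example's own: severities are ordered low < medium < high < critical and a threshold fails on findings at or above it; "only fixed" drops findings with no fix before the threshold check; the grace period ignores a finding whose vendor publish date is fewer than the configured number of days before the scan date; compliance findings are compared against the compliance threshold with no fix or grace filtering. The finding fields and the sample scan are constructed and are not the twistcli output schema.

```python
"""Combine vulnerability/compliance task settings (added example)."""
from datetime import date, timedelta

# Assumption: this is the severity order used for threshold comparison.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def meets_threshold(severity: str, threshold: str) -> bool:
    """True when a finding's severity is at or above the configured threshold."""
    sev, thr = severity.lower(), threshold.lower()
    if sev not in SEVERITY_RANK or thr not in SEVERITY_RANK:
        raise ValueError(f"unknown severity: {severity!r} / {threshold!r}")
    return SEVERITY_RANK[sev] >= SEVERITY_RANK[thr]


def within_grace(vuln: dict, scan_date: date, grace_days: int) -> bool:
    """Assumption: a finding is ignored while it is younger than grace_days,
    counted from the vendor publish date. No publish date means no grace."""
    published = vuln.get("published")
    if grace_days <= 0 or published is None:
        return False
    return (scan_date - published) < timedelta(days=grace_days)


def blocking_vulns(vulns, threshold, only_fixed, grace_days, scan_date):
    """Vulnerabilities that survive the filters and meet the threshold."""
    blocking = []
    for v in vulns:
        if only_fixed and not v.get("fix_available", False):
            continue  # 'only fixed': unfixable findings are not gating
        if within_grace(v, scan_date, grace_days):
            continue  # still inside the grace period
        if meets_threshold(v["severity"], threshold):
            blocking.append(v)
    return blocking


def blocking_compliance(findings, threshold):
    """Compliance checks are gated on severity alone (assumption)."""
    return [f for f in findings if meets_threshold(f["severity"], threshold)]


def evaluate_scan(scan, settings, scan_date):
    """Return (passed, reasons); reasons is empty when the task passes."""
    vulns = blocking_vulns(scan["vulnerabilities"],
                           settings["vulnerability_threshold"],
                           settings["only_fixed"],
                           settings["grace_period_days"],
                           scan_date)
    comp = blocking_compliance(scan["compliance"],
                               settings["compliance_threshold"])
    reasons = [f"vulnerability {v['id']} ({v['severity']})" for v in vulns]
    reasons += [f"compliance {f['id']} ({f['severity']})" for f in comp]
    return (not reasons, reasons)


# Constructed sample scan; the image name and finding ids are made up.
SCAN_DATE = date(2024, 3, 1)
SAMPLE_SCAN = {
    "image": "example.local/app:1.0",
    "vulnerabilities": [
        {"id": "VULN-A", "severity": "critical", "fix_available": True,
         "published": date(2023, 12, 1)},   # 91 days before scan
        {"id": "VULN-B", "severity": "high", "fix_available": False,
         "published": date(2023, 6, 1)},
        {"id": "VULN-C", "severity": "high", "fix_available": True,
         "published": date(2024, 2, 25)},   # 5 days before scan
        {"id": "VULN-D", "severity": "medium", "fix_available": True,
         "published": date(2023, 1, 1)},
    ],
    "compliance": [
        {"id": "COMP-1", "severity": "medium", "title": "image runs as root"},
    ],
}

STRICT = {"vulnerability_threshold": "high", "only_fixed": False,
          "grace_period_days": 0, "compliance_threshold": "critical"}
LENIENT = {"vulnerability_threshold": "critical", "only_fixed": True,
           "grace_period_days": 120, "compliance_threshold": "critical"}

if __name__ == "__main__":
    for name, cfg in (("strict", STRICT), ("lenient", LENIENT)):
        passed, reasons = evaluate_scan(SAMPLE_SCAN, cfg, SCAN_DATE)
        print(name, "PASS" if passed else "FAIL", reasons)
```

Under the strict settings the sample fails on three findings (the critical one, and both high ones, including the unfixable one because only fixed is off). Under the lenient settings the only critical finding is 91 days old and inside a 120-day grace period, so the task passes; lowering the compliance threshold to medium would make the root-user compliance finding gate it instead.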

Set Up RASP Defender

If you are using Docker-in-Docker, where a Docker container itself has Docker installed and you use Docker from within that container to pull images, build images, and run containers, you have to set up RASP Defenders to secure containers at runtime.
  1. Update the Dockerfile and embed the RASP Defender as part of the Azure DevOps build.
    1. Select Pipelines, and Edit your pipeline to add a custom task.
    2. Search for Prisma in the task list and select Prisma Cloud Compute embed RASP.
    3. Select the Scan type: Images or Serverless.
    4. Select the Service connection you created earlier for Prisma Cloud Compute Console.
    5. Provide a unique Application ID for the RASP Defender.
      For example, <your company>-<app>.
    6. Enter the Console Host, which is the DNS name or IP address of your Prisma Cloud Compute Console.
    7. Specify the Data Folder, which is the read-write directory in the container file system.
      For example, /twistlock/.
    8. Enter the Dockerfile path of the container image to which you want to add the RASP Defender.
