Use the Prisma Cloud Extension for the GitLab CI/CD Pipeline
You can use the Prisma Cloud extension for GitLab CI/CD to scan IaC templates against Prisma Cloud policies, or to scan container images for vulnerabilities.

To scan IaC templates in the build or release phase of the GitLab CI/CD pipeline, you need to configure the Prisma Cloud extension. To start, include the Prisma Cloud IaC extension template file in your .gitlab-ci.yml file, then configure the extension using GitLab variables and the config.yml file. When you then use this extension to scan your templates in the pipeline, the failure thresholds you specify are used to pass or fail the check based on the severity of the security issues that are detected. When the scan passes, the code can be merged. If the scan fails, the security issues must be fixed before the code changes can be merged.

The inputs required for scanning IaC templates are:
- Connection settings as environment variables to enable communication between the Prisma Cloud API server and your GitLab repository.
- The .gitlab-ci.yml file at the root level of your repository. For any commit or push to your repository, this file starts jobs on GitLab runners according to its contents. You must have a shared runner or a project-specific/custom runner for the job to run successfully.
- The config.yml file at the root level of the project under the .prismaCloud directory. The path for this file must be .prismaCloud/config.yml. Prisma Cloud requires this configuration file to learn about your IaC module structure, runtime variables, and tags so that it can scan the IaC templates in your repository.
To scan container images for vulnerabilities, the way to set up the Prisma Cloud extension is very similar to the IaC scan. You first connect to Prisma Cloud Compute using environment variables, and the container image scan is then available as a command that you invoke through a pipeline job.

The inputs required for scanning container images are:
- Connection settings as environment variables to enable communication between the Prisma Cloud Compute console and your GitLab repository.
- The .gitlab-ci.yml file at the root level of your repository.
- The image to scan. You can either provide the image details as an environment variable or directly scan an image using a twistcli command in the pipeline job.
To set up the Prisma Cloud GitLab extension, follow the steps below.

If you have been using the Prisma Cloud GitLab extension v1, there are no updates to the environment variables. However, the .gitlab-ci.yml file has been simplified as described in Set Up a Custom GitLab Pipeline Job for IaC Scan.
Configure the Prisma Cloud Extension for GitLab CI/CD
The table below summarizes the environment variables you must configure for your GitLab project.

| For | Key | Description |
|---|---|---|
| IaC Template Scan | prisma_cloud_api_url | Prisma Cloud base API URL. The API URL for Prisma Cloud varies depending on the region and cluster on which your tenant is deployed. If the tenant provisioned for you is, for example, https://app2.prismacloud.io or https://app.eu.prismacloud.io, replace app in the URL with api. |
| | prisma_cloud_access_key | Prisma Cloud access key for API access. If you do not have a key, see Create and Manage Access Keys. |
| | prisma_cloud_secret_key | Secret key that corresponds to the Prisma Cloud access key. |
| | prisma_cloud_cicd_asset_name | GitLab server name. |
| | prisma_cloud_repo_dir | Template repository directory on the GitLab runner. Your IaC files must be in this directory. You cannot mix different template types (CFT, Terraform, etc.) in a single scan. |
| | prisma_cloud_cicd_failure_criteria | (Optional) String that defines the criteria that should trigger a pipeline failure. Set it as High: x, Medium: y, Low: z, Operator: O, where x, y, z are the number of issues of each severity and the operator is OR or AND. You do not have to define the failure threshold, because the default failure criteria is High: 1, Medium: 1, Low: 1, Operator: or, so any finding will fail the pipeline. |
| | prisma_cloud_cicd_tags | (Optional) Prisma Cloud tags are different from GitLab tags or cloud tags that you may have included within your IaC templates. Prisma Cloud tags enable visibility on the Prisma Cloud administrator console. For example: prisma_cloud_cicd_tags: project:x,owner:mr.y,compliance:pci. You cannot include a comma in the values: if a tag key1 is given the comma-separated values val1 and val2, key1 and val1 will be kept while val2 will be discarded. |
| Container Image Scan | prisma_cloud_compute_url | Base URL for the Prisma Cloud Compute console. For example http://console<example>.com:8083. |
| | prisma_cloud_compute_username | Prisma Cloud Compute user with the CI User role. You must set up a user who belongs to the Build and Deploy Security permission group; see Create Prisma Cloud Roles. |
| | prisma_cloud_compute_password | Prisma Cloud Compute user password (for container image scan). |
| | prisma_cloud_scan_image | Target image ID, name:tag, or image tar file name to scan. You can use regular expressions when specifying image names, such as nginx*. |
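The two table entries with a non-obvious format are prisma_cloud_cicd_failure_criteria and prisma_cloud_cicd_tags. The following added example (not part of the Prisma Cloud extension) models the documented semantics so you can check a criteria string before committing it: it assumes a severity count "reaches" its threshold when count >= x, and that tags are split on commas first, which is why a comma inside a value loses the trailing part.

```python
# Failure-criteria format from the table: "High: x, Medium: y, Low: z, Operator: O"
# Default when the variable is unset (from the documentation).
DEFAULT_CRITERIA = "High: 1, Medium: 1, Low: 1, Operator: or"
SEVERITIES = ("High", "Medium", "Low")


def parse_failure_criteria(text=None):
    """Return ({'High': x, 'Medium': y, 'Low': z}, 'OR' | 'AND')."""
    text = text or DEFAULT_CRITERIA
    fields = {}
    for part in text.split(","):
        key, _sep, value = part.partition(":")
        fields[key.strip().lower()] = value.strip()
    try:
        thresholds = {sev: int(fields[sev.lower()]) for sev in SEVERITIES}
    except (KeyError, ValueError) as exc:
        raise ValueError(f"malformed failure criteria: {text!r}") from exc
    operator = fields.get("operator", "or").upper()
    if operator not in ("OR", "AND"):
        raise ValueError(f"unsupported operator: {operator!r}")
    return thresholds, operator


def pipeline_should_fail(counts, criteria=None):
    """counts: issues found per severity, e.g. {'High': 0, 'Medium': 2, 'Low': 5}.
    Assumption: a severity 'hits' when its count >= threshold. OR fails the job
    when any severity hits; AND only when all three do."""
    thresholds, operator = parse_failure_criteria(criteria)
    hits = [counts.get(sev, 0) >= limit for sev, limit in thresholds.items()]
    return any(hits) if operator == "OR" else all(hits)


def parse_cicd_tags(text):
    """Split a prisma_cloud_cicd_tags value into {key: value}.
    Items are comma separated, so a comma inside a value starts a new item
    with no key, which is dropped: 'key1:val1,val2' keeps key1=val1 only."""
    tags = {}
    for item in text.split(","):
        key, sep, value = item.partition(":")
        if sep and key.strip():
            tags[key.strip()] = value.strip()
    return tags
```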
- Set up the connection to the Prisma Cloud API.
  - Add the connection settings as environment variables under Project > Settings > CI/CD > Variables. You can also provide the GitLab variables in the .gitlab-ci.yml file under variables, instead of adding them in the project settings.
  - Set the Prisma Cloud API URL as the value for the prisma_cloud_api_url environment variable.
  - Add your Prisma Cloud access key as the value for the prisma_cloud_access_key environment variable. The access key enables programmatic access.
  - Add your GitLab server name as the value for the prisma_cloud_cicd_asset_name environment variable. On Prisma Cloud, the asset name is used to track results. Example names are creditapp_server and ConsumerBU_server.
- Set up environment variables for container image scans. Set up the following environment variables only if you want to run container image scans. As with the environment variables that support IaC scans, navigate to Project > Settings > CI/CD > Variables to add new environment variables.
  - Add prisma_cloud_compute_url, whose value is the base URL for your Prisma Cloud Compute console.
  - Add prisma_cloud_compute_username, whose value is the Prisma Cloud Compute user with the CI User role.
  - Add prisma_cloud_compute_password, whose value is the password for the Prisma Cloud Compute user.
  - Add prisma_cloud_scan_image, whose value is the details that identify the image.
- Create the .prismaCloud/config.yml file and add it to the root directory of your repository branch. The file is required, and it must include the template type, version, and the template-specific parameters and tags you use in your environment.
Set Up a Custom GitLab Pipeline Job for IaC Scan
- Add the Prisma Cloud GitLab extension to the GitLab CI configuration. The GitLab CI configuration is stored in the .gitlab-ci.yml file. Add the following lines to this file (refer to the GitLab documentation to learn about the .gitlab-ci.yml file). The IaC templates in the scanned directory must not exceed the 300MB size limit.

  ```yaml
  include:
    - remote: 'https://gitlab.com/prismacloud-public/shift-left/extension/-/raw/master/.pcs.gitlab-ci.yml'
  ```

- Extend the pipeline job from .pcs_iac_scan.

  ```yaml
  prisma-cloud-scan:
    stage: build
    extends:
      - .pcs_iac_scan
  ```

- Modify IaC scan variable values. You can define a variable again in the .gitlab-ci.yml file to override the value for any variable specified in the project settings.

  ```yaml
  prisma-cloud-scan:
    stage: build
    extends:
      - .pcs_iac_scan
    variables:
      prisma_cloud_asset_name: ${CI_PROJECT_NAME}
      prisma_cloud_cicd_tags: "project:scan-api-test"
      prisma_cloud_repo_dir: ${CI_PROJECT_DIR}/tests/templateFiles/k8s
  ```

  A sample .gitlab-ci.yml is shown below:

  ```yaml
  include:
    - remote: 'https://gitlab.com/prismacloud-public/shift-left/extension/-/raw/master/.pcs.gitlab-ci.yml'

  stages:
    - build

  prisma-cloud-scan:
    stage: build
    extends: .pcs_iac_scan
    variables:
      prisma_cloud_api_url: https://api.prismacloud.io
      prisma_cloud_access_key: ${access_key_app2slqa}
      prisma_cloud_secret_key: ${secret_key_app2slqa}
      prisma_cloud_asset_name: ${CI_PROJECT_NAME}
      prisma_cloud_cicd_tags: "project:scan-api-test"
      prisma_cloud_repo_dir: ${CI_PROJECT_DIR}/tests/templateFiles/k8s
  ```

- View IaC scan results. The Prisma Cloud IaC scan uses the failure criteria you defined in the prisma_cloud_cicd_failure_criteria environment variable to pass or fail a scan. When it detects a security issue, it generates an artifact. The scan report is in JUnit-compatible format, and you can view the results on your GitLab pipeline and on the DevOps Inventory on Prisma Cloud.
  - View the scan results on the Tests tab of your GitLab pipeline. The tab lists the job results; select a job to see the IaC scan result with details for that job.
  - View the Prisma Cloud IaC scan results on the Prisma Cloud administrator console: select Inventory > DevOps, select the job, and view the details.
Set Up a Custom GitLab Pipeline Job for Container Image Scan
You can add container image scans to the extension
you have already configured for IaC scans, or you can configure
the extension to perform just container image scans.
- Add the Prisma Cloud GitLab extension to the GitLab CI configuration. The GitLab CI configuration is stored in the .gitlab-ci.yml file. Add the following lines to this file:

  ```yaml
  include:
    - remote: 'https://gitlab.com/prismacloud-public/shift-left/extension/-/raw/master/.pcs.gitlab-ci.yml'
  ```

- Extend the pipeline job from .pcs_compute_scan.

  ```yaml
  prisma-cloud-compute-scan:
    stage: build
    extends:
      - .pcs_compute_scan
  ```

- Refine the scan variables. You can override the value for any variable specified in the project settings by defining the variable again in the .gitlab-ci.yml file. Verify that the prisma_cloud_scan_image is present in the runner's Docker daemon before you execute the image scan script ./image_scan.sh.

  ```yaml
  prisma-cloud-compute-scan:
    stage: build
    extends: .pcs_compute_scan
    variables:
      prisma_cloud_scan_image: nginx:latest
    script:
      # build or pull your docker image first
      - docker pull $prisma_cloud_scan_image
      # trigger the pre-defined image scan script located in the current directory
      - ./image_scan.sh
  ```

- View container scan results. The Prisma Cloud container image scan uses the failure criteria you defined in the prisma_cloud_cicd_failure_criteria environment variable to pass or fail a scan. When it detects a security issue, it generates an artifact. The scan report is in JUnit-compatible format, and you can view the results on your GitLab pipeline and on the DevOps Inventory on Prisma Cloud.
  - View the scan results on the Tests tab of your GitLab pipeline. The tab lists the job results; select a job to see the container scan result with details for that job.