Use the Prisma Cloud Extension for the GitLab CI/CD Pipeline

You can use the Prisma Cloud extension for GitLab CI/CD to scan IaC templates against Prisma Cloud policies or to scan container images for vulnerabilities.
To scan IaC templates in the build or release phase of the GitLab CI/CD pipeline, you need to configure the Prisma Cloud extension. To start, include the Prisma Cloud IaC extension template file in your .gitlab-ci.yml file, then configure the extension using GitLab variables and the config.yml file. When you then use this extension to scan your templates in the pipeline, the failure thresholds you specify are used to pass or fail the check based on the severity and number of the security issues detected. When the scan passes, the code can be merged. If the scan fails, the security issues must be fixed before the code changes can be merged.
The inputs required for scanning IaC templates in the build or release phase of the GitLab CI/CD pipeline are:
  • Connection settings, as environment variables, to enable communication between the Prisma Cloud API server and your GitLab pipeline.
  • The .gitlab-ci.yml file at the root level of your repository.
    For any commit or push to your repository, this file starts jobs on GitLab runners according to its contents. You must have a shared runner or a project-specific/custom runner for the job to run successfully.
  • The config.yml file at the root level of the project, under the .prismaCloud directory.
    The path for this file must be .prismaCloud/config.yml. Prisma Cloud requires this configuration file to learn about your IaC module structure, runtime variables, and tags so that it can scan the IaC templates in your repository.
Setting up the Prisma Cloud extension to scan container images for vulnerabilities is very similar to the IaC scan setup. You first connect to Prisma Cloud Compute using environment variables; the container image scan is then available as a command that you invoke through a pipeline job.
The inputs required for scanning container images are:
  • Connection settings, as environment variables, to enable communication between the Prisma Cloud Compute console and your GitLab pipeline.
  • The .gitlab-ci.yml file at the root level of your repository.
  • The image to scan.
    You can either provide the image details as an environment variable or scan an image directly using a twistcli command in the pipeline job.
To set up the Prisma Cloud GitLab extension, complete the sections that follow.
If you have been using the Prisma Cloud GitLab extension v1, the environment variables are unchanged. The .gitlab-ci.yml file, however, has been simplified as described in Set Up a Custom GitLab Pipeline Job for IaC Scan.

Configure the Prisma Cloud Extension for GitLab CI/CD

The table below summarizes the environment variables you must configure for your GitLab project (For / Key / Description).

For: IaC Template Scan

  prisma_cloud_api_url
    Prisma Cloud base API URL. The API URL varies with the region and cluster on which your tenant is deployed. If the tenant provisioned for you is, for example, https://app2.prismacloud.io or https://app.eu.prismacloud.io, replace app in the URL with api (https://api2.prismacloud.io or https://api.eu.prismacloud.io). Refer to the Prisma Cloud REST API Reference for more details.

  prisma_cloud_access_key
    Prisma Cloud access key for API access. If you do not have a key, see Create and Manage Access Keys.

  prisma_cloud_secret_key
    Secret key that corresponds to the Prisma Cloud access key. Store it as a masked project variable rather than in the committed .gitlab-ci.yml.

  prisma_cloud_cicd_asset_name
    GitLab server name.

  prisma_cloud_repo_dir
    Template repository directory on the GitLab runner. Your IaC files must be in this directory. You cannot mix different template types (CFT, Terraform, etc.) in a single scan.

  prisma_cloud_cicd_failure_criteria (Optional)
    String that defines the thresholds that trigger a pipeline failure, in the form High:x,Medium:y,Low:z,Operator:O, where x, y, z are the number of issues of each severity that count as reaching the threshold and O is OR or AND. For example:
      • To fail the pipeline only when at least one high severity issue is detected (medium and low issues would each have to reach 1000 to count):
        High:1,Medium:1000,Low:1000,Operator:or
      • To never fail the pipeline in practice (all three counts would have to reach 1000 at once):
        High:1000,Medium:1000,Low:1000,Operator:and
    If you do not define the failure criteria, the default High:1,Medium:1,Low:1,Operator:or applies, so a single detected issue of any severity fails the pipeline.

  prisma_cloud_cicd_tags (Optional)
    Prisma Cloud tags are different from GitLab tags or the cloud tags you may have included within your IaC templates. Prisma Cloud tags enable visibility on the Prisma Cloud administrator console. For example:
      prisma_cloud_cicd_tags: project:x,owner:mr.y,compliance:pci

For: Container Image Scan

  prisma_cloud_compute_url
    Base URL for the Prisma Cloud Compute console, for example https://console.example.com:8083.

  prisma_cloud_compute_username
    Prisma Cloud Compute user with the CI User role. You must set up a user who belongs to the Build and Deploy Security permission group; see Create Prisma Cloud Roles.

  prisma_cloud_compute_password
    Password for that Prisma Cloud Compute user (container image scan only). Store it as a masked project variable.

  prisma_cloud_scan_image
    Target image to scan: an image ID, a name:tag, or an image tar file name. You can use regular expressions when specifying image names, such as nginx*.
  1. Set up the connection to the Prisma Cloud API.
    1. Add the connection settings as environment variables under Project > Settings > CI/CD > Variables.
      You can also define these variables in the .gitlab-ci.yml under variables instead of in the project settings. Keep prisma_cloud_secret_key and prisma_cloud_compute_password in the project settings with Mask variable enabled rather than in the committed file, so they do not end up in the repository history or in job logs.
    2. Set the Prisma Cloud API URL as the value for the prisma_cloud_api_url environment variable.
    3. Add your Prisma Cloud access key as the value for the prisma_cloud_access_key environment variable, and the matching secret key as the value for prisma_cloud_secret_key.
      The access key pair enables programmatic access.
    4. Add your GitLab server name as the value for the prisma_cloud_cicd_asset_name environment variable.
      On Prisma Cloud, the asset name is used to track results. Example names are creditapp_server and ConsumerBU_server.
  2. Set up environment variables for container image scans.
    Set up the following environment variables only if you want to run container image scans. As with the environment variables that support IaC scans, add them under Project > Settings > CI/CD > Variables.
    1. Add prisma_cloud_compute_url, whose value is the base URL for your Prisma Cloud Compute console.
    2. Add prisma_cloud_compute_username, whose value is the Prisma Cloud Compute user with the CI User role.
    3. Add prisma_cloud_compute_password, whose value is the password for that Prisma Cloud Compute user.
    4. Add prisma_cloud_scan_image, whose value identifies the image to scan.
  3. Create the .prismaCloud/config.yml file and add it to the root directory of your repository branch. The file is required, and it must include the template type, version, and the template-specific parameters and tags you use in your environment.

Set Up a Custom GitLab Pipeline Job for IaC Scan

  1. Add the Prisma Cloud GitLab extension to the GitLab CI configuration.
    The GitLab CI configuration is stored in the .gitlab-ci.yml file. Add the following to this file:
      include:
        - remote: 'https://gitlab.com/prismacloud-public/shift-left/extension/-/raw/master/.pcs.gitlab-ci.yml'
    Refer to the GitLab documentation to learn about the .gitlab-ci.yml file.
    Because this include is fetched from the master branch of the extension repository on every pipeline run, any change to that file changes what your job does. If you need a fixed version, put a specific commit SHA or tag in place of master in the URL.
    The IaC templates in the prisma_cloud_repo_dir directory must not exceed the 300MB size limit.
  2. Extend the pipeline job from .pcs_iac_scan.
      prisma-cloud-scan:
        stage: build
        extends:
          - .pcs_iac_scan
  3. Modify IaC scan variable values.
    You can define a variable again in the .gitlab-ci.yml file to override the value set in the project settings. The names must match the keys the included template reads exactly; GitLab does not warn about a misspelled variable, it is simply never read and the scan falls back to its default.
      prisma-cloud-scan:
        stage: build
        extends:
          - .pcs_iac_scan
        variables:
          prisma_cloud_asset_name: ${CI_PROJECT_NAME}
          prisma_cloud_cicd_tags: "project:scan-api-test"
          prisma_cloud_repo_dir: ${CI_PROJECT_DIR}/tests/templateFiles/k8s
    A sample .gitlab-ci.yml is shown below. Note that it does not place the key values in the file; it references project variables (access_key_app2slqa, secret_key_app2slqa) that hold them.
      include:
        - remote: 'https://gitlab.com/prismacloud-public/shift-left/extension/-/raw/master/.pcs.gitlab-ci.yml'

      stages:
        - build

      prisma-cloud-scan:
        stage: build
        extends: .pcs_iac_scan
        variables:
          prisma_cloud_api_url: https://api.prismacloud.io
          prisma_cloud_access_key: ${access_key_app2slqa}
          prisma_cloud_secret_key: ${secret_key_app2slqa}
          prisma_cloud_asset_name: ${CI_PROJECT_NAME}
          prisma_cloud_cicd_tags: "project:scan-api-test"
          prisma_cloud_repo_dir: ${CI_PROJECT_DIR}/tests/templateFiles/k8s
  4. View IaC scan results.
    The Prisma Cloud IaC scan uses the failure criteria you defined in the prisma_cloud_cicd_failure_criteria environment variable to pass or fail a scan. When it detects a security issue, it generates an artifact. The scan report is in JUnit-compatible format, and you can view the results on your GitLab pipeline and in the DevOps Inventory on Prisma Cloud.
    • View the scan results on the Tests tab of your GitLab pipeline: the list of job results, and the IaC scan result with details for a specific job.
    • View the Prisma Cloud IaC scan results on the Prisma Cloud administrator console under Inventory > DevOps: select the job and view the details.
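Several of the inputs described in this procedure fail late or silently when they are wrong: an unset credential, a config.yml at the wrong path, a template directory over the 300MB limit, or mixed template types in one scan. The following POSIX shell pre-flight check is an added example, not part of the Prisma Cloud extension; it can run in a job that precedes the scan job, or in the scan job's before_script if the included template does not define one (a before_script in the extending job replaces the template's). The variable names, the required .prismaCloud/config.yml path and the 300MB limit come from this page; the file-based heuristic for telling Terraform from CloudFormation templates is this example's own assumption.

```shell
#!/bin/sh
# Added example, not part of the Prisma Cloud extension: pre-flight checks for
# the inputs the IaC scan job depends on. Variable names, the required
# .prismaCloud/config.yml path and the 300MB limit are taken from the page; the
# file-extension heuristic used to tell Terraform from CloudFormation is an
# assumption of this script.

# pcs_iac_preflight REPO_DIR PROJECT_ROOT
#   REPO_DIR      value of prisma_cloud_repo_dir (directory holding the templates)
#   PROJECT_ROOT  repository checkout, normally $CI_PROJECT_DIR
# Exit status: 0 = all checks pass, 1 = at least one failed (each is reported on stderr).
pcs_iac_preflight() {
  repo_dir=$1 project_root=$2 rc=0

  # 1. Connection settings must be present. Keep the secret key in a masked
  #    project variable rather than in the committed .gitlab-ci.yml.
  for v in prisma_cloud_api_url prisma_cloud_access_key prisma_cloud_secret_key prisma_cloud_cicd_asset_name; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "preflight: $v is not set" >&2; rc=1; }
  done

  # 2. Prisma Cloud reads the configuration from exactly this path.
  [ -f "$project_root/.prismaCloud/config.yml" ] \
    || { echo "preflight: missing $project_root/.prismaCloud/config.yml" >&2; rc=1; }

  # 3. The template directory must exist and stay under the 300MB limit.
  if [ ! -d "$repo_dir" ]; then
    echo "preflight: template directory not found: $repo_dir" >&2
    return 1
  fi
  size_mb=$(du -sm "$repo_dir" | cut -f1)
  [ "$size_mb" -le 300 ] || { echo "preflight: templates are ${size_mb}MB, limit is 300MB" >&2; rc=1; }

  # 4. One template type per scan. Heuristic (assumption): *.tf files are
  #    Terraform; JSON/YAML files containing AWSTemplateFormatVersion are CloudFormation.
  tf_count=$(find "$repo_dir" -type f -name '*.tf' | wc -l | tr -d ' ')
  cft_count=$(find "$repo_dir" -type f \( -name '*.json' -o -name '*.yaml' -o -name '*.yml' \) \
                -exec grep -q 'AWSTemplateFormatVersion' {} \; -print | wc -l | tr -d ' ')
  if [ "$tf_count" -gt 0 ] && [ "$cft_count" -gt 0 ]; then
    echo "preflight: mixed template types ($tf_count Terraform, $cft_count CloudFormation) in $repo_dir" >&2
    rc=1
  fi
  return $rc
}

# Usage from the pipeline (paths as in the sample .gitlab-ci.yml above):
#   pcs_iac_preflight "${CI_PROJECT_DIR}/tests/templateFiles/k8s" "${CI_PROJECT_DIR}" || exit 1
```

The check deliberately reports every failed input before returning, so one pipeline run surfaces all of them instead of one per retry.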

Set Up a Custom GitLab Pipeline Job for Container Image Scan

You can add container image scans to the extension you have already configured for IaC scans, or you can configure the extension to perform just container image scans.
  1. Add the Prisma Cloud GitLab extension to the GitLab CI configuration.
    The GitLab CI configuration is stored in the .gitlab-ci.yml file. Add the following to this file:
      include:
        - remote: 'https://gitlab.com/prismacloud-public/shift-left/extension/-/raw/master/.pcs.gitlab-ci.yml'
  2. Extend the pipeline job from .pcs_compute_scan.
      prisma-cloud-compute-scan:
        stage: build
        extends:
          - .pcs_compute_scan
  3. Refine container image scan variables.
    You can override the value for any variable specified in the project settings by defining the variable again in the .gitlab-ci.yml file. Verify that the image named in prisma_cloud_scan_image is present in the runner's Docker daemon before you execute the image scan script ./image_scan.sh.
      prisma-cloud-compute-scan:
        stage: build
        extends: .pcs_compute_scan
        variables:
          prisma_cloud_scan_image: nginx:latest
        script:
          # build or pull your docker image first
          - docker pull $prisma_cloud_scan_image
          # trigger the pre-defined image scan script located in the current directory
          - ./image_scan.sh
  4. View container scan results.
    The Prisma Cloud container image scan uses the failure criteria you defined in the prisma_cloud_cicd_failure_criteria environment variable to pass or fail a scan. When it detects a security issue, it generates an artifact. The scan report is in JUnit-compatible format, and you can view the results on your GitLab pipeline and in the DevOps Inventory on Prisma Cloud.
    • View the scan results on the Tests tab of your GitLab pipeline: the list of job results, and the container scan result with details for a specific job.
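Step 3 above pulls the image unconditionally before ./image_scan.sh runs. An image that was just built in the pipeline has no registry to pull from, and a name pattern such as nginx* cannot be pulled at all, so the job would fail before the scan for the wrong reason. The following POSIX shell helper is an added example, not part of the Prisma Cloud extension: it checks the local Docker daemon first, pulls only when the image is absent, and refuses patterns so the problem is reported before the scan script is invoked. The DOCKER variable is an assumption of this example that lets the function be exercised with a stub in place of the docker client.

```shell
#!/bin/sh
# Added example, not part of the Prisma Cloud extension: make sure the image in
# prisma_cloud_scan_image is loaded in the runner's Docker daemon before
# ./image_scan.sh runs. DOCKER (defaults to "docker") is an assumption of this
# example so the function can be exercised with a stub instead of a real client.
: "${DOCKER:=docker}"

# pcs_ensure_image IMAGE
# Exit status: 0 = image is loaded (already present, or pulled now)
#              1 = not present and the pull failed
#              2 = IMAGE is a pattern such as nginx*, which cannot be pulled;
#                  build or load the concrete image first
pcs_ensure_image() {
  image=$1
  case $image in
    '' | *[*?]*)
      echo "pcs_ensure_image: need a concrete image reference, got '$image'" >&2
      return 2 ;;
  esac
  # An image built earlier in the pipeline has no registry to pull from, so
  # check the local daemon before pulling.
  if "$DOCKER" image inspect "$image" >/dev/null 2>&1; then
    return 0
  fi
  echo "pcs_ensure_image: $image not loaded, pulling" >&2
  "$DOCKER" pull "$image" >/dev/null 2>&1 \
    || { echo "pcs_ensure_image: pull failed for $image" >&2; return 1; }
}

# Usage in the job's script, in place of the unconditional docker pull:
#   pcs_ensure_image "$prisma_cloud_scan_image" && ./image_scan.sh
```

When prisma_cloud_scan_image is a pattern, leave the pull out entirely and make sure the build or load step that produces the matching images runs earlier in the same job.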
