Use the Prisma Cloud Extension for GitLab SCM
IaC scan for GitLab SCM
Use the Prisma Cloud extension to scan IaC templates when you create or update a merge request. You can define failure criteria for each GitLab project and view the scan results directly in the GitLab user interface. In addition, the Prisma Cloud extension can create GitLab issues that report details from IaC scans for checks against security policies. This ability enables you to fix all the reported issues before your changes are merged into the repository.
The sections below describe how to set up the Prisma Cloud extension and how to use it.
Configure the Prisma Cloud Extension for GitLab SCM
The Prisma Cloud Extension for GitLab SCM does not require a separate software installation but does require the following configuration steps.
Much of the configuration involves setting environment variables in your GitLab project settings. The image below summarizes the environment variables you will set to configure your project for IaC scans.
If you want to run IaC scans for both GitLab SCM and GitLab CI/CD in a single project, you can set environment variables for both in your project settings.
- Set environment variables to support a connection to the Prisma Cloud API.
- In GitLab, navigate to Project > Settings > CI/CD > Variables and add the connection settings as environment variables.
- Set the Prisma Cloud API URL as the value for the prisma_cloud_api_url environment variable. The API URL for Prisma Cloud varies depending on the region and cluster on which your tenant is deployed. If the tenant provisioned for you is, for example, https://app2.prismacloud.io or https://app.eu.prismacloud.io, replace app in the URL with api and enter it here. Refer to the Prisma Cloud REST API Reference for more details.
- Add your Prisma Cloud access key as the value for the access_key environment variable.
- Add your GitLab server name as the value for the scm_asset_name environment variable. Prisma Cloud uses the asset name to track results. Some example names are creditapp_server and ConsumerBU_server.
- Create a GitLab access token by navigating to User settings > Access tokens and creating a new GitLab access token with the following permissions: api, read_user, and read_repository. These permissions are necessary to enable the webhook to send the required data to the Prisma Cloud IaC service, which performs the checks against security policies.
- Set up the failure criteria for merge request checks. You can set the environment variable scm_failure_mr_criteria to define the number and severity of security policy check failures that need to occur to trigger a merge request failure. The syntax for the scm_failure_mr_criteria value is as follows.
High: x, Medium: y, Low: z, Operator: op
In the syntax above, x is a count of high-severity policy check failures, y is a count of medium-severity policy check failures, and z is a count of low-severity policy check failures. The Operator value determines what combination of High/Medium/Low counts should result in a merge request failure. The default for each count is 0. The value for Operator, op, can be either OR or AND. The default is OR. Some examples of settings for scm_failure_mr_criteria are as follows.
- scm_failure_mr_criteria=High:0, Medium:0, Low: 0, Operator: OR
The setting above would result in a failed merge request security check for any detected policy check failure.
- scm_failure_mr_criteria=High:1000, Medium:1000, Low: 1000, Operator: AND
The setting above would result in merge requests never failing a security check.
- Set up the failure criteria for GitLab issue creation. You can set the environment variable scm_failure_issue_criteria to define the number and severity of security policy check failures that need to occur to trigger creation of a GitLab issue during a merge request. The syntax of the variable value is the same as that for scm_failure_mr_criteria: the value includes High, Medium, and Low counts and an Operator whose possible values are AND and OR.
- Set up the Prisma Cloud tags. Prisma Cloud tags are different from GitLab tags or cloud tags that you might have included within your IaC templates. Prisma Cloud tags enable visibility on the Prisma Cloud administrator console. Provide the value for the scm_tags environment variable as a comma-separated list of tags that you define. An example is: scm_tags=project x, owner=mr.y, compliance=pci.
- Set up a webhook to perform the IaC scan during merge request operations.
- Navigate to Project > Settings > Webhooks.
- Specify https://scan.api.redlock.io/gitlab/v1 in the URL field. This URL is the Prisma Cloud SaaS API that supports IaC scanning for GitLab.
- Provide the GitLab access token that you generated earlier in the Secret Token field.
- Select Merge request events as the trigger.
- Select Enable SSL verification.
- Select the Add webhook button to add the webhook you just configured. Your newly added webhook should appear under the Project Hooks list on the same page.
- Create the .prismaCloud/config.yml file and add it to the root directory of your repository branch. The file is required, and it must include the template type, version, and the template-specific parameters and tags you use in your environment.
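As an added example (not Prisma Cloud's own code and not part of the original page), the following Python evaluates the scm_failure_mr_criteria / scm_failure_issue_criteria syntax described above against a scan's per-severity failure counts. It assumes that a configured count of N trips on N+1 or more failures of that severity, which is the reading consistent with the two documented settings (all zeros with OR fails on any finding; all 1000 with AND never fails).

```python
# Added example (not Prisma Cloud's own code): evaluate the documented
# "High: x, Medium: y, Low: z, Operator: op" syntax shared by
# scm_failure_mr_criteria and scm_failure_issue_criteria.

SEVERITIES = ("High", "Medium", "Low")

def parse_criteria(value):
    """Return ({severity: threshold}, operator) for a criteria string.

    Missing counts default to 0 and a missing Operator defaults to OR, as
    documented; whitespace around ':' and ',' is tolerated.
    """
    thresholds = {sev: 0 for sev in SEVERITIES}
    operator = "OR"
    for part in value.split(","):
        if not part.strip():
            continue
        key, _, raw = part.partition(":")
        key, raw = key.strip().capitalize(), raw.strip()
        if key in thresholds:
            if not raw.isdigit():
                raise ValueError(f"{key} count must be an integer, got {raw!r}")
            thresholds[key] = int(raw)
        elif key == "Operator":
            operator = raw.upper()
            if operator not in ("AND", "OR"):
                raise ValueError(f"Operator must be AND or OR, got {raw!r}")
        else:
            raise ValueError(f"unknown key {key!r}")
    return thresholds, operator

def check_fails(counts, criteria):
    """True when a scan's per-severity failure counts trip the criteria.

    Assumption (the reading consistent with both documented examples): a
    severity trips when its count exceeds the configured number, so "High:0"
    trips on any high-severity failure and "High:1000" in practice never
    does. OR fails the check on any tripped severity; AND needs all three.
    """
    thresholds, operator = parse_criteria(criteria)
    tripped = [counts.get(sev, 0) > thresholds[sev] for sev in SEVERITIES]
    return any(tripped) if operator == "OR" else all(tripped)

# Constructed sample counts, as a scan comment on a merge request might report.
SAMPLE_COUNTS = {"High": 0, "Medium": 2, "Low": 5}

if __name__ == "__main__":
    for crit in ("High:0, Medium:0, Low: 0, Operator: OR",
                 "High:1000, Medium:1000, Low: 1000, Operator: AND"):
        print(crit, "->", "FAILED" if check_fails(SAMPLE_COUNTS, crit) else "passed")
```

Running the block with the constructed sample counts reports FAILED for the all-zeros OR setting and passed for the all-1000 AND setting, matching the two documented outcomes.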
Run an IaC Scan in a Merge Request
When you create, update, or reopen a merge request with added or modified files, this setup triggers a merge request event that invokes a Prisma Cloud IaC scan for all files in the merge request. The scan does not include deleted files.
You can see the results of the IaC scan in a comment on the merge request. If the scan results meet or exceed the failure criteria set in the environment variable scm_failure_mr_criteria, the results show that the security check failed.
The following shows the result of an IaC scan for a merge request. In this example, the IaC scan resulted in some security policy check failures. Since the number and severity of the failures did not meet the failure criteria set in the environment variable scm_failure_mr_criteria, the security check passed and the merge request succeeded.
The following is an example of the output that occurs when the failure criteria in the environment variable scm_failure_issue_criteria are met or exceeded.