Use the Prisma Cloud Extension for GitLab SCM

IaC scan for GitLab SCM
Use the Prisma Cloud extension to scan IaC templates when you create or update a merge request. You can define failure criteria for each GitLab project and view the scan results directly in the GitLab user interface. In addition, the Prisma Cloud extension can create GitLab issues that report details from IaC scans for checks against security policies. This ability enables you to fix all the reported issues before your changes are merged into the repository.
The sections below describe how to set up the Prisma Cloud extension and how to use it.

Configure the Prisma Cloud Extension for GitLab SCM

The Prisma Cloud Extension for GitLab SCM does not require a separate software installation, but it does require the following configuration steps.
Much of the configuration involves setting environment variables in your GitLab project settings. The image below summarizes the environment variables you will set to configure your project for IaC scans.
(Image: gitlab-scm-env-vars.png)
If you want to run IaC scans for both GitLab SCM and GitLab CI/CD in a single project, you can set environment variables for both in your project settings.
  1. Set environment variables to support a connection to the Prisma Cloud API.
    1. In GitLab, navigate to Project > Settings > CI/CD > Variables and add the connection settings as environment variables.
    2. Set the Prisma Cloud API URL as the value for the prisma_cloud_api_url environment variable.
      The API URL for Prisma Cloud varies depending on the region and cluster on which your tenant is deployed. If the tenant provisioned for you is, for example, https://app2.prismacloud.io or https://app.eu.prismacloud.io, replace app in the URL with api and enter the result here. Refer to the Prisma Cloud REST API Reference for more details.
    3. Add your Prisma Cloud access key as the value for the access_key environment variable.
      The access key enables programmatic access. If you do not have a key, see Create and Manage Access Keys.
    4. Add your GitLab server name as the value for the scm_asset_name environment variable.
      Prisma Cloud uses the asset name to track results. Some example names are creditapp_server and ConsumerBU_server.
    5. Create a GitLab access token by navigating to User settings > Access tokens and creating a new GitLab access token with the following permissions: api, read_user, and read_repository.
      These permissions are necessary for the webhook to send the required data to the Prisma Cloud IaC service so that it can perform the checks against security policies.
  2. Set up the failure criteria for merge request checks.
    You can set the environment variable scm_failure_mr_criteria to define the number and severity of security policy check failures that must occur to trigger a merge request failure. The syntax for the scm_failure_mr_criteria value is as follows.
    High: x, Medium: y, Low: z, Operator: op
    In the syntax above, x is a count of high-severity policy check failures, y is a count of medium-severity policy check failures, and z is a count of low-severity policy check failures. The Operator value determines what combination of High/Medium/Low counts should result in a merge request failure. The default for each count is 0. The value for Operator, op, can be either OR or AND. The default is OR. Some examples of settings for scm_failure_mr_criteria are as follows.
    • scm_failure_mr_criteria=High:0, Medium:0, Low: 0, Operator: OR
      The setting above would result in a failed merge request security check for any detected policy check failure.
    • scm_failure_mr_criteria=High:1000, Medium:1000, Low: 1000, Operator: AND
      The setting above would result in merge requests never failing a security check.
  3. Set up the failure criteria for GitLab issue creation.
    You can set the environment variable scm_failure_issue_criteria to define the number and severity of security policy check failures that must occur during a merge request to trigger creation of a GitLab issue. The syntax of the variable value is the same as that for scm_failure_mr_criteria: the value includes High, Medium, and Low counts and an Operator whose possible values are AND and OR.
  4. Set up the Prisma Cloud tags.
    Prisma Cloud tags are different from GitLab tags or cloud tags that you might have included within your IaC templates. Prisma Cloud tags enable visibility on the Prisma Cloud administrator console.
    Provide the value for the scm_tags environment variable as a comma-separated list of tags that you define. An example is:
    scm_tags=project x, owner=mr.y, compliance=pci
  5. Set up a webhook to perform the IaC scan during merge request operations.
    1. Navigate to Project > Settings > Webhooks.
      (Image: gitlab-scm-webhook-for-iac-scan.png)
    2. Specify https://scan.api.redlock.io/gitlab/v1 in the URL field.
      This URL is the Prisma Cloud SaaS API that supports IaC scanning for GitLab.
    3. Provide the GitLab access token that you generated earlier in the Secret Token field.
    4. Select Merge request events as the trigger.
    5. Select Enable SSL verification.
    6. Select the Add webhook button to add the webhook you just configured.
      Your newly added webhook should appear in the Project Hooks list on the same page.
  6. Create the .prismaCloud/config.yml file and add it to the root directory of your repository branch. The file is required, and it must include the template type, version, and the template-specific parameters and tags you use in your environment.

Run an IaC Scan in a Merge Request

When you create, update, or reopen a merge request with added or modified files, this setup triggers a merge request event that invokes a Prisma Cloud IaC scan of all files in the merge request. The scan does not include deleted files.
You can see the results of the IaC scan in a comment on the merge request. If the scan results meet or exceed the failure criteria set in the environment variable scm_failure_mr_criteria, the results show that the security check failed.
The following shows the result of an IaC scan for a merge request. In this example, the IaC scan resulted in some security policy check failures. Because the number and severity of the failures did not meet the failure criteria set in the environment variable scm_failure_mr_criteria, the security check passed and the merge request succeeded.
(Image: gitlab-scm-mr-iac-scan-failure.png)
The following is an example of the output that occurs when the failure criteria in the environment variable scm_failure_issue_criteria are met or exceeded.
(Image: gitlab-scm-mr-issue-iac-scan-failure.png)