Use the Prisma Cloud Extension for GitLab SCM

IaC scan for GitLab SCM
Use the Prisma Cloud extension to scan IaC templates when you create or update a merge request. You can define failure criteria for each GitLab project and view the scan results directly in the GitLab user interface. In addition, the Prisma Cloud extension can create GitLab issues that report details from IaC scans for checks against security policies. This ability enables you to fix all the reported issues before your changes are merged into the repository.
The sections below describe how to set up the Prisma Cloud extension and how to use it.
If you have been using the Prisma Cloud GitLab extension v1, there are no updates to the environment variables. For backward compatibility, the GitLab user access token that you provided in v1 is still supported. You must, however, update the webhook URL to https://{api_server}/iac/v2/gitlab/webhook. See Step 3 for details.

Configure the Prisma Cloud Extension for GitLab SCM

The Prisma Cloud Extension for GitLab SCM uses a Webhook integration to scan your IaC templates. It uses a config.yml file where you specify the template type, template specific parameters, and the tags you use in your environment. The Prisma Cloud Extension for GitLab SCM does not require a software installation.
The following table summarizes the environment variables you must configure on your GitLab project to enable IaC scans.
If you want to run IaC scans for both GitLab SCM and GitLab CICD in a single project, you can set environment variables for both in your project settings.
  1. Create an access token on GitLab.
    1. Select User settings > Access tokens.
    2. Use a bot account or service account to create the token.
      The account requires the project Maintainer, Owner, or Administrator role to ensure the Prisma Cloud extension can read the environment variables. The required scopes are api, read_user, and read_repository, so that the webhook can send the appropriate data to the Prisma Cloud IaC service to perform the checks against security policies.
  2. Generate the Prisma Cloud GitLab SCM webhook token.
    Make a curl request or browse to the Prisma Cloud GitLab SCM API endpoint to get the webhook token with the following parameters:
    • prismacloud_api_server—Prisma Cloud base API URL. The API URL for Prisma Cloud varies depending on the region and cluster on which your tenant is deployed.
      If the tenant provisioned for you is, for example, https://app2.prismacloud.io or https://app.eu.prismacloud.io, replace app in the URL with api. Refer to the Prisma Cloud REST API Reference for more details.
    • access_key—Prisma Cloud access key for API access. If you do not have a key, see Create and Manage Access Keys.
    • secret_key—Secret key that corresponds to the Prisma Cloud access key.
    • project_repo—The name of the GitLab project that you want to scan using the Prisma Cloud SCM extension.
    • gitlab_token—The token you generated in the previous step.
    For example (the line continuation must be followed directly by a newline):
    curl -u {access_key}:{secret_key} --request GET \
      'https://{prismacloud_api_server}/iac/v2/gitlab/token?project={project_repo}&access_token={gitlab_token}'
    The response contains the webhook token:
    {"token":"HfwMaNS8zBNlszyxOAS2Q-QQYAEkRCntUWH2E90gldK49XkkibRu4FZVap2GImkjLo4cFAADm62aBQDzdYqg4Po7w9IDDTgy=="}
  3. Set up a webhook to perform the IaC scan during merge request operations.
    1. In your project, navigate to Settings > Webhooks.
      [Figure: gitlab-scm-webhook-for-iac-scan.png]
    2. Specify the webhook URL in the URL field.
      The webhook URL includes the Prisma Cloud API server URL and a set of optional query parameters. The syntax is:
      https://{api_server}/iac/v2/gitlab/webhook?{parameters}
      The parts of the URL are described below, each with its default where one applies.
      api_server
        Prisma Cloud API server. For example: api.prismacloud.io
      asset_name
        The IaC scan asset name you choose.
        Default: the GitLab project name.
      template_type
        The asset template type. Allowed values include cft, k8s and tf.
        Default: the template_type defined in .prismaCloud/config.yml.
      failure_mr_criteria
        The number and severity of security policy check failures that must occur to trigger a merge request failure. The syntax for the value is:
        High:x,Medium:y,Low:z,Operator:op
        Here x is the count of high-severity policy check failures, y is the count of medium-severity policy check failures, and z is the count of low-severity policy check failures. The Operator value determines which combination of the High/Medium/Low counts results in a merge request failure. The default for each count is 0. The value for Operator, op, can be either OR or AND; the default is OR.
        Default: High:1,Medium:1,Low:1,Operator:OR
      failure_issue_criteria
        The number and severity of security policy check failures that must occur to trigger GitLab issue creation. These criteria should be equal to or more restrictive than the merge request failure criteria, so that trivial findings do not create a large number of issues.
        Default: High:100,Medium:100,Low:100,Operator:AND
      tags
        Prisma Cloud tags are different from the GitLab tags or cloud tags that you might have included within your IaC templates. Prisma Cloud tags enable visibility in the Prisma Cloud administrator console.
        Provide the value as a comma-separated list of tags that you define, for example: project:x,owner:y
        Default: None
    3. Provide the Prisma Cloud GitLab SCM webhook token that you generated earlier in the Secret Token field.
    4. Select Merge request events as the trigger.
    5. Select Enable SSL verification.
    6. Select the Add webhook button to add the webhook you just configured.
      Your newly added webhook should appear in the Project Hooks list on the same page.
  4. Create the .prismaCloud/config.yml file and add it to the root directory of your repository branch. The file is required, and it must include the template type, version, and the template-specific parameters and tags you use in your environment.

Run an IaC Scan in a Merge Request

When you create, update, or reopen a merge request with added or modified files, this setup triggers a merge request event that invokes a Prisma Cloud IaC scan of all files in the merge request. The scan does not include deleted files.
You can see the results of the IaC scan in a comment on the merge request. If the scan results meet or exceed the failure criteria set in the environment variable prisma_cloud_scm_failure_mr_criteria, the results show that the security check failed.
The following shows the result of an IaC scan for a merge request. In this example, the IaC scan resulted in some security policy check failures. Because the number and severity of the failures did not meet the failure criteria set in the environment variable prisma_cloud_scm_failure_mr_criteria, the security check passed and the merge request succeeded.
[Figure: gitlab-scm-mr-iac-scan-failure.png]
The following is an example of the output when the failure criteria in the environment variable prisma_cloud_scm_failure_issue_criteria are met or exceeded.
[Figure: gitlab-scm-mr-issue-iac-scan-failure.png]
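The following is an added example, not Prisma Cloud's own code, that works through two things described above: the failure-criteria syntax (High:x,Medium:y,Low:z,Operator:op, with the documented defaults of 0 per count and OR for the operator) evaluated against a scan's failure counts, and the assembly of a webhook URL in which template_type is checked against the allowed values and the criteria strings are validated and percent-encoded. One point is an assumption the page does not state: a count of 0 is treated as "that severity is not part of the criteria", so a partial value such as High:1 does not fire on a clean scan. The sample scan counts in the block are constructed.

```python
"""Added example (not Prisma Cloud code): parse the failure-criteria syntax,
decide whether a scan result meets it, and assemble a webhook URL with the
criteria safely query-encoded."""
from urllib.parse import parse_qs, urlencode, urlsplit

SEVERITIES = ("High", "Medium", "Low")
ALLOWED_TEMPLATE_TYPES = {"cft", "k8s", "tf"}


def parse_criteria(spec):
    """Parse 'High:x,Medium:y,Low:z,Operator:op' into (thresholds, operator).

    Per the documentation, an omitted count defaults to 0 and an omitted
    Operator defaults to OR. Unknown keys or malformed elements raise.
    """
    thresholds = {sev: 0 for sev in SEVERITIES}
    operator = "OR"
    for part in (p.strip() for p in spec.split(",")):
        if not part:
            continue
        key, sep, value = part.partition(":")
        if not sep:
            raise ValueError(f"malformed criteria element: {part!r}")
        if key in SEVERITIES:
            if not value.isdigit():
                raise ValueError(f"{key} count must be a non-negative integer")
            thresholds[key] = int(value)
        elif key == "Operator":
            if value.upper() not in ("OR", "AND"):
                raise ValueError("Operator must be OR or AND")
            operator = value.upper()
        else:
            raise ValueError(f"unknown criteria key: {key!r}")
    return thresholds, operator


def criteria_met(spec, failures):
    """Return True when the scan's failure counts meet or exceed `spec`.

    `failures` maps a severity name to the number of failed policy checks
    at that severity (missing severities count as 0). With OR, one severity
    reaching its threshold is enough; with AND, all of them must.
    Assumption (not stated on the page): a threshold of 0 means that
    severity is not part of the criteria, so "High:1" alone does not fire
    on a scan with no findings.
    """
    thresholds, operator = parse_criteria(spec)
    active = [sev for sev in SEVERITIES if thresholds[sev] > 0]
    if not active:
        return False
    reached = [failures.get(sev, 0) >= thresholds[sev] for sev in active]
    return all(reached) if operator == "AND" else any(reached)


def build_webhook_url(api_server, asset_name=None, template_type=None,
                      failure_mr_criteria=None, failure_issue_criteria=None,
                      tags=None):
    """Build https://{api_server}/iac/v2/gitlab/webhook?{parameters}.

    Only the parameters you pass are included. template_type is checked
    against the allowed values, and both criteria strings are validated
    before urlencode() percent-encodes them (':' -> %3A, ',' -> %2C).
    """
    params = {}
    if asset_name:
        params["asset_name"] = asset_name
    if template_type:
        if template_type not in ALLOWED_TEMPLATE_TYPES:
            raise ValueError(f"template_type must be one of {sorted(ALLOWED_TEMPLATE_TYPES)}")
        params["template_type"] = template_type
    for name, spec in (("failure_mr_criteria", failure_mr_criteria),
                       ("failure_issue_criteria", failure_issue_criteria)):
        if spec:
            parse_criteria(spec)  # raises on bad syntax before it reaches GitLab
            params[name] = spec
    if tags:
        # Accept either the comma-separated string or a list of "key:value" tags.
        params["tags"] = tags if isinstance(tags, str) else ",".join(tags)
    url = f"https://{api_server}/iac/v2/gitlab/webhook"
    return url + ("?" + urlencode(params) if params else "")


def webhook_params(url):
    """Decode a webhook URL's query string back into a dict (for checking)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    # Constructed sample scan result: no high, two medium, three low failures.
    sample = {"High": 0, "Medium": 2, "Low": 3}
    print("MR fails:", criteria_met("High:1,Medium:1,Low:1,Operator:OR", sample))
    print("Issue opened:", criteria_met("High:100,Medium:100,Low:100,Operator:AND", sample))
    print(build_webhook_url("api.prismacloud.io", template_type="tf",
                            failure_mr_criteria="High:1,Medium:1,Low:1,Operator:OR",
                            tags=["project:x", "owner:y"]))
```

Run the file directly to see the sample scan evaluated against both documented defaults (the merge request fails, no issue is opened) and the resulting webhook URL. Validating the criteria strings locally before pasting the URL into GitLab catches a typo such as a misspelled severity name, which would otherwise only surface as an unexpected scan verdict.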
