Use the Prisma Cloud Plugin for CircleCI
Use the Prisma Cloud orb for CircleCI to scan
IaC templates and container images during CircleCI pipelines. In
order to use Prisma Cloud IaC scan functionality, you need to have
a connection to a Prisma Cloud API server and have details for that
connection specified as environment variables. Similarly, in order
to perform container image vulnerability scans, you need a connection to
the Prisma Cloud Compute console. When you create a custom task
to embed this functionality in your CircleCI pipeline, you can specify
the build or pipeline failure criteria based on the severity of
the security issues that are identified.
- Verify the prerequisites.
- Verify that the .circleci/config.yml is in your project root directory. CircleCI uses this file each time it runs a build.
- Set CircleCI org permissions to allow orbs that are not part of the Certified and Partner list. Your CircleCI org admin can opt in to use uncertified third-party orbs by navigating to Settings > Security and selecting the opt-in setting.
- For IaC scan, get the details for enabling authentication to Prisma Cloud.
- Prisma Cloud API URL. The URL for Prisma Cloud varies depending on the region and cluster on which your tenant is deployed. The tenant provisioned for you is, for example, https://app2.prismacloud.io or https://app.eu.prismacloud.io. Replace app in the URL with api and enter it here. Refer to the Prisma Cloud REST API Reference, which is accessible from the Help Center within the Prisma Cloud web interface, for more details.
- Access Key. The access key enables programmatic access to Prisma Cloud. If you do not have a key, you must Create and Manage Access Keys.
- Secret Key. You should have saved this secret key when you generated it. You cannot view it on the Prisma Cloud web interface.
- For image scan, get the details for authenticating to Prisma Cloud Compute.
- Prisma Cloud Compute URL. You need to copy the URL from the Prisma Cloud Compute interface, Manage > Defenders > Deploy.
- Prisma Cloud Compute username and password.
- Add the environment variables for enabling authentication to Prisma Cloud. On CircleCI, you must add the environment variables as name/value pairs. The following table lists the environment variables, and the figure below shows an example of environment variable settings for IaC scans.

| Name | Value | Notes |
| --- | --- | --- |
| prisma_cloud_asset_name | CircleCI server. Examples: creditapp_server, ConsumerBU_server | Used to track specific results in Prisma Cloud. For IaC scan only. Required. |
| prisma_cloud_secret_key | Prisma Cloud secret key | See Create and Manage Access Keys for details about the secret key. For IaC scan only. Required. |
| prisma_cloud_compute_pass | Prisma Cloud Compute password | The Prisma Cloud Compute user's password. |
| prisma_cloud_tags | Comma-separated list of key/value pairs. Examples: project:x, owner:mr.y, compliance:pci | Used for visibility in the Prisma Cloud UI. For IaC scan only. Optional. |
- For IaC scan, enter the Name and Value for the Prisma Cloud secret key. The default name is prisma_cloud_secret_key. If you enter a different name, make sure to match this name in the config.yml file in the next step.
- For IaC scan, enter the Name and Value for your asset name. Prisma Cloud uses prisma_cloud_asset_name to track specific scan results.
- For IaC scan, enter the Name and Value for all the prisma_cloud_tags you want to define. The Value is a comma-separated list of key/value pairs for the tags that you want to define. Use an equals sign to assign tag values to tag keys. Tags are optional but enable visibility in the Prisma Cloud UI.
- For image scan, enter the Name and Value for the Prisma Cloud Compute password. The default name is prisma_cloud_compute_pass. If you enter a different name, make sure to match this name in the config.yml file in the next step.
- Add the Prisma Cloud configuration file. The Prisma Cloud configuration file supports various IaC scan features. To add this file, create the subdirectory and file .prismacloud/config.yml in the root folder of your project or repository branch. See Set Up Your Prisma Cloud Configuration File for IaC Scan for details. Note that this file is different from .circleci/config.yml; subsequent references to config.yml in these steps mean the .circleci/config.yml file.
- Add the Prisma Cloud orb to the config.yml.
- Modify the config.yml to include the orb named prisma_cloud/devops_security for IaC and image scanning. Note that, through the orb, you can customize the IaC scan failure criteria and the vulnerability thresholds for image scanning based on your security needs. More details about the Prisma Cloud orb are available in the Prisma Cloud Orb Quick Start Guide. The following table lists the parameters you can specify to customize the Prisma Cloud IaC scan job in your orb.

| Parameter | Description | Required | Default | Type |
| --- | --- | --- | --- | --- |
| access_key | Prisma Cloud access key | no | $prisma_cloud_access_key | String |
| secret_key | Prisma Cloud secret key | no | prisma_cloud_secret_key | Environment variable |
| prisma_cloud_api_url | Prisma Cloud server URL | no | $prisma_cloud_console_url | String |
| terraform_variable_filenames | Comma-separated list of file names containing Terraform variables | no | '' | String |
| templates_directory_path | Directory path where IaC templates are stored. Note: the total size of the IaC templates in this directory cannot exceed 9 MB. | no | . | String |
| failure_criteria_high_severity | Provides the failure threshold for high severity security issues | no | 0 | Integer |
| failure_criteria_medium_severity | Provides the failure threshold for medium severity security issues | no | 0 | Integer |
| failure_criteria_low_severity | Provides the failure threshold for low severity security issues | no | 0 | Integer |
| failure_criteria_operator | Provides the operator for combining the high, medium and low severity failure thresholds | no | or | String |
| tags | Comma-separated list of tags for your task. Used for visibility in the Prisma Cloud UI. For IaC scan only. Optional. | no | '' | String |

The following table lists the parameters you can specify to customize the Prisma Cloud Compute container image scanning job in your orb.

| Parameter | Description | Required | Default | Type |
| --- | --- | --- | --- | --- |
| prisma_cloud_compute_user | The Prisma Cloud Compute user with the CI User role | no | $prisma_cloud_compute_user | String |
| prisma_cloud_compute_pass | The Prisma Cloud Compute user's password | no | prisma_cloud_compute_pass | Environment variable |
| prisma_cloud_compute_url | The base URL for the console, e.g. http://console.<abc>.com:8083, without a trailing / | no | $prisma_cloud_compute_url | String |
| workspace_name | Name of the workspace to "docker save" the image tar into so it can be scanned by the orb | no | workspace | String |
| image_tar | The name of the image tar file stored in the workspace | no | image.tar | String |
| image | The name of the image to scan: myimage, myorg/myimage or myorg/myimage:latest | yes | (none) | String |

The following script is an example that shows you how to add the details required to set up both IaC and container image scanning. Make sure that you have defined the secret key (prisma_cloud_secret_key for IaC scan) and the Prisma Cloud Compute password (prisma_cloud_compute_pass for container image scanning), each as an environment variable. The orb alias declared under orbs (pcs below) must be the same alias used for the executor and the scan_iac and scan_image jobs.

```yaml
version: 2.1

orbs:
  # Alias for the Prisma Cloud orb; the jobs and executor below refer to it as pcs/...
  pcs: prisma_cloud/devops_security@2.0.0

jobs:
  docker_safe_build:
    executor: pcs/compute
    steps:
      - checkout
      - run: 'docker pull nginx'
      # Scan the pulled image against the Prisma Cloud Compute console
      - pcs/scan_image:
          prisma_cloud_compute_url: https://us-east1.cloud.twistlock.com/console123
          prisma_cloud_scan_image: nginx

workflows:
  scan:
    jobs:
      # IaC scan of the templates under ./scan; the secret key comes from the environment
      - pcs/scan_iac:
          prisma_cloud_api_url: <prisma cloud api url>
          prisma_cloud_repo_dir: ./scan
          prisma_cloud_asset_name: $CIRCLE_PROJECT_REPONAME
          prisma_cloud_tags: "svc:github.com"
      - docker_safe_build
```
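The following .circleci/config.yml is an added example, not Prisma Cloud's own documentation sample or the orb's code. It ties the steps above together: it pins the orb, runs the IaC scan with explicit per-severity failure criteria and tags, and then builds a container image and scans it before anything can be merged. It assumes the job names and executor used in the sample above (pcs/scan_iac, pcs/scan_image, pcs/compute), the parameter names listed in the two tables (which differ from the names in the sample above; check them against the orb version you pin), and that the credentials are left at their defaults so the orb reads access key, secret key, Compute user, Compute password and Compute URL from the environment variables configured earlier. The directory ./infra, the tfvars file names, the image name myorg/myimage and the threshold values are placeholders.

```yaml
version: 2.1

orbs:
  # Pin the orb version so a pipeline never silently picks up a changed scanner.
  pcs: prisma_cloud/devops_security@2.0.0

jobs:
  build_and_scan_image:
    executor: pcs/compute
    steps:
      - checkout
      # Build the image under test from the repository's Dockerfile (placeholder name/tag).
      - run: docker build -t myorg/myimage:${CIRCLE_SHA1} .
      - pcs/scan_image:
          # prisma_cloud_compute_url, prisma_cloud_compute_user and
          # prisma_cloud_compute_pass are left at their defaults, so the orb
          # takes them from the environment variables set in the CircleCI project.
          image: myorg/myimage:${CIRCLE_SHA1}
          # The orb "docker save"s the image into this workspace as this tar file
          # (both are the table defaults, shown here for clarity).
          workspace_name: workspace
          image_tar: image.tar

workflows:
  security_scans:
    jobs:
      - pcs/scan_iac:
          # "app" in the tenant URL replaced by "api"; placeholder for the tenant's region.
          prisma_cloud_api_url: https://api2.prismacloud.io
          # access_key / secret_key left at their defaults: read from
          # prisma_cloud_access_key and prisma_cloud_secret_key in the environment.
          # Keep this directory under the 9 MB limit noted in the parameter table.
          templates_directory_path: ./infra
          terraform_variable_filenames: "prod.tfvars,common.tfvars"
          # Any high finding fails the job; medium and low get an allowance.
          failure_criteria_high_severity: 0
          failure_criteria_medium_severity: 5
          failure_criteria_low_severity: 20
          # "or": fail when any one threshold is exceeded.
          # "and": fail only when all three thresholds are exceeded.
          failure_criteria_operator: or
          tags: "project:payments,owner:platform-team,compliance:pci"
      # Do not build or scan the image until the IaC templates pass.
      - build_and_scan_image:
          requires:
            - pcs/scan_iac
```

With failure_criteria_operator set to or, the IaC job fails as soon as any single severity count exceeds its threshold, which is the stricter gate; and makes the job fail only when all three counts are over their thresholds, so use it only where you deliberately want low and medium findings to be reported without blocking the merge.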
- Check the scan results. After you update the config.yml, whenever a PR is created, the Prisma Cloud orb checks for any potential issues. The build is a Success or a Failure depending on whether the number of issues detected is lower than or higher than the specified threshold. When the scan starts, you can view the status. In the following image you can view the status of the checks: the IaC scan reports as successful, while the image scan has completed the prerequisite check and is pending completion. The ability to merge code is enabled only when the result is successful. Click Details to view more information. When any of the checks are unsuccessful, the results are generated as a JUnit report by default, so they show up in the TESTS tab. The same information is also available in the Prisma Cloud DevOps Inventory page. If csv is included in the report list parameter, then results.csv is uploaded to CircleCI, and you can download the violation results from the ARTIFACTS tab. The following is an example of IaC scan results when the scan is successful and you have no detected security issues. The following is an example of IaC scan results when the result was successful but with issues. The following is an example of IaC scan results that returned a failure because of the number and type of security issues found. The following shows an example of container image scan results that failed because the image scan found security issues in the image.