Use the Prisma Cloud Plugin for CircleCI

Use the Prisma Cloud orb for CircleCI to scan IaC templates and container images during CircleCI pipelines. In order to use Prisma Cloud IaC scan functionality, you need to have a connection to a Prisma Cloud API server and have details for that connection specified as environment variables. Similarly, in order to perform container image vulnerability scans, you need a connection to the Prisma Cloud Compute console. When you create a custom task to embed this functionality in your CircleCI pipeline, you can specify the build or pipeline failure criteria based on the severity of the security issues that are identified.

Verify the prerequisites.

Verify the .circleci/config.yml is in your project root directory.

CircleCI uses this file each time it runs a build.

Set CircleCI org permissions to allow orbs that are not part of the Certified and Partner list. Your CircleCI org admin can opt in to use uncertified third-party orbs by navigating to

Settings

Security

and selecting the opt-in setting.

For IaC scan, get the details for enabling authentication to Prisma Cloud.

Prisma Cloud API URL

The URL for Prisma Cloud varies depending on the region and cluster on which your tenant is deployed. The tenant provisioned for you is, for example, https://app2.prismacloud.io or https://app.eu.prismacloud.io. Replace

app

in the URL with

api

and enter it here. Refer to the Prisma Cloud REST API Reference, which is accessible from the Help Center within the Prisma Cloud web interface for more details.

Access Key

The access key enables programmatic access to Prisma Cloud. If you do not have a key, you must Create and Manage Access Keys.

Secret Key

You should have saved this secret key when you generated it. You cannot view it on the Prisma Cloud web interface.

For image scan, get the details for authenticating to the Prisma Cloud Compute.

Prisma Cloud Compute URL.

You need to copy the URL from the Prisma Cloud interface,

Manage

Defenders

Deploy

Prisma Cloud Compute username and password.

Add the environment variables for enabling authentication to Prisma Cloud.

On CircleCI, you must add the environment variables as name value pairs. The following table lists the environment variables, and the figure below shows an example of environment variable settings for IaC scans.

Name	Value	Notes
prisma_cloud_asset_name	CircleCI server. Examples: creditapp_server, ConsumerBU_server	Used to track specific results in Prisma Cloud. For IaC scan only. Required.
prisma_cloud_secret_key	Prisma Cloud secret key	See Create and Manage Access Keys for details about the secret key. For IaC scan only. Required.
prisma_cloud_compute_pass	Prisma Cloud Compute password	The Prisma Cloud Compute users’s password.
prisma_cloud_tags	Comma-separated list of key/value pairs. Examples: project:x, owner:mr.y, compliance:pci	Used for visibility in Prisma Cloud UI. For IaC scan only. Optional.

For IaC scan, enter the

Name

and

Value

for the Prisma Cloud secret key.

The default name is

prisma_cloud_secret_key

. If you enter a different name, make sure to match this name in the config.yml file in the next step.

For IaC scan, enter the

Name

and

Value

for your asset name.

Prisma Cloud uses

prisma_cloud_asset_name

to track specific scan results.

For IaC scan, enter the

Name

and

Value

for all the

prisma_cloud_tags

you want to define.

The

Value

is a comma-separated list of key/value pairs for tags that you want to define. Use an equals sign to assign tag values to tag keys. Tags are optional but enable visibility in the Prisma Cloud UI.

For image scan, enter the

Name

and

Value

for the Prisma Cloud Compute password.

The default name is

prisma_cloud_compute_pass

. If you enter a different name, make sure to match this name in the config.yml file in the next step.

Add the Prisma Cloud configuration file.

The Prisma Cloud configuration file supports various IaC scan features. To add this file, create a subdirectory and file

.prismacloud/config.yml

in the root folder of your project or repository branch. See Set Up Your Prisma Cloud Configuration File for IaC Scan for details. Note that this file is different from

.circleci/config.yml

, and subsequent references to config.yml in these steps indicate the

.circleci/config.yml

file.

Add the Prisma Cloud orb to the config.yml.

Modify the config.yml to include the orb named prisma_cloud/devops_security for IaC and image scanning.

Note that, through the orb, you can customize the IaC scan failure criteria and the vulnerability thresholds for image scanning based on your security needs.

More details about the Prisma Cloud orb are available at Prisma Cloud Orb Quick Start Guide.

The following table lists the parameters you can specify to customize the Prisma Cloud IaC scan job in your orb.

Parameter	Description	Required	Default	Type
access_key	Prisma Cloud access key	no	$prisma_cloud_access_key	String
secret_key	Prisma Cloud secret key	no	prisma_cloud_secret_key	Environment variable
prisma_cloud_api_url	Prisma Cloud server URL	no	$prisma_cloud_console_url	String
terraform_variable_filenames	Comma-separated list of file names containing Terraform variables	no	‘’	String
templates_directory_path	Directory path where IaC templates are stored. Note: The total size of the IaC templates in this directory cannot exceed 9 MB.	no	.	String
faiure_criteria_high_severity	Provides failure threshold for high severity security issues	no	0	Integer
failure_criteria_medium_severity	Provides failure threshold for medium severity security issues	no	0	Integer
failure_criteria_low_severity	Provides failure threshold for low severity security issues	no	0	Integer
failure_criteria_operator	Provides operator for high, medium, low severity failure thresholds	no	or	String
tags	Comma-separated list of tags for your task. Used for visibility in Prisma Cloud UI. For IaC scan only. Optional.	no	‘’	String

The following table lists the parameters you can specify to customize the Prisma Cloud Compute container image scanning job in your orb.

Parameter	Description	Required	Default	Type
prisma_cloud_compute_user	The Prisma Cloud Compute user with the CI User role	no	$prisma_cloud_compute_user	String
prisma_cloud_compute_pass	The Prisma Cloud Compute user's password	no	prisma_cloud_compute_pass	Environment variable
prisma_cloud_compute_url	The base URL for the console -- e.g. http://console.<abc>.com:8083 -- without a trailing /	no	$prisma_cloud_compute_url	String
workspace_name	Name of workspace to “docker save” the image-tar into so it can be scanned by orb	no	workspace	String
image_tar	The name of the image tar file stored in the workspace	no	image.tar	String
image	The name of the image to scan -- myimage or myorg/myimage or myorg/myimage:latest	yes		String

The following script is an example that shows you how to add the details required to set up both IaC and container image scanning.

Make sure that you have defined the secret key (

prisma_cloud_secret_key

for IaC scan) and the Prisma Cloud compute password (

prisma_cloud_compute_pass

for container image scanning), each as an environment variable.


version: 2.1
orbs:
  scan: prisma_cloud/devops_security@2.0.0
jobs:
  scan_iac: scan/prisma_cloud
  docker_build_and_save:
    executor: scan/compute
    steps:
      - checkout
      - run: docker pull nginx
      - run: mkdir -p workspace
      - run: docker image
      - run: 'docker save nginx:latest -o workspace/image.tar'
      - persist_to_workspace:
          root: workspace
          paths:
              - image.tar
workflows:
  scan:
    jobs:
      - scan_iac:
          # Default env var for below: prisma_cloud_console_url
          prisma_cloud_api_url:<prisma cloud api url>
          # Default env var for below: prisma_cloud_access_key 
          access_key: <prisma cloud access key>
          # Default env var for below: prisma_cloud_secret_key 
          secret_key: prisma_cloud_secret_key 
          failure_criteria_high_severity: 1 
          failure_criteria_medium_severity: 2
          failure_criteria_low_severity: 3
          failure_criteria_operator: and
          tags: env:development, team:devOps
      - docker_build_and_save
      - scan/scan_image:
          requires:
            - docker_build_and_save
          # Default env var for below: prisma_cloud_compute_url
          prisma_cloud_compute_url: <prisma cloud compute console url>
          # Default env var for below: prisma_cloud_compute_user 
          prisma_cloud_compute_user: <prisma cloud compute username>
          # Default env var for below: prisma_cloud_compute_pass 
          prisma_cloud_compute_pass: prisma_cloud_compute_pass 
          image: 'myrepo/myimage:tag'
          image_tar: image.tar
          vulnerability_threshold: critical
          compliance_threshold: ''
          only_fixed: true

Check the scan results.

After you update the config.yml, whenever a PR is created, the Prisma Cloud orb checks for any potential issues. The build is a Success or Failure depending on whether the number of the of issues detected is lower than or more than the specified threshold.

When the scan starts, you can view the status:

In the following image you can view the status of the checks. The IaC scan reports as successful, while the image scan has completed the prerequisite check and is pending completion.