Use the Prisma Cloud Plugin for CircleCI
If you use CircleCI to integrate code into a shared repository several times a day, you can configure the Prisma Cloud orb (a shareable package on Circle CI) to scan IaC templates and container images with each pull request (PR).
When you configure the Prisma Cloud orb to integrate with your GitHub or Bitbucket repository, each time a PR is created, the scan is automatically triggered as part of the pipeline. The scan uses the failure thresholds you specify to determine whether to pass or fail the check. When the scan is successful, the code can be merged. If the scan is unsuccessful, the security issues must be fixed in order to merge code changes.
- Verify the prerequisites.
  - GitHub or Bitbucket account. See GitHub with CircleCI for an example of how to integrate CircleCI with GitHub.
  - Verify that .circleci/config.yml is in your project root directory. CircleCI uses this file each time it runs a build.
  - CircleCI org permission to allow orbs that are not part of the Certified and Partner list.
  - For IaC scan, get the details for enabling authentication to Prisma Cloud.
    - Prisma Cloud API URL. The URL for Prisma Cloud varies depending on the region and cluster on which your tenant is deployed. The tenant provisioned for you is, for example, https://app2.prismacloud.io or https://app.eu.prismacloud.io. Replace "app" in the URL with "api" and enter it here. Refer to the Prisma Cloud REST API Reference, which is accessible from the Help Center within the Prisma Cloud web interface, for more details.
    - Access Key. The access key enables programmatic access to Prisma Cloud. If you do not have a key, you must Create and Manage Access Keys.
    - Secret Key. You should have saved this secret key when you generated it. You cannot view it on the Prisma Cloud web interface.
  - For image scan, get the details for authenticating to Prisma Cloud Compute.
    - Prisma Cloud Compute URL. Copy the URL from the Prisma Cloud interface under Manage > Defenders > Deploy.
    - Prisma Cloud Compute username and password.
- Add the environment variables for enabling authentication to Prisma Cloud. On CircleCI, you must add each environment variable as a name/value pair.
  - For IaC scan, enter the Name and Value for the Prisma Cloud secret key. The default name is PC_SECRET_KEY. If you enter a different name, make sure to match this name in the config.yml file in the next step.
  - For image scan, enter the Name and Value for the Prisma Cloud Compute password. The default name is PC_COMPUTE_PASS. If you enter a different name, make sure to match this name in the config.yml file in the next step.
- Add the Prisma Cloud orb to the config.yml.
  - Modify the config.yml to include the orb named prisma_cloud/devops_security for IaC and image scanning. The following script is an example that shows you how to add the details required to set up IaC and container image scanning. You can customize the IaC scan failure criteria and the vulnerability threshold for image scanning based on your security needs. See the Prisma Cloud orb documentation for the values permitted in these fields. Make sure that you have defined the secret key (PC_SECRET_KEY) and the Compute password (PC_COMPUTE_PASS) as environment variables; the config references them by name so the secrets themselves never appear in the repository. The orb version after the @ is a placeholder; pin it to the version you have tested.

```yaml
version: 2.1
orbs:
  scan: prisma_cloud/devops_security@<orb version>
jobs:
  scan_iac: scan/prisma_cloud
  docker_build_and_save:
    executor: scan/compute
    steps:
      - checkout
      - run: docker pull nginx
      - run: mkdir -p workspace
      - run: docker images   # confirm the pull succeeded
      - run: 'docker save nginx:latest -o workspace/image.tar'
      - persist_to_workspace:
          root: workspace
          paths:
            - image.tar
workflows:
  scan:
    jobs:
      - scan_iac:
          prisma_cloud_api_url: <prisma cloud api url>
          access_key: <prisma cloud access key>
          secret_key: PC_SECRET_KEY          # name of the CircleCI environment variable
          failure_criteria_high_severity: 1
          failure_criteria_medium_severity: 2
          failure_criteria_low_severity: 3
          failure_criteria_operator: and
      - docker_build_and_save
      - scan/scan_image:
          requires:
            - docker_build_and_save
          prisma_cloud_compute_url: <prisma cloud compute console url>
          prisma_cloud_compute_user: <prisma cloud compute username>
          prisma_cloud_compute_pass: PC_COMPUTE_PASS   # name of the CircleCI environment variable
          image: 'myrepo/myimage:tag'
          image_tar: image.tar
          vulnerability_threshold: critical
          compliance_threshold: ''
          only_fixed: true
```
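To make the gating parameters in the config above concrete, here is an added example (not the orb's or Prisma Cloud's code) that models how the IaC failure criteria and the image vulnerability threshold decide pass or fail. The semantics are assumptions: an IaC severity "hits" when its issue count reaches the configured threshold, and failure_criteria_operator combines the three hits with "and" or "or"; for images, any finding at or above vulnerability_threshold fails the build, and only_fixed skips findings with no fix available. The findings and CVE ids are constructed sample data. Check the orb documentation for the authoritative rules before relying on this logic.

```python
"""Model the pass/fail gates of the Prisma Cloud CircleCI orb parameters.

Added example; threshold semantics are assumptions (see lead-in), not
a statement of how the orb is implemented.
"""
from dataclasses import dataclass

# Severity ladder used to compare findings against vulnerability_threshold.
SEVERITY_ORDER = ["low", "medium", "high", "critical"]
IAC_SEVERITIES = ("high", "medium", "low")


def iac_scan_fails(counts: dict, thresholds: dict, operator: str) -> bool:
    """Apply failure_criteria_*_severity and failure_criteria_operator.

    counts     -> issues found per severity, e.g. {"high": 1, "medium": 0, "low": 5}
    thresholds -> the failure_criteria_<sev>_severity values from config.yml
    operator   -> "and" (all thresholds reached) or "or" (any threshold reached)
    """
    hits = [counts.get(sev, 0) >= thresholds[sev] for sev in IAC_SEVERITIES]
    if operator == "and":
        return all(hits)
    if operator == "or":
        return any(hits)
    raise ValueError(f"unknown failure_criteria_operator: {operator!r}")


@dataclass(frozen=True)
class Vulnerability:
    cve: str            # constructed placeholder ids below, not real CVEs
    severity: str       # one of SEVERITY_ORDER
    fix_available: bool


def image_scan_fails(vulns, vulnerability_threshold: str, only_fixed: bool) -> bool:
    """Apply vulnerability_threshold and only_fixed to a list of findings.

    An empty threshold ('') disables the vulnerability gate, mirroring the
    empty compliance_threshold in the sample config.
    """
    if not vulnerability_threshold:
        return False
    floor = SEVERITY_ORDER.index(vulnerability_threshold)
    for v in vulns:
        if only_fixed and not v.fix_available:
            continue  # unfixable today; do not block the merge on it
        if SEVERITY_ORDER.index(v.severity) >= floor:
            return True
    return False


# Constructed sample data matching the thresholds in the config above.
IAC_THRESHOLDS = {"high": 1, "medium": 2, "low": 3}
SAMPLE_IMAGE_FINDINGS = [
    Vulnerability("CVE-EXAMPLE-0001", "critical", fix_available=False),
    Vulnerability("CVE-EXAMPLE-0002", "high", fix_available=True),
]


def main() -> None:
    iac = iac_scan_fails({"high": 1, "medium": 1, "low": 0}, IAC_THRESHOLDS, "and")
    print("IaC gate (and) fails:", iac)
    img = image_scan_fails(SAMPLE_IMAGE_FINDINGS, "critical", only_fixed=True)
    print("Image gate (critical, only_fixed) fails:", img)


if __name__ == "__main__":
    main()
```

The point worth noticing is the interaction of the two image parameters: with vulnerability_threshold set to critical and only_fixed true, a critical finding that has no fix does not block the merge, whereas setting only_fixed to false makes the same finding fail the build. Decide that trade-off deliberately rather than inheriting it from a sample config.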
- Check the scan results. After you update the config.yml, whenever a PR is created, the Prisma Cloud orb checks for any potential issues. The build is a Success or a Failure depending on whether the number of issues detected is lower than or higher than the specified threshold. When the scan starts, you can view the status of the checks on the PR. [Screenshot: the IaC scan reports as successful, while the image scan has completed the prerequisite check and is pending completion.] The ability to merge code is enabled only when the result is successful. Click Details to view more information. When any of the checks are unsuccessful, the results are uploaded in a file named scan.csv in the Artifacts tab.
  - [Screenshot] IaC scan result when the scan is successful and you have no security issues.
  - [Screenshot] IaC scan results when the result is successful with issues.
  - [Screenshot] IaC scan results when it fails.
  - [Screenshot] Container image scan results when the scan fails.