Use the Prisma Cloud Plugin for CircleCI

Verify the prerequisites.

Verify the .circleci/config.yml is in your project root directory.
CircleCI uses this file each time it runs a build.

Set CircleCI org permissions to allow orbs that are not part of the Certified and Partner list. Your CircleCI org admin can opt in to use uncertified third-party orbs by navigating to
Settings
Security
and selecting the opt-in setting.

For IaC scan, get the details for enabling authentication to Prisma Cloud.
Prisma Cloud API URL
.
The URL for Prisma Cloud varies depending on the region and cluster on which your tenant is deployed. The tenant provisioned for you is, for example, https://app2.prismacloud.io or https://app.eu.prismacloud.io. Replace
app
in the URL with
api
and enter it here. Refer to the Prisma Cloud REST API Reference, which is accessible from the Help Center within the Prisma Cloud web interface for more details.
Access Key
.
The access key enables programmatic access to Prisma Cloud. If you do not have a key, you must Create and Manage Access Keys.
Secret Key
.
You should have saved this secret key when you generated it. You cannot view it on the Prisma Cloud web interface.
For image scan, get the details for authenticating to the Prisma Cloud Compute.
Prisma Cloud Compute URL.
You need to copy the URL from the Prisma Cloud interface,
Manage
Defenders
Deploy
.
Prisma Cloud Compute username and password.

Add the environment variables for enabling authentication to Prisma Cloud.

On CircleCI, you must add the environment variables as name value pairs. The following table lists the environment variables, and the figure below shows an example of environment variable settings for IaC scans.

Name	Value	Notes
prisma_cloud_asset_name	CircleCI server. Examples: creditapp_server, ConsumerBU_server	Used to track specific results in Prisma Cloud. For IaC scan only. Required.
prisma_cloud_secret_key	Prisma Cloud secret key	See Create and Manage Access Keys for details about the secret key. For IaC scan only. Required.
prisma_cloud_compute_pass	Prisma Cloud Compute password	The Prisma Cloud Compute users’s password.
prisma_cloud_tags	Comma-separated list of key/value pairs. Examples: project:x, owner:mr.y, compliance:pci	Used for visibility in Prisma Cloud UI. For IaC scan only. Optional.



For IaC scan, enter the
Name
and
Value
for the Prisma Cloud secret key.
The default name is
prisma_cloud_secret_key
. If you enter a different name, make sure to match this name in the config.yml file in the next step.
For IaC scan, enter the
Name
and
Value
for your asset name.
Prisma Cloud uses
prisma_cloud_asset_name
to track specific scan results.
For IaC scan, enter the
Name
and
Value
for all the
prisma_cloud_tags
you want to define.
The
Value
is a comma-separated list of key/value pairs for tags that you want to define. Use an equals sign to assign tag values to tag keys. Tags are optional but enable visibility in the Prisma Cloud UI.
For image scan, enter the
Name
and
Value
for the Prisma Cloud Compute password.
The default name is
prisma_cloud_compute_pass
. If you enter a different name, make sure to match this name in the config.yml file in the next step.

Add the Prisma Cloud configuration file.

The Prisma Cloud configuration file supports various IaC scan features. To add this file, create a subdirectory and file

.prismacloud/config.yml

in the root folder of your project or repository branch. See Set Up Your Prisma Cloud Configuration File for IaC Scan for details. Note that this file is different from

.circleci/config.yml

, and subsequent references to config.yml in these steps indicate the

.circleci/config.yml

file.

Add the Prisma Cloud orb to the config.yml.

Modify the config.yml to include the orb named prisma_cloud/devops_security for IaC and image scanning.

Note that, through the orb, you can customize the IaC scan failure criteria and the vulnerability thresholds for image scanning based on your security needs.

More details about the Prisma Cloud orb are available at Prisma Cloud Orb Quick Start Guide.

The following table lists the parameters you can specify to customize the Prisma Cloud IaC scan job in your orb.

Parameter	Description	Required	Default	Type
access_key	Prisma Cloud access key	no	$prisma_cloud_access_key	String
secret_key	Prisma Cloud secret key	no	prisma_cloud_secret_key	Environment variable
prisma_cloud_api_url	Prisma Cloud server URL	no	$prisma_cloud_console_url	String
terraform_variable_filenames	Comma-separated list of file names containing Terraform variables	no	‘’	String
templates_directory_path	Directory path where IaC templates are stored. Note: The total size of the IaC templates in this directory cannot exceed 9 MB.	no	.	String
faiure_criteria_high_severity	Provides failure threshold for high severity security issues	no	0	Integer
failure_criteria_medium_severity	Provides failure threshold for medium severity security issues	no	0	Integer
failure_criteria_low_severity	Provides failure threshold for low severity security issues	no	0	Integer
failure_criteria_operator	Provides operator for high, medium, low severity failure thresholds	no	or	String
tags	Comma-separated list of tags for your task. Used for visibility in Prisma Cloud UI. For IaC scan only. Optional.	no	‘’	String

The following table lists the parameters you can specify to customize the Prisma Cloud Compute container image scanning job in your orb.

Parameter	Description	Required	Default	Type
prisma_cloud_compute_user	The Prisma Cloud Compute user with the CI User role	no	$prisma_cloud_compute_user	String
prisma_cloud_compute_pass	The Prisma Cloud Compute user's password	no	prisma_cloud_compute_pass	Environment variable
prisma_cloud_compute_url	The base URL for the console -- e.g. http://console.<abc>.com:8083 -- without a trailing /	no	$prisma_cloud_compute_url	String
workspace_name	Name of workspace to “docker save” the image-tar into so it can be scanned by orb	no	workspace	String
image_tar	The name of the image tar file stored in the workspace	no	image.tar	String
image	The name of the image to scan -- myimage or myorg/myimage or myorg/myimage:latest	yes		String

The following script is an example that shows you how to add the details required to set up both IaC and container image scanning.

Make sure that you have defined the secret key (

prisma_cloud_secret_key

for IaC scan) and the Prisma Cloud compute password (

prisma_cloud_compute_pass

for container image scanning), each as an environment variable.

version: 2.1orbs:  scan: prisma_cloud/devops_security@2.0.0jobs:  docker_safe_build:    executor: pcs/compute    steps:      - checkout      - run: 'docker pull nginx'      - pcs/scan_image:          prisma_cloud_compute_url: https://us-east1.cloud.twistlock.com/console123          prisma_cloud_scan_image: nginxworkflows:  scan:    jobs:      - pcs/scan_iac:          prisma_cloud_api_url: <prisma cloud api url>          prisma_cloud_repo_dir: ./scan           prisma_cloud_asset_name: $CIRCLE_PROJECT_REPONAME          prisma_cloud_tags: "svc:github.com"      - docker_safe_build				
								

Check the scan results.

After you update the config.yml, whenever a PR is created, the Prisma Cloud orb checks for any potential issues. The build is a Success or Failure depending on whether the number of the of issues detected is lower than or more than the specified threshold.

When the scan starts, you can view the status:



In the following image you can view the status of the checks. The IaC scan reports as successful, while the image scan has completed the prerequisite check and is pending completion.



The ability to merge code is enabled only when the result is successful.



Click

Details

to view more information. When any of the checks are unsuccessful, the results are generated as a JUNIT report by default, so it shows up in the

TESTS

tab.



The same information is also available in the Prisma Cloud DevOps Inventory page:



If

csv

is included in the report list parameter, then results.csv is uploaded to CircleCI. You can download the violation results from the ARTIFACTS tab.





The following is an example of IaC scan results when the scan is successful and you have no detected security issues.



The following is an example of IaC scan results when the result was successful but with issues.



The following is an example of IaC scan results that returned a failure because of the number and type of security issues it found.



The following shows an example of container image scan results that failed because the IaC scan found security issues in the image.