Use the Prisma Cloud Plugin for CircleCI

Use the Prisma Cloud orb for CircleCI to scan IaC templates and container images during CircleCI pipelines. To use the Prisma Cloud IaC scan functionality, you need a connection to a Prisma Cloud API server, with the connection details supplied as CircleCI environment variables. Similarly, to perform container image vulnerability scans, you need a connection to the Prisma Cloud Compute console. When you add the orb's jobs to your CircleCI pipeline, you can set the build or pipeline failure criteria based on the severity of the security issues that are identified.
  1. Verify the prerequisites.
    • Verify the .circleci/config.yml is in your project root directory.
      CircleCI uses this file each time it runs a build.
    • Set CircleCI org permissions to allow orbs that are not part of the Certified and Partner list. Your CircleCI org admin can opt in to use uncertified third-party orbs by navigating to Settings > Security and selecting the opt-in setting.
    • For IaC scan, get the details for enabling authentication to Prisma Cloud.
      • Prisma Cloud API URL. The URL for Prisma Cloud varies depending on the region and cluster on which your tenant is deployed. The tenant provisioned for you is, for example, https://app2.prismacloud.io or https://app.eu.prismacloud.io. Replace app in the URL with api (for those examples, https://api2.prismacloud.io or https://api.eu.prismacloud.io) and enter the result here. Refer to the Prisma Cloud REST API Reference, accessible from the Help Center within the Prisma Cloud web interface, for more details.
      • Access Key. The access key enables programmatic access to Prisma Cloud. If you do not have a key, you must Create and Manage Access Keys.
      • Secret Key. You should have saved this secret key when you generated it. You cannot view it on the Prisma Cloud web interface; if it is lost, generate a new key pair.
    • For image scan, get the details for authenticating to Prisma Cloud Compute.
      • Prisma Cloud Compute URL. Copy the console URL from the Prisma Cloud interface under Manage > Defenders > Deploy.
      • Prisma Cloud Compute username and password. Use a dedicated account with the CI User role (see the image scan parameters in step 4) rather than an administrator account.
  2. Add the environment variables for enabling authentication to Prisma Cloud.
    On CircleCI, add the environment variables as name/value pairs in the project settings. The following list gives each variable's Name, Value, and Notes, and the figure below shows an example of environment variable settings for IaC scans. Storing the secret key and Compute password here, rather than in config.yml, keeps them out of the repository.
    prisma_cloud_asset_name
      Value: CircleCI server. Examples: creditapp_server, ConsumerBU_server
      Notes: Used to track specific results in Prisma Cloud. For IaC scan only. Required.
    prisma_cloud_secret_key
      Value: Prisma Cloud secret key
      Notes: See Create and Manage Access Keys for details about the secret key. For IaC scan only. Required.
    prisma_cloud_compute_pass
      Value: Prisma Cloud Compute password
      Notes: The Prisma Cloud Compute user's password. Used for image scan only.
    prisma_cloud_tags
      Value: Comma-separated list of key:value pairs. Examples: project:x, owner:mr.y, compliance:pci
      Notes: Used for visibility in the Prisma Cloud UI. For IaC scan only. Optional.
    iac-scan-circleci-env-vars.png
    1. For IaC scan, enter the Name and Value for the Prisma Cloud secret key. The default name is prisma_cloud_secret_key. If you enter a different name, make sure to pass that name as the secret_key parameter in .circleci/config.yml when you add the orb in step 4.
    2. For IaC scan, enter the Name and Value for your asset name. Prisma Cloud uses prisma_cloud_asset_name to track specific scan results.
    3. For IaC scan, enter the Name and Value for all the prisma_cloud_tags you want to define. The Value is a comma-separated list of key:value pairs, in the same form as the examples above. Tags are optional but enable visibility in the Prisma Cloud UI.
    4. For image scan, enter the Name and Value for the Prisma Cloud Compute password. The default name is prisma_cloud_compute_pass. If you enter a different name, make sure to pass that name as the prisma_cloud_compute_pass parameter in .circleci/config.yml when you add the orb in step 4.
  3. Add the Prisma Cloud configuration file.
    The Prisma Cloud configuration file supports various IaC scan features. To add this file, create the subdirectory and file .prismacloud/config.yml in the root folder of your project or repository branch. See Set Up Your Prisma Cloud Configuration File for IaC Scan for details. Note that this file is different from .circleci/config.yml; subsequent references to config.yml in these steps mean the .circleci/config.yml file.
  4. Add the Prisma Cloud orb to the config.yml.
    1. Modify the config.yml to include the orb named prisma_cloud/devops_security for IaC and image scanning.
      Through the orb you can customize the IaC scan failure criteria and the vulnerability thresholds for image scanning according to your security needs. More details about the Prisma Cloud orb are available in the Prisma Cloud Orb Quick Start Guide.
      The following list gives the parameters you can specify to customize the Prisma Cloud IaC scan job in your orb, each with its type, whether it is required, and its default. Parameters of type String take a value; parameters of type Environment variable take the name of the CircleCI environment variable that holds the secret, so the secret itself never appears in config.yml.
      access_key (String, optional, default $prisma_cloud_access_key): Prisma Cloud access key.
      secret_key (Environment variable, optional, default prisma_cloud_secret_key): name of the environment variable that holds the Prisma Cloud secret key.
      prisma_cloud_api_url (String, optional, default $prisma_cloud_console_url): Prisma Cloud API server URL.
      terraform_variable_filenames (String, optional, default ''): comma-separated list of file names containing Terraform variables.
      templates_directory_path (String, optional, default .): directory path where IaC templates are stored. Note: the total size of the IaC templates in this directory cannot exceed 9 MB.
      failure_criteria_high_severity (Integer, optional, default 0): failure threshold for high severity security issues.
      failure_criteria_medium_severity (Integer, optional, default 0): failure threshold for medium severity security issues.
      failure_criteria_low_severity (Integer, optional, default 0): failure threshold for low severity security issues.
      failure_criteria_operator (String, optional, default or): operator (and or or) that combines the high, medium, and low severity failure thresholds.
      tags (String, optional, default ''): comma-separated list of tags for your task. Used for visibility in the Prisma Cloud UI. For IaC scan only.
      The following list gives the parameters you can specify to customize the Prisma Cloud Compute container image scanning job in your orb.
      prisma_cloud_compute_user (String, optional, default $prisma_cloud_compute_user): the Prisma Cloud Compute user with the CI User role.
      prisma_cloud_compute_pass (Environment variable, optional, default prisma_cloud_compute_pass): name of the environment variable that holds the Prisma Cloud Compute user's password.
      prisma_cloud_compute_url (String, optional, default $prisma_cloud_compute_url): the base URL for the console, e.g. https://console.<abc>.com:8083, without a trailing /. Use an https URL: the Compute credentials are sent with every request.
      workspace_name (String, optional, default workspace): name of the workspace into which the image is written with docker save so that the orb can scan the tar.
      image_tar (String, optional, default image.tar): the name of the image tar file stored in the workspace.
      image (String, required): the name of the image to scan, e.g. myimage, myorg/myimage or myorg/myimage:latest. It must name the image that was saved into image_tar.
      The sample configuration below also sets vulnerability_threshold, compliance_threshold and only_fixed, which control when the image scan fails the build.
      The following script is an example that shows you how to add the details required to set up both IaC and container image scanning. Make sure that you have defined the secret key (prisma_cloud_secret_key, for IaC scan) and the Prisma Cloud Compute password (prisma_cloud_compute_pass, for container image scanning) as CircleCI environment variables in step 2. The secret_key and prisma_cloud_compute_pass parameters take the variable name, not its value; never paste the secret or the password into config.yml, which is committed to the repository.
      version: 2.1
      orbs:
        scan: prisma_cloud/devops_security@2.0.0
      jobs:
        docker_build_and_save:
          executor: scan/compute
          steps:
            - checkout
            - run: docker pull nginx
            - run: mkdir -p workspace
            - run: docker images
            # Save the image as a tar in the workspace so the scan job can load it
            - run: 'docker save nginx:latest -o workspace/image.tar'
            - persist_to_workspace:
                root: workspace
                paths:
                  - image.tar
      workflows:
        scan:
          jobs:
            # The orb's IaC scan job
            - scan/scan_iac:
                # Default env var for below: prisma_cloud_console_url
                prisma_cloud_api_url: <prisma cloud api url>
                # Default env var for below: prisma_cloud_access_key
                access_key: <prisma cloud access key>
                # Name of the env var holding the secret (default: prisma_cloud_secret_key), not the secret itself
                secret_key: prisma_cloud_secret_key
                failure_criteria_high_severity: 1
                failure_criteria_medium_severity: 2
                failure_criteria_low_severity: 3
                failure_criteria_operator: and
                tags: env:development, team:devOps
            - docker_build_and_save
            # The orb's image scan job; runs after the image tar is in the workspace
            - scan/scan_image:
                requires:
                  - docker_build_and_save
                # Default env var for below: prisma_cloud_compute_url
                prisma_cloud_compute_url: <prisma cloud compute console url>
                # Default env var for below: prisma_cloud_compute_user
                prisma_cloud_compute_user: <prisma cloud compute username>
                # Name of the env var holding the password (default: prisma_cloud_compute_pass), not the password itself
                prisma_cloud_compute_pass: prisma_cloud_compute_pass
                # Must match the image saved into image_tar above
                image: 'nginx:latest'
                image_tar: image.tar
                vulnerability_threshold: critical
                compliance_threshold: ''
                only_fixed: true
    2. Check the scan results.
      After you update the config.yml, the Prisma Cloud orb runs whenever a PR is created and checks for potential issues. The build is a Success or a Failure depending on whether the number of issues detected at each severity stays within the failure criteria you configured (combined with the failure_criteria_operator for IaC scans, and the vulnerability and compliance thresholds for image scans).
      When the scan starts, you can view the status:
      iac-scan-circleci-start-scan-1.png
      In the following image you can view the status of the checks. The IaC scan reports as successful, while the image scan has completed the prerequisite check and is pending completion.
      iac-scan-circleci-start-scan-2.png
      If you require these checks in your repository's branch protection rules, the code can be merged only when the result is successful.
      iac-scan-circleci-results-2.png
      Click Details to view more information. When any of the checks are unsuccessful, the results are uploaded in a file named scan.csv in the Artifacts tab.
      iac-scan-circleci-results-3.png
      iac-scan-circleci-results-4.png
      The following is an example of IaC scan results when the scan is successful and no security issues were detected.
      iac-scan-circleci-plugin-successful-scan.png
      The following is an example of IaC scan results when the result was successful but issues were found below the failure thresholds.
      iac-scan-circleci-successful-iac-scan-with-issues.png
      The following is an example of IaC scan results that returned a failure because of the number and severity of the security issues found.
      iac-scan-circleci-failed-iac-scan.png
      The following shows an example of container image scan results that failed because the image scan found vulnerabilities in the image that met the configured threshold.
      iac-scan-circleci-results-image-scan.png
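Re-creating the IaC failure-criteria gate locally helps when a build fails and you want to know which severity tripped it, or when you are choosing failure_criteria_* values before committing them. The following Python script is an added example and is not part of the original page or of the Prisma Cloud orb. It assumes a scan.csv with a Severity column (the real artifact's column layout may differ; the sample rows are constructed) and it treats a severity as tripped when its issue count exceeds the configured threshold, which is an assumption about the orb's comparison that you should confirm against your own results.

```python
"""Local re-creation of the orb's IaC failure criteria (added example, not orb code).

Assumptions, not facts from the orb documentation:
  * scan.csv has a 'Severity' column with values High/Medium/Low;
  * a severity trips when its count is strictly greater than its threshold;
  * operator 'or' fails the build if any severity trips, 'and' only if all three do.
"""
import csv
import io
from collections import Counter

# Constructed sample in the shape of a scan.csv artifact (column names are assumed).
SAMPLE_SCAN_CSV = """\
Severity,Name,Resource,File
High,S3 bucket is publicly accessible,aws_s3_bucket.logs,main.tf
Medium,S3 bucket versioning disabled,aws_s3_bucket.logs,main.tf
Medium,Security group allows ingress from 0.0.0.0/0 to port 22,aws_security_group.ssh,network.tf
Low,Missing tags on resource,aws_instance.web,compute.tf
"""

SEVERITIES = ("high", "medium", "low")


def count_by_severity(csv_text):
    """Return {'high': n, 'medium': n, 'low': n} from scan.csv content."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        sev = row["Severity"].strip().lower()
        if sev in SEVERITIES:
            counts[sev] += 1
    return {s: counts[s] for s in SEVERITIES}


def evaluate_failure_criteria(counts, high=0, medium=0, low=0, operator="or"):
    """Apply failure_criteria_{high,medium,low}_severity and failure_criteria_operator.

    Defaults mirror the orb's parameter table (0, 0, 0, 'or').
    Returns (failed, tripped) where tripped lists the severities over threshold.
    """
    thresholds = {"high": high, "medium": medium, "low": low}
    # Assumption: a severity trips when count > threshold (not >=).
    tripped = [s for s in SEVERITIES if counts[s] > thresholds[s]]
    op = operator.lower()
    if op == "or":
        failed = bool(tripped)
    elif op == "and":
        failed = len(tripped) == len(SEVERITIES)
    else:
        raise ValueError(f"failure_criteria_operator must be 'and' or 'or', got {operator!r}")
    return failed, tripped


def explain(csv_text, **criteria):
    """One-line verdict for a scan.csv under the given criteria."""
    counts = count_by_severity(csv_text)
    failed, tripped = evaluate_failure_criteria(counts, **criteria)
    verdict = "FAILURE" if failed else "SUCCESS"
    return f"{verdict}: counts={counts} tripped={tripped} criteria={criteria or 'orb defaults'}"


if __name__ == "__main__":
    # Orb defaults: any finding at all trips a threshold of 0.
    print(explain(SAMPLE_SCAN_CSV))
    # The thresholds from the sample config.yml on this page, operator 'and' ...
    print(explain(SAMPLE_SCAN_CSV, high=1, medium=2, low=3, operator="and"))
    # ... and the same thresholds with 'or', so a single breached severity fails the build.
    print(explain(SAMPLE_SCAN_CSV, high=0, medium=2, low=3, operator="or"))
```

With the sample rows, the orb defaults fail the build (every severity has at least one finding), while the sample config's thresholds of 1/2/3 combined with and pass it, because no severity count exceeds its threshold. Switching the operator to or and lowering the high threshold to 0 fails it again on the single high finding, which is the effect of the operator that the parameter table describes but does not illustrate.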
