Features Introduced in July 2022

Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in July 2022.
The following new features or enhancements are available for Prisma Cloud Code Security. These capabilities help agile teams add security checks to their existing IaC (Infrastructure-as-Code) model and enforce security throughout the build lifecycle.

New Features

Feature
Description
Development Pipelines
Development pipelines provides a bird’s eye view of your onboarded repositories and latest scan results across all VCS and CI/CD integrations.
This summary view (
Code Security
Development Pipelines
) enables you to hone in to what matters most to you:
  • Focus on VCS repositories with the highest rate of failed pull or merge requests.
  • Review VCS repositories with the highest activity based on active git users who committed changes to the default branch weekly andover the last 90 days.
  • Assess the most recent code reviews that triggered scans with the largest number of critical alerts and failures.
  • Scan the results for the last 1000 code scans across all integrations.
  • Define enforcement rules that determine your quality criteria for all scans within a repository.
New Configuration Build Policies
The following new build policies will be available on Prisma Cloud Code Security module:
  • GithHub Actions ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set to true
  • GithHub Actions Run commands are vulnerable to shell injection
  • GithHub Actions curl is being with secrets
  • GithHub Actions Netcat is being used with IP address
  • OpenAPI Security Definitions Object should be set and not empty
  • OpenAPI If the security scheme is not of type 'oauth2', the array value must be empty
  • OpenAPI Security object needs to have defined rules in its array and rules should be defined in the securityScheme
  • OpenAPI Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error
  • OpenAPI Security requirement not defined in the security definitions
  • Traced Azure resources are manually modified
  • Alibaba Cloud OSS bucket has transfer Acceleration disabled
  • Alibaba Cloud OSS bucket is not encrypted with Customer Master Key
  • Alibaba Cloud OSS bucket has versioning disabled
  • Alibaba Cloud Disk is not encrypted with Customer Master Key
  • Alibaba Cloud database instance accessible to public
  • Alibaba Cloud RAM password policy maximal login attempts is more than 4
  • Alibaba Cloud RAM password policy does not prevent password reuse
  • Alibaba Cloud RAM password policy does not expire in 90 days
  • Alibaba Cloud Kubernetes does not install plugin Terway or Flannel to support standard policies
  • Alibaba Cloud Transparent Data Encryption is disabled on instance
  • Alibaba Cloud OSS bucket has access logging enabled
  • Alibaba Cloud RDS Instance SQL Collector Retention Period is less than 180
  • Alibaba Cloud Action Trail Logging is not enabled for all regions
  • Alibaba Cloud Action Trail Logging is not enabled for all events
  • Alibaba Cloud RDS instance does not use SSL
  • Alibaba Cloud API Gateway API Protocol does not use HTTPS
Updates to Existing Configuration Run Policies
The following new Build policies will be added to the existing Configuration Run policies:
  • Alibaba Cloud OSS bucket accessible to public
  • Alibaba Cloud disk encryption is disabled
  • Alibaba Cloud RAM password policy does not have an uppercase character
  • Alibaba Cloud RAM password policy does not have a number
  • Alibaba Cloud RAM password policy does not have a minimum of 14 characters
  • Alibaba Cloud RAM password policy does not have a symbol
  • Alibaba Cloud RAM password policy does not expire in 90 days
  • Alibaba Cloud RAM password policy does not have a lowercase character
  • Alibaba Cloud Security group allow internet traffic to RDP port (3389)
  • Alibaba Cloud Security group allow internet traffic to SSH port (22)
Policy Deletions
Applies only if you have enabled the Code Security subscription on Prisma Cloud
Google storage buckets are not encrypted
policy will be deleted from Prisma Cloud.
Impact
—No impact on alerts.

REST API Updates

CHANGE
DESCRIPTION
New API Endpoints for Code Security
The following new API endpoints are available for Prisma Cloud Code Security to fix code errors, set policies and tag rules, search repositories, remediate issues, and handle vulnerabilities:
  • POST /code/api/v1/errors/supply-chain-fix
  • GET /code/api/v1/errors/files/{uuid}
  • POST /code/api/v1/policies/definition/{queryId}
  • POST /code/api/v1/policies
  • GET /code/api/v1/policies/table/data
  • POST /code/api/v1/policies/{policyId}
  • DELETE /code/api/v1/policies/{policyId}
  • POST /code/api/v1/policies/preview
  • POST /code/api/v1/policies/clone/{policyId}
  • POST /code/api/v1/remediations/buildtime
  • GET /code/api/v1/remediations/buildtime/{fixId}
  • GET /code/api/v1/remediations/buildtime/baseFile/{filename}
  • GET /code/api/v1/repositories/search
  • POST /code/api/v1/supply-chain/nodes
  • GET /code/api/v1/tag-rules
  • POST /code/api/v1/tag-rules
  • GET /code/api/v1/tag-rules/{tagRuleId}
  • PUT /code/api/v1/tag-rules/{tagRuleId}
  • DELETE /code/api/v1/tag-rules/{tagRuleId}
  • POST /code/api/v1/tag-rules/affected-resources
  • GET /code/api/v1/vulnerabilities/packages/files/{fileMetadataId}
  • GET /code/api/v1/vulnerabilities/packages/{packageUuid}/direct-sub-dependencies
  • GET /code/api/v1/vulnerabilities/packages/{packageUuid}
  • POST /code/api/v1/vulnerabilities/packages/license-violations
  • POST /code/api/v1/vulnerabilities/packages/search
  • GET /code/api/v1/vulnerabilities/packages/{packageUuid}/cves

Recommended For You