Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in July 2022.
The following new features or enhancements are available for Prisma Cloud Code Security. These capabilities help agile teams add security checks to their existing IaC (Infrastructure-as-Code) model and enforce security throughout the build lifecycle.
Development pipelines provides a bird’s eye view of your onboarded repositories and latest scan results across all VCS and CI/CD integrations.
This summary view (
Code Security
Development Pipelines
) enables you to hone in to what matters most to you:
Focus on VCS repositories with the highest rate of failed pull or merge requests.
Review VCS repositories with the highest activity based on active git users who committed changes to the default branch weekly andover the last 90 days.
Assess the most recent code reviews that triggered scans with the largest number of critical alerts and failures.
Scan the results for the last 1000 code scans across all integrations.
Define enforcement rules that determine your quality criteria for all scans within a repository.
New Configuration Build Policies
The following new build policies will be available on Prisma Cloud Code Security module:
GithHub Actions ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set to true
GithHub Actions Run commands are vulnerable to shell injection
GithHub Actions curl is being with secrets
GithHub Actions Netcat is being used with IP address
OpenAPI Security Definitions Object should be set and not empty
OpenAPI If the security scheme is not of type 'oauth2', the array value must be empty
OpenAPI Security object needs to have defined rules in its array and rules should be defined in the securityScheme
OpenAPI Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error
OpenAPI Security requirement not defined in the security definitions
Traced Azure resources are manually modified
Alibaba Cloud OSS bucket has transfer Acceleration disabled
Alibaba Cloud OSS bucket is not encrypted with Customer Master Key
Alibaba Cloud OSS bucket has versioning disabled
Alibaba Cloud Disk is not encrypted with Customer Master Key
Alibaba Cloud database instance accessible to public
Alibaba Cloud RAM password policy maximal login attempts is more than 4
Alibaba Cloud RAM password policy does not prevent password reuse
Alibaba Cloud RAM password policy does not expire in 90 days
Alibaba Cloud Kubernetes does not install plugin Terway or Flannel to support standard policies
Alibaba Cloud Transparent Data Encryption is disabled on instance
Alibaba Cloud OSS bucket has access logging enabled
Alibaba Cloud RDS Instance SQL Collector Retention Period is less than 180
Alibaba Cloud Action Trail Logging is not enabled for all regions
Alibaba Cloud Action Trail Logging is not enabled for all events
Alibaba Cloud RDS instance does not use SSL
Alibaba Cloud API Gateway API Protocol does not use HTTPS
Updates to Existing Configuration Run Policies
The following new Build policies will be added to the existing Configuration Run policies:
Alibaba Cloud OSS bucket accessible to public
Alibaba Cloud disk encryption is disabled
Alibaba Cloud RAM password policy does not have an uppercase character
Alibaba Cloud RAM password policy does not have a number
Alibaba Cloud RAM password policy does not have a minimum of 14 characters
Alibaba Cloud RAM password policy does not have a symbol
Alibaba Cloud RAM password policy does not expire in 90 days
Alibaba Cloud RAM password policy does not have a lowercase character
Alibaba Cloud Security group allow internet traffic to RDP port (3389)
Alibaba Cloud Security group allow internet traffic to SSH port (22)
Policy Deletions
Applies only if you have enabled the Code Security subscription on Prisma Cloud
Google storage buckets are not encrypted
policy will be deleted from Prisma Cloud.
Impact—
No impact on alerts.
REST API Updates
CHANGE
DESCRIPTION
New API Endpoints for Code Security
The following new API endpoints are available for Prisma Cloud Code Security to fix code errors, set policies and tag rules, search repositories, remediate issues, and handle vulnerabilities:
POST /code/api/v1/errors/supply-chain-fix
GET /code/api/v1/errors/files/{uuid}
POST /code/api/v1/policies/definition/{queryId}
POST /code/api/v1/policies
GET /code/api/v1/policies/table/data
POST /code/api/v1/policies/{policyId}
DELETE /code/api/v1/policies/{policyId}
POST /code/api/v1/policies/preview
POST /code/api/v1/policies/clone/{policyId}
POST /code/api/v1/remediations/buildtime
GET /code/api/v1/remediations/buildtime/{fixId}
GET /code/api/v1/remediations/buildtime/baseFile/{filename}
GET /code/api/v1/repositories/search
POST /code/api/v1/supply-chain/nodes
GET /code/api/v1/tag-rules
POST /code/api/v1/tag-rules
GET /code/api/v1/tag-rules/{tagRuleId}
PUT /code/api/v1/tag-rules/{tagRuleId}
DELETE /code/api/v1/tag-rules/{tagRuleId}
POST /code/api/v1/tag-rules/affected-resources
GET /code/api/v1/vulnerabilities/packages/files/{fileMetadataId}
GET /code/api/v1/vulnerabilities/packages/{packageUuid}/direct-sub-dependencies
GET /code/api/v1/vulnerabilities/packages/{packageUuid}
POST /code/api/v1/vulnerabilities/packages/license-violations
POST /code/api/v1/vulnerabilities/packages/search
GET /code/api/v1/vulnerabilities/packages/{packageUuid}/cves
