1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Release Notes
    5. Prisma Cloud Code Security Release Information
    6. Features Introduced in 2022—Code Security
    7. Features Introduced in June 2022

    Features Introduced in June 2022

    Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in June 2022.
    The following new features or enhancements are available for Prisma Cloud Code Security. These capabilities help agile teams add security checks to their existing IaC (Infrastructure-as-Code) model and enforce security throughout the build lifecycle.

    New Features

    Policy Updates
    Description
    Enforcement Thresholds and Scope
    Enforcement enables you to define the thresholds for reducing unnecessary noise in your code reviews and focusing on the most critical issues across the following categories— Open Source (SCA), Infrastructure as Code (IaC), Secrets, Container Images, and Build Integrity.
    Based on best practice guidelines Prisma Cloud provides default enforcement settings. If you had previously configured any rules on
    Settings
    Code Security Configuration
    , these are migrated as your thresholds and scope for enforcement.
    To modify the enforcement configuration (
    Code Security
    Projects
    More Actions
    Enforcement
    ) for all repositories that you are monitoring using Prisma Cloud, you must specify the severity —Critical, High, Medium and Low—of policy violations for which you want to soft fail, hard fail, or enable bot comments to suggest fixes where available.You can also add exceptions for one or more repositories where you need a more stringent or more lenient approach to enforcement.
    Terraform Cloud (Run Tasks)
    Integrate Terraform Cloud (Run Tasks)(
    Settings
    Add Repositories
    Terraform Cloud (Run Tasks)
    ) to seamlessly add policy-as-code checks to your Terraform pipelines for completely automated security guardrails and enable you to collect feedback or directly block insecure deployments.
    New Configuration Build Policies
    The following new build policies are available on Prisma Cloud Code Security module:
    • OCI private keys are hard coded in the provider
    • OpenStack hard coded password, token, or application_credential_secret exists in provider
    • OpenStack Security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp)
    • OpenStack Security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp)
    • Kubernetes ClusterRoles that grant control over validating or mutating admission webhook configurations are not minimized
    • Kubernetes ClusterRoles that grant permissions to approve CertificateSigningRequests are not minimized
    • Kubernetes Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings are not minimized
    • Kubernetes Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRole are not minimized
    • AWS Lambda encryption settings environmental variable is not set properly
    • Provisioned resources are manually modified
    • Traced AWS resources are manually modified
    Updates to Existing Configuration Run Policies
    The following new Build policies are added to the existing Configuration Run policies:
    • OCI Block Storage Block Volume does not have backup enabled
    • OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK)
    • OCI Compute Instance boot volume has in-transit data encryption is disabled
    • OCI Compute Instance has Legacy MetaData service endpoint enabled
    • OCI Compute Instance has monitoring disabled
    • OCI Object Storage bucket does not emit object events
    • OCI Object Storage Bucket has object Versioning disabled
    • OCI Object Storage Bucket is not encrypted with a Customer Managed Key (CMK)
    • OCI Object Storage bucket is publicly accessible
    • OCI IAM password policy for local (non-federated) users does not have a lowercase character
    • OCI IAM password policy for local (non-federated) users does not have a number
    • OCI IAM password policy for local (non-federated) users does not have a symbol
    • OCI IAM password policy for local (non-federated) users does not have an uppercase character
    • OCI File Storage File Systems are not encrypted with a Customer Managed Key (CMK)
    • OCI VCN has no inbound security list
    • OCI VCN Security list has stateful security rules
    • OCI IAM password policy for local (non-federated) users does not have minimum 14 characters
    Build Policy Updates-Metadata
    AWS access keys and secrets are hard coded in infrastructure
    Changes—
     The cloud type for this policy is updated from ANY to AWS.
    Impact—
     No impact on alerts.
    Azure Storage Account Access Keys
    Changes—
     The cloud type for this policy is updated from ANY to Azure.
    Impact—
     No impact on alerts.
    GCP resources that support labels do not have labels
    Changes—
     The cloud type for this policy is updated from ANY to GCP.
    Impact—
     No impact on alerts.
    AWS S3 Bucket BlockPublicPolicy is set to True
    Changes—
     The policy name has been updated to support Prisma Cloud’s naming guidelines.
    • Current Policy Name—
      AWS S3 Bucket BlockPublicPolicy is set to True
    • Updated Policy Name—
      AWS S3 Bucket BlockPublicPolicy is not set to True
    Impact—
     No impact on alerts.
    AWS S3 bucket IgnorePublicAcls is set to True
    Changes—
     The policy name has been updated to support Prisma Cloud’s naming guidelines.
    • Current Policy Name—
      AWS S3 bucket IgnorePublicAcls is set to True
    • Updated Policy Name—
      AWS S3 bucket IgnorePublicAcls is not set to True
    Impact—
     No impact on alerts.
    AWS S3 bucket RestrictPublicBucket is set to True
    Changes—
     The policy name has been updated to support Prisma Cloud’s naming guidelines.
    • Current Policy Name—
      AWS S3 bucket RestrictPublicBucket is set to True
    • Updated Policy Name—
      AWS S3 bucket RestrictPublicBucket is not set to True
    Impact—
     No impact on alerts.
    S3 bucket MFA Delete is not enabled
    Changes—
     The policy description and recommendation details have been updated to describe the policy better.
    Updated Description—
     Ensure S3 bucket MFA Delete is enabled.
    Impact—
     No impact on alerts.
    AWS IAM policies that allow full administrative privileges are created
    Changes—
     The severity level for this policy is updated from
    Critical
     to
    Low
     .
    Impact—
     No impact on alerts.
    Lambda function’s environment variables expose secrets
    Changes—
     The severity level for this policy is updated from
    High
     to
    Medium
     .
    Impact—
     No impact on alerts.
    SQS queue policy is public and access is not restricted to specific services or principals
    Changes—
     The severity level for this policy is updated from
    Medium
     to
    High
    .
    Impact—
     No impact on alerts.
    Policy Deletions
    Applies only if you have enabled the Code Security subscription on Prisma Cloud
    The following build policies are deleted from Prisma Cloud:
    • Secret Keyword
    • Redshift clusters do not have AWS Backup’s backup plan
    • A retention period of less than 90 days is not specified
    • Secure transfer required is not enabled
    Impact—
     No impact on alerts.

    Changes in Existing Behavior

    Change
    Description
    Code Reviews and Pull Request Bot Comments for Code Security Configuration
    With this release, new Enforcement options are available for code reviews. With the enhancement, the ability to configure Code Reviews and Pull Request Bot Comments is no longer part of the Code Security Configuration on
    Settings
    Code Security Configuration
    . Instead, these capabilities are now available as a part of Enforcement on
    Code Security
    Projects
    More Actions
    Enforcement
    .
    This change does not impact your existing configuration. All your existing configurations are migrated over as
    Enforcement
     settings. You can review and manage the enforcement thresholds and exceptions from
    Code Security
    Projects
    More Actions
    Enforcement
    .

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo