Features Introduced in June 2022

Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in June 2022.
The following new features or enhancements are available for Prisma Cloud Code Security. These capabilities help agile teams add security checks to their existing IaC (Infrastructure-as-Code) model and enforce security throughout the build lifecycle.

New Features

Policy Updates
Description
Enforcement Thresholds and Scope
Enforcement enables you to define the thresholds for reducing unnecessary noise in your code reviews and focusing on the most critical issues across the following categories— Open Source (SCA), Infrastructure as Code (IaC), Secrets, Container Images, and Build Integrity.
Based on best practice guidelines Prisma Cloud provides default enforcement settings. If you had previously configured any rules on
Settings
Code Security Configuration
, these are migrated as your thresholds and scope for enforcement.
To modify the enforcement configuration (
Code Security
Projects
More Actions
Enforcement
) for all repositories that you are monitoring using Prisma Cloud, you must specify the severity —Critical, High, Medium and Low—of policy violations for which you want to soft fail, hard fail, or enable bot comments to suggest fixes where available.You can also add exceptions for one or more repositories where you need a more stringent or more lenient approach to enforcement.
Terraform Cloud (Run Tasks)
Integrate Terraform Cloud (Run Tasks)(
Settings
Add Repositories
Terraform Cloud (Run Tasks)
) to seamlessly add policy-as-code checks to your Terraform pipelines for completely automated security guardrails and enable you to collect feedback or directly block insecure deployments.
New Configuration Build Policies
The following new build policies are available on Prisma Cloud Code Security module:
  • OCI private keys are hard coded in the provider
  • OpenStack hard coded password, token, or application_credential_secret exists in provider
  • OpenStack Security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp)
  • OpenStack Security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp)
  • Kubernetes ClusterRoles that grant control over validating or mutating admission webhook configurations are not minimized
  • Kubernetes ClusterRoles that grant permissions to approve CertificateSigningRequests are not minimized
  • Kubernetes Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings are not minimized
  • Kubernetes Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRole are not minimized
  • AWS Lambda encryption settings environmental variable is not set properly
  • Provisioned resources are manually modified
  • Traced AWS resources are manually modified
Updates to Existing Configuration Run Policies
The following new Build policies are added to the existing Configuration Run policies:
  • OCI Block Storage Block Volume does not have backup enabled
  • OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK)
  • OCI Compute Instance boot volume has in-transit data encryption is disabled
  • OCI Compute Instance has Legacy MetaData service endpoint enabled
  • OCI Compute Instance has monitoring disabled
  • OCI Object Storage bucket does not emit object events
  • OCI Object Storage Bucket has object Versioning disabled
  • OCI Object Storage Bucket is not encrypted with a Customer Managed Key (CMK)
  • OCI Object Storage bucket is publicly accessible
  • OCI IAM password policy for local (non-federated) users does not have a lowercase character
  • OCI IAM password policy for local (non-federated) users does not have a number
  • OCI IAM password policy for local (non-federated) users does not have a symbol
  • OCI IAM password policy for local (non-federated) users does not have an uppercase character
  • OCI File Storage File Systems are not encrypted with a Customer Managed Key (CMK)
  • OCI VCN has no inbound security list
  • OCI VCN Security list has stateful security rules
  • OCI IAM password policy for local (non-federated) users does not have minimum 14 characters
Build Policy Updates-Metadata
AWS access keys and secrets are hard coded in infrastructure
Changes—
The cloud type for this policy is updated from ANY to AWS.
Impact—
No impact on alerts.
Azure Storage Account Access Keys
Changes—
The cloud type for this policy is updated from ANY to Azure.
Impact—
No impact on alerts.
GCP resources that support labels do not have labels
Changes—
The cloud type for this policy is updated from ANY to GCP.
Impact—
No impact on alerts.
AWS S3 Bucket BlockPublicPolicy is set to True
Changes—
The policy name has been updated to support Prisma Cloud’s naming guidelines.
  • Current Policy Name—
    AWS S3 Bucket BlockPublicPolicy is set to True
  • Updated Policy Name—
    AWS S3 Bucket BlockPublicPolicy is not set to True
Impact—
No impact on alerts.
AWS S3 bucket IgnorePublicAcls is set to True
Changes—
The policy name has been updated to support Prisma Cloud’s naming guidelines.
  • Current Policy Name—
    AWS S3 bucket IgnorePublicAcls is set to True
  • Updated Policy Name—
    AWS S3 bucket IgnorePublicAcls is not set to True
Impact—
No impact on alerts.
AWS S3 bucket RestrictPublicBucket is set to True
Changes—
The policy name has been updated to support Prisma Cloud’s naming guidelines.
  • Current Policy Name—
    AWS S3 bucket RestrictPublicBucket is set to True
  • Updated Policy Name—
    AWS S3 bucket RestrictPublicBucket is not set to True
Impact—
No impact on alerts.
S3 bucket MFA Delete is not enabled
Changes—
The policy description and recommendation details have been updated to describe the policy better.
Updated Description—
Ensure S3 bucket MFA Delete is enabled.
Impact—
No impact on alerts.
AWS IAM policies that allow full administrative privileges are created
Changes—
The severity level for this policy is updated from
Critical
to
Low
.
Impact—
No impact on alerts.
Lambda function’s environment variables expose secrets
Changes—
The severity level for this policy is updated from
High
to
Medium
.
Impact—
No impact on alerts.
SQS queue policy is public and access is not restricted to specific services or principals
Changes—
The severity level for this policy is updated from
Medium
to
High
.
Impact—
No impact on alerts.
Policy Deletions
Applies only if you have enabled the Code Security subscription on Prisma Cloud
The following build policies are deleted from Prisma Cloud:
  • Secret Keyword
  • Redshift clusters do not have AWS Backup’s backup plan
  • A retention period of less than 90 days is not specified
  • Secure transfer required is not enabled
Impact—
No impact on alerts.

Changes in Existing Behavior

Change
Description
Code Reviews and Pull Request Bot Comments for Code Security Configuration
With this release, new Enforcement options are available for code reviews. With the enhancement, the ability to configure Code Reviews and Pull Request Bot Comments is no longer part of the Code Security Configuration on
Settings
Code Security Configuration
. Instead, these capabilities are now available as a part of Enforcement on
Code Security
Projects
More Actions
Enforcement
.
This change does not impact your existing configuration. All your existing configurations are migrated over as
Enforcement
settings. You can review and manage the enforcement thresholds and exceptions from
Code Security
Projects
More Actions
Enforcement
.

Recommended For You