Focus

Prisma™ Cloud Release Notes

Features Introduced in September 2022

Table of Contents

Features Introduced in September 2022

Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in September 2022.

The following new features or enhancements are available for Prisma Cloud Code Security. These capabilities help agile teams add security checks to their existing IaC (Infrastructure-as-Code) model and enforce security throughout the build lifecycle.

New Features

New Policies and Policy Updates

Changes in Existing Behavior

REST API Updates

New Features

Feature

Description

Software Composition Analysis (SCA)

Software Composition Analysis (SCA) enables you to continuously scan any open source packages defined in your source code. The scan enables you to find and fix vulnerabilities in code and identify license violations earlier in the development lifecycle so that you can address risks in a timely manner. The scan runs across all integrations of repositories, IDE and CI/CD pipelines to give you:

Contextual information on Bill of Materials or Software Bill of Materials (SBOM), an inventory list of all open source packages and third-party components your source code utilizes. (

Code Security

Development Pipelines

)

Visualization on direct and sub-dependencies between open source packages to help you identify vulnerabilities outside root dependency. (

Code Security

Supply Chain

)

Information to identify potential software license violations and manually fix or suppress the issue. (

Code Security

Projects

)

A list of vulnerabilities identified on open source packages that you can either suppress or directly fix in code. (

Code Security

Projects

)

New Policies and Policy Updates

Policy Updates	Description
New Configuration Build Policies	New build policies are available on Prisma Cloud Code Security module for the following categories: General - 123 policies IAM - 12 policies Networking - 34 policies Build Integrity - 18 policies Secrets - 57 policies Kubernetes - 13 policies Logging - 4 policies Public - 1 policy
Addition of Build Checks to Existing Configuration Run Policies	The following configuration policies now include build time checks. With this change, these policies perform checks for Run, Build configuration issues: AWS CloudTrail logging is disabled AWS Lambda function URLs AuthType is not defined AWS RDS PostgreSQL instances use a vulnerable version of log_fdw extension AWS SSM Parameter is not encrypted Azure ACR is set to enable public networking Azure Function app does not use the latest version of TLS encryption GCP compute firewall ingress allow unrestricted MySQL access GCP Private Google Access is not enabled for IPV6 GCP Google compute firewall ingress allow unrestricted HTTP port 80 access GCP Google compute firewall ingress allow unrestricted FTP access OCI security list allows ingress from 0.0.0.0/0 to port 3389 OCI security groups rules allows ingress from 0.0.0.0/0 to port 22 OCI security list allows ingress from 0.0.0.0/0 to port 22 OCI security group does not have stateless ingress security rules
Build Policy Updates-Metadata	The --anonymous-auth argument is not set to False Changes— The policy name has been updated to support Prisma Cloud’s naming guidelines. Current Name— The --anonymous-auth argument is not set to False Updated Name— The --anonymous-auth argument is not set to False for Kubelet Impact— No impact on alerts.
	The --authorization-mode argument is set to AlwaysAllow Changes— The policy name has been updated to support Prisma Cloud’s naming guidelines. Current Name— The --authorization-mode argument is set to AlwaysAllow Updated Name— The --authorization-mode argument is set to AlwaysAllow for API server Impact— No impact on alerts.
	The --profiling argument is not set to False Changes— The policy name has been updated to support Prisma Cloud’s naming guidelines. Current Name— The --profiling argument is not set to False Updated Name— The --profiling argument is not set to False for scheduler Impact— No impact on alerts.
	The --tls-cert-file and --tls-private-key-file arguments are not set appropriately Changes— The policy name has been updated to support Prisma Cloud’s naming guidelines. Current Name— The --tls-cert-file and --tls-private-key-file arguments are not set appropriately Updated Name— The --tls-cert-file and --tls-private-key-file arguments for API server are not set appropriately Impact— No impact on alerts.
	securityContext is not applied to pods and contianers Changes— The policy name has been updated to fix the typo error. Current Name— securityContext is not applied to pods and contianers Updated Name— securityContext is not applied to pods and containers. Impact— No impact on alerts.
	Repository is not Private Changes— The policy name and description has been updated as follows: Current Name— Repository is not Private Updated Name— GitHub repository is not Private Current Description— Ensure Repository is Private Updated Description— Ensure GitHub repository is private

Changes in Existing Behavior

Change

Description

Code Editor for Build Policies

With this release, you can Test
your YAML policy template when creating a rule for a custom policy in build-time checks (

Policies

Add Policy

Config

Additionally, information such as Name
and Severity
will not be displayed in the existing example of the YAML policy template on the console. However, this information will still be visible in your YAML code file. For example, in your

VCS

REST API Updates

CHANGE

DESCRIPTION

Prisma Cloud Code Security

The following new APIs are available for Code Security that allow you to retrieve the code review and integrated VCS repositories metadata, list of affected resources for suppression, BOM report and Checkov version details, single repository and tag rule details, and enforcement rules.

TagRules: Returns the tag rule by OOTB ID