Features Introduced in September 2022

Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in September 2022.
The following new features or enhancements are available for Prisma Cloud Code Security. These capabilities help agile teams add security checks to their existing IaC (Infrastructure-as-Code) model and enforce security throughout the build lifecycle.

New Features

Feature
Description
Software Composition Analysis (SCA)
Software Composition Analysis (SCA) enables you to continuously scan any open source packages defined in your source code. The scan enables you to find and fix vulnerabilities in code and identify license violations earlier in the development lifecycle so that you can address risks in a timely manner. The scan runs across all integrations of repositories, IDE and CI/CD pipelines to give you:
  • Contextual information on Bill of Materials or Software Bill of Materials (SBOM), an inventory list of all open source packages and third-party components your source code utilizes. (
    Code Security
    Development Pipelines
    )
  • Visualization on direct and sub-dependencies between open source packages to help you identify vulnerabilities outside root dependency. (
    Code Security
    Supply Chain
    )
  • Information to identify potential software license violations and manually fix or suppress the issue. (
    Code Security
    Projects
    )
  • A list of vulnerabilities identified on open source packages that you can either suppress or directly fix in code. (
    Code Security
    Projects
    )

New Policies and Policy Updates

Policy Updates
Description
New Configuration Build Policies
New build policies are available on Prisma Cloud Code Security module for the following categories:
  • General - 123 policies
  • IAM - 12 policies
  • Networking - 34 policies
  • Build Integrity - 18 policies
  • Secrets - 57 policies
  • Kubernetes - 13 policies
  • Logging - 4 policies
  • Public - 1 policy
Addition of Build Checks to Existing Configuration Run Policies
The following configuration policies now include build time checks. With this change, these policies perform checks for Run, Build configuration issues:
  • AWS CloudTrail logging is disabled
  • AWS Lambda function URLs AuthType is not defined
  • AWS RDS PostgreSQL instances use a vulnerable version of log_fdw extension
  • AWS SSM Parameter is not encrypted
  • Azure ACR is set to enable public networking
  • Azure Function app does not use the latest version of TLS encryption
  • GCP compute firewall ingress allow unrestricted MySQL access
  • GCP Private Google Access is not enabled for IPV6
  • GCP Google compute firewall ingress allow unrestricted HTTP port 80 access
  • GCP Google compute firewall ingress allow unrestricted FTP access
  • OCI security list allows ingress from 0.0.0.0/0 to port 3389
  • OCI security groups rules allows ingress from 0.0.0.0/0 to port 22
  • OCI security list allows ingress from 0.0.0.0/0 to port 22
  • OCI security group does not have stateless ingress security rules
Build Policy Updates-Metadata
The --anonymous-auth argument is not set to False
Changes—
The policy name has been updated to support Prisma Cloud’s naming guidelines.
  • Current Name—
    The --anonymous-auth argument is not set to False
  • Updated Name—
    The --anonymous-auth argument is not set to False for Kubelet
Impact—
No impact on alerts.
The --authorization-mode argument is set to AlwaysAllow
Changes—
The policy name has been updated to support Prisma Cloud’s naming guidelines.
  • Current Name—
    The --authorization-mode argument is set to AlwaysAllow
  • Updated Name—
    The --authorization-mode argument is set to AlwaysAllow for API server
Impact—
No impact on alerts.
The --profiling argument is not set to False
Changes—
The policy name has been updated to support Prisma Cloud’s naming guidelines.
  • Current Name—
    The --profiling argument is not set to False
  • Updated Name—
    The --profiling argument is not set to False for scheduler
Impact—
No impact on alerts.
The --tls-cert-file and --tls-private-key-file arguments are not set appropriately
Changes—
The policy name has been updated to support Prisma Cloud’s naming guidelines.
  • Current Name—
    The --tls-cert-file and --tls-private-key-file arguments are not set appropriately
  • Updated Name—
    The --tls-cert-file and --tls-private-key-file arguments for API server are not set appropriately
Impact—
No impact on alerts.
securityContext is not applied to pods and contianers
Changes—
The policy name has been updated to fix the typo error.
  • Current Name—
    securityContext is not applied to pods and contianers
  • Updated Name—
    securityContext is not applied to pods and containers.
Impact—
No impact on alerts.
Repository is not Private
Changes—
The policy name and description has been updated as follows:
Current Name—
Repository is not Private
Updated Name—
GitHub repository is not Private
Current Description—
Ensure Repository is Private
Updated Description—
Ensure GitHub repository is private

Changes in Existing Behavior

Change
Description
Code Editor for Build Policies
With this release, you can
Test
your YAML policy template when creating a rule for a custom policy in build-time checks (
Policies
Add Policy
Config
).
Additionally, information such as
Name
and
Severity
will not be displayed in the existing example of the YAML policy template on the console. However, this information will still be visible in your YAML code file. For example, in your
VCS
.

REST API Updates

CHANGE
DESCRIPTION
Prisma Cloud Code Security
The following new APIs are available for Code Security that allow you to retrieve the code review and integrated VCS repositories metadata, list of affected resources for suppression, BOM report and Checkov version details, single repository and tag rule details, and enforcement rules.

Recommended For You