Features Introduced in January 2023

Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in January 2023.
The following new features or enhancements are available for Prisma Cloud Code Security. These capabilities help agile teams add security checks to their existing IaC (Infrastructure-as-Code) model and enforce security throughout the build lifecycle.

New Features

Terraform Enterprise (Run Tasks)
Integrate Terraform Enterprise (Run Tasks)(
Settings >Repositories > Add Repository > Terraform Enterprise Cloud (Run Tasks)
) to seamlessly add policy-as-code checks to your Terraform pipelines for completely automated security guardrails and enable you to collect feedback or directly block insecure deployments.
CVE Severity
The CVEs with Moderate and Important severity will now be mapped as Medium and Important, respectively. With this change, if you have set the
threshold to Medium or above for detecting violations or failing the build for CVEs in your source code, the volume of violations will be higher than before.
For any VCS or CI/CD integrations where the hard fail is implemented for CVEs that are Medium or above in severity, the builds that were passing earlier will now fail.
Terraform Cloud ( Run Tasks)
With this release, for Terraform Cloud ( Run Tasks)(
Settings > Repositories > Add Repository > Terraform Cloud (Run Tasks)
) integration you can enable specific configuration run tasks scan during
phase for selected or all workspaces. Using your preferential configuration, Prisma Cloud will perform a run tasks scan on your selected (or all) workspaces before or after Terraform Cloud generates a plan.
This change does not impact your existing configuration. You can continue to review and manage the scan results on
Code Security > Projects

New Policies and Policy Updates

New Policy
New Configuration Build Policies
The following new build policy is available on Prisma Cloud Code Security module:
  • Cleartext credentials over unencrypted channel should not be accepted for the operation
  • GCP Firewall with Inbound rule overly permissive to All Traffic
  • Rules used could create a double pipeline
  • Detect images within GitLab CI workflows
  • Container job does not use a non latest version tag
  • Pipeline image version is referenced via an arbitrary tag
  • Pipeline uses mutable development orbs
  • Pipeline uses unversioned volatile orbs
  • Pipeline uses netcat with an IP address
  • Pipeline uses run command that is vulnerable to shell injection
  • Pipeline uses curl in a suspicious way
  • Detect images within circleCI workflows
  • Container job does not use a non latest version tag
  • Container job uses a version digest
  • Set variable is marked as a secret"
  • RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding
  • Granting create permissions to nodes/proxy or pods/exec sub resources allows potential privilege escalation
  • No ServiceAccount/Node should have impersonate permissions for groups/users/service-accounts
  • ServiceAccounts and nodes that can modify services/status may set the status.loadBalancer.ingress.ip field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster
  • No ServiceAccount/Node should be able to read all secrets
  • GitHub branch protection does not dismiss stale reviews
  • GitHub branch protection does not restrict who can dismiss a PR
  • GitHub branch protection does not require code owner reviews
  • GitHub branch protection does not require status checks
  • GitHub branch protection does not require conversation resolution
  • GitHub branch protection does not require push restrictions
  • GitHub branch protection rules allow branch deletions
Addition of Build Checks to Existing Configuration Run Policies
The following configuration policies now include build time checks. With this change, these policies perform checks for Run, Build configuration issues:
  • AWS CloudFront attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability
  • AWS Cloudfront Distribution with S3 have Origin Access set to disabled
  • AWS CloudFront web distribution with default SSL certificate
  • AWS Config must record all possible resources
  • AWS Config Recording is disabled
  • AWS Database Migration Service endpoint do not have SSL configured
  • AWS EC2 Instance IAM Role not enabled
  • AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to disabled
  • AWS route table with VPC peering overly permissive to all traffic
  • AWS S3 buckets are accessible to any authenticated user
  • GCP Cloud Function HTTP trigger is not secured
  • GCP Firewall with Inbound rule overly permissive to All Traffic
  • GCP GCR Container Vulnerability Scanning is disabled

Changes in Existing Behavior

Terraform Cloud Run Tasks
For Terraform Cloud Run Tasks, the Enforcement Settings for IaC Scans were enforced only when you had enabled the checkbox to
Make Prisma Cloud’s run tasks mandatory
. The
Make Prisma Cloud’s run tasks mandatory
is now removed, to make this behavior consistent with other VCS, IDE, and CI/CD pipeline integrations for Code Security.
If you have an existing Terraform Cloud Run Task integration on Prisma Cloud that was not set to mandatory, and have set the Enforcement Settings threshold for Hard Fail to anything other than
such as Low or above for IaC Scan, the run tasks will now be mandatory. Builds that were passing earlier will now fail when there is a violation above the severity threshold detected in your IaC files.

Recommended For You