Look Ahead—Planned Updates on Prisma Cloud Code Security

Review any deprecation notices and policy changes planned in the next Prisma Cloud Code Security release.
Read this section to learn about what is planned in the upcoming release. The Look Ahead announcements are for an upcoming or next release and it is not a cumulative list of all announcements.
The details and functionality listed below are a preview and the actual release date is subject to change.

Changes in Existing Behavior

FEATURE
DESCRIPTION
Terraform Cloud Run Tasks
For Terraform Cloud Run Tasks, the Enforcement Settings for IaC Scans are currently enforced only when you have enabled the checkbox to
Make Prisma Cloud’s run tasks mandatory
.
Make Prisma Cloud’s run tasks mandatory
is being removed, to make this behavior consistent with other VCS, IDE, and CI/CD pipeline integrations for Code Security.
Impact-
If you have an existing Terraform Cloud Run Task integration on Prisma Cloud that was previously not set to mandatory, and have set the Enforcement Settings threshold for Hard Fail to anything other than
Off
such as Low or above for IaC Scan, the run tasks will now be mandatory. Builds that were passing earlier will now fail when there is a violation above the severity threshold detected in your IaC files.

New Policies and Policy Updates

Learn about the new policies and upcoming policy changes for new and existing Prisma Cloud System policies.
POLICY UPDATES
DESCRIPTION
AWS EBS volume region with encryption is disabled
Changes-
The Build remediation instructions are being updated according to encrypt-ebs-volume.
Impact-
No impact on alerts.
Basic Auth Credentials
Changes-
The policy name is being updated to reflect the latest changes.
Current Policy Name-
Basic Authentication Credentials
Impact-
No impact on alerts.
GitHub VCS Integration
To help ensure that your GitHub organization and repository and GitLab repository configurations are using proper branch protection and build integrity guidelines, Prisma Cloud is adding Build Integrity policies in the upcoming release. These permissions are required to pull organization and repository configurations and scan them for Supply Chain policy violations. The following additional read-only permissions are being requested:
  • administration: read-only
  • actions: read-only
  • repository_hooks: read-only
  • organization_hooks: read-only
Impact-
If you opt to reject or ignore the request for the additional permissions, there will be no impact on existing scans; however, you will not be able to detect violations of the build integrity policies.
Policy Deletions
AWS EC2 instance is not configured with VPC
Changes-
This policy is deleted because resources are configured in VPC by default.
Impact-
No impact on alerts.
My SQL server enables public network access (duplication of CKV_AZURE_53)
Changes-
This policy is a duplication of an existing policy, therefore will be deleted.
Impact-
No impact on alerts.

Recommended For You