topic Re: Code Security: Policy Ids for Errors in Prisma Cloud Discussions

Code Security: Policy Ids for Errors

JSchneider1 — Mon, 08 May 2023 21:34:44 GMT

When scanning IAC with Bridgecrew GitHub action, an error may be returned as "Check: 8060797_AWS_1672940525627: "AWS Lambda function is not configured for function-level concurrent execution Limit" with a link to https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.

Why is the 8060797_AWS_1672940525627 shown as the policy id rather than the native policy id - either BC_AWS_GENERAL_63 or CKV_AWS_115?

In the API to list errors (/code/api/v1/errors/file), the response still returns 8060797_AWS_1672940525627 rather than a native ID as errorId. The API does not return a link to documentation.

Linking errors to the underlying OOTB policy is challenging without the native policy id.

Re: Code Security: Policy Ids for Errors

tplisson — Tue, 09 May 2023 15:44:12 GMT

A policy ID like "8060797_AWS_1672940525627" is the format of a custom build policy (CCS). Maybe a clone of the OOTB policy?

Re: Code Security: Policy Ids for Errors

JSchneider1 — Tue, 09 May 2023 16:24:26 GMT

A custom policy would explain it.

However, I know this one is not.

When viewing the policy definition in the console, it says "This policy is defined in Checkov, for more information about this policy's exact definition visithttps://github.com/bridgecrewio/checkov".

When querying policy details through the API, the createdBy attribute = "Prisma Cloud System Admin".

I know we've at one time disabled, re-enabled, and updated the labels on this policy (and most other OOTB build policies). Maybe there was a side effect of one of those operations.

So I agree that indications are that somehow Prisma Cloud is inaccurately seeing this and other many other of our OOTB build policies as custom policies.