GitOps with Prisma Cloud Code Security

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
L4 Transporter
100% helpful (1/1)

By Julian Neytchev, Sr. Cloud Security Engineer

 

Introduction

 

Infrastructure as Code (IaC) makes creating, managing and collaborating around cloud infrastructure easier.  DevSecOps provides automated tools and shifts left the security to the developer.  This shift left allows security and compliance to be part of the development process, and not an afterthought in production. Security becomes part of the whole DevOps lifecycle, leading to a more secure product in production. 

 

To facilitate the shift left, tools that scan IaC for compliance and vulnerabilities need to be available to the software development team.  These tools are used to check code prior to check-in for your source code repository and after check-in to your source code repository for your code review.  

 

It is important to understand how Prisma Cloud Code Security can integrate into your development lifecycle through the coding and building phases to ensure repeatable code in your runtime environment infrastructure. 

 

RPrasadi_0-1677622169501.png

Figure 1: Development Lifecycle_palo-alto-networks 

 

GitOps Definition

 

Git Operations or GitOps is a method for managing infrastructure and application deployments as code, using Git as a single source of truth.  In cloud computing, GitOps can be used to maintain the desired state of an infrastructure in a Git repository, and continuously synchronize it with the actual state of the infrastructure. 

 

In typical GitOps setups, all infrastructure state is maintained via a continuous deployment pipeline. The deployment pipeline is triggered by changes pushed to the source code repository, automatically applying the desired state to the infrastructure, ensuring that it remains in a consistent and predictable state. This makes it easier to manage and maintain infrastructure, as all changes are version controlled, auditable, and reversible.

RPrasadi_1-1677622170484.png

Figure 2: General GitOps workflow_palo-alto-networks 

 

Git Workflow

 

A typical Git operation for submitting a pull request (PR) against an infrastructure as code repository follows the following steps:

 

  • Check out the repository
  • Create a new branch
  • Make changes to IaC code
  • Commit changes to your branch
  • Push changes to a remote branch
  • Submit a pull request
  • Code review. Your colleagues, manager and DevOps engineer will review and discuss the desired changes.
    • Merge or reject
  • Deploy to your environment upon approval 

 

In a GitOps workflow, all changes to the infrastructure are version-controlled and auditable, making it easier to track changes, collaborate, and ensure the infrastructure is always in a desired state. When there are issues, the infrastructure can be rolled-back to a known good state. 

 

Improving GitOps security

 

Adding a static scanning tool into your GitOps workflow can improve the quality of code produced by detecting issues early in the development process and automatically enforcing best practices and coding standards. Some benefits of using a static scanning tool include:

 

  • Automated code analysis
    A static scanning tool can automatically analyze IaC code for security vulnerabilities, syntax errors, and other issues, reducing the risk of human error and speeding up the development process.
  • Best practices enforcement
    The tool can enforce best practices and coding standards, ensuring that all code is written in a consistent and high-quality manner.
  • Early issue detection
    Issues can be detected early in the development process, reducing the risk of problems later in the pipeline and speeding up the resolution of problems.
  • Improved collaboration
    By automatically enforcing best practices and coding standards, the tool can improve collaboration between team members and increase the quality of code produced.
  • Increased security
    By detecting security vulnerabilities early in the development process, the tool can reduce the risk of security breaches and ensure the IaC is secure.

 

Prisma Cloud Code Security (CCS) can detect and prevent cybersecurity risks in infrastructure code before it is deployed. By adding the command line tool checkov to their workflow, developers can inspect their infrastructure code even before it is submitted as a pull request. Furthermore, checkov can be integrated with the CI/CD pipeline and perform analysis on infrastructure code  and terminate the pipeline if critical errors are detected before the code is handed to the orchestrator of choice.

 

Figure3.png


Figure 3: GitOps workflow protected with CCS_palo-alto-networks



There are 3 ways to incorporate infrastructure code scanning in your workflow as a developer:

  • VCS only
    Utilize your version control system integration with CCS. You will get periodic repo scans, PR comments and fixes (where available) and drift detection.
    Integrating your VCS with CCS.

 

  • VCS plus local
    Use your VCS integration and checkov to scan your code before you push your changes. You can elect to manually scan your code, or you can integrate checkov with your integrated development environment (IDE). You will get the same benefits as just the VCS integration, plus earlier scan results, reducing remediation time and empowering your developers. 

 

  • VCS, local scanning, CI/CD pipeline
    All of the above benefits are included, plus additional scanning flexibility and the ability to block your pipeline if critical errors are detected. Here is how you can integrate Jenkins with CCS. You can also see other integrations supported by  Prisma Coud CCS. 

 

Let’s review the setting up the developer’s environment, as this is usually the first step new users take to get themselves familiarized with CCS.

  • Make sure you have your infrastructure code repository enrolled in CCS.
  • Make sure you have created your Access Key ID and know your secret key and API URL (it will be in the form of https://apiX.prismacloud.io where X is the number of your tenant, see here for a list.) Please follow security best practices and set an expiration date for the Access Key and rotate following your organization’s best practices.  
  • Select one of the following options:
    1. Manual scans
      You can manually scan you infrastructure code repository from the command line:
      Add the following to your ${HOME}/.bash_profile (linux) or ${HOME}/.zshrc (mac)

export PRISMA_ACCESS_KEY_ID=<your-value-here>

export PRISMA_SECRET_KEY=<your-value-here>

export PRISMA_API_URL=https://api<your-value-here>.prismacloud.io

export BC_API_KEY=${PRISMA_ACCESS_KEY_ID}::${PRISMA_SECRET_KEY}

Now you are ready to install checkov.

pip3 install -U –user checkov

 

As long as you have sourced you bash or zsh profile file, you can change into the directory with your infrastructure code and run your first manual scan:

 

cd <your-value-here>

checkov -d .

Prisma Cloud documentation documenting this process.

 

  1. IDE integration
    Connect you IDE with Prisma Cloud Code Security. You can perform a scan from within the IDE, plus you will be notified of potential errors as you write your infrastructure code in real time.

 

Once you have checkov integrated with your workflow and have performed some scans, you should be able to see results in the CCS console:

 

Figure4.png

Figure 4: Scan results in CCS console_palo-alto-networks 

 

Your VCS will have PR comments plus the ability to automatically submit code fix PRs for some of the violations:

 

 

Figure5-combined.png


Figure 5: PR comments and fixes in your VCS_palo-alto-networks

 

Conclusion

 

Along with the benefits of code scanning / compliance, CCS also offers:

  • Automatic remediation
    Ability to automatically fix common errors.
  • Drift detection
    Continuously verifying that your infrastructure is in a state described in your code. Any manual changes to running assets will be flagged and alerted on.
  • Software composition analysis
    Ability to inspect all underlying packages of your application and find vulnerable versions and incompatible licenses.
  • Secrets scanning
    Ability to identify potential leak of credentials if they are contained within the code that is about to be pushed to a VCS instance.

 

Prisma Cloud Code Security offers various comprehensive benefits to support the development lifecycle of your organization’s infrastructure as outlined above.

 

About the Author:

 

Julian Neytchev is a Sr Cloud Security Engineer on the Prisma Cloud SWAT team, specializing in Cloud Application Security. Julian uses collaborative approaches to break down complex problems into solutions for global enterprise customers and leverage his vast industry knowledge to inspire success. 

Rate this article:
(1)
  • 2839 Views
  • 0 comments
  • 4 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎10-19-2023 10:36 AM
Updated by: