In today’s fast-paced software development landscape, security must be integrated at every stage of the SDLC to proactively identify misconfigurations, vulnerabilities, secrets, and other risks, minimizing potential threats early in the process. This article demonstrates how Prisma Cloud integrates into the entire SDLC: from early development in the IDE (Visual Studio Code), through version control (GitHub) and PR scanning, to CI/CD pipelines (GitHub Actions) and securing code post-commit. By adopting a shift-left approach, Prisma Cloud empowers developers to catch security risks early, ensuring robust, secure code without slowing down development.
Early Security Awareness: IDE Integration with Prisma Cloud in VS Code.
Securing Version Control: PR/MR Scanning in GitHub.
Continuous Security Validation: CI/CD Integration with GitHub Actions.
Securing Code Post-Commit: Automated Fixes and Ongoing Monitoring with Prisma Cloud in the SDLC.
With Prisma Cloud’s seamless integration into core development tools, security is embedded directly into your workflow—catching misconfigurations, vulnerabilities, secrets, and other risks early, all while maintaining fast, agile development practices.
The journey to secure code begins with IDE (VS Code), where developers write and test their code. At this stage, Prisma Cloud integrates directly into VS Code to provide real-time security scanning and analysis.
Key Actions:
Static Code Analysis: Prisma Cloud scans the code for vulnerabilities, misconfigurations, and security risks directly within the VS Code IDE.
Real-Time Alerts: As developers write code, they receive immediate feedback on potential vulnerabilities, enabling quick remediation.
Seamless IDE Integration: Prisma Cloud integrates with VS Code, maintaining an uninterrupted development experience while ensuring that security is embedded from the very first line of code.
By identifying and addressing security issues early, developers can ensure the codebase is secure before committing changes.
Demonstration Workflow:
Resource: aws_instance.fic-01-org-
Misconfiguration Detected: IMDSv1 enabled instead of IMDSv2 (Instance Metadata Service Version 2).
Action: Prisma Cloud detects this misconfiguration within VS Code and provides suggestions to fix it by setting http_endpoint = "required". This prevents the misconfiguration from being committed.
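As an added example (not code from the article or from Prisma Cloud), the following Python models the check behind this finding: a constructed insecure aws_instance beside its fixed form, and a minimal policy function that flags any instance whose metadata_options does not enforce IMDSv2. In the Terraform AWS provider the enforcing argument is http_tokens = "required" inside the metadata_options block; http_endpoint only enables or disables the metadata endpoint.

```python
import re

# Constructed sample (not from the article): no metadata_options block, so
# the instance keeps the AWS default of IMDSv1 reachable without a token.
INSECURE_TF = '''
resource "aws_instance" "example" {
  ami           = "ami-0123456789abcdef0"
  instance_type = "t3.micro"
}
'''

# Same resource with IMDSv2 enforced: http_tokens = "required" makes every
# metadata request carry a session token (http_endpoint only toggles the endpoint).
FIXED_TF = '''
resource "aws_instance" "example" {
  ami           = "ami-0123456789abcdef0"
  instance_type = "t3.micro"
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}
'''

RESOURCE_RE = re.compile(r'resource\s+"aws_instance"\s+"([^"]+)"\s*\{')

def _block_body(text, open_brace):
    """Return the text between the brace at open_brace and its matching close."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in Terraform source")

def imdsv1_enabled_instances(tf_text):
    """Names of aws_instance resources that still answer IMDSv1 requests. Passing
    needs http_tokens = "required" or http_endpoint = "disabled"; no block = insecure default."""
    findings = []
    for match in RESOURCE_RE.finditer(tf_text):
        body = _block_body(tf_text, match.end() - 1)
        opts_match = re.search(r"metadata_options\s*\{", body)
        opts = _block_body(body, opts_match.end() - 1) if opts_match else ""
        if not re.search(r'http_tokens\s*=\s*"required"|http_endpoint\s*=\s*"disabled"', opts):
            findings.append(match.group(1))
    return findings
```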
Install Prisma Cloud Extension:
Open VS Code and go to the Extensions view (Ctrl+Shift+X on Windows, Cmd+Shift+X on Mac).
Search for Prisma Cloud and click Install.
Figure 1: Prisma Cloud extension
Authenticating with Prisma Cloud:
Navigate to the Prisma Cloud tab in VS Code.
Enter your Access Key, Secret Key, and Prisma URL.
Optional Settings:
Add a CA-Certificate file if needed.
Figure 2: Configure plugin settings
Enforcement Rules:
Allows control over the severity of findings that developers should focus on, based on the code category.
Enable Enforcement Rules for soft-fail thresholds.
Figure 3: Soft-fail thresholds
Explore the UI:
Navigation: A tree structure displaying issues by security category (IaC misconfigurations, Secrets, Vulnerabilities (SCA), and Licenses). Each category expands to reveal folders containing specific issues detected during a scan.
Code editor: Allows you to review your codebase, and view a list of findings related to a resource (for IaC misconfigurations) or file, along with remediation options.
Problems Tool: Provides a detailed view of a selected issue, including the code difference (when available) and remediation options.
Figure 4: UI layout
Scans:
Run Full Project Scan.
Click the Run Full Scan button in the General Actions category to scan the entire project.
Figure 5: General actions
Real-Time Scanning
File-Specific Scan: Simply opening or saving a file triggers a scan for that particular file.
Status Bar: The status bar displays the message: "Prisma Cloud is scanning your files:/Users/rannaladasu/Documents/m
Figure 6: Status bar indicator
Findings Management:
IaC Misconfigurations
Misconfiguration Indicators: A red mark next to a line number highlights an issue within a resource.
Issue Details: Hover over the mark to view the detected issue and its severity. If multiple issues are found, scroll to see all of them.
Detailed View: Click "Console" to open the Problems Tool for a more detailed view of the misconfiguration.
Fixes: Applying the fix modifies the configuration; the Problems Tool displays the code difference to be applied (Figure 8).
Figure 7: fic-01-org-broccoli
Figure 8: fic-01-org-broccoli fix
SCA Vulnerabilities:
Vulnerability Indicators: A red mark next to a line number highlights a vulnerability in the package on that line.
Vulnerability List: If multiple vulnerabilities are found, a list will appear, showing detailed information when hovering over the marker, including CVE details, severity, vulnerable package, and remediation options.
Detailed View: Click "Console" to open the Problems Tool for a more detailed view of the issue.
Remediation: Fix the detected CVE by upgrading the package to a patched version (Figure 10).
Figure 9: Vulnerabilities
Figure 10: Vulnerabilities fix
Secrets:
Secret Detection: A red mark next to a line number indicates a secret has been detected in the file.
Severity Information: The severity of the detected secret is displayed alongside the mark.
Detailed View: Click "Console" to open the Problems Tool for a more detailed view of the issue.
Remediation Options: Follow the policy guidelines.
Figure 11: Secrets
Once code changes are committed to GitHub (with the repository named secure-shift-left), it enters the Pull Request (PR) or Merge Request (MR) phase. At this point, Prisma Cloud automatically scans the PR/MR submissions to detect vulnerabilities before merging the code into the main branch.
Key Actions:
Comprehensive Code Review: Prisma Cloud scans the changes in pull requests and merge requests, checking for security issues that might have been missed earlier.
Security Gatekeeping: Just like a quality assurance checkpoint, Prisma Cloud prevents insecure or flawed code from being merged into the main codebase, using Enforcement Rules.
Enforcing Secure Development Practices: Prisma Cloud helps reinforce a security-first mindset across the development team by ensuring that security checks are automated during the PR/MR process.
This step ensures that only secure code progresses into the shared codebase, minimizing risks in the project.
Demonstration Workflow:
Resource: aws_instance.fic-02-org-
Misconfiguration Detected: The same IMDSv1 enabled instead of IMDSv2 (Instance Metadata Service Version 2) misconfiguration, not fixed in the IDE.
Action: Prisma Cloud detects this misconfiguration during the PR scan in GitHub and blocks the merge to the main branch. The developer is prompted to fix the misconfiguration before merging the code.
Configure Branch Protection Rules:
Set up branch protection rules in GitHub that require the scan status check to pass, so a failed scan blocks the merge.
Figure 12: Prisma Cloud DevSecOps
Set Severity Threshold - Enforcement Rules
To set the desired severity level (e.g., Critical, High), drag the Comments Bot threshold rule.
The "hard-fail level" defines the threshold for failing a pull request (PR) scan conducted by Prisma Cloud.
Figure 13: Enforcement rules
Trigger PR Scan:
When a pull request (PR) is created or updated, Prisma Cloud scans it automatically.
Figure 14: Prisma Cloud analysis
View PR Scan Results:
Errors found by the scan will be displayed as PR comments within the pull request.
Figure 15: PR comment
Expand the PR comment to view details and remediation steps.
Figure 16: How to fix
If any findings or issues meet or exceed the defined threshold, the PR scan will fail. With branch protection rules enabled, the Prisma Cloud DevSecOps status check will fail, preventing the merge into the default branch. This serves as the first line of defense in a Shift-Left strategy, ensuring that security issues are identified and addressed before code is merged.
Figure 17: First line of defense
View Results in Prisma Cloud Console:
In the Prisma Cloud Console, go to the Projects > VCS Pull Requests tab to see a detailed view of the PR scan results.
Filters: Use filters to refine scan results based on specific criteria.
Findings: Findings are organized by resource. For each resource, the list of failed policies is displayed, providing a clear overview of any issues.
Resource Explorer: The Resource Explorer helps identify if a violation is linked as a dependency to other resources within the repository, aiding in comprehensive analysis and resolution.
Figure 18: PR scan results
In the CI/CD pipeline powered by GitHub Actions, Prisma Cloud performs security scans at each stage of the automated build and deployment process. These scans help ensure that only secure code is deployed to production, following the shift-left philosophy of proactive security.
Key Actions:
Automated Security Validation: Every new code build triggered in GitHub Actions is automatically scanned for vulnerabilities, ensuring only secure code is deployed.
Preventing Vulnerable Code from Reaching Production: Prisma Cloud integrates into the CI/CD pipeline to enforce security policies that prevent insecure code from being deployed to production.
Pipeline Hardening: GitHub Actions configurations are hardened with security best practices, helping ensure that the pipeline itself remains secure from potential vulnerabilities or attacks.
By incorporating Prisma Cloud into the GitHub Actions workflow, security is continuously enforced, and vulnerabilities are caught early, preventing the deployment of insecure code.
Demonstration Workflow:
Resource: aws_instance.fic-org-broccoli.
Misconfiguration Detected: The same IMDSv1 misconfiguration, not fixed in the PR.
Action: Prisma Cloud detects the issue during the CI/CD pipeline run. The deployment is blocked.
Connect GitHub Actions:
Figure 19: Job config
Enable Enforcement Rules:
Configure Enforcement settings to block pipelines and PR merges based on severity levels.
By applying Enforcement Rules, you ensure that your CI/CD pipeline is blocked if critical issues are detected, while still receiving notifications for lower-severity issues, keeping security proactive.
Figure 20: Hard-fail threshold
Figure 22: Pipeline block
View Results in Prisma Cloud Console:
In the Prisma Cloud Console, go to the Projects > CI/CD Runs tab to see a detailed view of the pipeline scan results.
Filters: Use filters to refine scan results based on specific criteria.
Findings: Findings are organized by resource. For each resource, the list of failed policies is displayed, providing a clear overview of any issues.
Resource Explorer: The Resource Explorer helps identify if a violation is linked as a dependency to other resources within the repository, aiding in comprehensive analysis and resolution.
Figure 23: Results link
Figure 24: CI/CD runs
Prisma Cloud automates security scans on the default branch of code repositories to detect vulnerabilities, misconfigurations, and compliance issues throughout the SDLC. With Auto Fix and automated Pull Request (PR) creation, Prisma Cloud streamlines the identification and resolution of security risks, reducing time and effort while ensuring code remains secure at every stage.
Demonstration Workflow:
Resources: aws_instance.fic-org-broccoli, aws_instance.fic-02-org-
Misconfiguration Detected: The same IMDSv1 enabled instead of IMDSv2 (Instance Metadata Service Version 2) misconfiguration, not fixed in the PR.
Action: Prisma Cloud opens a pull request to apply the required fixes (e.g., setting http_endpoint = "required") to the affected resources. This ensures that misconfigurations are remediated, even after code is already live.
Access Scan Results in Prisma Cloud Projects:
Suggested fix: Prisma Cloud will often provide an automated fix recommendation for common issues.
Figure 25: Default branch
Auto Fix with Prisma Cloud:
In the Resource Explorer, once you select the issue, the Auto Fix suggestion will be displayed if available.
Click Fix to add the issue to your Fix Cart.
Figure 26: Fix available
Figure 27: Fix cart
Submit the PR:
In the Fix Cart, review all the issues you want to fix.
Once you're ready, click Submit to generate the PR.
Figure 28: Fix PR submission
A confirmation message will appear, indicating that the PR has been successfully created.
Click the link in the success message to navigate to your GitHub console to view and merge the PR.
Figure 29: Fix PR successfully opened
Review and Merge the PR:
Once the PR is created, developers or security teams can review the changes, test them, and merge them into the main codebase.
Prisma Cloud ensures that the proposed fixes are aligned with security policies and best practices, helping to maintain a secure codebase.
Figure 30: Prisma Cloud fix config
Figure 31: Fix pending
When Prisma Cloud doesn't provide an auto-fix recommendation, you have two options for remediation:
Manual Fix: You can resolve the issue manually by reviewing the detailed information in the Resource Explorer.
Suppress: If the issue is non-critical or acceptable in your environment, you can suppress it.
Figure 32: Manual fix
By integrating Prisma Cloud into the SDLC, developers can proactively detect and address security risks early in the development process, without slowing down the pace of software delivery. The demonstration showed how Prisma Cloud works across multiple stages of the SDLC, from IDE integration in VS Code, through version control (PR/MR) and CI/CD pipelines, to post-commit default branch scanning and automated fixes.
Early Detection: Prisma Cloud's IDE integration ensures that misconfigurations—such as insecure AWS EC2 settings—along with vulnerabilities, secrets, and other risks, are detected and addressed early in the development process.
Pre-commit Security Checks: GitHub PR/MR scanning ensures that insecure code doesn't make it into the main branch, preventing security issues from reaching production.
CI/CD Pipeline Integration: Continuous security validation in CI/CD pipelines ensures that security checks are part of the deployment process.
Post-commit Monitoring and Automated Fixes: Prisma Cloud offers automated fixes through pull requests, ensuring that misconfigurations/
In conclusion, leveraging Prisma Cloud's integration into the SDLC enables organizations to maintain high security standards while ensuring the agility required for fast-paced development environments. With Prisma Cloud, security becomes an integral part of the development process, helping developers catch risks early and create secure code without disrupting their workflow.
Raj Annaladasu is a senior cloud security engineer specializing in Prisma Cloud, Next-Generation Firewalls, AWS, Azure, GCP, containers, and Kubernetes. Raj utilizes a collaborative and consultative approach to break down complex cybersecurity problems into solutions for global enterprise customers, leveraging his multi-industry knowledge to inspire success.