Visibility in the Code & Build Lifecycle

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
L4 Transporter

By Carlos Martins Jr., Customer Success Engineer

 

With the introduction of CBDR (Code, Build, Deploy, Run) Implementation Plans on LiveCommunity, Palo Alto Networks is enhancing how we look at Prisma Cloud in our customers' environments. Prisma Cloud touches every part of your app and infrastructure lifecycle, so knowing what the product does and when is essential. For example, shift-left security helps detect issues and misconfigurations earlier in the app dev lifecycle. In addition, visibility enables you to avoid technical debt and other problems in the product lifecycle. 

 

RPrasadi_0-1715880270077.png

Fig 1: Introduction of CBDR_palo-alto-networks 

 

As a part of this shift in perspective with CBDR, we are soon introducing new customer success sessions to help our premium customers find as much value as possible with Prisma Cloud. One of the premium sessions, “Visibility in the Code & Build Lifecycle,” discusses Prisma Cloud's features to assist you in your product lifecycle's code and build phases. Let’s look at some topics covered in this session.

 

VCS/CI/IDE/CLI Scans with Code Security

 

Prisma Cloud offers the new Code Security framework, which scans your IaC files, container images, and more. There are several ways to use the Code Security scanning features, such as scanning your VCS directly, using CI integration for scans and IDE or CLI-based scans for developers. 

 

These three integration methods will cover the most critical areas of concern in a software development lifecycle:

 

IDE and CLI integrations are ideal for a shift-left approach to security, bringing the knowledge of security professionals directly to the development process and significantly reducing avoidable mistakes. 

 

CI integration will ensure that any code passing through a CI/CD pipeline undergoes another round of scans. The scan ensures nothing is missing or changed when the developer makes their first pass with the IDE or CLI tool. The CLI tool can also be leveraged in the CI process if necessary. 

 

You can scan the code at rest in a repository. In addition, code security scans regularly check the code base to ensure you can address any emerging threats or configuration mistakes after developers are reassigned to other projects or tasks. 

 

Code Security Projects

 

The Projects section of Code Security will be the landing page for anyone using the platform to remediate issues in IaC.

 

RPrasadi_1-1715880432895.png

Fig 2: Projects section of Code Security_palo-alto-networks 

 

Here are the scan results for the integrated repositories, CLI, and CI scans. This page serves as the main source of results, drift detection, and contextual information relating to resources covered by the scan. The results also include tags, configuration details, and a history of issues found with the resource. 

 

Projects also provide the ability to suppress and automatically fix select issues with the press of a button. This action sends all necessary information about the proposed changes directly to the integrated VCS, where the code base resides. 

 

Code Security IaC Tag and Trace + Drift Detection

 

Code Security offers the ability to automatically add tags to cloud infrastructure via your integrated code repositories and use drift detection to track and remediate any changes made to your cloud infrastructure. Using tags and drift detection can improve traceability and compliance in your cloud environments. Additionally, you can fix the drift via another IaC deployment to overwrite the drift or by merging the change into your VCS via the pull request feature in the UI. 

 

Tagging also offers the ability to create custom tags that can be applied to specific repositories and tracing tags that enable drift detection. They will display as merge requests in your VCS after a scan. This can save you a lot of time tagging and ensuring that every tag is in its proper place. 

 

Image Analysis Sandbox in CWP

 

Using the Image Analysis Sandbox feature in Prisma Cloud Compute, you can test container images to ensure they are safe and free from malicious images and suspicious findings. In addition, you can leverage the Image Analysis Sandbox to analyze your container images on demand or as part of your CI/CD process. 

 

RPrasadi_2-1715880643103.png

Fig 3: Image Analysis Sandbox feature_palo-alto-networks 

 

Every report will provide information about the container image. This can include the SHA-256 hash representing the image ID in Prisma Cloud, the OS the container runs on and any other scan results for this image. 

 

Conclusion

 

Because Prisma Cloud is designed with the software lifecycle in mind, your organization can benefit from combining all of these features with one solution. The ability to scan code packages and containers for license issues and vulnerabilities, IaC misconfigurations, exposed passwords and much more, keeps your data safe with the ease of a centralized command center. 


About the Author

RPrasadi_5-1678406152143.png

 

 

  • 1941 Views
  • 0 comments
  • 1 Likes
Register or Sign-in
Labels
Top Liked Authors