GitHub Actions: Container Image Scanning with Prisma Cloud
DevSecOps — Scanning for vulnerabilities on the fly
Thanking my leaders for getting my hands dirty on CSPM tools and securing the cloud accounts with Prisma Cloud.
Cdr Praveen Kumar (CISO) — https://www.linkedin.com/in/cdr-praveen-kumar-0532ba6/
Saurabh Arora — https://www.linkedin.com/in/saurabh-arora-a72b4922/
Contributors —
Khagendra Thapa — https://www.linkedin.com/in/khagendra-thapa-097a6270/
Kushank Sehgal — https://www.linkedin.com/in/kushank-sehgal-b4b3936b/
Introduction —
Cloud security posture management (CSPM) is a technology designed to detect and prevent the misconfigurations and threats that lead to sensitive data breaches and compliance violations. With strong CSPM, security teams can eliminate cloud blind spots, achieve compliance and proactively address risks.
Note: We have developed our own workflow file to send all the vulnerabilities and misconfigurations to the GitHub Security code scanning tab, because Palo Alto’s official document does not give a complete solution — https://www.paloaltonetworks.com/blog/prisma-cloud/github-action-container-image-scanning/
Prisma CI Image vulnerability policy setup:
Steps:
- Log in to Prisma Cloud and go to Compute > Defend > Vulnerabilities > Images > CI.
- Click on “Add Rule”, or use the Default Rule.
- Click on the three dots “…” under Actions and choose Edit to set the severity thresholds.
- For alerts, select the severity: “Low”, “Medium”, “High” or “Critical”.
- For pipeline failure, select the severity (“Low”, “Medium”, “High” or “Critical”) at which vulnerabilities should fail the build.
GitHub workflow file & Code scanning:
Now comes the main part. Palo Alto’s article provides a sample workflow file to scan an image and push the results to the GitHub Security code scanning tab, but with that file the pipeline fails with SARIF upload errors.
https://www.paloaltonetworks.com/blog/prisma-cloud/github-action-container-image-scanning/
Edit your workflow as below to send all the vulnerabilities to GitHub code scanning:
```yaml
# Scan the image with the Prisma Cloud (twistcli) action. Console credentials
# come from repository secrets, never from the workflow file itself.
- name: Prisma Cloud image scan - SOMENAME
  id: SOMEID
  if: needs.validate_branch.outputs.op_workflow_name == 'SOMENAME'
  uses: PaloAltoNetworks/prisma-cloud-scan@v1.4.0
  with:
    pcc_console_url: < ADD YOUR PCC CONSOLE URL >
    pcc_user: ${{ secrets.pcc_user }}
    pcc_pass: ${{ secrets.pcc_pass }}
    image_name: ${{ env.IMAGE_NAME_WITH_TAG }}

# Fetch the central repository that holds the shared parser script.
- name: Checkout central repository
  uses: actions/checkout@v3
  with:
    repository: Org/Repo # Replace with your central repository
    ref: master
    token: ${{ secrets.secret }}
    path: "policy"

# Parse the scan output into pcc_scan_results.sarif_parse.json.
- name: Run Central PowerShell script
  shell: pwsh
  run: |
    # Execute the PowerShell script
    ./policy/prisma_parser_files.ps1

# Replace the "<image name>:" prefix in the SARIF locations with "file:" so
# GitHub accepts the artifact URIs. Runs even when the scan step failed.
- name: convert sarif
  if: always()
  run: |
    sed -i 's/${{ env.IMAGE_NAME }}:/file:/g' ${{ github.workspace }}/pcc_scan_results.sarif_parse.json

# (Optional) for compatibility with GitHub's code scanning alerts
- name: Upload SARIF file
  if: ${{ always() }} # necessary if using failure thresholds in the image scan
  uses: github/codeql-action/upload-sarif@v2
  with:
    #sarif_file: ./prisma/pcc_scan_results.sarif.json
    sarif_file: ${{ github.workspace }}/pcc_scan_results.sarif_parse.json
```
After the pipeline has run, open the repository in GitHub and check the vulnerability report under Security > Code scanning.
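The “convert sarif” step above does its rewrite with a textual sed over the whole file. The following is an added example, not the article’s PowerShell parser or Prisma’s code: it performs the same rewrite (a leading “<image name>:” in each artifactLocation uri becomes “file:”) by walking the SARIF 2.1.0 structure, so message text that happens to mention the image is left alone, and it counts findings per SARIF level for a severity gate. The sample SARIF document and its CVE IDs are constructed for the example; the URI shape is an assumption.

```python
"""Rewrite SARIF artifact locations the way the workflow's sed step does.

Added example, not the article's PowerShell parser: it replaces a leading
"<image name>:" in each artifactLocation uri with "file:" by walking the
SARIF 2.1.0 structure, so only location URIs change, not message text.
"""
import copy
from collections import Counter


def rewrite_locations(sarif: dict, image_name: str) -> tuple:
    """Return (copy of sarif with image-prefixed URIs rewritten, number changed)."""
    out = copy.deepcopy(sarif)
    prefix = f"{image_name}:"
    changed = 0
    for run in out.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                art = loc.get("physicalLocation", {}).get("artifactLocation", {})
                uri = art.get("uri", "")
                if uri.startswith(prefix):
                    art["uri"] = "file:" + uri[len(prefix):]
                    changed += 1
    return out, changed


def severity_summary(sarif: dict) -> dict:
    """Count results per SARIF level, for a gate that mirrors the CI severity thresholds."""
    counts = Counter()
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            counts[result.get("level", "none")] += 1
    return dict(counts)


# Constructed sample shaped like a SARIF 2.1.0 report; it is NOT real Prisma Cloud output.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Prisma Cloud (constructed example)"}},
        "results": [
            {"ruleId": "CVE-0000-0001", "level": "error",
             "message": {"text": "critical finding in myorg/app:1.2.3 (constructed)"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "myorg/app:1.2.3"}}}]},
            {"ruleId": "CVE-0000-0002", "level": "warning",
             "message": {"text": "medium finding (constructed)"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "myorg/app:1.2.3"}}}]},
        ],
    }],
}

if __name__ == "__main__":
    fixed, n = rewrite_locations(SAMPLE_SARIF, "myorg/app")
    print(f"rewrote {n} location URI(s); findings by level: {severity_summary(fixed)}")
```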
CVE exception in Prisma Cloud:
- For an exception on any vulnerability, click on Advanced settings.
- Click on “Add exception” and fill in:
  - the CVE ID of the vulnerability;
  - Effect: keep the option “Ignore”;
  - Description;
  - Expiration: give an end date for the exception.
Note: This exception will be applied to all the repositories in GitHub.
- To provide an exception for a single GitHub repo, follow the steps below:
  - Click on Compute > Manage > Collections & Tags.
  - Click on Tags.
  - Click on Assign Tag.
    - Select the Tag as ignored.
  - Provide the CVE ID that needs to be kept in the exception.
  - Select the preferred package, or all packages, under Package scope.
  - Select Images as the Resource Type.
  - Provide the repo name with a wildcard and “:latest”.
  - Provide the description and save.
  - Go to Advanced settings.
  - Click on “Add exception”.
  - Select the Tag.
  - Provide the details as in the picture below and update.