Use CircleCI version 2.1 at the top of your .circleci/config.yml file.

```yaml
version: 2.1
```
Add the orbs stanza below your version, invoking the orb:

```yaml
orbs:
  devops_security: prisma_cloud/devops_security@3.0.4
```
Use devops_security elements in your existing workflows and jobs.
Opt in to the use of uncertified orbs on your organization's Security settings page; this orb is published by a third party, not certified by CircleCI. Pin an exact version as shown above (not @volatile or a partial version such as @3), so that the code your pipeline runs with your Prisma Cloud credentials cannot change without a change to config.yml.
Trigger an IaC scan of all template files under the ./scan folder with Prisma Cloud shift-left security. Note how the two credentials are passed differently: prisma_cloud_access_key is a string, so $prisma_cloud_access_key is expanded from the job environment at run time, while prisma_cloud_secret_key has type env_var_name and takes the name of the variable that holds the secret (here prisma_cloud_secret_key). Neither value lives in config.yml; set both as CircleCI context or project environment variables.

```yaml
orbs:
  pcs: prisma_cloud/devops_security@3.0.0
version: 2.1
workflows:
  scan:
    jobs:
      - pcs/scan_iac:
          prisma_cloud_access_key: $prisma_cloud_access_key
          prisma_cloud_api_url: $prisma_cloud_api_url
          prisma_cloud_asset_name: $CIRCLE_PROJECT_REPONAME
          prisma_cloud_failure_criteria: High:1, Medium:1, Low:1, Operator:OR
          prisma_cloud_repo_dir: ./scan
          prisma_cloud_secret_key: prisma_cloud_secret_key
          prisma_cloud_tags: env:development, team:DevOps
```
Pull the nginx image on the compute executor (a Linux machine with Docker host access), then scan it with Prisma Cloud Compute through the scan_image command. The image must already be present in the local Docker daemon, which is why the job pulls it first. Only the password is passed by environment variable name (type env_var_name); the Console URL and username are plain strings expanded at run time.

```yaml
jobs:
  docker_safe_build:
    executor: pcs/compute
    steps:
      - checkout
      - run: docker pull nginx
      - pcs/scan_image:
          prisma_cloud_compute_password: prisma_cloud_compute_password
          prisma_cloud_compute_url: $prisma_cloud_compute_url
          prisma_cloud_compute_username: $prisma_cloud_compute_username
          prisma_cloud_scan_image: nginx
orbs:
  pcs: prisma_cloud/devops_security@3.0.0
version: 2.1
workflows:
  scan:
    jobs:
      - docker_safe_build
```
Job scan_iac: pack the IaC templates repo, then send it to Prisma Cloud for evaluation. Parameters:
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
access_key | (deprecated) use prisma_cloud_access_key | No | $prisma_cloud_access_key | string |
failure_criteria_low_severity | (deprecated) use prisma_cloud_failure_criteria | No | 1 | integer |
failure_criteria_medium_severity | (deprecated) use prisma_cloud_failure_criteria | No | 1 | integer |
failure_criteria_operator | (deprecated) use prisma_cloud_failure_criteria | No | OR | string |
faiure_criteria_high_severity | (deprecated; the misspelling is the parameter name as published) use prisma_cloud_failure_criteria | No | 1 | integer |
prisma_cloud_access_key | Prisma Cloud access key. Pass it as $VAR so the value is expanded from the job environment at run time rather than written into config.yml. | No | '' | string |
prisma_cloud_api_url | Prisma Cloud server URL | No | $prisma_cloud_api_url | string |
prisma_cloud_asset_name | IaC templates asset name; falls back to $ASSET_NAME, then $CIRCLE_PROJECT_REPONAME | No | '' | string |
prisma_cloud_failure_criteria | Failure criteria in the form High:N,Medium:N,Low:N,Operator:OR (or AND). When empty, the orb builds this string from the four deprecated per-severity parameters, giving High:1,Medium:1,Low:1,Operator:OR by default. | No | '' | string |
prisma_cloud_repo_dir | Directory path where the IaC templates are stored | No | '' | string |
prisma_cloud_secret_key | Name of the environment variable holding the Prisma Cloud secret key. The default na is a placeholder: when that variable is empty the orb falls back to the deprecated secret_key parameter, i.e. the variable prisma_cloud_secret_key. | No | na | env_var_name |
prisma_cloud_tags | Tags for the repo, e.g. env:development, team:DevOps | No | '' | string |
reports | Scan report formats | No | junit | string |
secret_key | (deprecated) use prisma_cloud_secret_key | No | prisma_cloud_secret_key | env_var_name |
tags | (deprecated) use prisma_cloud_tags | No | '' | string |
templates_directory_path | (deprecated) use prisma_cloud_repo_dir | No | . | string |
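The failure-criteria string is the gate that turns scan findings into a red or green build, and the orb's Process parameters step derives it from the deprecated per-severity parameters whenever prisma_cloud_failure_criteria is left empty. The shell example below is added here and is not part of the orb or of Prisma Cloud. effective_criteria reproduces the orb's fallback; evaluate_criteria applies a criteria string to constructed finding counts under an assumed interpretation (a severity trips when its count reaches the configured number, which must be at least 1; Operator:OR fails on any tripped severity, Operator:AND only when every listed severity trips). The real decision is made by Prisma Cloud, not by this script, so treat the semantics as illustrative.

```shell
#!/usr/bin/env bash
# Added example, not part of the prisma_cloud/devops_security orb.
# 1) effective_criteria mirrors the orb's "Process parameters" step: an explicit
#    prisma_cloud_failure_criteria wins; otherwise the deprecated per-severity
#    parameters are joined into the same "High:N,Medium:N,Low:N,Operator:OP" string.
# 2) evaluate_criteria applies such a string to finding counts. The semantics are an
#    assumption, not taken from the orb: a severity trips when its count is at least
#    the configured number (N >= 1); OR fails the build when any listed severity trips,
#    AND only when all listed severities trip.

effective_criteria() {
  # $1 explicit criteria (may be empty); $2..$5 deprecated high/medium/low/operator values
  local explicit="$1" high="${2:-1}" medium="${3:-1}" low="${4:-1}" op="${5:-OR}"
  printf '%s\n' "${explicit:-High:${high},Medium:${medium},Low:${low},Operator:${op}}"
}

is_positive_int() { case "$1" in ''|*[!0-9]*|0*) return 1 ;; esac; }
is_count()        { case "$1" in ''|*[!0-9]*)    return 1 ;; esac; }

# evaluate_criteria CRITERIA N_HIGH N_MEDIUM N_LOW
# Prints PASS or FAIL. Returns 0 = pass, 1 = fail, 2 = malformed input.
evaluate_criteria() {
  local criteria="$1" n_high="$2" n_medium="$3" n_low="$4"
  local t_high="" t_medium="" t_low="" op="OR" item key val
  local met=0 listed=0 pair threshold count

  is_count "$n_high" && is_count "$n_medium" && is_count "$n_low" || {
    echo "counts must be non-negative integers" >&2; return 2; }

  # Split on commas; the blanks in the orb's own example ("High:1, Medium:1, ...")
  # are absorbed because comma plus adjacent blanks form a single IFS delimiter.
  local IFS=', '
  for item in $criteria; do
    key="${item%%:*}"
    val="${item#*:}"
    case "$key" in
      High)     is_positive_int "$val" || return 2; t_high="$val" ;;
      Medium)   is_positive_int "$val" || return 2; t_medium="$val" ;;
      Low)      is_positive_int "$val" || return 2; t_low="$val" ;;
      Operator) op="$val" ;;
      *)        echo "unknown criteria key: $key" >&2; return 2 ;;
    esac
  done

  # A severity absent from the criteria string takes no part in the decision.
  for pair in "$t_high:$n_high" "$t_medium:$n_medium" "$t_low:$n_low"; do
    threshold="${pair%%:*}"; count="${pair#*:}"
    [ -n "$threshold" ] || continue
    listed=$((listed + 1))
    [ "$count" -ge "$threshold" ] && met=$((met + 1))
  done

  case "$op" in
    OR)  [ "$met" -gt 0 ] && { echo FAIL; return 1; } ;;
    AND) [ "$listed" -gt 0 ] && [ "$met" -eq "$listed" ] && { echo FAIL; return 1; } ;;
    *)   echo "unsupported operator: $op" >&2; return 2 ;;
  esac
  echo PASS
}

# Stand-alone demo with constructed counts: 3 high, 0 medium, 2 low findings,
# evaluated against the orb's default criteria (no explicit string given).
demo=$(effective_criteria "" 1 1 1 OR)
echo "criteria: $demo"
evaluate_criteria "$demo" 3 0 2 || echo "exit code $? would stop the pipeline"
```

Under the assumed semantics the orb's default, High:1,Medium:1,Low:1,Operator:OR, fails the build on a single finding of any severity; a team that wants to block only on high-severity findings would pass something like High:1, Operator:OR and let the rest surface in the junit report.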
Command scan_image: download twistcli from the Prisma Cloud Compute Console, scan a local container image with it, and publish the result as a junit report. Parameters:
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
image | (deprecated) use prisma_cloud_scan_image | No | '' | string |
prisma_cloud_compute_pass | (deprecated) use prisma_cloud_compute_password | No | prisma_cloud_compute_pass | env_var_name |
prisma_cloud_compute_password | Name of the environment variable holding the Prisma Cloud Compute user's password | No | prisma_cloud_compute_password | env_var_name |
prisma_cloud_compute_project | The Prisma Cloud Compute project name | No | '' | string |
prisma_cloud_compute_url | The base URL of the Prisma Cloud Compute Console | No | $prisma_cloud_compute_url | string |
prisma_cloud_compute_user | (deprecated) use prisma_cloud_compute_username | No | $prisma_cloud_compute_user | string |
prisma_cloud_compute_username | The Prisma Cloud Compute user with the CI User role | No | $prisma_cloud_compute_username | string |
prisma_cloud_scan_image | The name of the image to scan -- myimage or myorg/myimage or myorg/myimage:latest. Required in practice: the command exits 1 when neither this nor the deprecated image parameter is set. | No | '' | string |
reports | Scan report formats | No | junit | string |
Executor compute: a Linux machine executor (machine: true) with access to the Docker host. scan_image needs it, because twistcli scans images from the local Docker daemon and the junit report is produced by a docker run of redlock/pcs-sl-scanner. The orb also defines a default executor that runs the redlock/pcs-sl-scanner Docker image; the scan_iac job uses that one.
Orb source:

```yaml
# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
commands:
  scan_image:
    description: |
      Download twistcli from the Prisma Cloud Compute Console and scan a container image
    parameters:
      image:
        default: ""
        description: (deprecated) use prisma_cloud_scan_image
        type: string
      prisma_cloud_compute_pass:
        default: prisma_cloud_compute_pass
        description: (deprecated) use prisma_cloud_compute_password
        type: env_var_name
      prisma_cloud_compute_password:
        default: prisma_cloud_compute_password
        description: The Prisma Cloud Compute user's password
        type: env_var_name
      prisma_cloud_compute_project:
        default: ""
        description: The Prisma Cloud Compute project name
        type: string
      prisma_cloud_compute_url:
        default: $prisma_cloud_compute_url
        description: The base URL for the Prisma Cloud compute
        type: string
      prisma_cloud_compute_user:
        default: $prisma_cloud_compute_user
        description: (deprecated) use prisma_cloud_compute_username
        type: string
      prisma_cloud_compute_username:
        default: $prisma_cloud_compute_username
        description: The Prisma Cloud Compute user with the CI User role
        type: string
      prisma_cloud_scan_image:
        default: ""
        description: The name of the image to scan -- myimage or myorg/myimage or myorg/myimage:latest
        type: string
      reports:
        default: junit
        description: Scan report formats
        type: string
    steps:
      - run:
          # New-style parameters win; deprecated ones are only fallbacks.
          # Resolved values are exported through $BASH_ENV so later steps see them.
          command: |
            param=<<parameters.prisma_cloud_scan_image>>
            param=${param:-<<parameters.image>>}
            if [ -z "$param" ]; then
              echo "Missing required argument: prisma_cloud_scan_image"
              exit 1
            fi
            echo "export prisma_cloud_scan_image=${param}" >> $BASH_ENV
            param=<<parameters.prisma_cloud_compute_username>>
            echo "export prisma_cloud_compute_username=${param:-<<parameters.prisma_cloud_compute_user>>}" >> $BASH_ENV
            # Password parameters are env_var_name typed: only the variable *name* is
            # substituted into this script; the value is read from the environment.
            param=${<<parameters.prisma_cloud_compute_password>>}
            echo "export prisma_cloud_compute_password='${param:-${<<parameters.prisma_cloud_compute_pass>>}}'" >> $BASH_ENV
          name: Process parameters
      - run:
          command: |
            if [ ! -f /tmp/twistcli ]; then
              echo "Download twistcli binary file ..."
              # NOTE: -k disables TLS certificate verification of the Console, and the
              # downloaded binary then runs with the CI user's credentials. Prefer a
              # trusted CA (or curl --cacert) over -k wherever the Console certificate allows it.
              curl -k -u ${prisma_cloud_compute_username}:${prisma_cloud_compute_password} --output /tmp/twistcli <<parameters.prisma_cloud_compute_url>>/api/v1/util/twistcli
              chmod +x /tmp/twistcli
            fi
            if [ ! -z "<<parameters.prisma_cloud_compute_project>>" ]; then
              twistproj=(--project="<<parameters.prisma_cloud_compute_project>>")
            fi
            /tmp/twistcli --version
            # Do not abort on a failed scan: produce the report first, then exit with the scan's code.
            set +e
            /tmp/twistcli images scan "${twistproj[@]}" --details --address <<parameters.prisma_cloud_compute_url>> \
              --user=${prisma_cloud_compute_username} \
              --password=${prisma_cloud_compute_password} \
              --output-file twistcli.json ${prisma_cloud_scan_image}
            rc=$?
            if [ -f twistcli.json ]; then
              mkdir -p report/image_scan
              if echo "<<parameters.reports>>" | grep junit > /dev/null; then
                touch report/image_scan/results.xml
                docker run --rm \
                  -v $PWD/twistcli.json:/tmp/twistcli.json \
                  -v $PWD/report/image_scan/results.xml:/tmp/results.xml \
                  redlock/pcs-sl-scanner pcs_compute_junit_report
              fi
            fi
            exit $rc
          name: twistcli image scan
      - store_artifacts:
          path: report
      - store_test_results:
          path: report
description: |
  This orb is a wrapper for Prisma Cloud IaC Scan and Prisma Cloud Compute Scanning tools from Palo Alto Networks. Prisma Cloud IaC Scan identifies insecure configurations in common Infrastructure-as-Code (IaC) templates - for example, AWS CloudFormation templates, HashiCorp Terraform templates, Kubernetes app deployment YAML files. Prisma Cloud Compute twistcli scan can be used to identify vulnerabilities in container images. More details about the functionality can be found here: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-devops-security.html
display:
  home_url: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-devops-security.html
  source_url: https://github.com/PaloAltoNetworks/prisma-cloud-circleci-orb
examples:
  scan_iac:
    description: |
      Trigger an IaC scan of all template files under the ./scan folder with Prisma Cloud shift-left security
    usage:
      orbs:
        pcs: prisma_cloud/devops_security@3.0.0
      version: 2.1
      workflows:
        scan:
          jobs:
            - pcs/scan_iac:
                prisma_cloud_access_key: $prisma_cloud_access_key
                prisma_cloud_api_url: $prisma_cloud_api_url
                prisma_cloud_asset_name: $CIRCLE_PROJECT_REPONAME
                prisma_cloud_failure_criteria: High:1, Medium:1, Low:1, Operator:OR
                prisma_cloud_repo_dir: ./scan
                prisma_cloud_secret_key: prisma_cloud_secret_key
                prisma_cloud_tags: env:development, team:DevOps
  scan_image:
    description: |
      Pull the nginx image on the compute executor and scan it with Prisma Cloud Compute (twistcli)
    usage:
      jobs:
        docker_safe_build:
          executor: pcs/compute
          steps:
            - checkout
            - run: docker pull nginx
            - pcs/scan_image:
                prisma_cloud_compute_password: prisma_cloud_compute_password
                prisma_cloud_compute_url: $prisma_cloud_compute_url
                prisma_cloud_compute_username: $prisma_cloud_compute_username
                prisma_cloud_scan_image: nginx
      orbs:
        pcs: prisma_cloud/devops_security@3.0.0
      version: 2.1
      workflows:
        scan:
          jobs:
            - docker_safe_build
executors:
  compute:
    description: |
      This is a compute executor using a Linux machine which has Docker host access
    machine: true
  default:
    description: |
      This is the default executor using Docker and Node.
    docker:
      - image: redlock/pcs-sl-scanner
jobs:
  scan_iac:
    description: |
      Pack the IaC templates repo, then send it to Prisma Cloud for evaluation
    executor: default
    parameters:
      access_key:
        default: $prisma_cloud_access_key
        description: (deprecated) use prisma_cloud_access_key
        type: string
      failure_criteria_low_severity:
        default: 1
        description: (deprecated) use prisma_cloud_failure_criteria
        type: integer
      failure_criteria_medium_severity:
        default: 1
        description: (deprecated) use prisma_cloud_failure_criteria
        type: integer
      failure_criteria_operator:
        default: OR
        description: (deprecated) use prisma_cloud_failure_criteria
        type: string
      # The misspelling below is the parameter name as published; it is kept for compatibility.
      faiure_criteria_high_severity:
        default: 1
        description: (deprecated) use prisma_cloud_failure_criteria
        type: integer
      prisma_cloud_access_key:
        default: ""
        description: Prisma Cloud Access Key
        type: string
      prisma_cloud_api_url:
        default: $prisma_cloud_api_url
        description: Prisma Cloud Server Url
        type: string
      prisma_cloud_asset_name:
        default: ""
        description: IaC templates asset name
        type: string
      prisma_cloud_failure_criteria:
        default: ""
        description: Failure criteria as High:N,Medium:N,Low:N,Operator:OR (or AND); when empty, built from the deprecated per-severity parameters
        type: string
      prisma_cloud_repo_dir:
        default: ""
        description: Directory path where IaC templates are stored.
        type: string
      prisma_cloud_secret_key:
        default: na
        description: Prisma Cloud Secret Key
        type: env_var_name
      prisma_cloud_tags:
        default: ""
        description: Provide the Tags for the repo.
        type: string
      reports:
        default: junit
        description: Scan report formats
        type: string
      secret_key:
        default: prisma_cloud_secret_key
        description: (deprecated) use prisma_cloud_secret_key
        type: env_var_name
      tags:
        default: ""
        description: (deprecated) use prisma_cloud_tags
        type: string
      templates_directory_path:
        default: .
        description: (deprecated) use prisma_cloud_repo_dir
        type: string
    steps:
      - checkout
      - run:
          # Same pattern as scan_image: new-style parameters first, deprecated ones as
          # fallbacks, secret read by variable name, everything exported via $BASH_ENV.
          command: |
            echo "export prisma_cloud_api_url=<<parameters.prisma_cloud_api_url>>" >> $BASH_ENV
            param=<<parameters.prisma_cloud_access_key>>
            echo "export prisma_cloud_access_key=${param:-<<parameters.access_key>>}" >> $BASH_ENV
            param=${<<parameters.prisma_cloud_secret_key>>}
            echo "export prisma_cloud_secret_key=${param:-${<<parameters.secret_key>>}}" >> $BASH_ENV
            param=<<parameters.prisma_cloud_asset_name>>
            echo "export prisma_cloud_asset_name=${param:-${ASSET_NAME:-${CIRCLE_PROJECT_REPONAME}}}" >> $BASH_ENV
            param=<<parameters.prisma_cloud_repo_dir>>
            echo "export prisma_cloud_repo_dir=${param:-<<parameters.templates_directory_path>>}" >> $BASH_ENV
            # An explicit criteria string wins; otherwise the deprecated per-severity
            # parameters are assembled into the same High:N,Medium:N,Low:N,Operator:OP form.
            param='<<parameters.prisma_cloud_failure_criteria>>'
            echo "export prisma_cloud_failure_criteria='${param:-High:<<parameters.faiure_criteria_high_severity>>,Medium:<<parameters.failure_criteria_medium_severity>>,Low:<<parameters.failure_criteria_low_severity>>,Operator:<<parameters.failure_criteria_operator>>}'" >> $BASH_ENV
            param='<<parameters.prisma_cloud_tags>>'
            echo "export prisma_cloud_tags='${param:-<<parameters.tags>>}'" >> $BASH_ENV
          name: Process parameters
      - run: pcs_iac_repo_scan --output "<<parameters.reports>>"
      - store_artifacts:
          path: report
      - store_test_results:
          path: report
version: 2.1
```