prisma_cloud/devops_security@3.0.4
This orb is a wrapper for the Prisma Cloud IaC Scan and Prisma Cloud Compute scanning tools from Palo Alto Networks. Prisma Cloud IaC Scan identifies insecure configurations in common Infrastructure-as-Code (IaC) templates, for example AWS CloudFormation templates, HashiCorp Terraform templates and Kubernetes App Deployment YAML files. The Prisma Cloud Compute twistcli scan identifies vulnerabilities in container images. More details about the functionality can be found here: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-devops-security.html

Created: December 25, 2019
Version Published: May 14, 2021
Releases: 9
Org Usage: < 25

Orb Quick Start Guide

Use CircleCI version 2.1 at the top of your .circleci/config.yml file.

    version: 2.1

Add the orbs stanza below your version, invoking the orb:

    orbs:
      devops_security: prisma_cloud/devops_security@3.0.4

Use devops_security elements in your existing workflows and jobs.

Opt-in to use of uncertified orbs on your organization’s Security settings page.

Usage Examples

scan_iac

Trigger an IaC scan of all template files under the ./scan folder with Prisma Cloud Shift Left security. The job fails the build according to prisma_cloud_failure_criteria (severity thresholds combined with an OR/AND operator), and the secret key is passed as the name of an environment variable, not its value:

    orbs:
      pcs: prisma_cloud/devops_security@3.0.0
    version: 2.1
    workflows:
      scan:
        jobs:
          - pcs/scan_iac:
              prisma_cloud_access_key: $prisma_cloud_access_key
              prisma_cloud_api_url: $prisma_cloud_api_url
              prisma_cloud_asset_name: $CIRCLE_PROJECT_REPONAME
              prisma_cloud_failure_criteria: High:1, Medium:1, Low:1, Operator:OR
              prisma_cloud_repo_dir: ./scan
              prisma_cloud_secret_key: prisma_cloud_secret_key
              prisma_cloud_tags: env:development, team:DevOps

scan_image

Pull the nginx image on the orb's compute (machine) executor and scan it for vulnerabilities with Prisma Cloud Compute twistcli. The Compute password is again passed as an environment variable name:

    jobs:
      docker_safe_build:
        executor: pcs/compute
        steps:
          - checkout
          - run: docker pull nginx
          - pcs/scan_image:
              prisma_cloud_compute_password: prisma_cloud_compute_password
              prisma_cloud_compute_url: $prisma_cloud_compute_url
              prisma_cloud_compute_username: $prisma_cloud_compute_username
              prisma_cloud_scan_image: nginx
    orbs:
      pcs: prisma_cloud/devops_security@3.0.0
    version: 2.1
    workflows:
      scan:
        jobs:
          - docker_safe_build

Jobs

scan_iac

Packs the IaC templates repo, then sends it to Prisma Cloud for evaluation. Runs on the orb's default executor (the redlock/pcs-sl-scanner image) and stores the report directory as build artifacts and test results.

Parameter | Description | Required | Default | Type
access_key | (deprecated) use prisma_cloud_access_key | No | $prisma_cloud_access_key | string
failure_criteria_low_severity | (deprecated) use prisma_cloud_failure_criteria | No | 1 | integer
failure_criteria_medium_severity | (deprecated) use prisma_cloud_failure_criteria | No | 1 | integer
failure_criteria_operator | (deprecated) use prisma_cloud_failure_criteria | No | OR | string
faiure_criteria_high_severity | (deprecated) use prisma_cloud_failure_criteria | No | 1 | integer
prisma_cloud_access_key | Prisma Cloud Access Key | No | '' | string
prisma_cloud_api_url | Prisma Cloud Server URL | No | $prisma_cloud_api_url | string
prisma_cloud_asset_name | IaC templates asset name; when empty the job uses $ASSET_NAME, then $CIRCLE_PROJECT_REPONAME | No | '' | string
prisma_cloud_failure_criteria | Comma-separated severity thresholds and operator, e.g. High:1,Medium:1,Low:1,Operator:OR; when empty the job assembles it from the four deprecated failure_criteria_* parameters | No | '' | string
prisma_cloud_repo_dir | Directory path where IaC templates are stored. | No | '' | string
prisma_cloud_secret_key | Name of the environment variable holding the Prisma Cloud Secret Key | No | na | env_var_name
prisma_cloud_tags | Provide the Tags for the repo. | No | '' | string
reports | Scan report formats | No | junit | string
secret_key | (deprecated) use prisma_cloud_secret_key | No | prisma_cloud_secret_key | env_var_name
tags | (deprecated) use prisma_cloud_tags | No | '' | string
templates_directory_path | (deprecated) use prisma_cloud_repo_dir | No | . | string

Note that the deprecated high-severity parameter is spelled faiure_criteria_high_severity in the orb source; that spelling is the one the orb accepts. Because the new parameters default to empty strings and the job falls back to the deprecated ones, a config that sets neither still reads the access key from $prisma_cloud_access_key and the secret from the prisma_cloud_secret_key environment variable.

Commands

scan_image

Downloads twistcli from the Prisma Cloud Compute console, scans a container image with it, and converts the JSON result into a JUnit report under report/ (stored as artifacts and test results). The scan's own exit status becomes the step's exit status, so a failing scan fails the job.

Parameter | Description | Required | Default | Type
image | (deprecated) use prisma_cloud_scan_image | No | '' | string
prisma_cloud_compute_pass | (deprecated) use prisma_cloud_compute_password | No | prisma_cloud_compute_pass | env_var_name
prisma_cloud_compute_password | Name of the environment variable holding the Prisma Cloud Compute user's password | No | prisma_cloud_compute_password | env_var_name
prisma_cloud_compute_project | The Prisma Cloud Compute project name | No | '' | string
prisma_cloud_compute_url | The base URL of the Prisma Cloud Compute console | No | $prisma_cloud_compute_url | string
prisma_cloud_compute_user | (deprecated) use prisma_cloud_compute_username | No | $prisma_cloud_compute_user | string
prisma_cloud_compute_username | The Prisma Cloud Compute user with the CI User role | No | $prisma_cloud_compute_username | string
prisma_cloud_scan_image | The name of the image to scan: myimage, myorg/myimage or myorg/myimage:latest | No | '' | string
reports | Scan report formats | No | junit | string

Although no parameter is marked required, the command exits with "Missing required argument: prisma_cloud_scan_image" when neither prisma_cloud_scan_image nor the deprecated image parameter is set.
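The env_var_name parameters above carry the name of an environment variable rather than the secret itself; the orb dereferences that name with ${<<parameters.prisma_cloud_compute_password>>} when the config is expanded. As an added example (not the orb's own code), the helper below reproduces that lookup at run time with the checks a practitioner would want around it: the fallback to the deprecated variable name, refusal of anything that is not a valid shell identifier before it reaches eval, and a test that the literal secret has not been pasted into the config file in place of the name. The function names, the demo_* variable names and the sample values are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the orb. env_var_name parameters carry the NAME of
# an environment variable; the secret itself stays in the CircleCI project or
# context settings and is dereferenced at run time. The functions and demo_*
# names here are constructed for illustration.

# resolve_secret NEW_NAME [DEPRECATED_NAME]
# Prints the value of $NEW_NAME, falling back to $DEPRECATED_NAME the way the
# orb falls back from prisma_cloud_compute_password to prisma_cloud_compute_pass.
# Exit status: 0 found, 1 neither variable set (or both empty),
#              2 a name is not a valid identifier (refused before eval runs).
resolve_secret() {
  for name in "$1" "${2:-}"; do
    [ -n "$name" ] || continue
    case $name in
      [0-9]*|*[!A-Za-z0-9_]*) return 2 ;;
    esac
    eval "value=\${$name:-}"
    if [ -n "$value" ]; then
      printf '%s\n' "$value"
      return 0
    fi
  done
  return 1
}

# secret_leaked_into_file VALUE FILE
# Exit status 0 if the literal secret value occurs in FILE, i.e. somebody wrote
# the secret into config.yml instead of the variable name the orb expects.
secret_leaked_into_file() {
  [ -n "$1" ] || return 1          # an empty pattern would match every line
  grep -F -q -- "$1" "$2"
}

# Constructed demo; in CI these would be project or context environment variables.
export demo_compute_password='constructed-sample-password'
if demo_value=$(resolve_secret demo_compute_password demo_compute_pass); then
  # Log the length only; never echo the value into the job output.
  echo "resolved a secret of ${#demo_value} characters from demo_compute_password"
fi
```

A pre-commit or CI lint step can call secret_leaked_into_file with each resolved secret against .circleci/config.yml; a hit means the YAML contains the credential itself, which the orb neither needs nor expects.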

Executors

compute

A Linux machine executor (machine: true in the orb source) with Docker host access; the scan_image usage example runs on it so that docker pull and the twistcli report container can run.

default

The default executor: a Docker executor using the redlock/pcs-sl-scanner image, which provides Node and the pcs_iac_repo_scan tool used by the scan_iac job.

Orb Source

    # This code is licensed from CircleCI to the user under the MIT license.
    # See here for details: https://circleci.com/developer/orbs/licensing
    commands:
      scan_image:
        description: |
          Pack IaC templates repo then send to Prima Cloud for evaluation
        parameters:
          image:
            default: ""
            description: (deprecated) use prisma_cloud_scan_image
            type: string
          prisma_cloud_compute_pass:
            default: prisma_cloud_compute_pass
            description: (deprecated) use prisma_cloud_compute_password
            type: env_var_name
          prisma_cloud_compute_password:
            default: prisma_cloud_compute_password
            description: The Prisma Cloud Compute user's password
            type: env_var_name
          prisma_cloud_compute_project:
            default: ""
            description: The Prisma Cloud Compute project name
            type: string
          prisma_cloud_compute_url:
            default: $prisma_cloud_compute_url
            description: The base URL for the Prisma Cloud compute
            type: string
          prisma_cloud_compute_user:
            default: $prisma_cloud_compute_user
            description: (deprecated) use prisma_cloud_compute_username
            type: string
          prisma_cloud_compute_username:
            default: $prisma_cloud_compute_username
            description: The Prisma Cloud Compute user with the CI User role
            type: string
          prisma_cloud_scan_image:
            default: ""
            description: The name of the image to scan -- myimage or myorg/myimage or myorg/myimage:latest
            type: string
          reports:
            default: junit
            description: Scan report formats
            type: string
        steps:
          - run:
              command: |
                # Resolve the new parameter names first, then fall back to the deprecated ones.
                param=<<parameters.prisma_cloud_scan_image>>
                param=${param:-<<parameters.image>>}
                if [ -z "$param" ]; then
                  echo "Missing required argument: prisma_cloud_scan_image"
                  exit 1
                fi
                echo "export prisma_cloud_scan_image=${param}" >> $BASH_ENV
                param=<<parameters.prisma_cloud_compute_username>>
                echo "export prisma_cloud_compute_username=${param:-<<parameters.prisma_cloud_compute_user>>}" >> $BASH_ENV
                # env_var_name parameters hold the name of a variable; dereference it here.
                param=${<<parameters.prisma_cloud_compute_password>>}
                echo "export prisma_cloud_compute_password='${param:-${<<parameters.prisma_cloud_compute_pass>>}}'" >> $BASH_ENV
              name: Process parameters
          - run:
              command: |
                if [ ! -f /tmp/twistcli ]; then
                  echo "Download twistcli binary file ..."
                  # Note: -k disables TLS certificate verification for this download,
                  # and the basic-auth credentials are sent over that connection.
                  curl -k -u ${prisma_cloud_compute_username}:${prisma_cloud_compute_password} --output /tmp/twistcli <<parameters.prisma_cloud_compute_url>>/api/v1/util/twistcli
                  chmod +x /tmp/twistcli
                fi
                if [ ! -z "<<parameters.prisma_cloud_compute_project>>" ]; then
                  twistproj=(--project="<<parameters.prisma_cloud_compute_project>>")
                fi
                /tmp/twistcli --version
                # Keep going after a failing scan so the report is still produced; the
                # scan's exit status is saved and becomes the step's exit status below.
                set +e
                /tmp/twistcli images scan "${twistproj[@]}" --details --address <<parameters.prisma_cloud_compute_url>> \
                  --user=${prisma_cloud_compute_username} \
                  --password=${prisma_cloud_compute_password} \
                  --output-file twistcli.json ${prisma_cloud_scan_image}
                rc=$?
                if [ -f twistcli.json ]; then
                  mkdir -p report/image_scan
                  if echo "<<parameters.reports>>" | grep junit > /dev/null; then
                    touch report/image_scan/results.xml
                    docker run --rm \
                      -v $PWD/twistcli.json:/tmp/twistcli.json \
                      -v $PWD/report/image_scan/results.xml:/tmp/results.xml \
                      redlock/pcs-sl-scanner pcs_compute_junit_report
                  fi
                fi
                exit $rc
              name: twistcli image scan
          - store_artifacts:
              path: report
          - store_test_results:
              path: report
    description: |
      This orb is a wrapper for Prisma cloud IaC Scan and Prisma Cloud Compute Scanning tools from Palo Alto Networks. Prisma Cloud IaC Scan identifies insecure configurations in common Infrastructure-as-Code (IaC) templates - for example, AWS Cloud Formation Templates, HashiCorp Terraform templates, Kubernetes App Deployment YAML files. Prisma Cloud Compute TwistCLI Scan can be used to identify vulnerabilities in container images. More details about the functionality can be found here: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-devops-security.html
    display:
      home_url: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-devops-security.html
      source_url: https://github.com/PaloAltoNetworks/prisma-cloud-circleci-orb
    examples:
      scan_iac:
        description: |
          Trigger IaC scan for all the template files under ./scan folder with Prima Cloud Shift Left security
        usage:
          orbs:
            pcs: prisma_cloud/devops_security@3.0.0
          version: 2.1
          workflows:
            scan:
              jobs:
                - pcs/scan_iac:
                    prisma_cloud_access_key: $prisma_cloud_access_key
                    prisma_cloud_api_url: $prisma_cloud_api_url
                    prisma_cloud_asset_name: $CIRCLE_PROJECT_REPONAME
                    prisma_cloud_failure_criteria: High:1, Medium:1, Low:1, Operator:OR
                    prisma_cloud_repo_dir: ./scan
                    prisma_cloud_secret_key: prisma_cloud_secret_key
                    prisma_cloud_tags: env:development, team:DevOps
      scan_image:
        description: |
          Trigger IaC scan for all the template files under ./scan folder with Prima Cloud Shift Left security
        usage:
          jobs:
            docker_safe_build:
              executor: pcs/compute
              steps:
                - checkout
                - run: docker pull nginx
                - pcs/scan_image:
                    prisma_cloud_compute_password: prisma_cloud_compute_password
                    prisma_cloud_compute_url: $prisma_cloud_compute_url
                    prisma_cloud_compute_username: $prisma_cloud_compute_username
                    prisma_cloud_scan_image: nginx
          orbs:
            pcs: prisma_cloud/devops_security@3.0.0
          version: 2.1
          workflows:
            scan:
              jobs:
                - docker_safe_build
    executors:
      compute:
        description: |
          This is a compute executor using Linux machine which has docker host access
        machine: true
      default:
        description: |
          This is a default executor using Docker and Node.
        docker:
          - image: redlock/pcs-sl-scanner
    jobs:
      scan_iac:
        description: |
          Pack IaC templates repo then send to Prima Cloud for evaluation
        executor: default
        parameters:
          access_key:
            default: $prisma_cloud_access_key
            description: (deprecated) use prisma_cloud_access_key
            type: string
          failure_criteria_low_severity:
            default: 1
            description: (deprecated) use prisma_cloud_failure_criteria
            type: integer
          failure_criteria_medium_severity:
            default: 1
            description: (deprecated) use prisma_cloud_failure_criteria
            type: integer
          failure_criteria_operator:
            default: OR
            description: (deprecated) use prisma_cloud_failure_criteria
            type: string
          faiure_criteria_high_severity:
            default: 1
            description: (deprecated) use prisma_cloud_failure_criteria
            type: integer
          prisma_cloud_access_key:
            default: ""
            description: Prisma Cloud Access Key
            type: string
          prisma_cloud_api_url:
            default: $prisma_cloud_api_url
            description: Prisma Cloud Server Url
            type: string
          prisma_cloud_asset_name:
            default: ""
            description: IaC templates asset name
            type: string
          prisma_cloud_failure_criteria:
            default: ""
            description: null
            type: string
          prisma_cloud_repo_dir:
            default: ""
            description: Directory path where IaC templates are stored.
            type: string
          prisma_cloud_secret_key:
            default: na
            description: Prisma Cloud Secret Key
            type: env_var_name
          prisma_cloud_tags:
            default: ""
            description: Provide the Tags for the repo.
            type: string
          reports:
            default: junit
            description: Scan report formats
            type: string
          secret_key:
            default: prisma_cloud_secret_key
            description: (deprecated) use prisma_cloud_secret_key
            type: env_var_name
          tags:
            default: ""
            description: (deprecated) use prisma_cloud_tags
            type: string
          templates_directory_path:
            default: .
            description: (deprecated) use prisma_cloud_repo_dir
            type: string
        steps:
          - checkout
          - run:
              command: |
                echo "export prisma_cloud_api_url=<<parameters.prisma_cloud_api_url>>" >> $BASH_ENV
                param=<<parameters.prisma_cloud_access_key>>
                echo "export prisma_cloud_access_key=${param:-<<parameters.access_key>>}" >> $BASH_ENV
                # The secret key arrives as an env_var_name; its value is written into $BASH_ENV for later steps.
                param=${<<parameters.prisma_cloud_secret_key>>}
                echo "export prisma_cloud_secret_key=${param:-${<<parameters.secret_key>>}}" >> $BASH_ENV
                param=<<parameters.prisma_cloud_asset_name>>
                echo "export prisma_cloud_asset_name=${param:-${ASSET_NAME:-${CIRCLE_PROJECT_REPONAME}}}" >> $BASH_ENV
                param=<<parameters.prisma_cloud_repo_dir>>
                echo "export prisma_cloud_repo_dir=${param:-<<parameters.templates_directory_path>>}" >> $BASH_ENV
                # Explicit criteria win; otherwise they are assembled from the four deprecated parameters.
                param='<<parameters.prisma_cloud_failure_criteria>>'
                echo "export prisma_cloud_failure_criteria='${param:-High:<<parameters.faiure_criteria_high_severity>>,Medium:<<parameters.failure_criteria_medium_severity>>,Low:<<parameters.failure_criteria_low_severity>>,Operator:<<parameters.failure_criteria_operator>>}'" >> $BASH_ENV
                param='<<parameters.prisma_cloud_tags>>'
                echo "export prisma_cloud_tags='${param:-<<parameters.tags>>}'" >> $BASH_ENV
              name: Process parameters
          - run: pcs_iac_repo_scan --output "<<parameters.reports>>"
          - store_artifacts:
              path: report
          - store_test_results:
              path: report
    version: 2.1