A GitHub Action that checks the IaC files present in the repository for security issues using the Prisma Cloud Infrastructure as Code Scan. The action can report results as a GitHub issue, a pull request comment or a pull request check, and the results can also be viewed as pipeline annotations.
1. To run the scan, the action needs a Prisma Cloud Access Key and Secret Key. If you do not have a key, refer to Create and Manage Access Keys to acquire one.
2. Create GitHub Secrets called `PRISMA_CLOUD_ACCESS_KEY` and `PRISMA_CLOUD_SECRET_KEY` for the Access Key and Secret Key respectively, with the values acquired in Step 1. Refer to Encrypted secrets for more details on how to set up secrets.
3. Configure your workflow based on the following example.

Note: the `actions/checkout` step is required to run before the scan action; otherwise the action does not have access to the IaC files to be scanned.
```yaml
name: Prisma Cloud IaC Scan Example
on: [ pull_request ]
jobs:
  prisma_cloud_iac_scan:
    runs-on: ubuntu-latest
    name: Run Prisma Cloud IaC Scan to check
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Run Scan on IaC files in the repository
        uses: prisma-cloud-shiftleft/iac-scan-action@v1
        id: iac-scan
        with:
          prisma_api_url: 'https://api.prismacloud.io'
          access_key: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}
          secret_key: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }}
          asset_name: 'my-asset-name'
          template_type: 'TF'
          template_version: '0.13'
      - name: Upload scan result artifact
        uses: actions/upload-artifact@v2
        if: success() || failure()
        with:
          name: iac_scan_result
          path: ${{ steps.iac-scan.outputs.iac_scan_result_path }}
```
| Config Key | Description |
|---|---|
| `prisma_api_url` (Required) | The URL for Prisma Cloud varies depending on the region and cluster on which your tenant is deployed. If your tenant is, for example, https://app2.prismacloud.io or https://app.eu.prismacloud.io, replace `app` in the URL with `api` and enter it here. Refer to the Prisma Cloud REST API Reference for more details. |
| `access_key` (Required) | Refer to Create and Manage Access Keys to acquire Access and Secret keys. We recommend storing the actual value as a GitHub Secret and referencing it in the Action with `${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}`. |
| `secret_key` (Required) | The secret key is provided to you at the time of Access Key generation; it cannot be retrieved after generation. We recommend storing the actual value as a GitHub Secret and referencing it in the Action with `${{ secrets.PRISMA_CLOUD_SECRET_KEY }}`. |
| `asset_name` (Required) | Can be a project name or any identifier you want to attach to the scan, for example a CI/CD project name or a Git repository name. Eg: `my-repo-name` |
| `template_type` (Required) | Specify the template type. Valid values: `TF` for Terraform, `CFT` for AWS CloudFormation, `K8S` for Kubernetes. |
| `template_version` | Specify the template version. Valid values are `0.11`, `0.12` and `0.13`. Note: only used for the `TF` template type. |
| `tags` | Prisma Cloud tags are different from cloud tags that you might have included in your IaC templates. Prisma Cloud tags will facilitate use of upcoming Prisma Cloud features like role-based access control and policy selection. Eg: `owner:johndoe,team:creditapp,env:dev` |
| `failure_criteria` (Default: `High:1,Medium:1,Low:1,Operator:or`) | Enables you to evaluate scan results against set failure criteria to obtain a failed or passed verdict. You can set the count for high, medium and low severity issues and use the `and`/`or` operators to refine your criteria. The IaC scan API checks each severity violation count separately against the scan results and applies the operator to the individual evaluations. The scan triggers a failure if the number of violations is greater than or equal to the configured failure criteria values. The pipeline is marked failed when the failure criteria match. |
| `scan_path` (Default: `./`) | Path of the directory containing the IaC files. The path is relative to the repository root. |
| `use_scan_path_when_pr` (Default: `false`) | Specifies whether all files in `scan_path` should be scanned in the context of a PR, not only changed files. Otherwise, only files changed in the PR are scanned, which includes files outside of `scan_path` and excludes unchanged files in `scan_path`. |
| `upload_scan_path_only` (Default: `false`) | Specifies whether only files in `scan_path` should be uploaded to be scanned. By default the entire GitHub workspace directory is zipped and uploaded. This option may be necessary if there are other files in the workspace directory besides IaC template files; too many files may cause the action to time out. |
| `variables` | Template variables as comma-separated `key:value` pairs. Eg: `k1:v1,k2:v2` |
| `variable_files` | Comma-separated list of variable file paths. Paths are relative to the repository root. Eg: `./var1.json,./var2.json` |
| `create_issue` (Default: `false`) | If turned on, an Issue will be created with the scan report. Note: only created on scan failure. |
| `create_pull_request_check` (Default: `false`) | If turned on, a Check on the Pull Request will be created with the scan report. |
| `create_pull_request_comment` (Default: `false`) | If turned on, a Comment on the Pull Request will be created with the scan report. |
| `github_token` (Default: `${{ github.token }}`; required if any of the above `create_*` options are turned on) | The GitHub Token. You can choose to use a different token than the pipeline default `GITHUB_TOKEN`. Eg: `${{ secrets.GITHUB_TOKEN }}` |
| `result_path` (Default: `./prismacloud_iac`) | Path of the directory where result files should be written. |
| `ignore_ssl` (Default: `false`) | Whether the internal API client should ignore SSL errors. Useful when running on GitHub Enterprise on-prem. |
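The `failure_criteria` semantics described above (each severity counted separately, a threshold reached when the count is greater than or equal to the configured value, the `and`/`or` operator applied across the per-severity verdicts) can be reproduced locally to predict how a given scan would be judged. The following is an added example, not code from the action; the issue list shape and the `evaluate` helper are assumptions, and severities omitted from the criteria are assumed never to trip.

```python
"""Added example: evaluate a failure_criteria string against scan issue counts."""
from collections import Counter
from typing import Dict, List, Tuple

SEVERITIES = ("High", "Medium", "Low")


def parse_failure_criteria(spec: str) -> Tuple[Dict[str, int], str]:
    """Parse e.g. 'High:1,Medium:1,Low:1,Operator:or' into (thresholds, operator).

    Assumption: a severity not named in the spec has no threshold and never trips.
    """
    thresholds: Dict[str, int] = {}
    operator = "or"
    for part in spec.split(","):
        key, _, value = part.strip().partition(":")
        if key == "Operator":
            operator = value.strip().lower()
        elif key in SEVERITIES:
            thresholds[key] = int(value)
        else:
            raise ValueError(f"unknown failure_criteria key: {key!r}")
    if operator not in ("and", "or"):
        raise ValueError(f"operator must be 'and' or 'or', got {operator!r}")
    return thresholds, operator


def evaluate(spec: str, issues: List[Dict[str, str]]) -> str:
    """Return 'passed' or 'failed' for issues given as dicts with a 'severity' key."""
    thresholds, operator = parse_failure_criteria(spec)
    counts = Counter(issue["severity"] for issue in issues)
    # One verdict per configured severity: the threshold is reached iff count >= limit.
    tripped = [counts[sev] >= limit for sev, limit in thresholds.items()]
    if not tripped:
        return "passed"
    failed = all(tripped) if operator == "and" else any(tripped)
    return "failed" if failed else "passed"


# Constructed sample findings: one High, one Medium, two Low (not real scan output).
SAMPLE_ISSUES = [
    {"rule": "example-high-rule", "severity": "High"},
    {"rule": "example-medium-rule", "severity": "Medium"},
    {"rule": "example-low-rule", "severity": "Low"},
    {"rule": "example-low-rule", "severity": "Low"},
]

if __name__ == "__main__":
    print(evaluate("High:1,Medium:1,Low:1,Operator:or", SAMPLE_ISSUES))   # failed
    print(evaluate("High:2,Medium:1,Low:3,Operator:and", SAMPLE_ISSUES))  # passed
```

With the default criteria any single issue of any severity fails the scan; raising the thresholds or switching to `and` makes the gate more permissive, so tune it deliberately for the branch being protected.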
| Output | Description |
|---|---|
| `iac_scan_result` | Overall result of the scan. One of: `passed` (either no issues were found or the failure criteria threshold was not reached), `failed` (issues were found and the failure criteria threshold was reached), `error` (there was a scan execution error, generally due to misconfiguration or invalid templates). |
| `iac_scan_result_summary` | Summary describing the result of the scan. |
| `iac_scan_result_path` | Path of the directory where result files were written. |
| `iac_scan_result_issues_csv_path` | Path of the detailed Issue result CSV file. |
| `iac_scan_result_errors_csv_path` | Path of the detailed Error result CSV file. |
| `iac_scan_result_sarif_path` | Path of the detailed result SARIF Log file. |
| `iac_scan_result_md_path` | Path of the detailed result Markdown file. |
All paths are relative to the workspace root. The base path `./prismacloud_iac` is configurable via the `result_path` option.
| File | Description |
|---|---|
| `./prismacloud_iac/issues.csv` | Scan Issue report in CSV format |
| `./prismacloud_iac/errors.csv` | Scan Error report in CSV format |
| `./prismacloud_iac/result.md` | Scan report in Markdown format |
| `./prismacloud_iac/result.sarif` | Scan report in SARIF Log format |
When a scan finds issues, the action always writes the report in SARIF Log format to the workspace, which can then be uploaded to GitHub code scanning as in the following example.
```yaml
name: Prisma Cloud IaC Scan Example
on: [ pull_request ]
jobs:
  prisma_cloud_iac_scan:
    runs-on: ubuntu-latest
    name: Run Prisma Cloud IaC Scan to check
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Run Scan on CFT files in the repository
        uses: prisma-cloud-shiftleft/iac-scan-action@v1
        id: iac-scan
        with:
          prisma_api_url: 'https://api.prismacloud.io'
          access_key: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}
          secret_key: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }}
          asset_name: 'my-asset-name'
          template_type: 'CFT'
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        if: success() || failure()
        with:
          sarif_file: ${{ steps.iac-scan.outputs.iac_scan_result_sarif_path }}
```