Code Security

Prisma® Cloud delivers automated security for cloud native infrastructure and applications, integrated with developer tools

Cloud-native application development is fast-paced and complex. It can be a challenge for security teams to keep up. However, several DevOps best practices present an opportunity to use automation to secure apps and infrastructure from code to cloud, alleviating that pressure.

Read about Unit 42’s latest research on the state of infrastructure as code security

A single tool for securing IaC, container images and open source software across all modern architectures and software supply chains.

Prisma Cloud embeds comprehensive security across the software development lifecycle. The platform identifies vulnerabilities, misconfigurations and compliance violations in IaC templates, container images, open source packages and delivery pipelines. It offers misconfiguration scanning backed by an open source community and vulnerability analysis backed by years of expertise and threat research. With connected visibility and policy controls, engineering teams can secure their full stack without leaving their tools, while security teams can verify that everything deployed has passed the same policies.
  • Support for multiple languages, runtimes and frameworks
  • Consistent controls from build time to runtime
  • Embedded in DevOps tooling
  • Infrastructure as Code scanning
  • Container image scanning
  • Policy as code
  • Supply chain security
  • Secrets scanning
  • Software composition analysis
  • OSS license compliance

THE PRISMA CLOUD SOLUTION

Our approach to Code Security

Infrastructure as code scanning

Infrastructure as code presents an opportunity to secure cloud infrastructure in code before it’s ever deployed to production. Prisma Cloud streamlines security throughout the software development lifecycle using automation and by embedding security into workflows in DevOps tooling for Terraform, CloudFormation, Kubernetes, Dockerfile, Serverless and ARM templates.

  • Automate cloud misconfiguration checks in code

    Add automated checks for misconfigurations at every step of the software development lifecycle.

  • Leverage the power of open source and the community

    Checkov, the open source tool built by Bridgecrew powering Prisma Cloud Infrastructure as Code Security, is backed by an active community and has been downloaded millions of times.

  • Embed misconfiguration checks in developer tools

    Prisma Cloud comes with native integrations for IDEs, VCS, and CI/CD tooling to help developers secure code in their existing workflows.

  • Include deep context for misconfigurations

    Prisma Cloud automatically tracks dependencies between IaC resources as well as the developers who most recently modified them, to improve collaboration in large teams.

  • Provide automated feedback and fixes in code

    Automatically comment on pull requests for misconfigurations, and open automated pull requests or commit fixes, including Smart Fixes, for identified misconfigurations.

Container image scanning

Container images are a key component of cloud native applications. However, they typically include many resources outside the control of developers, such as operating systems and configurations. Prisma Cloud allows security teams to provide actionable feedback and guardrails for vulnerabilities and compliance violations in container images to keep these components secure.

  • Identify vulnerabilities in container images

    Use twistcli to identify vulnerabilities in operating systems and open source packages built into container image layers.

  • Provide fix status and remediation guidance

    Give developers the fix status, the minimum version to remediate and the time since the fix was released to prioritize updating packages.

  • Alert on or block vulnerabilities by severity level

    Add guardrails to block images with vulnerabilities that don’t meet severity level requirements, before they are pushed to production.

  • Achieve container compliance in code

    Check container image dependencies and configurations at build time for violations against popular benchmarks such as CIS, and for issues such as malware embedded in the image.

  • Ensure trust for container images

    Harden images by leveraging build time scanning and trusted registries for a secure container image supply chain.

  • Integrate across the software development lifecycle

    Embed security feedback and guardrails in popular CI/CD tools, VCS, and registries.
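The "alert on or block by severity level" guardrail above is a small decision function once scan results are in hand. The following is an added example written for this page, not twistcli or Prisma Cloud code: it works on a constructed, simplified findings structure (package, advisory ID, severity, fixed-in version, days since the fix shipped) rather than twistcli's real output schema, and the package names and VULN-EX-* identifiers are invented. It shows the two refinements practitioners usually want: only block on findings that actually have a fix (so an unfixable issue stays visible as an alert instead of permanently breaking the build), and give a new fix a grace period before it becomes blocking.

```python
"""Severity gate for container image scan findings.

Added example, not twistcli or Prisma Cloud code: the findings below are a
constructed, simplified structure, not twistcli's real output schema, and the
package names and VULN-EX-* IDs are invented.
"""
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed findings for an imaginary image build.
FINDINGS = [
    {"id": "VULN-EX-1", "package": "libcrypt-example", "installed": "1.1.1", "severity": "critical",
     "fixed_in": "1.1.4", "fix_age_days": 120},
    {"id": "VULN-EX-2", "package": "xmlparse-example", "installed": "2.9.0", "severity": "high",
     "fixed_in": None, "fix_age_days": None},
    {"id": "VULN-EX-3", "package": "netfetch-example", "installed": "7.74.0", "severity": "medium",
     "fixed_in": "7.79.1", "fix_age_days": 400},
    {"id": "VULN-EX-4", "package": "compress-example", "installed": "1.2.11", "severity": "low",
     "fixed_in": "1.2.12", "fix_age_days": 30},
]


def gate(findings, block_at="high", alert_at="medium", require_fix=True, grace_days=14):
    """Return a block/alert/pass decision for an image.

    A finding blocks when its severity is at or above block_at and, when
    require_fix is set, a fix exists and has been public for at least
    grace_days (so a fix released yesterday warns instead of breaking the
    build). Findings at or above alert_at that do not block are reported as
    alerts, which keeps unfixable issues visible without an unfixable failure.
    """
    block, alert = [], []
    for f in findings:
        rank = SEVERITY_RANK[f["severity"]]
        fixable = f["fixed_in"] is not None and (f["fix_age_days"] or 0) >= grace_days
        if rank >= SEVERITY_RANK[block_at] and (fixable or not require_fix):
            block.append(f)
        elif rank >= SEVERITY_RANK[alert_at]:
            alert.append(f)
    decision = "block" if block else ("alert" if alert else "pass")
    return {"decision": decision, "block": block, "alert": alert}


def remediation_lines(findings):
    """Developer-facing lines: minimum safe version and how long the fix has existed."""
    lines = []
    for f in findings:
        prefix = f'{f["package"]} {f["installed"]}: {f["id"]} ({f["severity"]})'
        if f["fixed_in"] is None:
            lines.append(f"{prefix} no fix available yet")
        else:
            lines.append(f'{prefix} upgrade to >= {f["fixed_in"]}, fix available for {f["fix_age_days"]} days')
    return lines


if __name__ == "__main__":
    verdict = gate(FINDINGS)
    print("decision:", verdict["decision"])
    for line in remediation_lines(verdict["block"] + verdict["alert"]):
        print(" ", line)
    raise SystemExit(1 if verdict["decision"] == "block" else 0)
```

With the defaults the constructed image is blocked by the critical finding alone; the unfixable high and the medium become alerts. Raising `grace_days` above 120 turns the critical into an alert too, and `require_fix=False` makes the unfixable high blocking, which is the strictness most teams only apply to production registries.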

Policy as code

Traditional security testing is performed by separate organizations using separate tools, creating siloed and difficult-to-replicate controls. Prisma Cloud offers policy-as-code to provide controls built into code that can be replicated, version-controlled and tested against live code repositories.

  • Build and control policies using code

    Define, test and version control check-lists, skip-lists and graph-based custom policies in Python and YAML for IaC templates.

  • Deploy and configure accounts and agents in code

    Use Terraform to onboard accounts, deploy agents and configure runtime policies, including ingestion and protection based on OpenAPI and Swagger files.

  • Leverage out of the box and custom policies for misconfigurations

    Prisma Cloud comes out of the box with hundreds of policies built in code and allows you to add custom policies for cloud resources and IaC templates.

  • Provide feedback directly on the code being written

    Get feedback directly on IaC templates as they are written, with auto-fixes, pull/merge request comments and pull/merge request auto-fixes.
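The IaC scanning and policy-as-code sections above describe the same mechanism from two sides: checks written as code, run over parsed IaC resources, with a check-list and skip-list to control which run and automated fixes for what fails. The following is an added example written for this page, not Checkov's or Prisma Cloud's code: a minimal policy-as-code scanner over constructed Terraform-style resources (the dicts an HCL parser would yield), with invented check IDs (CKV_EX_*). It mirrors three real Checkov conventions, a `--check` list, a `--skip-check` list, and an inline `checkov:skip=` suppression on a resource, and shows how an auto-fix pass turns failing resources into passing ones.

```python
"""Minimal policy-as-code scanner with check/skip lists and auto-fixes.

Added example, not Checkov or Prisma Cloud code. Resources are constructed
inline as the dicts an HCL parser would yield, and the check IDs (CKV_EX_*)
are invented for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Optional

PASSED, FAILED, SKIPPED = "PASSED", "FAILED", "SKIPPED"
WORLD = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Check:
    id: str
    name: str
    resource_type: str
    evaluate: Callable[[dict], str]               # conf -> PASSED | FAILED
    fix: Optional[Callable[[dict], dict]] = None  # conf -> corrected conf


def s3_not_public(conf):
    # A public-read or public-read-write ACL exposes every object in the bucket.
    return FAILED if conf.get("acl") in ("public-read", "public-read-write") else PASSED


def sg_no_world_ssh(conf):
    # Fail when an ingress rule spanning port 22 is open to the whole internet.
    for rule in conf.get("ingress", []):
        if rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0) and WORLD & set(rule.get("cidr_blocks", [])):
            return FAILED
    return PASSED


def sg_fix(conf):
    # Drop the world CIDRs from SSH-covering rules; a real fix would prompt for
    # the intended admin source range instead of leaving the rule empty.
    rules = []
    for rule in conf.get("ingress", []):
        if rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0):
            rule = {**rule, "cidr_blocks": [c for c in rule.get("cidr_blocks", []) if c not in WORLD]}
        rules.append(rule)
    return {**conf, "ingress": rules}


CHECKS = [
    Check("CKV_EX_1", "S3 bucket ACL is not public", "aws_s3_bucket", s3_not_public, lambda c: {**c, "acl": "private"}),
    Check("CKV_EX_2", "No SSH ingress from 0.0.0.0/0", "aws_security_group", sg_no_world_ssh, sg_fix),
    Check("CKV_EX_3", "EBS volume is encrypted", "aws_ebs_volume",
          lambda c: PASSED if c.get("encrypted") is True else FAILED, lambda c: {**c, "encrypted": True}),
]


def scan(resources, checks=CHECKS, run_only=None, skip=None):
    """run_only/skip mirror a check-list/skip-list; a resource's own 'skips'
    entry models an inline suppression comment with a documented reason."""
    results = []
    for check in checks:
        if (run_only and check.id not in run_only) or (skip and check.id in skip):
            continue
        for res in resources:
            if res["type"] != check.resource_type:
                continue
            addr = f'{res["type"]}.{res["name"]}'
            result = SKIPPED if check.id in res.get("skips", []) else check.evaluate(res["conf"])
            results.append({"check_id": check.id, "resource": addr, "result": result})
    return results


def apply_fixes(resources, checks=CHECKS):
    """Copy of resources with every failing, fixable, non-suppressed check corrected."""
    fixed = []
    for res in resources:
        conf = dict(res["conf"])
        for check in checks:
            if (check.resource_type == res["type"] and check.fix
                    and check.id not in res.get("skips", []) and check.evaluate(conf) == FAILED):
                conf = check.fix(conf)
        fixed.append({**res, "conf": conf})
    return fixed


def summarize(results):
    return {k: sum(1 for r in results if r["result"] == k) for k in (PASSED, FAILED, SKIPPED)}


def exit_code(results):
    return 1 if any(r["result"] == FAILED for r in results) else 0


# Constructed input, as if parsed from one Terraform module.
SAMPLE_RESOURCES = [
    {"type": "aws_s3_bucket", "name": "public_site", "conf": {"acl": "public-read"}, "skips": []},
    {"type": "aws_s3_bucket", "name": "logs", "conf": {"acl": "private"}, "skips": []},
    {"type": "aws_security_group", "name": "bastion",
     "conf": {"ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]},
     "skips": ["CKV_EX_2"]},  # suppressed: bastion is intentionally reachable, reviewed by security
    {"type": "aws_security_group", "name": "legacy",
     "conf": {"ingress": [{"from_port": 0, "to_port": 65535, "cidr_blocks": ["0.0.0.0/0"]}]}, "skips": []},
    {"type": "aws_ebs_volume", "name": "data", "conf": {"size": 100}, "skips": []},
]

if __name__ == "__main__":
    for r in scan(SAMPLE_RESOURCES):
        print(r)
    print("before fixes:", summarize(scan(SAMPLE_RESOURCES)))
    print("after fixes: ", summarize(scan(apply_fixes(SAMPLE_RESOURCES))))
```

The suppression on the bastion group is the important detail: an inline skip keeps the check visible in the results as SKIPPED rather than silently dropping it, and the auto-fix pass leaves a suppressed resource alone, so the exception stays a deliberate, reviewable decision.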

Supply chain security

Cloud-native software supply chains are increasingly becoming the target of attacks as they give bad actors access to code and secrets, which they use to inject malicious code or pivot to exfiltrate data. Prisma Cloud provides visibility into the components of your supply chain and posture for your version control systems (VCS) and CI/CD pipelines. Leverage the platform’s graph visualization to understand the attack surface and keep pipelines secure by aligning to best practices.

  • Visualize your supply chain

    The Supply Chain Graph provides an inventory and easy-to-consume visualization of your supply chain components to understand and protect your attack surface.

  • Align VCS configurations to best practices

    Automatically manage the posture of your version control systems (VCS) to ensure that security best practices, such as branch protections, are in place.

  • Prevent image poisoning attacks

    Leveraging Prisma Cloud image scanning and container sandbox analysis, identify and block malicious images and only allow vetted images into your deployments with trusted images.

  • Generate a software bill of materials (SBOM)

    Generate an SBOM report containing your open source packages, libraries and IaC resources along with associated security issues to track and understand your application risk.

Secrets scanning

It only takes bad actors a minute to find and abuse credentials exposed online. Identify secrets before production using Prisma Cloud. Find and remove secrets in IaC templates and container images in development environments and build time using signatures and heuristics.

  • Find secrets in IaC templates

    Identify passwords and tokens in IaC templates in IDEs, CLIs, pre-commit and in CI/CD tooling.

  • Identify secrets in container images

    Find hardcoded secrets in container images locally, in registries and CI/CD scans.

  • Identify secrets using multiple methods

    Use regular expressions, keywords or entropy-based identifiers to locate common and uncommon secrets such as AWS access keys and database passwords.
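The three detection methods listed above (regular expressions for known key formats, keywords for sensitive-looking assignments, and entropy for unrecognized credentials) complement each other because each misses something the others catch. The following is an added example written for this page, not Prisma Cloud's or Checkov's scanner: the patterns are simplified illustrations of real key formats, the placeholder list and the entropy threshold of 4.0 bits are tunable assumptions, and both scanned files are constructed (the AWS secret key is the one used in AWS documentation examples; every other token is made up). It also handles two common false-positive sources: Terraform variable references and template placeholders.

```python
"""Secrets detection by signature, keyword and Shannon entropy.

Added example, not Prisma Cloud's or Checkov's secret scanner. The regexes
are simplified illustrations of real key formats, the placeholder list and
entropy threshold are tunable assumptions, and both scanned files are
constructed (the AWS secret key is the AWS documentation example value).
"""
import math
import re

# Signature detectors for credentials with a recognizable format.
SIGNATURES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Keyword detector: a sensitive-looking name assigned a literal of 8+ characters.
KEYWORD = re.compile(
    r"""(?i)((?:password|passwd|secret|api[_-]?key|access[_-]?key|token)\w*)\s*[=:]\s*["']?([^"'\s#]{8,})"""
)
# Entropy candidates: runs of base64/hex-like characters long enough to be a credential.
CANDIDATE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>"}


def shannon_entropy(s):
    """Bits per character; a 32-character token of distinct characters scores 5.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def is_reference(value):
    # Terraform/CloudFormation references are not literals and must not be flagged.
    return value.startswith(("var.", "local.", "data.", "module.", "${", "!Ref", "!Sub"))


def scan_line(line, lineno, entropy_threshold=4.0):
    findings = []

    def add(method, kind, match):
        # One finding per token: a keyword or entropy hit on text already
        # caught by a signature is noise.
        if not any(match in f["match"] for f in findings):
            findings.append({"line": lineno, "method": method, "type": kind, "match": match})

    for kind, pat in SIGNATURES.items():
        for m in pat.finditer(line):
            add("signature", kind, m.group(0))
    m = KEYWORD.search(line)
    if m and m.group(2).lower() not in PLACEHOLDERS and not is_reference(m.group(2)):
        add("keyword", m.group(1).lower(), m.group(2))
    for m in CANDIDATE.finditer(line):
        if shannon_entropy(m.group(0)) >= entropy_threshold:
            add("entropy", "high_entropy_string", m.group(0))
    return findings


def scan_files(files, entropy_threshold=4.0):
    found = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for f in scan_line(line, lineno, entropy_threshold):
                found.append({"file": name, **f})
    return found


# Constructed inputs: a Terraform file and a Dockerfile.
SAMPLE_TF = """\
resource "aws_db_instance" "main" {
  username = "admin"
  password = var.db_password
}
provider "aws" {
  access_key = "AKIAEXAMPLEKEY000001"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
"""
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
ENV DB_PASSWORD=changeme
ENV API_TOKEN=ghp_000000000000000000000000000000000000
ENV CACHE_SEED=kR9vT2xW5mQ8nL4pZ7cJ1bH6yF3sD0aG
LABEL maintainer=platform-team-infrastructure
"""

if __name__ == "__main__":
    for f in scan_files({"main.tf": SAMPLE_TF, "Dockerfile": SAMPLE_DOCKERFILE}):
        print(f'{f["file"]}:{f["line"]} [{f["method"]}/{f["type"]}] {f["match"][:12]}...')
```

Each method catches exactly one thing the others miss in the sample: the access key ID by its AKIA prefix, the AWS secret key (which has no fixed prefix) by the `secret_key` keyword, the all-zero GitHub token by signature even though its entropy is near zero, and the `CACHE_SEED` value by entropy alone. The `maintainer` label, a 28-character string of ordinary words, scores about 3.7 bits and stays below the threshold, which is why a threshold around 4 bits is a reasonable starting point for base64-like tokens.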

Software composition analysis

The majority of modern application code is made up of open source dependencies. Lack of awareness of what dependencies are actually in use, and the fear of introducing breaking changes, leads to vulnerabilities going unremediated. Prisma Cloud integrates with developer tools to identify vulnerabilities in open source packages and their full dependency trees with support for flexible and granular bump fixes.

  • Leverage industry-leading sources for complete open source security confidence

    Prisma Cloud scans open source dependencies wherever they are and compares them against public databases like NVD and the Prisma Cloud Intelligence Stream to identify vulnerabilities.

  • Identify vulnerabilities at any dependency depth and in context

    Prisma Cloud ingests package manager data to resolve dependency trees to their full depth, and connects infrastructure and application risks so that remediations can be prioritized faster.

  • Integrate open source security across the development lifecycle

    Surface real-time vulnerability feedback to developers via IDEs and VCS pull/merge requests, and block builds that exceed vulnerability thresholds, to proactively keep your cloud-native environment secure.

  • Fix issues without introducing breaking changes

    Get the recommended smallest update to fix vulnerabilities in direct and transitive dependencies without the risk of breaking critical functions. Fix multiple issues at once with the flexibility of selecting granular versions per package.
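Two pieces of the SCA description above are algorithms worth seeing in code: walking a lockfile to find every path from the application to a vulnerable transitive dependency, and choosing the smallest published version that closes a selected set of advisories. The following is an added example written for this page, not Prisma Cloud's SCA engine: the lockfile, advisories and release lists are constructed, and the package names and ADV-EX-* identifiers are invented. It demonstrates the "granular" choice the page mentions: fixing everything for the constructed package needs a breaking major bump, while fixing only the high and medium issues is a minor bump.

```python
"""Transitive-dependency vulnerability lookup and smallest safe version bump.

Added example, not Prisma Cloud's SCA engine. The lockfile, advisories and
release lists are constructed; package names and ADV-EX-* IDs are invented.
"""

# Flattened lockfile: installed version and direct dependencies per package.
LOCK = {
    "webapp": {"version": "1.0.0", "deps": ["http-client", "template-engine"]},
    "http-client": {"version": "2.3.1", "deps": ["stream-parser"]},
    "template-engine": {"version": "4.0.2", "deps": ["stream-parser"]},
    "stream-parser": {"version": "1.4.0", "deps": []},
}
ROOT = "webapp"

# Advisories: a package is affected while installed < fixed_in.
ADVISORIES = [
    {"id": "ADV-EX-1", "package": "stream-parser", "fixed_in": "1.4.3", "severity": "high"},
    {"id": "ADV-EX-2", "package": "stream-parser", "fixed_in": "1.6.0", "severity": "medium"},
    {"id": "ADV-EX-3", "package": "http-client", "fixed_in": "2.3.0", "severity": "critical"},
    {"id": "ADV-EX-4", "package": "stream-parser", "fixed_in": "2.0.0", "severity": "low"},
]

# Versions the registry has published, used to pick a real upgrade target.
RELEASES = {
    "stream-parser": ["1.4.0", "1.4.3", "1.5.0", "1.6.0", "2.0.0"],
    "http-client": ["2.3.0", "2.3.1", "3.0.0"],
}


def parse_version(v):
    """Numeric semver-style tuple so '1.10.0' > '1.9.3'; pre-release tags are dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def dependency_paths(pkg, lock, root):
    """Every path root -> ... -> pkg, depth-first in declaration order."""
    paths = []

    def walk(node, trail):
        trail = trail + [node]
        if node == pkg:
            paths.append(trail)
            return
        for dep in lock[node]["deps"]:
            if dep not in trail:  # tolerate cycles in the graph
                walk(dep, trail)

    walk(root, [])
    return paths


def open_advisories(lock, advisories):
    """Advisories whose fix is newer than the installed version."""
    return [a for a in advisories
            if a["package"] in lock
            and parse_version(lock[a["package"]]["version"]) < parse_version(a["fixed_in"])]


def report(lock, advisories, root):
    """Open advisories with the installed version and the paths that pull the package in."""
    out = []
    for a in open_advisories(lock, advisories):
        paths = dependency_paths(a["package"], lock, root)
        out.append({**a, "installed": lock[a["package"]]["version"],
                    "direct": any(len(p) == 2 for p in paths), "paths": paths})
    return out


def smallest_fix(pkg, lock, advisories, releases, only=None):
    """Smallest published version that closes the selected advisories for pkg.

    `only` restricts which advisory IDs must be fixed, which is how a team
    takes a minor bump for the high and medium issues now and defers a
    breaking major bump needed only for a low one.
    """
    installed = parse_version(lock[pkg]["version"])
    open_for_pkg = [a for a in open_advisories(lock, advisories) if a["package"] == pkg]
    wanted = [a for a in open_for_pkg if only is None or a["id"] in only]
    if not wanted:
        return None
    need = max(parse_version(a["fixed_in"]) for a in wanted)
    candidates = sorted((parse_version(r), r) for r in releases.get(pkg, []))
    target = next((r for pv, r in candidates if pv >= need), None)
    if target is None:
        return {"package": pkg, "from": lock[pkg]["version"], "to": None, "fixes": [], "breaking": None}
    return {
        "package": pkg,
        "from": lock[pkg]["version"],
        "to": target,
        "fixes": [a["id"] for a in open_for_pkg if parse_version(a["fixed_in"]) <= parse_version(target)],
        "breaking": parse_version(target)[0] != installed[0],
    }


if __name__ == "__main__":
    for r in report(LOCK, ADVISORIES, ROOT):
        print(r["id"], r["package"], r["installed"], "direct" if r["direct"] else "transitive", r["paths"])
    print(smallest_fix("stream-parser", LOCK, ADVISORIES, RELEASES))
    print(smallest_fix("stream-parser", LOCK, ADVISORIES, RELEASES, only={"ADV-EX-1", "ADV-EX-2"}))
```

Two things the output makes visible that a flat vulnerability list does not: the vulnerable package is reached through two different direct dependencies, so a single bump of the transitive package is cheaper than upgrading both parents, and the version chosen is one the registry actually publishes rather than the bare `fixed_in` value, which may never have been released.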

OSS license compliance

Every company has its own acceptable use policies for open source licenses. Don’t wait until a manual compliance review to find out that an open source library isn’t compliant with your requirements. Prisma Cloud catalogs open source licenses for dependencies and can alert or block deployments based on customizable license policies.

  • Avoid costly open source license violations

    Surface feedback early, and block builds based on open source package license violations with support for all the popular languages and package managers.

  • Scan git and non-git repositories for issues

    Prisma Cloud has native integrations with version control systems like GitHub and Bitbucket but can scan any repository type using our command-line tool.

  • Use default rules or customize alerting and blocking

    Set alerting and blocking thresholds by license type to match internal requirements for copyleft and permissive licenses.
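A license policy of the kind described above is a classification of SPDX identifiers into categories, an action per category, and a way to evaluate compound license expressions. The following is an added example written for this page, not Prisma Cloud's license engine: the category table is a common practitioner classification (assumed, not a legal opinion), the policy and the dependency inventory are constructed, and expression handling covers flat `OR`/`AND` expressions only. The two edge cases it handles are the ones that cause most false alarms in practice: a dual-licensed package (`MIT OR GPL-3.0-only`) may be used under its permissive option, while a package that combines licenses with `AND` must satisfy the strictest one.

```python
"""License policy evaluation over a dependency inventory.

Added example, not Prisma Cloud's license engine. The category table is a
common practitioner classification by SPDX identifier (an assumption, not
legal advice); the policy and dependency list are constructed.
"""

CATEGORY = {
    "MIT": "permissive", "ISC": "permissive", "BSD-2-Clause": "permissive",
    "BSD-3-Clause": "permissive", "Apache-2.0": "permissive",
    "MPL-2.0": "weak-copyleft", "LGPL-2.1-only": "weak-copyleft",
    "LGPL-3.0-only": "weak-copyleft", "EPL-2.0": "weak-copyleft",
    "GPL-2.0-only": "copyleft", "GPL-3.0-only": "copyleft",
    "AGPL-3.0-only": "network-copyleft",
}
ACTION_RANK = {"allow": 0, "alert": 1, "block": 2}

# Constructed policy: one action per category, unknown licenses need review.
POLICY = {
    "permissive": "allow",
    "weak-copyleft": "alert",
    "copyleft": "block",
    "network-copyleft": "block",
    "unknown": "alert",
}


def action_for(license_id, policy):
    return policy.get(CATEGORY.get(license_id, "unknown"), policy["unknown"])


def evaluate(expression, policy):
    """Resolve a flat SPDX expression (no nested parentheses).

    'A OR B' lets the consumer pick either, so take the most permissive
    option; 'A AND B' binds tighter and must satisfy both, so take the
    strictest action within the group. An empty or missing license is unknown.
    """
    expr = expression.strip().strip("()")
    if not expr:
        return {"action": policy["unknown"], "chosen": "UNKNOWN"}
    best = None
    for alternative in expr.split(" OR "):
        parts = [p.strip().strip("()") for p in alternative.split(" AND ")]
        action = max((action_for(p, policy) for p in parts), key=ACTION_RANK.__getitem__)
        if best is None or ACTION_RANK[action] < ACTION_RANK[best["action"]]:
            best = {"action": action, "chosen": " AND ".join(parts)}
    return best


def gate(deps, policy, exceptions=frozenset()):
    """Block/alert/pass for a dependency list; exceptions are packages already
    approved by a compliance review and are allowed regardless of license."""
    block, alert = [], []
    for dep in deps:
        if dep["name"] in exceptions:
            continue
        entry = {**dep, **evaluate(dep.get("license", ""), policy)}
        if entry["action"] == "block":
            block.append(entry)
        elif entry["action"] == "alert":
            alert.append(entry)
    decision = "block" if block else ("alert" if alert else "pass")
    return {"decision": decision, "block": block, "alert": alert}


# Constructed inventory, as an SCA tool would catalog it from package metadata.
DEPS = [
    {"name": "string-pad", "version": "1.0.0", "license": "MIT"},
    {"name": "dual-lib", "version": "2.1.0", "license": "MIT OR GPL-3.0-only"},
    {"name": "lgpl-widget", "version": "0.9.0", "license": "LGPL-2.1-only"},
    {"name": "combo-lib", "version": "3.2.0", "license": "Apache-2.0 AND GPL-2.0-only"},
    {"name": "mystery", "version": "0.1.0", "license": ""},
    {"name": "server-core", "version": "5.0.0", "license": "AGPL-3.0-only"},
]

if __name__ == "__main__":
    verdict = gate(DEPS, POLICY)
    print("decision:", verdict["decision"])
    for e in verdict["block"] + verdict["alert"]:
        print(f'  {e["action"]:5} {e["name"]}@{e["version"]} ({e["chosen"]})')
```

The `exceptions` set is how a reviewed AGPL server component stays deployable without weakening the policy for everything else; it is the equivalent of the per-package suppression in an IaC scanner and should carry the same expectation of a documented reason.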

Code Security modules

INFRASTRUCTURE AS CODE SECURITY

Automated IaC security embedded in developer workflows

SOFTWARE COMPOSITION ANALYSIS (SCA)

Highly accurate and context-aware open source security and license compliance

SOFTWARE SUPPLY CHAIN SECURITY

End-to-end protection for software components and pipelines
