Create your FREE Codefresh account and start making pipelines fast. Create Account

Reduce Security Cost by Shifting Left

2 min read

Editors Note: We did a webinar on this very topic!  Scroll to this bottom of this post to watch the webinar.

With the emergence of “Shift Left” as common practice for development, we’re seeing many opportunities to reduce costs around our development practices, but what about security? 

Prisma Cloud is supporting “Shift Left” by making their scanning capabilities available to Developers and CI Tooling to run scans against microservice projects. 

As a bonus, the Prisma Cloud product suite scanning capabilities fit perfectly within Codefresh.  Supporting scans of Docker images, Functions and Kubernetes manifests.  All common to Codefresh and Codefresh customers.The reasoning behind “Shift Left” for security: 

  1. Reduce the risk of security breaches in production!
  2. Reduce costs of fixing vulnerabilities and compliance violations early during the development life cycle.
  3. Prevent vulnerabilities and compliance violations from making it out of development.

We’ve recently introduced 2 steps supporting Prisma Cloud scanning from a Codefresh pipeline:

Marketplace Step: Incorporate this step to scan your Docker image using your Registry connection from Prisma Cloud.

  type: prisma-cloud
    IMAGE_NAME: name
    IMAGE_TAG: tag
    PC_HOSTNAME: hostname
    PC_PORT: port
    PC_USERNAME: username
    PC_PASSWORD: password
    REGISTRY: registry

Ad-Hoc Commands: Incorporate this step to scan any resource (ex. Function, K8s manifest) supported by Prisma Cloud by using the TwistCLI from your Codefresh pipeline.

      - echo "Installing curl... <Optional>"
      - apk add curl
      - echo "Downloading twistcli... <Required>"
      - curl -k -u "${{PC_USERNAME}}:${{PC_PASSWORD}}" --output ./twistcli "${{PC_PROTOCOL}}://${{PC_HOSTNAME}}:${{PC_PORT}}/api/v1/util/twistcli"
      - chmod +x ./twistcli
      - echo "Scanning codefresh-sa/${{CF_REPO_NAME}}"
      - ./twistcli images scan --ci --details -address "${{PC_PROTOCOL}}://${{PC_HOSTNAME}}:${{PC_PORT}}" -u "${{PC_USERNAME}}" -p "${{PC_PASSWORD}}" --containerized  "codefresh-sa/${{CF_REPO_NAME}}:${{CF_BRANCH_TAG_NORMALIZED}}-${{CF_SHORT_REVISION}}" --custom-labels Build="${{CF_BUILD_URL}}"

Additional Documentation

Now that you’ve scanned your Docker images and manifests, you can include their reports in Codefresh using annotations, making them available when auditing or tracing your microservice currently running in your Kubernetes cluster.

Kubernetes Service:

Helm Releases:

Codefresh Environment:

All capable of tracing the Docker image being utilized by a service back to…

The Docker image:

The Build:
The Prisma Cloud Report:

Watch the full webinar: “Shifting Left for a Secure CICD Pipeline”


Dustin Van Buskirk

A Senior Solution Architect at Codefresh

Leave a Reply

* All fields are required. Your email address will not be published.