Reduce Security Cost by Shifting Left

Join Our Newsletter!
Community

Reduce Security Cost by Shifting Left

2 min read
Dustin Van Buskirk

Editors Note: We did a webinar on this very topic!  Scroll to this bottom of this post to watch the webinar.

With the emergence of “Shift Left” as common practice for development, we’re seeing many opportunities to reduce costs around our development practices, but what about security? 

Prisma Cloud is supporting “Shift Left” by making their scanning capabilities available to Developers and CI Tooling to run scans against microservice projects. 

As a bonus, the Prisma Cloud product suite scanning capabilities fit perfectly within Codefresh.  Supporting scans of Docker images, Functions and Kubernetes manifests.  All common to Codefresh and Codefresh customers.The reasoning behind “Shift Left” for security: 

  1. Reduce the risk of security breaches in production!
  2. Reduce costs of fixing vulnerabilities and compliance violations early during the development life cycle.
  3. Prevent vulnerabilities and compliance violations from making it out of development.

We’ve recently introduced 2 steps supporting Prisma Cloud scanning from a Codefresh pipeline:

Marketplace Step: Incorporate this step to scan your Docker image using your Registry connection from Prisma Cloud.

PrismaCloudImageScan:
  type: prisma-cloud
  arguments:
    IMAGE_NAME: name
    IMAGE_TAG: tag
    PC_HOSTNAME: hostname
    PC_PORT: port
    PC_USERNAME: username
    PC_PASSWORD: password
    REGISTRY: registry
    COMPLIANCE_THRESHOLD: level
    VULNERABILITY_THRESHOLD: level

Ad-Hoc Commands: Incorporate this step to scan any resource (ex. Function, K8s manifest) supported by Prisma Cloud by using the TwistCLI from your Codefresh pipeline.

commands:
      - echo "Installing curl... <Optional>"
      - apk add curl
      - echo "Downloading twistcli... <Required>"
      - curl -k -u "${{PC_USERNAME}}:${{PC_PASSWORD}}" --output ./twistcli "${{PC_PROTOCOL}}://${{PC_HOSTNAME}}:${{PC_PORT}}/api/v1/util/twistcli"
      - chmod +x ./twistcli
      - echo "Scanning codefresh-sa/${{CF_REPO_NAME}}"
      - ./twistcli images scan --ci --details -address "${{PC_PROTOCOL}}://${{PC_HOSTNAME}}:${{PC_PORT}}" -u "${{PC_USERNAME}}" -p "${{PC_PASSWORD}}" --containerized  "codefresh-sa/${{CF_REPO_NAME}}:${{CF_BRANCH_TAG_NORMALIZED}}-${{CF_SHORT_REVISION}}" --custom-labels Build="${{CF_BUILD_URL}}"

Additional Documentation

Now that you’ve scanned your Docker images and manifests, you can include their reports in Codefresh using annotations, making them available when auditing or tracing your microservice currently running in your Kubernetes cluster.

Kubernetes Service:

Helm Releases:

Codefresh Environment:

All capable of tracing the Docker image being utilized by a service back to…

The Docker image:

The Build:
The Prisma Cloud Report:

Watch the full webinar: “Shifting Left for a Secure CICD Pipeline”

 

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

CATEGORIES

Build your GitOps skills and credibility today with a GitOps Certification.

Get GitOps Certified

Ready to Get Started?
  • safer deployments
  • More frequent deployments
  • resilient deployments
Sign Up Book A Demo