Editor's Note: We did a webinar on this very topic! Scroll to the bottom of this post to watch the webinar.
With “Shift Left” becoming common practice in development, we're seeing many opportunities to reduce costs in our development practices, but what about security?
Prisma Cloud supports “Shift Left” by making its scanning capabilities available to developers and CI tooling, so scans can run against microservice projects long before anything reaches production.
As a bonus, the Prisma Cloud scanning capabilities fit perfectly within Codefresh, supporting scans of Docker images, Functions and Kubernetes manifests, all common to Codefresh and Codefresh customers.

The reasoning behind “Shift Left” for security:
- Reduce the risk of security breaches in production!
- Reduce costs of fixing vulnerabilities and compliance violations early during the development life cycle.
- Prevent vulnerabilities and compliance violations from making it out of development.
We’ve recently introduced two steps that support Prisma Cloud scanning from a Codefresh pipeline:
Marketplace Step: Incorporate this step to scan your Docker image using your Registry connection from Prisma Cloud. Prisma Cloud pulls the image from that registry, so the image must already be pushed when the step runs.
```yaml
PrismaCloudImageScan:
  type: prisma-cloud
  arguments:
    IMAGE_NAME: name                  # image to scan, as it appears in the registry
    IMAGE_TAG: tag
    PC_HOSTNAME: hostname             # Prisma Cloud Compute Console
    PC_PORT: port
    PC_USERNAME: username             # keep these as encrypted pipeline variables, not literals
    PC_PASSWORD: password
    REGISTRY: registry                # registry connection configured in Prisma Cloud
    COMPLIANCE_THRESHOLD: level       # severity level for compliance findings
    VULNERABILITY_THRESHOLD: level    # severity level for vulnerability findings
```
Ad-Hoc Commands: Incorporate this step to scan any resource supported by Prisma Cloud (e.g. a Function or a Kubernetes manifest) by downloading twistcli from your Console and running it from your Codefresh pipeline. The example below scans a Docker image:
```yaml
commands:
  - echo "Installing curl... <Optional>"
  - apk add curl
  - echo "Downloading twistcli... <Required>"
  # -k disables TLS certificate verification for the Console. Prefer trusting the
  # Console's CA in the pipeline image and dropping -k, since the binary downloaded
  # here is executed with your Console credentials.
  - curl -k -u "${{PC_USERNAME}}:${{PC_PASSWORD}}" --output ./twistcli "${{PC_PROTOCOL}}://${{PC_HOSTNAME}}:${{PC_PORT}}/api/v1/util/twistcli"
  - chmod +x ./twistcli
  - echo "Scanning codefresh-sa/${{CF_REPO_NAME}}"
  # --ci returns a non-zero exit code when the image violates the Console's policy,
  # which fails the pipeline step; --custom-labels ties the scan back to this build.
  - ./twistcli images scan --ci --details -address "${{PC_PROTOCOL}}://${{PC_HOSTNAME}}:${{PC_PORT}}" -u "${{PC_USERNAME}}" -p "${{PC_PASSWORD}}" --containerized "codefresh-sa/${{CF_REPO_NAME}}:${{CF_BRANCH_TAG_NORMALIZED}}-${{CF_SHORT_REVISION}}" --custom-labels Build="${{CF_BUILD_URL}}"
```
Additional Documentation
Now that you’ve scanned your Docker images and manifests, you can include their reports in Codefresh using annotations, making them available when auditing or tracing the microservice currently running in your Kubernetes cluster.
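To show how the scan step and the annotations fit together in one pipeline, here is an added example of a complete Codefresh pipeline (illustrative, not code from the original post or from Codefresh/Prisma Cloud): it builds and pushes the image, runs the Prisma Cloud marketplace step against it, and, only if the scan passes the thresholds, records the result on the image as annotations. Assumptions are labelled in the comments: the registry integration name `myregistry`, `high` as a valid threshold value, the `${{build.imageId}}`/`${{build.imageName}}` outputs of the build step, the `annotations: set:` syntax for image annotations, and the annotation keys themselves, which are made up for this example.

```yaml
# Added example, not from the original post. Assumed: PC_* values are stored as
# encrypted pipeline variables; "myregistry" is a registry integration that matches
# the registry connection configured in Prisma Cloud; "high" is an accepted threshold level.
version: '1.0'
stages:
  - build
  - scan
  - record
steps:
  build:
    title: Build and push image
    type: build
    stage: build
    image_name: codefresh-sa/${{CF_REPO_NAME}}
    tag: ${{CF_BRANCH_TAG_NORMALIZED}}-${{CF_SHORT_REVISION}}
    dockerfile: Dockerfile
    registry: myregistry            # assumed integration name; Prisma Cloud pulls from here

  scan:
    title: Prisma Cloud image scan
    type: prisma-cloud
    stage: scan
    arguments:
      IMAGE_NAME: codefresh-sa/${{CF_REPO_NAME}}
      IMAGE_TAG: ${{CF_BRANCH_TAG_NORMALIZED}}-${{CF_SHORT_REVISION}}
      PC_HOSTNAME: ${{PC_HOSTNAME}}
      PC_PORT: ${{PC_PORT}}
      PC_USERNAME: ${{PC_USERNAME}}   # encrypted pipeline variable
      PC_PASSWORD: ${{PC_PASSWORD}}   # encrypted pipeline variable
      REGISTRY: myregistry
      COMPLIANCE_THRESHOLD: high      # assumed level value
      VULNERABILITY_THRESHOLD: high   # assumed level value

  # A failed step stops the pipeline, so this step only runs when the scan passed.
  record:
    title: Annotate image with scan result
    stage: record
    image: alpine:3
    commands:
      - echo "Scan passed thresholds for ${{build.imageName}}"   # assumed build-step output
    annotations:
      set:
        - entity_type: image
          entity_id: ${{build.imageId}}                           # assumed build-step output
          annotations:
            - prisma_scan: passed                                 # keys below are made up
            - prisma_console: ${{PC_PROTOCOL}}://${{PC_HOSTNAME}}:${{PC_PORT}}
            - build_url: ${{CF_BUILD_URL}}
```

The ordering is the security-relevant part: the annotation that says "passed" is written by a step that cannot run unless the scan step exited successfully, so an image carrying it in the Codefresh image view was actually gated, and the build URL on the annotation leads back to the pipeline run that scanned it.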
The Kubernetes Service, Helm Releases and Codefresh Environment views are all capable of tracing the Docker image being utilized by a service back to:
- The Docker image
- The Build
- The Prisma Cloud Report
Watch the full webinar: “Shifting Left for a Secure CICD Pipeline”