Cloud Code Security

Prisma® Cloud delivers automated security for cloud native infrastructure and applications, integrated with developer tools

Request a trial

WHY IT MATTERS
OUR APPROACH
RESOURCES

Cloud native application development is fast-paced and complex. It can be a challenge for security teams to keep up. However, DevOps practices present an opportunity to use automation to secure apps and infrastructure before deployment, alleviating that pressure.

Read about Unit 42’s latest research on the state of infrastructure as code security

Download the report

Agile development requires automated build security

Traditional security reviews break agile development methods and slow the business down. To facilitate remediation while maintaining pace, security needs to be embedded across the development lifecycle, from pull requests and continuous integration builds to registries and runtime.

Cloud native architectures require purpose-built tools

Infrastructure as code (IaC) and microservices allow dev teams to use the best tools, languages and cloud for each service. But it’s impossible for security teams to have expertise across every single component. They need automated security tools to help catch vulnerabilities and misconfigurations before they are deployed.

Siloed security tooling creates overhead

Together, build time and runtime security ensure consistent feedback is shared across teams. But teams need integrated tools that overlay vulnerabilities, misconfigurations, dependencies and network context to prevent breaking changes and mitigate unwanted exposure.

A single tool for securing IaC, container images and source code across all modern architectures cloud environments.

Prisma Cloud embeds comprehensive security across the software development cycle. The platform identifies vulnerabilities, misconfigurations and compliance violations in IaC templates, container images and git repositories. It offers IaC scanning backed by an open source community, and image and code analysis backed by years of expertise and threat research. With centralized visibility and policy controls, engineering teams can secure their full stack without leaving their tools, while security teams can ensure that only secure code is deployed.

Support for multiple languages, runtimes and frameworks
Consistent controls from build time to runtime
Embedded in DevOps tooling

THE PRISMA CLOUD SOLUTION

Our approach to Cloud Code Security

Infrastructure as code scanning

Infrastructure as code presents an opportunity to secure cloud infrastructure in code before it’s ever deployed to production. Prisma Cloud streamlines security throughout the software development lifecycle using automation and by embedding security into workflows in DevOps tooling for Terraform, CloudFormation, Kubernetes, Dockerfile, Serverless and ARM templates.

Automate cloud misconfiguration checks in code

Add automated checks for misconfigurations at every step of the software development lifecycle.
Leverage the power of open source and the community

Checkov, the open source tool built by Bridgecrew powering Prisma Cloud Infrastructure as Code Security, is backed by an active community and has been downloaded millions of times.
Embed misconfiguration checks in developer tools

Prisma Cloud comes with native integrations for IDEs, VCS, and CI/CD tooling to help developers secure code in their existing workflows.
Include deep context for misconfigurations

Prisma Cloud automatically tracks dependencies for IaC resources as well as the most recent developer modifiers to improve collaboration in large teams.
Provide automated feedback and fixes in code

Automate pull request comments for misconfigurations along with automated pull requests and commit fixes and Smart Fixes for identified misconfigurations.

Learn more

Container image scanning

Container images are a key component of cloud native applications. However, they typically include many resources outside the control of developers, such as operating systems and configurations. Prisma Cloud allows security teams to provide actionable feedback and guardrails for vulnerabilities and compliance violations in container images to keep these components secure.

Identify vulnerabilities in container images

Use twistcli to identify vulnerabilities in operating systems and open source packages built into container image layers.
Provide fix status and remediation guidance

Give developers the fix status, the minimum version to remediate and the time since the fix was released to prioritize updating packages.
Alert on or block vulnerabilities by severity level

Add guardrails to block images with vulnerabilities that don’t meet severity level requirements, before they are pushed to production.
Achieve container compliance in code

Check your container image dependencies and configurations for violations against popular benchmarks like CIS and proprietary issues such as malware in build time.
Ensure trust for container images

Harden images by leveraging build time scanning and trusted registries for a secure container image supply chain.
Integrate across the software development lifecycle

Embed security feedback and guardrails in popular CI/CD tools, VCS, and registries.

Learn more

Policy as code

Traditional security testing is performed by separate organizations using separate tools, creating siloed and difficult-to-replicate controls. Prisma Cloud offers policy-as-code to provide controls built into code that can be replicated, version-controlled and tested against live code repositories.

Build and control policies using code

Define, test and version control check-lists, skip-lists and graph-based custom policies in Python and YAML for IaC templates.
Deploy and configure accounts and agents in code

Use Terraform to onboard accounts, deploy agents and configure runtime policies, including ingestion and protection based on OpenAPI and Swagger files.
Leverage out of the box and custom policies for misconfigurations

Prisma Cloud comes out of the box with hundreds of policies built in code and allows you to add custom policies for cloud resources and IaC templates.
Provide feedback directly on the code being written

IaC templates have direct feedback with auto-fixes, pull/merge request comments, and pull/merge request auto-fixes.

Learn more

Supply chain security

Visualize your supply chain

The Supply Chain Graph provides an inventory and easy-to-consume visualization of your supply chain components to understand and protect your attack surface.
Align VCS configurations to best practices

Automatically manage the posture of your version control systems (VCS) to ensure that security best practices, such as branch protections, are in place.
Harden the posture of your CI/CD pipelines

Check your code-based CI/CD workflow files for misconfigurations to prevent code injection or secrets exposure.
Prevent image poisoning attacks

Leveraging Prisma Cloud image scanning and container sandbox analysis, identify and block malicious images and only allow vetted images into your deployments with trusted images.

Learn more

Secrets scanning

It only takes bad actors a minute to find and abuse credentials exposed online. Identify secrets before production using Prisma Cloud. Find and remove secrets in IaC templates and container images in development environments and build time using signatures and heuristics.

Find secrets in IaC templates

Identify passwords and tokens in IaC templates in IDEs, CLIs, pre-commit and in CI/CD tooling.
Identify secrets in container images

Find hardcoded secrets in container images locally, in registries and CI/CD scans.
Identify secrets using multiple methods

Use regular expressions, keywords or entropy-based identifiers to locate common and uncommon secrets such as AWS access keys and database passwords.

Learn more

Git repository vulnerability management

A majority of modern application code is made up of open source dependencies. Lack of awareness and breaking changes prevent developers from using the latest packages that minimize vulnerabilities. Prisma Cloud identifies vulnerabilities in open source dependencies found in Node.js, Python, Java and Go repositories.

Build out a software bill-of-materials

Prisma Cloud will locate dependencies in repositories and build a software bill-of-materials (SBOM) of the packages in use for vetting.
Verify security of dependencies against open source and proprietary databases

Prisma Cloud scans git and non-git-based repositories for package vulnerabilities and compares them against public databases like NVD and the Prisma Cloud Intelligence Stream.
Include remediation guidance

The output of the findings includes the fix status, the minimum version to remediate and the time since the fix was released to prioritize updating libraries.

Learn more

OSS license compliance

Every company has its own acceptable use policies for open source licenses. Don’t wait until a manual compliance review to find out that an open source library is non-compliant. Prisma Cloud catalogs open source licenses for dependencies and can alert or block repository commits based on customizable policies.

Avoid costly open source license violations

Alert and block builds based on open source package licenses in Node.js, Python, Java and Go dependencies.
Scan git and non-git repositories for issues

Prisma Cloud has native integrations with GitHub, but can scan any repository type using twistcli.
Use default rules or customize alerting and blocking

Set alerting and blocking thresholds by license type to match internal requirements for copyleft and permissive licenses.

Learn more