Code Security

Prisma® Cloud delivers automated security for cloud native infrastructure and applications, integrated with developer tools

Cloud-native application development is fast-paced and complex. It can be a challenge for security teams to keep up. However, several DevOps best practices present an opportunity to use automation to secure apps and infrastructure from code to cloud, alleviating that pressure.

Read about Unit 42’s latest research on the state of infrastructure as code security

A single tool for securing code across all modern architectures and software supply chains.

Prisma Cloud embeds comprehensive security across the software development cycle. The platform identifies vulnerabilities, misconfigurations, compliance violations and exposed secrets earlier in the development lifecycle. With scanning support for IaC templates, container images, open source packages and delivery pipelines, Prisma Cloud provides code security backed by an open source community and years of expertise and threat research. With connected visibility and policy controls, engineering teams can secure their full stack without leaving their tools, while security teams can ensure that all deployed code is secure.
  • Support for multiple languages, runtimes and frameworks
  • Consistent controls from build time to runtime
  • Embedded in DevOps tooling
  • Infrastructure as code scanning
  • Container image scanning
  • Policy as code
  • CI/CD security
  • Secrets security
  • Software composition analysis
  • OSS license compliance

THE PRISMA CLOUD SOLUTION

Our approach to Code Security

Infrastructure as code scanning

Infrastructure as code presents an opportunity to secure cloud infrastructure in code before it’s ever deployed to production. Prisma Cloud streamlines security throughout the software development lifecycle using automation and by embedding security into workflows in DevOps tooling for Terraform, CloudFormation, Kubernetes, Dockerfile, Serverless and ARM templates.

  • Automate cloud security scanning in code

    Add automated checks for misconfigurations and exposed secrets at every step of the software development lifecycle.

  • Leverage the power of open source and the community

    Checkov, the leading open source policy-as-code tool powering Prisma Cloud Infrastructure as Code Security, is backed by an active community and has been downloaded millions of times.

  • Embed code security feedback directly in developer tools

    Prisma Cloud comes with native integrations for IDEs, VCS, and CI/CD tooling to help developers ship secure code in their existing workflows.

  • Include deep context for misconfigurations

    Prisma Cloud automatically tracks dependencies between IaC resources, as well as the developers who most recently modified them, to improve collaboration in large teams.

  • Provide automated feedback and fixes in code

    Automate pull request comments for misconfigurations along with automated pull requests and commit fixes and Smart Fixes for identified misconfigurations.


Container image scanning

Container images are a key component of cloud native applications. However, they typically include many resources outside the control of developers, such as operating systems and configurations. Prisma Cloud allows security teams to implement guardrails to prevent vulnerabilities, compliance violations and exposed secrets in container images.

  • Identify vulnerabilities in container images

    Use twistcli to identify vulnerabilities in operating systems and open source packages built into container image layers.

  • Provide fix status and remediation guidance

    Give developers the fix status, the minimum version to remediate and the time since the fix was released to prioritize updating packages.

  • Alert on or block vulnerabilities by severity level

    Add guardrails to block images with vulnerabilities that don’t meet severity level requirements, before they are pushed to production.

  • Achieve container compliance in code

    Check your container image dependencies and configurations at build time for violations of popular benchmarks like CIS, and for proprietary issues such as malware.

  • Ensure trust for container images

    Harden images with build time scanning, surface exposed secrets in containers and leverage trusted registries for a secure container image supply chain.

  • Integrate across the software development lifecycle

    Embed security feedback and guardrails in popular CI/CD tools, VCS, and registries.


Policy as code

Traditional security testing is performed by separate organizations using separate tools, creating siloed and difficult-to-replicate controls. Prisma Cloud offers policy-as-code to provide controls built into code that can be replicated, version-controlled and tested against live code repositories.

  • Build and control policies using code

    Define, test and version control check-lists, skip-lists and graph-based custom policies in Python and YAML for IaC templates.

  • Deploy and configure accounts and agents in code

    Use Terraform to onboard accounts, deploy agents and configure runtime policies, including ingestion and protection based on OpenAPI and Swagger files.

  • Leverage out of the box and custom policies for misconfigurations

    Prisma Cloud comes out of the box with hundreds of policies built in code and allows you to add custom policies for cloud resources and IaC templates.

  • Provide feedback directly on the code being written

    Get direct feedback on IaC templates with auto-fixes, pull/merge request comments and pull/merge request auto-fixes.


CI/CD security

Cloud-native CI/CD pipelines are increasingly becoming the target of attacks as they give bad actors access to code and secrets, which they use to inject malicious code or pivot to exfiltrate data. Prisma Cloud provides a powerful yet simple way to gain visibility and control of application delivery pipelines. Leverage the platform’s Cloud Application Graph™ to harden CI/CD pipelines over time and prevent security issues from reaching production.

  • Full observability of your entire engineering ecosystem

    Gain unified visibility across the engineering ecosystem, including code repositories, contributors, technologies used, pipelines connected along with code risks from IaC Security, SCA, and secrets security.

  • Harden CI/CD pipelines

    Informed by world-class CI/CD security research, Prisma Cloud helps teams implement security guardrails to harden their pipelines and achieve optimized CI/CD posture against the OWASP Top 10 CI/CD Risks framework.

  • Analyze the entire ecosystem

    Prisma Cloud’s Cloud Application Graph uses relational graph databases so organizations can centralize visibility and control across the engineering ecosystem by correlating disparate signals across codebases, scanners, orchestration and automation tools, and more.

  • Generate a software bill of materials (SBOM)

    Generate an SBOM report containing your open source packages, libraries and IaC resources along with associated security issues to track and understand your application risk.


Secrets security

It only takes bad actors a minute to find and abuse credentials exposed online. Identify secrets before production using Prisma Cloud. Find and remove secrets in IaC templates and container images, in development environments and at build time, using signatures and heuristics.

  • Find secrets in nearly any file type

    Identify passwords and tokens in Infrastructure as Code templates, golden images, and Git repository configurations.

  • Surface secrets in developer tools

    Surface hardcoded secrets in code to developers early via IDEs, CLIs, pre-commit and in CI/CD tooling.

  • Multidimensional secrets scanning

    Use regular expressions, keywords or fine-tuned entropy-based identifiers to locate common and uncommon secrets.
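As an added illustration of the regex, keyword and entropy approach described above (example code written for this page, not Prisma Cloud's or Checkov's own scanner; the signature pattern, keyword list, thresholds and sample lines are all constructed assumptions), a minimal scanner that combines all three detectors and reports which one fired so findings can be triaged:

```python
import math
import re

# Constructed sample input, in the style of a config or IaC variables file.
# The AKIA value and the hex strings are made up for this example.
SAMPLE_LINES = [
    'aws_access_key_id = "AKIAEXAMPLE0000TEST1"',
    'db_password = "hunter2"',
    'api_token = "9f8e7d6c5b4a39281706f5e4d3c2b1a0f9e8d7c6"',
    'region = "us-east-1"',
    'image = "nginx:1.25"',
    'commit = "4f3a9b8c2d1e0f7a6b5c4d3e2f1a0b9c8d7e6f5a"',
]

# key = "value" or key: "value"
ASSIGNMENT = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_.-]*)\s*[=:]\s*["\']([^"\']+)["\']')
# Signature detectors: exact formats of well-known credential types (assumed pattern).
SIGNATURES = {"aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b")}
# Keyword detector: variable names that usually hold credentials.
KEYWORDS = ("password", "passwd", "secret", "token", "api_key", "access_key")
# Entropy detector: long, high-randomness values (bits per character).
MIN_ENTROPY_LEN = 20
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character of the string."""
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line: str) -> list:
    """Return the reasons a line is suspicious; empty list means clean."""
    reasons = [f"signature:{name}" for name, pat in SIGNATURES.items() if pat.search(line)]
    m = ASSIGNMENT.match(line)
    if m:
        key, value = m.group(1).lower(), m.group(2)
        if any(k in key for k in KEYWORDS):
            reasons.append(f"keyword:{key}")
        # Entropy alone also fires on commit SHAs and digests (line 6 above),
        # so the reason is reported to let the reviewer weigh it against the key name.
        if len(value) >= MIN_ENTROPY_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            reasons.append(f"entropy:{shannon_entropy(value):.2f}")
    return reasons


def scan_lines(lines) -> list:
    """(line number, reasons) for every line that tripped at least one detector."""
    return [(i, r) for i, line in enumerate(lines, 1) if (r := scan_line(line))]
```

A real scanner would add a path and value allowlist (digests, test fixtures) and many more signatures; the point here is that a finding backed by a signature or a credential-like key name ranks above one backed by entropy alone.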


Software composition analysis

The majority of modern application code is made up of open source dependencies. Lack of awareness of what dependencies are actually in use, and the fear of introducing breaking changes, leads to vulnerabilities going unremediated. Prisma Cloud integrates with developer tools to identify vulnerabilities in open source packages and their full dependency trees with support for flexible and granular bump fixes.

  • Leverage industry-leading sources for complete open source security confidence

    Prisma Cloud scans open source dependencies wherever they are and compares them against public databases like NVD and the Prisma Cloud Intelligence Stream to identify vulnerabilities.

  • Identify vulnerabilities at any dependency depth and in context

    Prisma Cloud ingests package manager data to extrapolate dependency trees to the furthest layer and connects infrastructure and application risks to prioritize remediations faster.

  • Integrate open source security across the development lifecycle

    Surface real-time vulnerability feedback to developers via IDEs and VCS pull/merge requests, and block builds based on vulnerability thresholds to proactively keep your cloud-native environment secure.

  • Fix issues without introducing breaking changes

    Get the recommended smallest update to fix vulnerabilities in direct and transitive dependencies without the risk of breaking critical functions. Fix multiple issues at once with the flexibility of selecting granular versions per package.


OSS license compliance

Every company has its own acceptable use policies for open source licenses. Don’t wait until a manual compliance review to find out that an open source library isn’t compliant with your requirements. Prisma Cloud catalogs open source licenses for dependencies and can alert or block deployments based on customizable license policies.

  • Avoid costly open source license violations

    Surface feedback early, and block builds based on open source package license violations with support for all the popular languages and package managers.

  • Scan git and non-git repositories for issues

    Prisma Cloud has native integrations with version control systems like GitHub and Bitbucket but can scan any repository type using our command-line tool.

  • Use default rules or customize alerting and blocking

    Set alerting and blocking thresholds by license type to match internal requirements for copyleft and permissive licenses.


Code Security modules

INFRASTRUCTURE AS CODE SECURITY

Automated IaC security embedded in developer workflows

SOFTWARE COMPOSITION ANALYSIS (SCA)

Highly accurate and context-aware open source security and license compliance

SOFTWARE SUPPLY CHAIN SECURITY

End-to-end protection for software components and pipelines

SECRETS SECURITY

Full-stack, multidimensional secrets scanning across repos and pipelines.
