1. Overview

Prisma Cloud lets you centrally define your CI policy in Console. These policies act as security gates at build time: they pass or fail builds, and surface security issues early in the development process, before an image is pushed to a registry or deployed.

There are two types of policies you can use to target your CI pipeline: vulnerability policies and compliance policies. CI rules have the same parameters as the rules for registries and deployed components, so you can enforce policy consistently across all phases of the app lifecycle.

Prisma Cloud offers the following CI tools:

  • A native Jenkins plugin.

  • A stand-alone, statically compiled binary, called twistcli, that can be integrated with any CI/CD tool.

2. Vulnerability policy

For more information about the parameters in vulnerability management rules, see here.

Vulnerability rules that target the build tool can allow specific vulnerabilities by creating an exception for the CVE and setting its effect to 'ignore', or block them by creating an exception and setting the effect to 'fail'. For example, you could create a vulnerability rule with an exception that explicitly allows CVE-2018-1234, which suppresses the warning for that CVE in the scan results.

Rules take effect as soon as they are saved.

3. Compliance policy

Prisma Cloud’s compliance checks are based on the Center for Internet Security (CIS) Docker Benchmarks. We also provide numerous checks from our lab. You can also implement your own checks using custom checks or XCCDF.

Compliance rules that target the build tool can permit specific compliance issues by creating an exception and setting the effect to 'ignore'. They cannot 'fail' a build.

Rules take effect as soon as they are saved.
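The following is an added example, not Prisma Cloud code, that models the gate semantics described in the vulnerability policy and compliance policy sections above: explicit exceptions override the rule, a vulnerability exception can 'ignore' or 'fail', and a compliance rule can 'ignore' but never fail a build. The severity thresholds, the Finding/CIRule structures, the function names and the sample scan results are all assumptions constructed for illustration.

```python
"""
Illustrative model of the build-time gate a Prisma Cloud CI rule describes.
Added example, not Prisma Cloud code: the finding/rule structures, the
severity ranking, the threshold fields and the function names are
assumptions used to show the semantics of 'ignore' and 'fail' exceptions
and of compliance rules that can alert but cannot fail a build.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed severity ordering used for the rule thresholds.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
EFFECTS = ("ignore", "alert", "fail")


@dataclass(frozen=True)
class Finding:
    """One scan result: a CVE in an image, or a failed compliance check."""
    id: str            # e.g. "CVE-2018-1234" or a compliance check id
    severity: str      # key of SEVERITY_RANK
    kind: str          # "vulnerability" or "compliance"


@dataclass
class CIRule:
    """A rule that targets the build tool (assumed shape, not the Console schema)."""
    kind: str                                   # "vulnerability" or "compliance"
    alert_threshold: Optional[str] = "low"      # findings at or above this severity alert
    fail_threshold: Optional[str] = None        # findings at or above this severity fail the build
    exceptions: dict = field(default_factory=dict)   # finding id -> effect

    def __post_init__(self):
        for fid, eff in self.exceptions.items():
            if eff not in EFFECTS:
                raise ValueError(f"unknown effect {eff!r} for {fid}")
            # Compliance rules can ignore issues but cannot fail a build.
            if self.kind == "compliance" and eff == "fail":
                raise ValueError(f"compliance rules cannot fail a build ({fid})")
        if self.kind == "compliance" and self.fail_threshold is not None:
            raise ValueError("compliance rules cannot fail a build")


def effect_for(rule: CIRule, finding: Finding) -> str:
    """An explicit exception wins over the rule's severity thresholds."""
    if finding.id in rule.exceptions:
        return rule.exceptions[finding.id]
    rank = SEVERITY_RANK[finding.severity]
    if rule.fail_threshold and rank >= SEVERITY_RANK[rule.fail_threshold]:
        return "fail"
    if rule.alert_threshold and rank >= SEVERITY_RANK[rule.alert_threshold]:
        return "alert"
    return "ignore"


def evaluate(rule: CIRule, findings) -> dict:
    """Apply one rule to the findings of its kind; any 'fail' fails the build."""
    verdicts = {e: [] for e in EFFECTS}
    for f in findings:
        if f.kind != rule.kind:
            continue
        verdicts[effect_for(rule, f)].append(f.id)
    verdicts["build"] = "failed" if verdicts["fail"] else "passed"
    return verdicts


# Constructed sample scan results (not real scan data).
SAMPLE = [
    Finding("CVE-2018-1234", "high", "vulnerability"),
    Finding("CVE-2020-0001", "critical", "vulnerability"),
    Finding("CVE-2021-0002", "low", "vulnerability"),
    Finding("CIS-4.1", "high", "compliance"),
    Finding("CIS-4.6", "medium", "compliance"),
]

# Allow CVE-2018-1234 (as in the text), force CVE-2021-0002 to fail despite its low severity.
VULN_RULE = CIRule(
    kind="vulnerability",
    alert_threshold="medium",
    fail_threshold="critical",
    exceptions={"CVE-2018-1234": "ignore", "CVE-2021-0002": "fail"},
)

# Compliance rules may only ignore; everything else at or above the threshold alerts.
COMPLIANCE_RULE = CIRule(
    kind="compliance",
    alert_threshold="medium",
    exceptions={"CIS-4.6": "ignore"},
)

if __name__ == "__main__":
    for rule in (VULN_RULE, COMPLIANCE_RULE):
        print(rule.kind, evaluate(rule, SAMPLE))
```

Running the script shows the vulnerability rule failing the build on the critical CVE and on the low-severity CVE with a 'fail' exception while suppressing CVE-2018-1234, and the compliance rule passing the build while still alerting on CIS-4.1. The check in CIRule.__post_init__ is the part worth keeping in mind: an exception with effect 'fail' is only meaningful on a vulnerability rule.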