1. Overview

Prisma Cloud can scan serverless functions for vulnerabilities. Prisma Cloud supports AWS Lambda, Google Cloud Functions, and Azure Functions.

Serverless computing is an execution model in which a cloud provider dynamically manages the allocation of machine resources and schedules the execution of functions provided by users. Serverless architectures delegate the operational responsibilities, along with many security concerns, to the cloud provider. Your application code, however, is still exposed: the vulnerabilities in your code and its dependencies are the footholds attackers use to compromise an app. Prisma Cloud can show you a function's dependencies and surface the vulnerabilities in those dependent components.

2. Capabilities

For serverless, Prisma Cloud can scan Node.js, Python, Java, and C# packages. For a list of supported runtimes see system requirements.

Prisma Cloud scans are triggered by the following events:

  • When the settings change, including when new functions are added for scanning.

  • When you explicitly click the Scan button in the Monitor > Vulnerabilities > Functions > Scanned Functions page.

  • Periodically. By default, Prisma Cloud rescans serverless functions every 24 hours, but you can configure a custom interval in Manage > System > Scan.

3. Scanning a serverless function

Configure Prisma Cloud to periodically scan your serverless functions. Unlike image scanning, all function scanning is handled by Console itself, so Console needs network access to your cloud provider's APIs and credentials that can read your functions.

  1. Open Console.

  2. Go to Defend > Vulnerabilities > Functions > Functions.

  3. Click Add scope.

  4. In the dialog, enter the following settings:

    1. In Provider, select your cloud platform.

    2. Specify a region.

    3. Specify a function name.

      Wildcards are supported.
    4. Select or create credentials so that Prisma Cloud can access your account.

      • AWS — Specify either an IAM user credential (access key ID and secret access key) or IAM role.

      • Google — Specify a service key.

      • Azure — Specify a user access token.

    5. Specify a cap for the number of functions to scan.

      Prisma Cloud scans the X most recent functions, where X is the cap value. Set this value to 0 to scan all functions.
    6. Select Scan only latest versions to only scan the latest version of each function. Otherwise, the scanning will cover all versions of each function up to the specified cap value.

    7. Click Add.

  5. Click the yellow save button.

  6. View the scan report. Go to Monitor > Vulnerabilities > Functions > Scanned functions.

4. Authenticating with AWS

The serverless scanner is implemented as part of Console. The credentials you give it need the AWSLambdaReadOnlyAccess managed policy (or an equivalent policy with read access to Lambda); no permission to modify functions is required.

IAM User

If authenticating with an IAM user, use the AWS Security Token Service (STS) to issue Prisma Cloud temporary security credentials for scanning your Lambda functions, rather than long-lived access keys. Using STS temporary credentials for IAM users is a best practice under the AWS Well-Architected Framework. For more on how to use AWS STS, see the AWS STS documentation.

When authenticating with an IAM user, Console can access and scan functions across multiple regions.

IAM Role

IAM roles cannot be used for Prisma Cloud serverless scanning because, in Enterprise Edition, Console is not hosted within AWS and so has no AWS identity from which to assume a role.

5. Scanning Azure Functions

Azure Functions are architected differently than AWS Lambda and Google Cloud Functions. An Azure function app can hold multiple functions, which are not segregated from each other and share the same file system. Rather than scanning each function separately, Prisma Cloud downloads the root directory of the function app, which contains all of its functions, and scans them as a bundle.

Prisma Cloud only scans Linux functions that use External package URL as the deployment technology. For more information, see Deployment technologies in Azure Functions.

To do this, you must know the Region, Name (of the function app), and Service Key. To get the Service Key, download and install the Azure CLI, then:

  1. Log into your account with a user that has the User Account Administrator role.

    $ az login
  2. Get the service key. Note that --role contributor grants the new service principal write access across the whole subscription; where possible, add --scopes to restrict it to the resource groups that hold your function apps.

    $ az ad sp create-for-rbac --sdk-auth --name twistlock-azure-serverless-scanning --role contributor

    Sample output from the previous command:

    {
      "clientId": "f8e9de2o-45bd-af94-ae11-b9r8c5tfy3b6",
      "clientSecret": "4dfds482-6sdd-4dsb-b5ff-56123043c4dc",
      "subscriptionId": "ea19322m-z2bd-501c-dd11-234m547a944e",
      "tenantId": "c189c61a-6c27-41c3-9949-ca5c8cc4a624",
      "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
      "resourceManagerEndpointUrl": "https://management.azure.com/",
      "activeDirectoryGraphResourceId": "https://graph.windows.net/",
      "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
      "galleryEndpointUrl": "https://gallery.azure.com/",
      "managementEndpointUrl": "https://management.core.windows.net/"
    }
  3. Copy the JSON output, which is your service key, and paste it into the Service Key field for your Azure credentials in Prisma Cloud Console. Treat it as a secret: it contains the client secret of a service principal with Contributor rights.
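Two things go wrong most often when onboarding Azure function apps: a service key that is missing one of the identity fields Console needs, and function apps that are silently outside the scanner's scope because they are not Linux apps deployed from an external package URL. The following is an added example (not Prisma Cloud or Azure code) that checks both before you paste anything into Console. It assumes the service key is the JSON printed by az ad sp create-for-rbac --sdk-auth, that app settings are the JSON list printed by az functionapp config appsettings list, and that the OS comes from the kind property of az functionapp show, where Linux apps carry "linux" in the string. The sample inputs at the bottom are constructed placeholders.

```python
"""Pre-checks before adding an Azure function app to the Prisma Cloud scan scope.

Added example; not Prisma Cloud or Azure code. Assumptions: the service key is
the JSON printed by `az ad sp create-for-rbac --sdk-auth`; app settings are the
JSON list printed by `az functionapp config appsettings list -n <app> -g <rg>`;
the OS is taken from the `kind` property of `az functionapp show`, where Linux
apps carry "linux" in the string.
"""
import json

# Fields Console needs from the service key to authenticate to Azure.
REQUIRED_SERVICE_KEY_FIELDS = ("clientId", "clientSecret", "subscriptionId", "tenantId")

# Azure Functions deployment setting: "1" means run from a package uploaded to
# the app's own storage; an http(s) URL means the External package URL method.
RUN_FROM_PACKAGE = "WEBSITE_RUN_FROM_PACKAGE"


def parse_service_key(text):
    """Return the parsed service key, or raise ValueError naming missing fields."""
    key = json.loads(text)
    missing = [f for f in REQUIRED_SERVICE_KEY_FIELDS if not key.get(f)]
    if missing:
        raise ValueError("service key is missing: " + ", ".join(missing))
    return key


def run_from_package_value(app_settings):
    """Return the WEBSITE_RUN_FROM_PACKAGE value from an app-settings list, or None."""
    for setting in app_settings:
        if setting.get("name") == RUN_FROM_PACKAGE:
            return setting.get("value")
    return None


def is_external_package_url(value):
    return bool(value) and value.lower().startswith(("https://", "http://"))


def scan_eligibility(kind, app_settings):
    """Return (eligible, reasons). Prisma Cloud scans only Linux function apps
    deployed from an external package URL; anything else will not be scanned."""
    reasons = []
    if "linux" not in (kind or "").lower():
        reasons.append("not a Linux function app (kind=%r)" % kind)
    value = run_from_package_value(app_settings)
    if value is None:
        reasons.append("%s is not set; app is not run from a package" % RUN_FROM_PACKAGE)
    elif not is_external_package_url(value):
        reasons.append("%s=%r is a local package, not an external package URL"
                       % (RUN_FROM_PACKAGE, value))
    return (not reasons, reasons)


# Constructed sample inputs; the identifiers are placeholders, not real resources.
SAMPLE_SERVICE_KEY = json.dumps({
    "clientId": "00000000-0000-0000-0000-000000000001",
    "clientSecret": "placeholder-secret",
    "subscriptionId": "00000000-0000-0000-0000-000000000002",
    "tenantId": "00000000-0000-0000-0000-000000000003",
})
SAMPLE_LINUX_EXTERNAL = [
    {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "node", "slotSetting": False},
    {"name": RUN_FROM_PACKAGE, "slotSetting": False,
     "value": "https://example.blob.core.windows.net/packages/app.zip"},
]
SAMPLE_LOCAL_PACKAGE = [{"name": RUN_FROM_PACKAGE, "value": "1", "slotSetting": False}]

if __name__ == "__main__":
    key = parse_service_key(SAMPLE_SERVICE_KEY)
    print("service key ok for tenant", key["tenantId"])
    for kind, settings in (("functionapp,linux", SAMPLE_LINUX_EXTERNAL),
                           ("functionapp", SAMPLE_LOCAL_PACKAGE)):
        ok, why = scan_eligibility(kind, settings)
        print(kind, "-> eligible" if ok else "-> skipped: " + "; ".join(why))
```

Run it against real output by piping az functionapp config appsettings list through json.load and passing the kind string from az functionapp show; a function app that fails scan_eligibility will appear in the scan scope but produce no findings, which is easy to mistake for a clean result.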

6. Scanning functions at build time with twistcli

You can also use the twistcli command line utility to scan your serverless functions. First download your serverless function as a ZIP file, then run:

$ twistcli serverless scan <SERVERLESS_FUNCTION.ZIP>

To view scan reports in Console, go to Monitor > Vulnerabilities > Functions > CI or Monitor > Compliance > Functions > CI.
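In a build pipeline you rarely download a deployed function; you package the source tree you are about to deploy and scan that, so the scan covers exactly the dependencies that will ship. The following is an added example of such a wrapper (not part of twistcli or Prisma Cloud): it builds the ZIP with the standard library, assembles the twistcli command line from the options documented in the next subsection, and keeps secrets out of the build log. It assumes twistcli is on PATH and that the Console address, token and CA certificate come from hypothetical environment variables CONSOLE_ADDR, CONSOLE_TOKEN and CONSOLE_CA_CERT, or the access key from TWISTLOCK_USER and TWISTLOCK_PASSWORD (the variables twistcli itself reads). The demo() function packages a constructed sample tree so the packaging step can be exercised offline.

```python
"""Package a function directory and scan it with twistcli in a build pipeline.

Added example; not part of twistcli or Prisma Cloud. Assumptions: the function
source directory is laid out as it will be deployed (handler plus vendored
dependencies such as node_modules/); twistcli is on PATH; Console address and
credentials come from environment variables CONSOLE_ADDR, CONSOLE_TOKEN and
CONSOLE_CA_CERT (hypothetical names chosen here) or TWISTLOCK_USER and
TWISTLOCK_PASSWORD (the variables twistcli itself reads).
"""
import os
import subprocess
import sys
import tempfile
import zipfile
from pathlib import Path

# Directories that must not ship in the deployment package.
DEFAULT_EXCLUDES = frozenset({".git", "__pycache__", ".venv", "tests"})


def package_function(src_dir, out_zip, excludes=DEFAULT_EXCLUDES):
    """Zip src_dir into out_zip, paths relative to src_dir; return the entries written."""
    src, out = Path(src_dir), Path(out_zip).resolve()
    entries = []
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(src.rglob("*")):
            rel = path.relative_to(src)
            # Skip excluded directories and the archive being written itself.
            if any(part in excludes for part in rel.parts) or path.resolve() == out:
                continue
            if path.is_file():
                zf.write(path, rel.as_posix())
                entries.append(rel.as_posix())
    return entries


def twistcli_args(zip_path, address, user=None, password=None, token=None,
                  function_name=None, cf_template=None, ca_cert=None, details=True):
    """Build the twistcli argv from the options documented in this section."""
    if not address.startswith("https://"):
        raise ValueError("--address must be an https:// URI; twistcli only speaks HTTPS")
    args = ["twistcli", "serverless", "scan", "--address", address]
    if token:
        args += ["--token", token]
    elif user and password:
        args += ["--user", user, "--password", password]
    else:
        raise ValueError("need a token or an access key ID and secret key")
    if ca_cert:
        args += ["--tlscacert", str(ca_cert)]   # otherwise Console's TLS cert is not verified
    if function_name:
        args += ["--function", function_name]   # name used for policy matching in Console
    if cf_template:
        args += ["--cloudformation-template", str(cf_template)]
    if details:
        args.append("--details")
    args.append(str(zip_path))
    return args


def scan(zip_path, **options):
    """Run twistcli; return its exit code so a policy failure fails the build."""
    cmd = twistcli_args(zip_path, **options)
    secrets = {options.get("password"), options.get("token")} - {None}
    print("running:", " ".join("****" if a in secrets else a for a in cmd))
    return subprocess.run(cmd, check=False).returncode


def demo():
    """Package a constructed sample Node.js function tree; return (entries, zip names)."""
    root = Path(tempfile.mkdtemp())
    (root / "node_modules" / "lodash").mkdir(parents=True)
    (root / ".git").mkdir()
    (root / "index.js").write_text("exports.handler = async () => ({ ok: true });\n")
    (root / "node_modules" / "lodash" / "package.json").write_text(
        '{"name": "lodash", "version": "4.17.20"}\n')
    (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    out = root / "function.zip"
    entries = package_function(root, out)
    with zipfile.ZipFile(out) as zf:
        names = sorted(zf.namelist())
    return entries, names


if __name__ == "__main__":
    src, out = sys.argv[1], sys.argv[2]
    package_function(src, out)
    sys.exit(scan(out, address=os.environ["CONSOLE_ADDR"],
                  user=os.environ.get("TWISTLOCK_USER"),
                  password=os.environ.get("TWISTLOCK_PASSWORD"),
                  token=os.environ.get("CONSOLE_TOKEN"),
                  function_name=Path(src).name,
                  ca_cert=os.environ.get("CONSOLE_CA_CERT")))
```

Passing --function with the directory name keeps Console results and policy rules tied to a stable function name instead of whatever the ZIP happened to be called, and returning twistcli's exit code is what makes a failing vulnerability or compliance rule break the build.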

6.1. Twistcli Options

--address URI

Required. Complete URI for Console, including the protocol and port. Only the HTTPS protocol is supported.

To get the address for your Console, go to Compute > Manage > System > Downloads, and copy the string under Path to Console.

-u, --user Access Key ID

Access Key ID to access Prisma Cloud. If not provided, the TWISTLOCK_USER environment variable is used, if defined. Otherwise, "admin" is used as the default.

-p, --password Secret Key

Secret Key for the above Access Key ID specified with -u, --user. If not specified on the command-line, the TWISTLOCK_PASSWORD environment variable is used, if defined. Otherwise, you will be prompted for the user’s password before the scan runs.

Access Key ID and Secret Key are generated from the Prisma Cloud user interface. For more information, see access keys.

--details

Show all vulnerability details.

--tlscacert PATH

Path to Prisma Cloud CA certificate file. If no CA certificate is specified, Console's TLS certificate is not verified and the connection is insecure; always supply it in CI.

--include-js-dependencies

Include JavaScript package dependencies.

--token TOKEN

Token to use for Prisma Cloud Console authentication. Tokens can be retrieved from the API endpoint api/v1/authenticate or from the Manage > Authenticate > User Certificates page in Console.

--cloudformation-template PATH

Path to the CloudFormation template file in JSON or YAML format. Prisma Cloud scans the function source code for AWS service APIs being used, compares the APIs being used to the function permissions, and reports when functions have permissions for APIs they don’t need.

--function NAME

Function name to be used in policy detection and Console results. When creating policy rules in Console, you can target specific rules to specific functions by function name. If this field is left unspecified, the function zip file name is used.

--output-used-apis

Report the APIs used by the function.

--publish

Publish the scan result to the Console. True by default.
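The --cloudformation-template and --output-used-apis options above describe a least-privilege check: the APIs the code actually calls are compared with the IAM actions its role grants, and grants nothing calls are reported. The following is an added example that approximates that check so you can see what it catches; it is not Prisma Cloud's implementation. It assumes a JSON template (YAML would need a YAML parser), Python handlers that create clients with boto3.client("<service>"), and that the IAM action name is the PascalCase form of the boto3 method name with the client name as the IAM prefix, which holds for most but not all services (PREFIX_OVERRIDES is a partial, assumed correction list). The template and handler at the bottom are constructed samples.

```python
"""Compare the AWS APIs a Lambda handler calls with the IAM actions its
CloudFormation role grants, and list grants the function never uses.

Added example approximating the check twistcli runs with
--cloudformation-template; not Prisma Cloud's implementation. Assumptions:
JSON template; Python handlers using boto3.client("<service>"); IAM action =
PascalCase(boto3 method) with the client name as prefix (see PREFIX_OVERRIDES).
"""
import fnmatch
import json
import re

# boto3 client names whose IAM service prefix differs (partial list, by assumption).
PREFIX_OVERRIDES = {"stepfunctions": "states"}
CLIENT_RE = re.compile(r"(\w+)\s*=\s*boto3\.client\(\s*['\"]([\w-]+)['\"]")

def used_actions(source):
    """Return the set of 'service:Action' names the handler calls via boto3 clients."""
    actions = set()
    for var, service in CLIENT_RE.findall(source):
        prefix = PREFIX_OVERRIDES.get(service, service)
        for method in re.findall(r"\b%s\.(\w+)\(" % re.escape(var), source):
            actions.add("%s:%s" % (prefix, "".join(p.title() for p in method.split("_"))))
    return actions

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _role_logical_id(role_prop):
    """Resolve a function's Role property to the role's logical ID. Handles
    {"Fn::GetAtt": ["Role", "Arn"]}, {"Fn::GetAtt": "Role.Arn"} and {"Ref": "Role"}."""
    if isinstance(role_prop, dict):
        if "Fn::GetAtt" in role_prop:
            target = role_prop["Fn::GetAtt"]
            return target[0] if isinstance(target, list) else target.split(".")[0]
        if "Ref" in role_prop:
            return role_prop["Ref"]
    return None  # a hard-coded ARN points at a role defined outside this template

def granted_actions(template, function_id):
    """Return Allow actions from inline policies on the function's role in the template."""
    resources = template["Resources"]
    role = resources.get(_role_logical_id(resources[function_id]["Properties"].get("Role")))
    if not role or role.get("Type") != "AWS::IAM::Role":
        return set()
    actions = set()
    for policy in role["Properties"].get("Policies", []):
        for stmt in _as_list(policy["PolicyDocument"]["Statement"]):
            if stmt.get("Effect") == "Allow":
                actions.update(_as_list(stmt.get("Action", [])))
    return actions

def _covers(pattern, action):
    # IAM matches action names case-insensitively and expands "*" wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def compare(template, function_id, source):
    """Report granted actions no call needs (excess) and calls no grant covers (missing)."""
    used, granted = used_actions(source), granted_actions(template, function_id)
    excess = sorted(g for g in granted if not any(_covers(g, u) for u in used))
    missing = sorted(u for u in used if not any(_covers(g, u) for g in granted))
    return {"used": sorted(used), "granted": sorted(granted),
            "excess": excess, "missing": missing}

# Constructed sample: a role that grants more than the handler below ever calls.
SAMPLE_TEMPLATE = {"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
    "OrdersRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole"}]},
        "Policies": [{"PolicyName": "orders", "PolicyDocument": {
            "Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                 "Resource": "arn:aws:s3:::orders-bucket/*"},
                {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
                {"Effect": "Allow", "Action": "sqs:SendMessage", "Resource": "*"}]}}]}},
    "OrdersFunction": {"Type": "AWS::Lambda::Function", "Properties": {
        "Runtime": "python3.9", "Handler": "handler.main",
        "Role": {"Fn::GetAtt": ["OrdersRole", "Arn"]},
        "Code": {"ZipFile": "placeholder"}}}}}

SAMPLE_SOURCE = '''
import boto3
s3 = boto3.client("s3")
table = boto3.client("dynamodb")

def main(event, context):
    body = s3.get_object(Bucket="orders-bucket", Key=event["key"])["Body"].read()
    table.put_item(TableName="orders", Item={"id": {"S": event["key"]}})
    return {"ok": True, "size": len(body)}
'''

if __name__ == "__main__":
    print(json.dumps(compare(SAMPLE_TEMPLATE, "OrdersFunction", SAMPLE_SOURCE), indent=2))
```

On the sample, s3:PutObject and sqs:SendMessage are reported as excess while dynamodb:* is kept because the handler's PutItem falls under it; the wildcard itself is still broader than needed, which is exactly the kind of grant to tighten after reviewing the used-APIs list. Static call matching misses APIs reached through helper modules or dynamic dispatch, so treat a "missing" entry as a hint to check at runtime rather than proof of a broken deployment.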